sleuthkit-users Mailing List for The Sleuth Kit (Page 44)
From: Brian C. <ca...@sl...> - 2014-04-18 12:02:12

Thanks Matt. As a side note, if you enter keywords as part of a list during ingest, they will be shown under the name of the list in the tree. The "Single Literal Keyword Search" node is for terms that are entered in the upper right.

While Autopsy is loaded, can you launch a web browser and enter the following into it:

http://localhost:23232/solr/coreCase/select?q=FDA

This doesn't try to show all results, so it may be faster.

thanks,
brian

On Apr 17, 2014, at 5:25 PM, MATT PIERCE <mat...@ad...> wrote:

> It is an ongoing litigation so I'm being careful with the context.
>
> I used Robocopy to extract all the document types and preserve file locations. The extracted files were then entered into the Case.
> I am rerunning the keyword ingest process.
>
> Say my Keyword list was:
> FDA
> Federal
> Drug
> Administration
>
> I'm using normal search and I'm using the basic three letters, no punctuation. I can search on the last three elements via the keyword search bar with no issues. The first generates the Please Wait. I reran ingest using my keyword list and the FDA keyword did not create a Single Literal Keyword Search entry. I added the keyword /^fda$/ as a search term and reran ingest with it flagged as regex.
>
> Here is the Keyword Indexing Result:
> Files with known types: 1883
> Files with general strings extracted: 76
> Metadata only was indexed: 561
> Error (indexer): 0
> Error (text extraction): 0
> Error (I/O): 0
>
> I do not see a Keyword Snippet option in Options/Keyword Search.
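The direct Solr query Brian suggests, turned into a small script that asks the core only for the hit count, which skips the document retrieval and snippet highlighting that Jason and Brian point at as the slow part. This is an added example, not code from the thread or from Autopsy: the host, port and core name are taken from Brian's URL, the rows/hl/wt parameters are standard Solr query parameters, and the hit counts in the offline stand-in are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

# Host, port and core name as given in Brian's message.
SOLR_SELECT = "http://localhost:23232/solr/coreCase/select"


def build_count_url(term, base=SOLR_SELECT):
    """URL that returns only the number of hits for `term`.

    rows=0   -> Solr returns no documents, only response.numFound
    hl=false -> no highlighting, i.e. no snippet generation
    wt=json  -> JSON body instead of the default XML
    """
    params = {"q": term, "rows": 0, "hl": "false", "wt": "json"}
    return base + "?" + urlencode(params)


def parse_hit_count(body):
    """Pull response.numFound out of a Solr JSON response body."""
    data = json.loads(body)
    status = data.get("responseHeader", {}).get("status", 0)
    if status != 0:
        raise RuntimeError(f"Solr query failed with status {status}")
    return int(data["response"]["numFound"])


def count_hits(term, fetch=None):
    """Hit count for one term. `fetch` maps a URL to a response body; it
    defaults to a plain HTTP GET and is injectable so the logic runs offline."""
    if fetch is None:
        def fetch(url):
            with urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return parse_hit_count(fetch(build_count_url(term)))


def count_keyword_list(terms, fetch=None):
    """Count every entry of a keyword list (e.g. the four in Matt's message)
    so a term with an unexpectedly large number of hits stands out."""
    return {term: count_hits(term, fetch) for term in terms}


# Constructed stand-in for a live core; the counts are made up for the example.
FAKE_INDEX = {"FDA": 48213, "Federal": 910, "Drug": 1203, "Administration": 377}


def fake_fetch(url):
    """Answer a count URL with a constructed Solr JSON response."""
    term = parse_qs(urlparse(url).query)["q"][0]
    return json.dumps({
        "responseHeader": {"status": 0, "QTime": 2},
        "response": {"numFound": FAKE_INDEX.get(term, 0), "start": 0, "docs": []},
    })


if __name__ == "__main__":
    # Against a running Autopsy case, call count_keyword_list(terms) without fetch.
    for term, hits in count_keyword_list(FAKE_INDEX, fetch=fake_fetch).items():
        print(f"{term:15s} {hits:8d} hits")
```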
From: MATT P. <mat...@ad...> - 2014-04-17 21:25:29

It is an ongoing litigation so I'm being careful with the context.

I used Robocopy to extract all the document types and preserve file locations. The extracted files were then entered into the Case.
I am rerunning the keyword ingest process.

Say my Keyword list was:
FDA
Federal
Drug
Administration

I'm using normal search and I'm using the basic three letters, no punctuation. I can search on the last three elements via the keyword search bar with no issues. The first generates the Please Wait. I reran ingest using my keyword list and the FDA keyword did not create a Single Literal Keyword Search entry. I added the keyword /^fda$/ as a search term and reran ingest with it flagged as regex.

Here is the Keyword Indexing Result:
Files with known types: 1883
Files with general strings extracted: 76
Metadata only was indexed: 561
Error (indexer): 0
Error (text extraction): 0
Error (I/O): 0

I do not see a Keyword Snippet option in Options/Keyword Search.
From: Luís F. N. <lfc...@gm...> - 2014-04-17 19:58:51

Great news Jason! Thank you for the quick reply.

On 17/04/2014 10:18, "Jason Letourneau" <jle...@ba...> wrote:

> Hi Luis -
>
> This is currently in the develop branch and will be available in an Autopsy 3.1 release coming in the next few weeks. We're really excited about it.
>
> Jason
From: Brian C. <ca...@sl...> - 2014-04-17 16:41:37

No specific reason, just not a use case that we originally thought of. I added a check though to give an error if you supply multiple '-i' values to make it more obvious that you can give only one.

brian

On Apr 15, 2014, at 10:27 AM, Stefan Kelm <sk...@bf...> wrote:

> Brian et al,
>
> is there any reason why one cannot pass both '-i day' and '-i hour' options to mactime (v4.1.3) during the same run? Doing so always results in the first output file being empty, i.e.
>
>     mactime -b tl.txt -i day daily.txt -i hour hourly.txt
>
> gives an empty daily.txt file whereas hourly.txt is fine.
>
> Thanks!
>
> Stefan.
From: Brian C. <ca...@sl...> - 2014-04-17 16:36:39

Hi Matt,

A few questions:

1) We've seen that keyword search 'snippets' are one cause of the slowness. If you go to Tools -> Options -> Keyword search and disable showing snippets, is it still slow?
2) Are you doing a regular expression search or normal search?
3) As Jason mentioned, do you have any characters in the acronym or is it just letters?

brian

On Apr 17, 2014, at 9:35 AM, MATT PIERCE <mat...@ad...> wrote:

> I'm sorry to repost but I was hoping someone could explain why my keyword search didn't progress.
From: Jason L. <jle...@ba...> - 2014-04-17 14:52:16

Hi Matt -

It's tough to know precisely based on the information we have, but have you tried adding your search term as part of a keyword list and re-running ingest? If you have logs (Help > About > Userdir:) that you can share, that would help us see if something is throwing an error.

Another thing I notice is that in searching for acronyms with periods at the end of them, the trailing period is ignored in the actual hits. For instance, Ms. will return matches for any occurrence of ms; likewise, m.s. will match occurrences for "m.s". I am not sure if either of these help with your particular issue, but it could be that you have more hits than you expect based on this and loading is taking more time than expected, as highlighting the keyword hits and showing a preview turns out to be a somewhat intensive process.

Jason

------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Apr 17, 2014, at 9:35 AM, MATT PIERCE <mat...@ad...> wrote:

> I'm sorry to repost but I was hoping someone could explain why my keyword search didn't progress.
From: MATT P. <mat...@ad...> - 2014-04-17 13:50:33

I'm sorry to repost but I was hoping someone could explain why my keyword search didn't progress.

From: MATT PIERCE
Sent: Monday, April 14, 2014 4:15 PM
To: sle...@li...
Subject: Keyword Searching for three letter term results in Please Wait

I'm running Autopsy 3.0.9. I have imported two directories' worth of extracted files from a workstation under ediscovery. I can run various keyword searches and get appropriate responses. When I search for a three letter acronym relevant to the case I get "Please Wait" and the search never returns from that state. Does anyone have any guidance?
From: Jason L. <jle...@ba...> - 2014-04-17 13:18:32

Hi Luis -

This is currently in the develop branch and will be available in an Autopsy 3.1 release coming in the next few weeks. We're really excited about it.

Jason

On Apr 16, 2014, at 11:21 PM, Luís Filipe Nassif <lfc...@gm...> wrote:

> Hi everyone,
>
> I am new to Autopsy and have played a bit with Autopsy 3.0.9 and, monitoring system resources and the GUI, the module ingest pipeline seems to be single threaded to me, i.e., only one file is processed at a time in the pipeline. Is that correct?
>
> If yes, I suggest and ask for an improvement to the design to execute multiple parallel module pipelines concurrently. Each pipeline would process a different file, picked up from a shared list of files to process. Autopsy could start N pipelines by default, where N is the number of processor cores in the system, so it will take full advantage of the highly concurrent hardware available these days. I think this would result in great processing speed-ups.
>
> Nassif
From: Luís F. N. <lfc...@gm...> - 2014-04-17 03:21:17

Hi everyone,

I am new to Autopsy and have played a bit with Autopsy 3.0.9 and, monitoring system resources and the GUI, the module ingest pipeline seems to be single threaded to me, i.e., only one file is processed at a time in the pipeline. Is that correct?

If yes, I suggest and ask for an improvement to the design to execute multiple parallel module pipelines concurrently. Each pipeline would process a different file, picked up from a shared list of files to process. Autopsy could start N pipelines by default, where N is the number of processor cores in the system, so it will take full advantage of the highly concurrent hardware available these days. I think this would result in great processing speed-ups.

Nassif
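The per-file pipeline concurrency Nassif describes, as an added example (not Autopsy's own ingest code): N workers pull files from a shared queue and each runs the whole module chain on its file, with N defaulting to the core count. The modules and the sample files are constructed for the illustration.

```python
import hashlib
import os
import queue
import threading


# Three stand-in ingest modules; real modules would hash, index, carve, etc.
def hash_module(name, data):
    return {"sha256": hashlib.sha256(data).hexdigest()}


def keyword_module(name, data, keywords=(b"FDA", b"Federal")):
    return {"hits": [k.decode() for k in keywords if k in data]}


def size_module(name, data):
    return {"size": len(data)}


PIPELINE = (hash_module, keyword_module, size_module)


def run_pipeline(name, data):
    """Run every module on one file, in order. A failing module is recorded
    in the result instead of killing the worker, so other files still get processed."""
    result = {"file": name}
    for module in PIPELINE:
        try:
            result.update(module(name, data))
        except Exception as exc:  # keep ingest running on module errors
            result.setdefault("errors", []).append(f"{module.__name__}: {exc}")
    return result


def ingest(files, workers=None):
    """files: dict of path -> bytes. Returns dict of path -> pipeline result.

    Each worker thread owns one pipeline instance and takes the next file from
    the shared queue; nothing is assigned up front, so a slow file only delays
    the worker holding it. Threads are used for brevity: in CPython, CPU-bound
    modules would need processes to scale across cores.
    """
    workers = workers or os.cpu_count() or 1
    work = queue.Queue()
    for item in files.items():
        work.put(item)
    results = {}
    lock = threading.Lock()

    def worker():
        while True:
            try:
                name, data = work.get_nowait()
            except queue.Empty:
                return  # shared list drained, this pipeline is done
            res = run_pipeline(name, data)
            with lock:
                results[name] = res

    threads = [threading.Thread(target=worker, name=f"pipeline-{i}") for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


# Constructed sample input, not real case data.
SAMPLE_FILES = {
    "docs/memo1.txt": b"Meeting with the FDA about the Federal review",
    "docs/memo2.txt": b"nothing relevant here",
    "docs/memo3.txt": b"FDA" * 1000,
}

if __name__ == "__main__":
    for name, res in sorted(ingest(SAMPLE_FILES).items()):
        print(res)
```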
From: Stefan K. <sk...@bf...> - 2014-04-15 14:40:18

Brian et al,

is there any reason why one cannot pass both '-i day' and '-i hour' options to mactime (v4.1.3) during the same run? Doing so always results in the first output file being empty, i.e.

    mactime -b tl.txt -i day daily.txt -i hour hourly.txt

gives an empty daily.txt file whereas hourly.txt is fine.

Thanks!

Stefan.

--
Stefan Kelm <sk...@bf...>
BFK edv-consulting GmbH    http://www.bfk.de/
Kriegsstrasse 100          Tel: +49-721-96201-1
D-76133 Karlsruhe          Fax: +49-721-96201-99
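A Python re-creation of the option handling behind what Stefan reports and of the check Brian describes adding in his reply; this is added here and is not mactime's own Perl source. The body-file contents, the index output format and the "one slot per option" parsing are simplifying assumptions; in the real tool the first index file is left empty, here it is simply never written.

```python
from collections import Counter
from datetime import datetime, timezone

# Index granularities the thread uses, mapped to a (simplified) bucket format.
INDEX_UNITS = {"day": "%Y-%m-%d", "hour": "%Y-%m-%d %H:00"}


def parse_mactime_args(argv, strict=False):
    """Parse the subset of mactime options used in the thread:
    -b <bodyfile>  and  -i <day|hour> <indexfile>.

    With strict=False a second -i silently replaces the first (the behaviour
    Stefan hit). With strict=True a second -i is an error, as Brian describes.
    """
    opts = {"body": None, "index_unit": None, "index_file": None}
    i = 0
    while i < len(argv):
        if argv[i] == "-b":
            if i + 1 >= len(argv):
                raise ValueError("-b needs a body file")
            opts["body"] = argv[i + 1]
            i += 2
        elif argv[i] == "-i":
            if i + 2 >= len(argv):
                raise ValueError("-i needs <day|hour> <file>")
            unit, path = argv[i + 1], argv[i + 2]
            if unit not in INDEX_UNITS:
                raise ValueError(f"unknown index unit {unit!r}")
            if strict and opts["index_unit"] is not None:
                raise ValueError("only one -i option can be given per run")
            # One slot for the unit and one for the file: the last -i wins.
            opts["index_unit"], opts["index_file"] = unit, path
            i += 3
        else:
            raise ValueError(f"unknown option {argv[i]!r}")
    return opts


def validate(argv):
    """None if argv passes the strict check, else the error message."""
    try:
        parse_mactime_args(argv, strict=True)
    except ValueError as exc:
        return str(exc)
    return None


def build_index(timestamps, unit):
    """Count events per day or per hour (UTC). timestamps: epoch seconds."""
    fmt = INDEX_UNITS[unit]
    counts = Counter(datetime.fromtimestamp(ts, timezone.utc).strftime(fmt) for ts in timestamps)
    return dict(sorted(counts.items()))


def run(argv, timestamps, strict=False):
    """Simulate one mactime run; returns {index_file: index_text}."""
    opts = parse_mactime_args(argv, strict=strict)
    outputs = {}
    if opts["index_unit"]:
        index = build_index(timestamps, opts["index_unit"])
        outputs[opts["index_file"]] = "\n".join(f"{k}: {v}" for k, v in index.items())
    return outputs


# Constructed sample: 00:00, 01:00 and 01:01 on 2014-04-15 UTC, then 00:00 on 04-16.
SAMPLE_TIMES = [1397520000, 1397523600, 1397523660, 1397606400]

if __name__ == "__main__":
    argv = ["-b", "tl.txt", "-i", "day", "daily.txt", "-i", "hour", "hourly.txt"]
    print(run(argv, SAMPLE_TIMES))  # only hourly.txt is produced; daily.txt is lost
    print("strict check:", validate(argv))
```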
From: MATT P. <mat...@ad...> - 2014-04-14 21:30:57

I'm running Autopsy 3.0.9. I have imported two directories' worth of extracted files from a workstation under ediscovery. I can run various keyword searches and get appropriate responses. When I search for a three letter acronym relevant to the case I get "Please Wait" and the search never returns from that state. Does anyone have any guidance?
From: Jason L. <jle...@ba...> - 2014-04-14 15:13:47

Herve -

We're still unable to reproduce, but a couple of questions that may help us debug:

1) Can you send logs over for us to have a look at?
2) Did you happen to change settings for displaying times in GMT vs local time?

Thanks
Jason

On Apr 11, 2014, at 2:45 PM, Hervé Le Guyader <hl...@fr...> wrote:

> Thanks, Jason,
>
> Yes, that's what I mean.
>
> Clicking on the month of December doesn't trigger the display of December's activities while clicking on any other month "works".
>
> Thanks!
>
> Hervé
From: Gareth E. <don...@fa...> - 2014-04-12 15:43:03

Hello,

My attempt to ./configure SleuthKit 4.1.3 on Ubuntu 13.10 ends as follows. There are no held packages according to

    dpkg --get-selections | grep hold

I would be grateful for any advice on how to fix this.

Thanks
Gareth

"Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming. The following information may help to resolve the situation:

The following packages have unmet dependencies:
 libstdc++-4.8-doc : Conflicts: libstdc++6-4.4-doc but 4.4.7-2ubuntu2 is to be installed
                     Conflicts: libstdc++6-4.6-doc but 4.6.4-3ubuntu1 is to be installed
                     Conflicts: libstdc++6-4.7-doc but 4.7.3-7ubuntu3 is to be installed
 libstdc++6-4.6-dbg : Conflicts: libstdc++6-4.4-dbg but 4.4.7-2ubuntu2 is to be installed
 libstdc++6-4.6-doc : Conflicts: libstdc++6-4.4-doc but 4.4.7-2ubuntu2 is to be installed
 libstdc++6-4.7-dbg : Conflicts: libstdc++6-4.4-dbg but 4.4.7-2ubuntu2 is to be installed
                      Conflicts: libstdc++6-4.6-dbg but 4.6.4-3ubuntu1 is to be installed
 libstdc++6-4.7-doc : Conflicts: libstdc++6-4.4-doc but 4.4.7-2ubuntu2 is to be installed
                      Conflicts: libstdc++6-4.6-doc but 4.6.4-3ubuntu1 is to be installed
 libstdc++6-4.8-dbg : Conflicts: libstdc++6-4.4-dbg but 4.4.7-2ubuntu2 is to be installed
                      Conflicts: libstdc++6-4.6-dbg but 4.6.4-3ubuntu1 is to be installed
                      Conflicts: libstdc++6-4.7-dbg but 4.7.3-7ubuntu3 is to be installed
 libstdc++6-4.8-dbg-arm64-cross : Conflicts: libstdc++6-4.7-dbg-arm64-cross but 4.7.3-1ubuntu1cross0.6 is to be installed
 libstdc++6-4.8-dbg-armhf-cross : Conflicts: libstdc++6-4.7-dbg-armhf-cross but 4.7.3-7ubuntu3cross1.84 is to be installed
 libstdc++6-4.8-dbg-powerpc-cross : Conflicts: libstdc++6-4.7-dbg-powerpc-cross but 4.7.3-1ubuntu1cross0.7 is to be installed
E: Unable to correct problems, you have held broken packages."
From: Jason L. <jle...@ba...> - 2014-04-11 18:50:27

Hi Herve - we are taking a look at this, can't say we can reproduce yet on our test images though. By "refuses to open", you mean you can't see the activity by day when you click on the month of December?

Jason

On Apr 11, 2014, at 2:19 PM, Hervé Le Guyader <hl...@fr...> wrote:

> Hi,
>
> Sorry to be a bit stubborn, but am I the only one experiencing this problem where the Timeline tool doesn't open the last month of any given year (despite the presence of thousands of events)?
>
> Best,
>
> H
From: Hervé Le G. <hl...@fr...> - 2014-04-11 18:45:39

Thanks, Jason,

Yes, that's what I mean.

Clicking on the month of December doesn't trigger the display of December's activities while clicking on any other month "works".

Thanks!

Hervé

On 11/04/2014 20:42, Jason Letourneau wrote:

> Hi Herve - we are taking a look at this, can't say we can reproduce yet on our test images though. By refuses to open, you mean you can't see the activity by day when you click on the month of December?
>
> Jason

---
This email contains no viruses or malware because avast! Antivirus protection is active.
http://www.avast.com
From: Hervé Le G. <hl...@fr...> - 2014-04-11 18:20:04

Hi,

Sorry to be a bit stubborn, but am I the only one experiencing this problem where the Timeline tool doesn't open the last month of any given year (despite the presence of thousands of events)?

Best,

H

On 10/04/2014 19:07, Hervé Le Guyader wrote:
>
> Hi,
>
> I'm using Autopsy 3.09 and am encountering a problem with its Timeline
> Tool. The .dd image I'm working on corresponds to a computer that has
> been used in 2010, 2011, 2012 and (all of) 2013.
>
> Timeline happily reports activity for each month of each year but, for
> some intriguing reason, "refuses" to open the month of December (hence,
> the last one) for each of these years. All of the other months behave
> nicely and all days (including the last one) of each of these 11
> months can also be opened and report corresponding activity nicely.
>
> Of course, I happen to be primarily interested in activities that took
> place during the month of December of one of these years.
>
> Does this ring any bell?
>
> Many thanks in advance,
>
> Hervé
From: Jason L. <jle...@ba...> - 2014-04-11 14:31:53

Hi Ronald -

Glad you had a good experience with Autopsy 3. Right now, the case creation and workflow is heavily dependent on the user interface, but we'll be working in the near future on decoupling that a bit more. Our primary use case is testing, but it could potentially provide a way to script from the command line as well.

Jason

------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Apr 11, 2014, at 6:18 AM, Ronald In de Braekt <rb...@ho...> wrote:
> Hi,
>
> I'm new to Sleuthkit and Autopsy 3. I downloaded autopsy 3 and was very impressed.
>
> Is there a way to create and run an Autopsy case via a command?
>
> Kind regards,
> Ronald.
From: Ronald In de B. <rb...@ho...> - 2014-04-11 10:19:04

Hi,

I'm new to Sleuthkit and Autopsy 3. I downloaded autopsy 3 and was very impressed.

Is there a way to create and run an Autopsy case via a command?

Kind regards,
Ronald.
From: Hervé Le G. <hl...@fr...> - 2014-04-10 17:07:59

Hi,

I'm using Autopsy 3.09 and am encountering a problem with its Timeline Tool. The .dd image I'm working on corresponds to a computer that has been used in 2010, 2011, 2012 and (all of) 2013.

Timeline happily reports activity for each month of each year but, for some intriguing reason, "refuses" to open the month of December (hence, the last one) for each of these years. All of the other months behave nicely and all days (including the last one) of each of these 11 months can also be opened and report corresponding activity nicely.

Of course, I happen to be primarily interested in activities that took place during the month of December of one of these years.

Does this ring any bell?

Many thanks in advance,

Hervé
From: Chris P. <ce...@gm...> - 2014-03-21 19:51:10

I have two openings on the SpiderLabs DFIR team. Both openings are in Chicago: one JR level and one Mid-Level. If you are interested, please email me at ce...@tr....

Thanks,

--
Chris
@cpbeefcake
From: Ketil F. <ke...@fr...> - 2014-03-20 11:55:36

Thanks. This image was made with data recovery tools, and some sectors couldn't be read.

Cheers, Ketil

On 20 March 2014 12:38, Atila <ati...@dp...> wrote:
> I don't know how you made your image, but it's worth mentioning that gnu
> ddrescue is very good in those cases. While some other tools just skip bad
> sectors, gnu ddrescue keeps a log of them, so you can retry again later as
> many times as you like.
>
> On 20-03-2014 07:37, Ketil Froyn wrote:
>> I tried autopsy 3.0.9, and autopsy seems to do just as well as EnCase 6
>> for the folder I was looking for, so that is very good! I guess part of my
>> mistake was using the sleuthkit bundled with Ubuntu, which is v3.2.3...
>> Sorry for the noise, I'll try some more.
>>
>> On 20 March 2014 10:47, Ketil Froyn <ke...@fr...> wrote:
>>> Hi,
>>>
>>> I have an image from a malfunctioning hard drive where some sectors could
>>> not be read. Using different tools, I am getting different success rates
>>> when recovering files from an NTFS file system.
>>>
>>> With sleuthkit I am not getting very far at all. fls gives me some
>>> different errors depending on how I run it:
>>>
>>> $ fls -i split -o 64 -l -p -r file*.bin
>>> Error in metadata structure (Extension record 90739 (file ref = 0) is not
>>> for attribute list of 2584)
>>> $ fls -i split -o 64 -l -p -r file*.bin 2
>>> Attribute not found in file (tsk_fs_attrlist_get: Attribute 144 not
>>> found) ( - dent_walk: $IDX_ROOT not found)
>>>
>>> EnCase 6 actually manages to read this file system very well, and
>>> reconstructed lots of files from a folder where the MFT was actually
>>> unreadable, but it seems to have used an old version of that folder's MFT
>>> instead.
>>>
>>> Are there any tricks to getting sleuthkit to work better with partial
>>> images like this?
>>>
>>> Regards, Ketil
>>
>> --
>> -Ketil

--
-Ketil <http://ketil.froyn.name/>
From: Atila <ati...@dp...> - 2014-03-20 11:38:26

I don't know how you made your image, but it's worth mentioning that gnu ddrescue is very good in those cases. While some other tools just skip bad sectors, gnu ddrescue keeps a log of them, so you can retry again later as many times as you like.

On 20-03-2014 07:37, Ketil Froyn wrote:
> I tried autopsy 3.0.9, and autopsy seems to do just as well as EnCase
> 6 for the folder I was looking for, so that is very good! I guess part
> of my mistake was using the sleuthkit bundled with Ubuntu, which is
> v3.2.3... Sorry for the noise, I'll try some more.
>
> On 20 March 2014 10:47, Ketil Froyn <ke...@fr...> wrote:
>> Hi,
>>
>> I have an image from a malfunctioning hard drive where some
>> sectors could not be read. Using different tools, I am getting
>> different success rates when recovering files from an NTFS file
>> system.
>>
>> With sleuthkit I am not getting very far at all. fls gives me some
>> different errors depending on how I run it:
>>
>> $ fls -i split -o 64 -l -p -r file*.bin
>> Error in metadata structure (Extension record 90739 (file ref = 0)
>> is not for attribute list of 2584)
>> $ fls -i split -o 64 -l -p -r file*.bin 2
>> Attribute not found in file (tsk_fs_attrlist_get: Attribute 144
>> not found) ( - dent_walk: $IDX_ROOT not found)
>>
>> EnCase 6 actually manages to read this file system very well, and
>> reconstructed lots of files from a folder where the MFT was
>> actually unreadable, but it seems to have used an old version of
>> that folder's MFT instead.
>>
>> Are there any tricks to getting sleuthkit to work better with
>> partial images like this?
>>
>> Regards, Ketil
>
> --
> -Ketil
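Atila's point about ddrescue keeping a log of unread sectors is worth turning into a concrete check, because the log (the ddrescue mapfile) tells you exactly which bytes of the image are holes, and that is often the first thing to compare against the metadata address that fls or istat complains about. The following Python is an added example for this thread, not code from ddrescue, TSK or any poster. The mapfile is constructed for the demo (its layout, comment lines followed by one current-position line and then "pos size status" blocks with "+" meaning rescued, is the format ddrescue writes); the partition offset of 64 sectors comes from the fls command line in the thread, while the NTFS geometry used for the check (MFT at file-system byte offset 0x4000, 1024-byte records) is an assumption for illustration and would be taken from fsstat/istat on a real image.

```python
"""
Find the unread holes in a ddrescue image from its mapfile and test
whether a file-system structure (here an MFT entry) lies inside one.
Added example; DEMO_MAPFILE is constructed, and the NTFS offsets used
below are assumptions for illustration, not values from the thread.
"""
from typing import List, Tuple

Block = Tuple[int, int, str]      # (position, size, status) from the mapfile
Range = Tuple[int, int]           # [start, end) in image bytes

DEMO_MAPFILE = """\
# Mapfile. Created by GNU ddrescue version 1.23
# Command line: ddrescue -d /dev/sdb image.bin image.map
# Start time:   2014-03-19 10:00:00
# Current time: 2014-03-19 12:00:00
# Finished
# current_pos  current_status  current_pass
0x00400000     +               1
#      pos        size  status
0x00000000  0x00010000  +
0x00010000  0x00000200  -
0x00010200  0x00281E00  +
0x00292000  0x00000200  -
0x00292200  0x0016DE00  +
"""


def parse_mapfile(text: str) -> List[Block]:
    """Return the block list of a ddrescue mapfile.

    Comment lines start with '#'. The first non-comment line is the
    current position/status line and is skipped; every later line is
    'pos size status' in hex. Status '+' is rescued data; '?', '*', '/'
    and '-' are all degrees of 'not (yet) read'.
    """
    blocks: List[Block] = []
    seen_status_line = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not seen_status_line:
            seen_status_line = True
            continue
        pos, size, status = line.split()
        blocks.append((int(pos, 16), int(size, 16), status))
    return blocks


def unreadable_ranges(blocks: List[Block]) -> List[Range]:
    """Merge every non-finished block into [start, end) byte ranges."""
    ranges: List[Range] = []
    for pos, size, status in blocks:
        if status == "+":
            continue
        if ranges and ranges[-1][1] == pos:
            ranges[-1] = (ranges[-1][0], pos + size)   # extend adjacent hole
        else:
            ranges.append((pos, pos + size))
    return ranges


def overlapping(ranges: List[Range], start: int, length: int) -> List[Range]:
    """Unreadable ranges that intersect image bytes [start, start+length)."""
    end = start + length
    return [(a, b) for a, b in ranges if a < end and b > start]


def fs_range_readable(ranges: List[Range], part_offset_sectors: int,
                      fs_offset: int, length: int, sector_size: int = 512) -> bool:
    """Check a file-system-relative byte range against the holes.

    TSK addresses the file system relative to the partition start given
    with -o (in sectors), so the range is translated to image offsets
    before it is compared with the mapfile.
    """
    img_start = part_offset_sectors * sector_size + fs_offset
    return not overlapping(ranges, img_start, length)


def mft_record_readable(ranges: List[Range], part_offset_sectors: int,
                        mft_fs_offset: int, record_no: int,
                        record_size: int = 1024) -> bool:
    """Is MFT entry record_no entirely inside rescued data?"""
    return fs_range_readable(ranges, part_offset_sectors,
                             mft_fs_offset + record_no * record_size,
                             record_size)


if __name__ == "__main__":
    holes = unreadable_ranges(parse_mapfile(DEMO_MAPFILE))
    print("unreadable:", [(hex(a), hex(b)) for a, b in holes])
    # Partition at sector 64 as in the fls command line; MFT offset assumed.
    for entry in (5, 2584):
        print(f"MFT entry {entry}: readable="
              f"{mft_record_readable(holes, 64, 0x4000, entry)}")
```

In the constructed map the second hole lands exactly on the first sector of the assumed location of MFT entry 2584, the entry named in the fls error above, so the check reports it as unreadable while entry 5 (the root directory) and the boot sector are fine. When a TSK error points at a metadata address that sits in a hole, the fix is another ddrescue pass with the same mapfile (which only retries the unread blocks), not a different parser.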
From: Ketil F. <ke...@fr...> - 2014-03-20 10:51:16

Hi,

I have an image from a malfunctioning hard drive where some sectors could not be read. Using different tools, I am getting different success rates when recovering files from an NTFS file system.

With sleuthkit I am not getting very far at all. fls gives me some different errors depending on how I run it:

    $ fls -i split -o 64 -l -p -r file*.bin
    Error in metadata structure (Extension record 90739 (file ref = 0) is not for attribute list of 2584)
    $ fls -i split -o 64 -l -p -r file*.bin 2
    Attribute not found in file (tsk_fs_attrlist_get: Attribute 144 not found) ( - dent_walk: $IDX_ROOT not found)

EnCase 6 actually manages to read this file system very well, and reconstructed lots of files from a folder where the MFT was actually unreadable, but it seems to have used an old version of that folder's MFT instead.

Are there any tricks to getting sleuthkit to work better with partial images like this?

Regards, Ketil
From: Ketil F. <ke...@fr...> - 2014-03-20 10:37:25

I tried autopsy 3.0.9, and autopsy seems to do just as well as EnCase 6 for the folder I was looking for, so that is very good! I guess part of my mistake was using the sleuthkit bundled with Ubuntu, which is v3.2.3... Sorry for the noise, I'll try some more.

On 20 March 2014 10:47, Ketil Froyn <ke...@fr...> wrote:
> Hi,
>
> I have an image from a malfunctioning hard drive where some sectors could
> not be read. Using different tools, I am getting different success rates
> when recovering files from an NTFS file system.
>
> With sleuthkit I am not getting very far at all. fls gives me some
> different errors depending on how I run it:
>
> $ fls -i split -o 64 -l -p -r file*.bin
> Error in metadata structure (Extension record 90739 (file ref = 0) is not
> for attribute list of 2584)
> $ fls -i split -o 64 -l -p -r file*.bin 2
> Attribute not found in file (tsk_fs_attrlist_get: Attribute 144 not found)
> ( - dent_walk: $IDX_ROOT not found)
>
> EnCase 6 actually manages to read this file system very well, and
> reconstructed lots of files from a folder where the MFT was actually
> unreadable, but it seems to have used an old version of that folder's MFT
> instead.
>
> Are there any tricks to getting sleuthkit to work better with partial
> images like this?
>
> Regards, Ketil

--
-Ketil <http://ketil.froyn.name/>
From: RB <ao...@gm...> - 2014-03-15 22:42:55

On Sat, Mar 15, 2014 at 12:41 PM, Emmanuelle Delouvée <emm...@gm...> wrote:
> Hi,
> Question to the SCALPEL developer team:
>
> Scalpel runs natively on Mac OS X, which uses two filesystems: AFS ("Apple File System", a legacy from Mac OS 9) and UFS ("Unix File System", from BSD, where it's called FFS, for "Fast File System").
> Obviously, Scalpel's got to be able to scan/carve both filesystems.
> FreeBSD, as a member of the BSD UNIX family, uses FFS (UFS) too: so, logically, Scalpel (say, the Linux version of it) ought to be able to properly scan/carve disk partitions formatted in FFS by FreeBSD; am I correct?

Scalpel running on a given platform has nothing to do with what filesystems it supports. In fact, a quick glance at the source tree tells me it is unlikely Scalpel directly parses any filesystem structure; instead it just looks for signatures on disk. This means your files will need to have been laid down contiguously with a recognizable head/tail for it to work. So sure - if FFS mostly just places files on the disk in contiguous chunks, Scalpel should be able to parse it just fine.
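RB's answer describes the whole model of a signature carver: it never looks at the file system, it scans raw bytes for a header and takes the next footer as the end of the file, so the result is only correct when the file was stored contiguously. The Python below is an added illustration of that model and its failure mode, not Scalpel's code. The JPEG and PNG header/footer bytes are the real magic values; the maximum carve size stands in for the length field of a scalpel.conf entry and is an assumption, and the four-sector "disk" is constructed for the demo and carries no file system at all.

```python
"""
Header/footer carving the way RB describes Scalpel working: no file
system parsing, just a scan of the raw bytes for signatures. Added
illustration, not Scalpel's code. Signature bytes are the real JPEG and
PNG magic values; the max carve size and the demo image are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR = 512

# name -> (header, footer, max carve size): roughly what one scalpel.conf line carries
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str
    start: int      # byte offset of the header in the image
    end: int        # byte offset just past the footer
    data: bytes


def carve(image: bytes, signatures=SIGNATURES) -> List[Carved]:
    """Return every header..footer span found in the raw image.

    The carver knows nothing about cluster runs or directory entries; it
    takes the first footer after a header, inside the size window, as the
    end of the file. A fragmented file therefore comes back with whatever
    bytes happen to sit between its pieces.
    """
    found: List[Carved] = []
    for kind, (head, tail, max_len) in signatures.items():
        pos = image.find(head)
        while pos != -1:
            window_end = min(len(image), pos + max_len)
            tail_pos = image.find(tail, pos + len(head), window_end)
            if tail_pos == -1:
                # header with no footer inside the window: skip this hit
                pos = image.find(head, pos + 1)
                continue
            end = tail_pos + len(tail)
            found.append(Carved(kind, pos, end, image[pos:end]))
            pos = image.find(head, end)
    found.sort(key=lambda c: c.start)
    return found


def _pad(chunk: bytes) -> bytes:
    """Zero-fill a chunk to a whole number of sectors."""
    return chunk + b"\x00" * (-len(chunk) % SECTOR)


def build_demo_image() -> Tuple[bytes, bytes, bytes]:
    """Constructed four-sector 'disk' with no file system on it.

    Sector 0 holds a complete JPEG-like file A. File B is fragmented: its
    first half is in sector 1, an unrelated sector 2 sits in between, and
    its second half is in sector 3.
    """
    file_a = b"\xff\xd8\xff\xe0" + b"A" * 100 + b"\xff\xd9"
    file_b = b"\xff\xd8\xff\xe0" + b"B" * 100 + b"\xff\xd9"
    half = len(file_b) // 2
    image = (
        _pad(file_a)
        + _pad(file_b[:half])
        + _pad(b"\x55" * 300)
        + _pad(file_b[half:])
    )
    return image, file_a, file_b


def intact(carved: Carved, original: bytes) -> bool:
    """True when the carved bytes are exactly the original file."""
    return carved.data == original


if __name__ == "__main__":
    img, a, b = build_demo_image()
    for c in carve(img):
        print(f"{c.kind} at {c.start:#x}-{c.end:#x}, {len(c.data)} bytes, "
              f"intact: {intact(c, a) or intact(c, b)}")
```

Running it shows both headers being found regardless of what file system (if any) laid the bytes down, which is RB's point about platform and file-system independence. It also shows the caveat: the contiguous file A is recovered byte-for-byte, while the fragmented file B is carved as one 1077-byte span that contains the zero padding and the unrelated 0x55 sector, so it would fail to open. Whether FFS, NTFS or anything else keeps files contiguous decides how much of that second case you get, not which OS Scalpel runs on.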