sleuthkit-users — List to discuss Autopsy and The Sleuth Kit.

Re: [sleuthkit-users] Autopsy 3.08 - Excel timeline

[Alex <ix...@gm...>]

Just tried the HTML report. Same behaviour.

-A

Brian Carrier <ca...@sl...> wrote:
>Does the HTML report work OK?    The Excel report and HTML report share
>the same backend code, but one outputs in Excel and the other in HTML. 
>
>On Oct 25, 2013, at 8:28 AM, Alex <ix...@gm...> wrote:
>
>> Hi
>> 
>> Generating a bodyfile appears to work as expected, but Excel file
>generation hangs at "now processing Web cookies", at which point the
>CPU goes idle and the machine just waits there (I gave it 8 hours
>overnight).
>> 
>> 64-bit version on Windows 7
>> 
>> How could I troubleshoot this? 
>> 
>> Thanks
>> 
>>
>Alex------------------------------------------------------------------------------
>> October Webinars: Code for Performance
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>most from 
>> the latest Intel processors and coprocessors. See abstracts and
>register >
>>
>http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org

Re: [sleuthkit-users] Drive slack

[Greg F. <gre...@gm...>]

Doesn't NTFS support sub-cluster allocations at the sector level?  That can you convert what you think is slack to allocated space and thus not wipable by ccleaner.

My understanding is that with NTFS for the last decade or so you only have partial sector slack, so you need to write your test data after EOF, but in the last sector containing valid data.

Note: I haven't ever had to testify on this so I'm working from old memories of what I read and I have not researched it myself.

Hopefully one of the sleuthkit devs can be more definitive.

Greg

Sergio Work <ser...@gm...> wrote:
>I have been trying to understand the concept of drive slack and how
>some applications wipe this space. In order to do this, I have created
>a small hard disk with a NTFS filesystem inside a virtual machime with
>Windows 7. Then I have added a simple JPG file to this hard disk.
>After that, I have edited the last sector of the last cluster of such
>file (which it is not the last sector used by the file), and added a
>simple word "DRIVESLACK" to this last sector. Then, I have used the
>CCleaner application and activated the "Wipe Cluster Tips" which
>supposly, remove the drive slack space. After that, If I have
>performed a blkcat of the last cluster of the file, and I observed how
>the DRIVESLACK remains in the last sector of the last cluster of the
>jpg file. Is there something that I have missed, or why the DRIVELSACK
>is not overwritten by the CCleaner application?
>
>------------------------------------------------------------------------------
>October Webinars: Code for Performance
>Free Intel webinars can help you accelerate application performance.
>Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>most from 
>the latest Intel processors and coprocessors. See abstracts and
>register >
>http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
>_______________________________________________
>sleuthkit-users mailing list
>https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>http://www.sleuthkit.org

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Re: [sleuthkit-users] Autopsy 3 error "cannot create Java Virtual Machine"

[Charles B. <wi...@gm...>]

​I removed Autopsy completely and did a reinstall of the 64-bit version and
it now works.
Charles​


On Fri, Oct 25, 2013 at 8:08 AM, Florian Weber <web...@gm...>wrote:

> I am running Windows 7 Ultimate 64bit version on both my Laptop and my
> Desktop Computer.
> Interestingly I had to adjust the Java Heap settings for Autopsy, as I
> already described in my previous email, on my Desktop but not on my Laptop.
>
> Anyway, do try to adjust the Java Heap settings in the autopsy.conf file
> and let me know if its working for you afterwards.
>
> Best,
> Florian
>
>>  sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org/
>>
>>
>>
>


-- 

Never do things others can do and will do if there are things others cannot
do or will not do. ~ Amelia Earhart
The very first requirement in a government is that it should
do *no harm.*
Wizard of Odd, LLC
612-200-3221
wi...@gm...

"Designing the Future"

And it harm none, do as ye will.

Opinions expressed are just that: opinions and are owned by those stating
them. They are in no way to be taken as representative of current or future
belief and are subject to withdrawal or modification at any time. Copyright
Wizard of Odd, LLC.

Re: [sleuthkit-users] Autopsy 3 error "cannot create Java Virtual Machine"

[Brian C. <ca...@sl...>]

In that case, can you do the same test that Florian suggested?  

Launch a command prompt and copy this in (it needs to be surrounded in quotes):

"C:\Program Files\Autopsy-3.0.8\jre\bin\java.exe"

thanks,
brian


On Oct 25, 2013, at 9:53 AM, Marc Yu <ma...@ya...> wrote:

> I am using 64-bit on two different machines:
> Wintel i3 processor with 8 GB RAM - Windows 7 Professional 64-bit
> Wintel Dual Xeon Processors with 16 GB RAM - Windows Vista Ultimate 64-bit
> Same exact error on both machines for 3.0.8.
> 
> 
> On Friday, October 25, 2013 8:33 AM, Brian Carrier <ca...@sl...> wrote:
> Charles, are you using 3.0.7 or 3.0.8?
> 
> 32-bit or 64-bit?
> 
> 64-bit should not have the memory problems. 
> 
> On Oct 24, 2013, at 8:55 AM, Charles Barnard <wi...@gm...> wrote:
> 
> > Installed Autopsy 3 using the installer into Win 7 Home Premium 64 bit running in Fusion 6.0 on an iMac i7 Mac OS X 10.7
> > 
> > When I attempt to run it, it returns the error and terminates.
> > 
> > I've searched the forums and others as well as online and the Sleuthkit Wiki but haven't found anything about this error.
> > 
> > I rebooted Win after the install with no changes.
> > I installed the current Java engines no help.
> > 
> > 
> > Layers: (top down)
> > 
> > Autopsy 3
> > Win 7 HP 64
> > VMware Fusion 6.0
> > Mac OS X 10.7 (Lion)  
> > 
> > -- 
> > Never do things others can do and will do if there are things others cannot do or will not do. ~ Amelia Earhart
> > The very first requirement in a government is that it should 
> > do no harm.
> > Wizard of Odd, LLC
> > 612-200-3221
> > wi...@gm...
> > 
> > "Designing the Future"
> > 
> > And it harm none, do as ye will.
> > 
> > Opinions expressed are just that: opinions and are owned by those stating them. They are in no way to be taken as representative of current or future belief and are subject to withdrawal or modification at any time. Copyright Wizard of Odd, LLC.
> > ------------------------------------------------------------------------------
> > October Webinars: Code for Performance
> > Free Intel webinars can help you accelerate application performance.
> > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> > the latest Intel processors and coprocessors. See abstracts and register >
> > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk_______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org/
> 
> 
> 
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org/
> 
> 

Re: [sleuthkit-users] Autopsy 3 error "cannot create Java Virtual Machine"

[Brian C. <ca...@sl...>]

Charles, are you using 3.0.7 or 3.0.8?

32-bit or 64-bit?

64-bit should not have the memory problems. 

On Oct 24, 2013, at 8:55 AM, Charles Barnard <wi...@gm...> wrote:

> Installed Autopsy 3 using the installer into Win 7 Home Premium 64 bit running in Fusion 6.0 on an iMac i7 Mac OS X 10.7
> 
> When I attempt to run it, it returns the error and terminates.
> 
> I've searched the forums and others as well as online and the Sleuthkit Wiki but haven't found anything about this error.
> 
> I rebooted Win after the install with no changes.
> I installed the current Java engines no help.
> 
> 
> Layers: (top down)
> 
> Autopsy 3
> Win 7 HP 64
> VMware Fusion 6.0
> Mac OS X 10.7 (Lion)  
> 
> -- 
> Never do things others can do and will do if there are things others cannot do or will not do. ~ Amelia Earhart
> The very first requirement in a government is that it should 
> do no harm.
> Wizard of Odd, LLC
> 612-200-3221
> wi...@gm...
> 
> "Designing the Future"
> 
> And it harm none, do as ye will.
> 
> Opinions expressed are just that: opinions and are owned by those stating them. They are in no way to be taken as representative of current or future belief and are subject to withdrawal or modification at any time. Copyright Wizard of Odd, LLC.
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] Autopsy 3 error "cannot create Java Virtual Machine"

[Florian W. <web...@gm...>]

I am running Windows 7 Ultimate 64bit version on both my Laptop and my
Desktop Computer.
Interestingly I had to adjust the Java Heap settings for Autopsy, as I
already described in my previous email, on my Desktop but not on my Laptop.

Anyway, do try to adjust the Java Heap settings in the autopsy.conf file
and let me know if its working for you afterwards.

Best,
Florian


2013/10/25 Marc Yu <ma...@ya...>

> Unfortunately, both Charles and I are using the 64-bit version of
> Autopsy.  I also get the exact same error he does.  This is obviously a bug
> for the 64-bit version.
>
>
>   On Thursday, October 24, 2013 10:05 AM, Florian Weber <
> web...@gm...> wrote:
>  Hi Charles,
>
> I had the same issue at the beginning of the year. Same system same error.
> Luckily Adam was so kind to walk me through the steps to fix this.
> Here is the solution or at least it was for me:
>
> As a first step to debug this, can you verify java.exe from the embedded
> jre but itself works.  Just execute C:\Program Files
> (x86)\Autopsy\jre\bin\java.exe
>
> If Java is working, you can try lowering the java heap settings. For that,
> edit the autopsy.conf file in C:\Program Files (x86)\Autopsy\etc and change
> -J-Xmx768m to something smaller, like -J-Xmx512m. You can do this using
> Notepad++.
>
> Lowering it to 512 worked for me.
>
> Hope this helps.
>
> Cheers,
> Flo
>
>
> 2013/10/24 Charles Barnard <wi...@gm...>
>
> Installed Autopsy 3 using the installer into Win 7 Home Premium 64 bit
> running in Fusion 6.0 on an iMac i7 Mac OS X 10.7
>
> When I attempt to run it, it returns the error and terminates.
>
> I've searched the forums and others as well as online and the Sleuthkit
> Wiki but haven't found anything about this error.
>
> I rebooted Win after the install with no changes.
> I installed the current Java engines no help.
>
>
> Layers: (top down)
>
> Autopsy 3
> Win 7 HP 64
> VMware Fusion 6.0
> Mac OS X 10.7 (Lion)
>
> --
> Never do things others can do and will do if there are things others
> cannot do or will not do. ~ Amelia Earhart
> The very first requirement in a government is that it should
> do *no harm.*
> Wizard of Odd, LLC
> 612-200-3221
> wi...@gm...
>
> "Designing the Future"
>
> And it harm none, do as ye will.
>
> Opinions expressed are just that: opinions and are owned by those stating
> them. They are in no way to be taken as representative of current or future
> belief and are subject to withdrawal or modification at any time. Copyright
> Wizard of Odd, LLC.
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org/
>
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org/
>
>
>

Re: [sleuthkit-users] Autopsy 3.08 - Excel timeline

[Brian C. <ca...@sl...>]

Does the HTML report work OK?    The Excel report and HTML report share the same backend code, but one outputs in Excel and the other in HTML. 

On Oct 25, 2013, at 8:28 AM, Alex <ix...@gm...> wrote:

> Hi
> 
> Generating a bodyfile appears to work as expected, but Excel file generation hangs at "now processing Web cookies", at which point the CPU goes idle and the machine just waits there (I gave it 8 hours overnight).
> 
> 64-bit version on Windows 7
> 
> How could I troubleshoot this? 
> 
> Thanks
> 
> Alex------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

[sleuthkit-users] Autopsy 3.08 - Excel timeline

[Alex <ix...@gm...>]

Hi

Generating a bodyfile appears to work as expected,  but Excel file generation hangs at "now processing Web cookies", at which point the CPU goes idle and the machine just waits there (I gave it 8 hours overnight).

64-bit version on Windows 7

How could I troubleshoot this? 

Thanks

Alex

Re: [sleuthkit-users] Autopsy 3 error "cannot create Java Virtual Machine"

[Florian W. <web...@gm...>]

Hi Charles,

I had the same issue at the beginning of the year. Same system same error.
Luckily Adam was so kind to walk me through the steps to fix this.
Here is the solution or at least it was for me:

As a first step to debug this, can you verify java.exe from the embedded
jre but itself works.  Just execute C:\Program Files
(x86)\Autopsy\jre\bin\java.exe



If Java is working, you can try lowering the java heap settings. For that,
edit the autopsy.conf file in C:\Program Files (x86)\Autopsy\etc and change
-J-Xmx768m to something smaller, like -J-Xmx512m. You can do this using
Notepad++.

Lowering it to 512 worked for me.

Hope this helps.

Cheers,
Flo


2013/10/24 Charles Barnard <wi...@gm...>

> Installed Autopsy 3 using the installer into Win 7 Home Premium 64 bit
> running in Fusion 6.0 on an iMac i7 Mac OS X 10.7
>
> When I attempt to run it, it returns the error and terminates.
>
> I've searched the forums and others as well as online and the Sleuthkit
> Wiki but haven't found anything about this error.
>
> I rebooted Win after the install with no changes.
> I installed the current Java engines no help.
>
>
> Layers: (top down)
>
> Autopsy 3
> Win 7 HP 64
> VMware Fusion 6.0
> Mac OS X 10.7 (Lion)
>
> --
>
> Never do things others can do and will do if there are things others
> cannot do or will not do. ~ Amelia Earhart
> The very first requirement in a government is that it should
> do *no harm.*
> Wizard of Odd, LLC
> 612-200-3221
> wi...@gm...
>
> "Designing the Future"
>
> And it harm none, do as ye will.
>
> Opinions expressed are just that: opinions and are owned by those stating
> them. They are in no way to be taken as representative of current or future
> belief and are subject to withdrawal or modification at any time. Copyright
> Wizard of Odd, LLC.
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>

[sleuthkit-users] Autopsy 3 error "cannot create Java Virtual Machine"

[Charles B. <wi...@gm...>]

Installed Autopsy 3 using the installer into Win 7 Home Premium 64 bit
running in Fusion 6.0 on an iMac i7 Mac OS X 10.7

When I attempt to run it, it returns the error and terminates.

I've searched the forums and others as well as online and the Sleuthkit
Wiki but haven't found anything about this error.

I rebooted Win after the install with no changes.
I installed the current Java engines no help.


Layers: (top down)

Autopsy 3
Win 7 HP 64
VMware Fusion 6.0
Mac OS X 10.7 (Lion)

-- 

Never do things others can do and will do if there are things others cannot
do or will not do. ~ Amelia Earhart
The very first requirement in a government is that it should
do *no harm.*
Wizard of Odd, LLC
612-200-3221
wi...@gm...

"Designing the Future"

And it harm none, do as ye will.

Opinions expressed are just that: opinions and are owned by those stating
them. They are in no way to be taken as representative of current or future
belief and are subject to withdrawal or modification at any time. Copyright
Wizard of Odd, LLC.

Re: [sleuthkit-users] Drive slack

[Sergio W. <ser...@gm...>]

Ohh I forgot to mention that yes, the system was halted when I
obtained the image of the disk after the execution of ccleaner.

Re: [sleuthkit-users] Drive slack

[Sergio W. <ser...@gm...>]

> "which it is not the last sector used by the file"
>
> what did you mean here?

I will try to explain it with "an image". This represents the last
cluster associated with the image:

             CLUSTER:
+--------+--------+--------+--------+
|XXX     |        |        |S       |
+--------+--------+--------+--------+
 sector1  sector2  sector3  sector4

The X marks are the data which is the last part of the JPG file (the
image has another clusters associated), and the S si where I put the
string "SLACKDRIVE". So, when I use the CCleaner, the S should be
removed since it is considered as a slack drive space, however the
string remains and is not overwritten. I don't understand why this
happens because the sector2, sector3 and sector4 should be overwritten
by the wipe algorithm. Have I missed something or am I wrong with some
concept?

Thank you!

Re: [sleuthkit-users] Drive slack

[Andrew C. <at...@gm...>]

"which it is not the last sector used by the file"

what did you mean here?

Also, did you reboot the machine or dismount/mount the drive after
running ccleaner and before running tsk? tsk may be reading cached
data and not going back to the actual disk.

On Mon, Oct 21, 2013 at 6:30 PM, Sergio Work <ser...@gm...> wrote:
> I have been trying to understand the concept of drive slack and how
> some applications wipe this space. In order to do this, I have created
> a small hard disk with a NTFS filesystem inside a virtual machime with
> Windows 7. Then I have added a simple JPG file to this hard disk.
> After that, I have edited the last sector of the last cluster of such
> file (which it is not the last sector used by the file), and added a
> simple word "DRIVESLACK" to this last sector. Then, I have used the
> CCleaner application and activated the "Wipe Cluster Tips" which
> supposly, remove the drive slack space. After that, If I have
> performed a blkcat of the last cluster of the file, and I observed how
> the DRIVESLACK remains in the last sector of the last cluster of the
> jpg file. Is there something that I have missed, or why the DRIVELSACK
> is not overwritten by the CCleaner application?
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

[sleuthkit-users] Drive slack

[Sergio W. <ser...@gm...>]

I have been trying to understand the concept of drive slack and how
some applications wipe this space. In order to do this, I have created
a small hard disk with a NTFS filesystem inside a virtual machime with
Windows 7. Then I have added a simple JPG file to this hard disk.
After that, I have edited the last sector of the last cluster of such
file (which it is not the last sector used by the file), and added a
simple word "DRIVESLACK" to this last sector. Then, I have used the
CCleaner application and activated the "Wipe Cluster Tips" which
supposly, remove the drive slack space. After that, If I have
performed a blkcat of the last cluster of the file, and I observed how
the DRIVESLACK remains in the last sector of the last cluster of the
jpg file. Is there something that I have missed, or why the DRIVELSACK
is not overwritten by the CCleaner application?

[sleuthkit-users] Autopsy 3.0.8

[Brian C. <ca...@sl...>]

Autopsy 3.0.8 is available and fixes the installer issue that some of you saw whereby Keyword Search was not working. It has only this fix. If you aren't having problems, then you don't need to upgrade.

http://sleuthkit.org/autopsy/download.php

brian

Re: [sleuthkit-users] Autopsy 3.07 keywords search issue

[Brian C. <ca...@sl...>]

Ughh, we definitely need a new release ASAP. The work around for this is to edit "C:\Program Files\Autopsy-3.0.7\etc\autopsy.conf" to have:

	jdkhome="jre"

at the bottom.  I needed to change the permissions on my system to allow write access to that file before I did it.



On Oct 11, 2013, at 7:50 PM, Alex <ix...@gm...> wrote:

> This results in "cannot locate java installation in specified jdkhome: jre7
> Do you want to try to use default version?"
> 
> Clicking YES we get "error: cannot find java 1.6 or higher" 
> 
> Cheers
> Alex 
> 
> Brian Carrier <ca...@sl...> wrote:
> Thanks for the painful phone typing!
> 
> I think I found it.  
> 
> Can you rename this folder (remove the 7):
> 
> C:\Program Files\Autopsy-3.0.7\autopsy\jre7 
> to 
> C:\Program Files\Autopsy-3.0.7\autopsy\jre 
> 
> And see if that works.  I think this was introduced because we now do 32-bit and 64-bit and missed that we call it something different. Not everyone is seeing the error because they may already have java on their path.
> 
> thanks,
> brian
> 
> 
> 
> On Oct 11, 2013, at 12:14 PM, Alex <ix...@gm...> wrote:
> 
> The error message is preceded by:
> INFO: Starting Solr using: java -Xmx512m -DSTOP.PORT=34343 -Djetty.port=23232 -DSTOP.KEY=jjk#09s -Djava.util.logging.config.file=C:\Program Files\Autopsy-3.0.7\autopsy\solr\solr\conf\logging-release.properties -jar
> start.jar 
> 
> 
> Not sending more logs as I have to type this on the phone, if you need more logs will send on Monday. 
> 
> Hope this helps,
> 
> Alex 
> 
> Brian Carrier <ca...@sl...> wrote:
> Strange.  In that log, there should be a message about what command it was going to run, something like "Starting Solr using:".  What did that say? 
> 
> thanks,
> brian
> 
> 
> On Oct 10, 2013, at 5:56 PM, Alex <ix...@gm...> wrote:
> 
> I take back my postscript: Fresh install on Win7 x64 has same issue. Logs show: 
> 
> WARNING: Could not start Solr server process!Exception: java.io.IOException: Cannot run program "java" (in directory "C:\Program Files\Autopsy-3.0.7\autopsy\solr"): CreateProcess error=2, The system cannot find the file specified. 
> 
> So it looks like a path issue, but how to fix?
> 
> Thanks
> 
> Alex 
> 
> Alex <ix4svs@gmail.c
>  om>
> wrote:
> 
> I think I'm experiencing the same bug with Autopsy 3.x on a Windows 8 x64 VMware
> host,
> running 64-bit Autopsy. 
> 
> 
> Autopsy 3.01 message on application launch: "Error initializing Keyword Search module. File indexing and search will not be functional. Please try to restart your computer and the application."
> Autopsy 3.07 message has slightly different wording but log still shows:
> 
> SEVERE: Starting server failed. Exception: org.sleuthkit.autopsy.keywordsearch.KeywordSearchModuleException: Error checking if Solr server is running. 
> 
> Rebooting doesn't appear to help. How could I troubleshoot this?
> 
> Thanks
> Alex
> 
> PS: All fine on Windows 7 x64. 
> 
> Brian Carrier <ca...@sl...> wrote:
> For everyone's update, seems that the SOLR (keyword search) service was not happy.  A reboot fixed the problem, but we will look into make sure that we give better errors in this case.
> 
>  
> 
> thanks,
> brian
> 
> On Oct 3, 2013, at 10:04 AM, Nanni Bassetti <dig...@gm...> wrote:
> 64bit and yes I see all the file system hierarchy, I don't get any error, all the rest works fine!
> thanks bye
> 
> 
> 2013/10/3 Brian Carrier <ca...@sl...>
> 32-bit version or 64-bit version?
> 
> If you open up the "Data Sources" node in the tree, does it show you the file system hierarchy or is it one big unallocated chunk?
> 
> You don't get any other errors?
> 
> 
> On Oct 3, 2013, at 2:46 AM, Nanni Bassetti <dig...@gm...> wrote:
> 
> Hi all,
> I ran Autopsy 3.07, in a Win 7 OS against, a 500Gb NTFS disk image file in EWF format made by Guymager 7.1.
> When I tried to do a keywords search I got this msg:
> 
> "No files were indexed - Re-Ingest the image with keyword search module enabled"
> 
> The keyword module is enabled, I re-ingest all, it finished and I re-tried the
> keyword search, but nothing...the same previous error message.
> 
> In the directory
> "\ModuleOutput\keywordsearch\data\index", I have only two files 1Kb size:
> 
> segments.gen and segments_1
> 
> With the past release I did not get this problem...what I'm wrong?
> Thanks
> 
> --
> Dr. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
> 
> October Webina
> rs:
> Code for Performance
> 
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 
> 
> 
> 
> -- 
> Dr. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
> 
> October Webinars: Code for Performance
> Fre
> e Intel
> webinars can help you accelerate application performance.
> 
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
> 
> sleuthkit-users mailin
>  g
> list
> 
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 
> 
> 
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
> 
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 
> October Webinars: Code for
> Performance<
> 
> br
> />Free Intel webinars can help you accelerate application performance.
> 
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> 
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 
> 
> October Webinars: Code for Performance
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> 
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
> 
> )
> 8 OK Success
> * 50 FETCH (UID 51 BODY[] {14588}
> Return-Path: <ix4svs
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] Autopsy 3.07 keywords search issue

[Alex <ix...@gm...>]

This results in "cannot locate java installation in specified jdkhome: jre7
Do you want to try to use default version?"

Clicking YES we get "error: cannot find java 1.6 or higher" 

Cheers
Alex 

Brian Carrier <ca...@sl...> wrote:
>Thanks for the painful phone typing!
>
>I think I found it.  
>
>Can you rename this folder (remove the 7):
>
>C:\Program Files\Autopsy-3.0.7\autopsy\jre7 
>  to 
>C:\Program Files\Autopsy-3.0.7\autopsy\jre 
>
>And see if that works.  I think this was introduced because we now do
>32-bit and 64-bit and missed that we call it something different. Not
>everyone is seeing the error because they may already have java on
>their path.
>
>thanks,
>brian
>
>
>
>On Oct 11, 2013, at 12:14 PM, Alex <ix...@gm...> wrote:
>
>> The error message is preceded by:
>> INFO: Starting Solr using: java -Xmx512m -DSTOP.PORT=34343
>-Djetty.port=23232 -DSTOP.KEY=jjk#09s
>-Djava.util.logging.config.file=C:\Program
>Files\Autopsy-3.0.7\autopsy\solr\solr\conf\logging-release.properties
>-jar start.jar 
>> 
>> Not sending more logs as I have to type this on the phone, if you
>need more logs will send on Monday. 
>> 
>> Hope this helps,
>> 
>> Alex 
>> 
>> Brian Carrier <ca...@sl...> wrote:
>> Strange.  In that log, there should be a message about what command
>it was going to run, something like "Starting Solr using:".  What did
>that say? 
>> 
>> thanks,
>> brian
>> 
>> 
>> On Oct 10, 2013, at 5:56 PM, Alex <ix...@gm...> wrote:
>> 
>> I take back my postscript: Fresh install on Win7 x64 has same issue.
>Logs show: 
>> 
>> WARNING: Could not start Solr server process!Exception:
>java.io.IOException: Cannot run program "java" (in directory
>"C:\Program Files\Autopsy-3.0.7\autopsy\solr"): CreateProcess error=2,
>The system cannot find the file specified. 
>> 
>> So it looks like a path issue, but how to fix?
>> 
>> Thanks
>> 
>> Alex 
>> 
>> Alex <ix...@gm...> wrote:
>> I think I'm experiencing the same bug with Autopsy 3.x on a Windows 8
>x64 VMware
>>   host,
>> running 64-bit Autopsy. 
>> 
>> 
>> Autopsy 3.01 message on application launch: "Error initializing
>Keyword Search module. File indexing and search will not be functional.
>Please try to restart your computer and the application."
>> Autopsy 3.07 message has slightly different wording but log still
>shows:
>> 
>> SEVERE: Starting server failed. Exception:
>org.sleuthkit.autopsy.keywordsearch.KeywordSearchModuleException: Error
>checking if Solr server is running. 
>> 
>> Rebooting doesn't appear to help. How could I troubleshoot this?
>> 
>> Thanks
>> Alex
>> 
>> PS: All fine on Windows 7 x64. 
>> 
>> Brian Carrier <ca...@sl...> wrote:
>> For everyone's update, seems that the SOLR (keyword search) service
>was not happy.  A reboot fixed the problem, but we will look into make
>sure that we give better errors in this case.
>> 
>> thanks,
>> brian
>> 
>> On Oct 3, 2013, at 10:04 AM, Nanni Bassetti <dig...@gm...>
>wrote:
>> 64bit and yes I see all the file system hierarchy, I don't get any
>error, all the rest works fine!
>> thanks bye
>> 
>> 
>> 2013/10/3 Brian Carrier <ca...@sl...>
>> 32-bit version or 64-bit version?
>> 
>> If you open up the "Data Sources" node in the tree, does it show you
>the file system hierarchy or is it one big unallocated chunk?
>> 
>> You don't get any other errors?
>> 
>> 
>> On Oct 3, 2013, at 2:46 AM, Nanni Bassetti <dig...@gm...>
>wrote:
>> 
>> Hi all,
>> I ran Autopsy 3.07, in a Win 7 OS against, a 500Gb NTFS disk image
>file in EWF format made by Guymager 7.1.
>> When I tried to do a keywords search I got this msg:
>> 
>> "No files were indexed - Re-Ingest the image with keyword search
>module enabled"
>> 
>> The keyword module is enabled, I re-ingest all, it finished and I
>re-tried the keyword search, but nothing...the same previous error
>message.
>> In the directory
>> "\ModuleOutput\keywordsearch\data\index", I have only two files 1Kb
>size:
>> 
>> segments.gen and segments_1
>> 
>> With the past release I did not get this problem...what I'm wrong?
>> Thanks
>> 
>> --
>> Dr. Nanni Bassetti
>> http://www.nannibassetti.com
>> CAINE project manager - http://www.caine-live.net
>> 
>> October Webina
>> rs:
>> Code for Performance
>> 
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>most from
>> the latest Intel processors and coprocessors. See abstracts and
>register >
>>
>http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
>> 
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>> 
>> 
>> 
>> 
>> -- 
>> Dr. Nanni Bassetti
>> http://www.nannibassetti.com
>> CAINE project manager - http://www.caine-live.net
>> 
>> October Webinars: Code for Performance
>> Fre
>> e Intel
>> webinars can help you accelerate application performance.
>> 
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>most from 
>> the latest Intel processors and coprocessors. See abstracts and
>register >
>>
>http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
>> 
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>> 
>> 
>> 
>> October Webinars: Code for Performance
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>most from 
>> the latest Intel processors and coprocessors. See abstracts and
>register >
>>
>http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
>> 
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>> 
>> October Webinars: Code for Performance<
>>  br
>> />Free Intel webinars can help you accelerate application
>performance.
>> 
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>most from 
>> the latest Intel processors and coprocessors. See abstracts and
>register >
>>
>http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>> 
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>> 
>>
>------------------------------------------------------------------------------
>> October Webinars: Code for Performance
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>most from 
>> the latest Intel processors and coprocessors. See abstracts and
>register >
>>
>http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>
>)
>8 OK Success
>* 50 FETCH (UID 51 BODY[] {14588}
>Return-Path: <ix4svs

Re: [sleuthkit-users] fiwalk output

[Alex N. <ajn...@cs...>]

Notes are here on representing multiple allocation statuses in DFXML:
https://github.com/dfxml-working-group/dfxml_schema/issues/14

Discussion welcome.

--Alex


On Oct 11, 2013, at 15:51 , Alex Nelson <ajn...@cs...> wrote:

> On Oct 11, 2013, at 15:35 , Brian Carrier <ca...@sl...> wrote:
> 
>> I'm not sure which e-mail message to reply to at this point, so I'm going back to the original. 
>> 
>> Basic concepts for background:
>> - For most file systems (all except FAT), there is a file name structure and a metadata structure. 
>> - Each of those structures has an allocation status. 
>> - TSK data structures (which fiwalk uses) reports if it is allocated or not.
>> - fls has some additional logic in it to detect when a deleted file name points to a metadata structure that is allocated and adds the "(realloc)" string to highlight the fact that the content that this file name points to is probably not the same content that the file name originally pointed to when it was allocated.  This isn't always true (i.e. if a file is moved from one folder to another, it's old name will be marked with realloc). 
>> 
>> For a given file, does DFXML differentiate the allocation status of its file name structure versus its metadata structure?
> No.  But this situation probably means it should.  I'll make some notes on the schema repository.
> 
> --Alex
>> 
>> 
>> 
>> 
>> On Oct 11, 2013, at 1:36 PM, Jason Wright <jwr...@gm...> wrote:
>> 
>>> All,
>>> 
>>> 
>>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. In know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>>> 
>>> Thanks,
>>> 
>>> Jason Wright
>>> ------------------------------------------------------------------------------
>>> October Webinars: Code for Performance
>>> Free Intel webinars can help you accelerate application performance.
>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>>> the latest Intel processors and coprocessors. See abstracts and register >
>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
>> 
>> 
>> ------------------------------------------------------------------------------
>> October Webinars: Code for Performance
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>> the latest Intel processors and coprocessors. See abstracts and register >
>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
> 

Re: [sleuthkit-users] fiwalk output

[Alex N. <ajn...@cs...>]

On Oct 11, 2013, at 15:35 , Brian Carrier <ca...@sl...> wrote:

> I'm not sure which e-mail message to reply to at this point, so I'm going back to the original. 
> 
> Basic concepts for background:
> - For most file systems (all except FAT), there is a file name structure and a metadata structure. 
> - Each of those structures has an allocation status. 
> - TSK data structures (which fiwalk uses) reports if it is allocated or not.
> - fls has some additional logic in it to detect when a deleted file name points to a metadata structure that is allocated and adds the "(realloc)" string to highlight the fact that the content that this file name points to is probably not the same content that the file name originally pointed to when it was allocated.  This isn't always true (i.e. if a file is moved from one folder to another, it's old name will be marked with realloc). 
> 
> For a given file, does DFXML differentiate the allocation status of its file name structure versus its metadata structure?
No.  But this situation probably means it should.  I'll make some notes on the schema repository.

--Alex
> 
> 
> 
> 
> On Oct 11, 2013, at 1:36 PM, Jason Wright <jwr...@gm...> wrote:
> 
>> All,
>> 
>> 
>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. In know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>> 
>> Thanks,
>> 
>> Jason Wright
>> ------------------------------------------------------------------------------
>> October Webinars: Code for Performance
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>> the latest Intel processors and coprocessors. See abstracts and register >
>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
> 
> 
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] fiwalk output

[Brian C. <ca...@sl...>]

I'm not sure which e-mail message to reply to at this point, so I'm going back to the original. 

Basic concepts for background:
- For most file systems (all except FAT), there is a file name structure and a metadata structure. 
- Each of those structures has an allocation status. 
- TSK data structures (which fiwalk uses) reports if it is allocated or not.
- fls has some additional logic in it to detect when a deleted file name points to a metadata structure that is allocated and adds the "(realloc)" string to highlight the fact that the content that this file name points to is probably not the same content that the file name originally pointed to when it was allocated.  This isn't always true (i.e. if a file is moved from one folder to another, it's old name will be marked with realloc). 

For a given file, does DFXML differentiate the allocation status of its file name structure versus its metadata structure?




On Oct 11, 2013, at 1:36 PM, Jason Wright <jwr...@gm...> wrote:

> All,
> 
> 
> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. In know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
> 
> Thanks,
> 
> Jason Wright
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

Re: [sleuthkit-users] fiwalk output

[Jason W. <jwr...@gm...>]

unfortunately, no. i wish, but it's not shareable.

istat for the entry only gives me metadata for the allocated file. i'm
going to write something up to see if I can't determine how the framework
tags the deleted entry. i'll pass on anything interesting that i find.

Thanks for the help.
Jason


On Fri, Oct 11, 2013 at 2:40 PM, Alex Nelson <ajn...@cs...> wrote:

> Oh, that's exciting.  You've found a bug.  Correcting the bug will
> unfortunately probably require access to the metadata structures on the
> disk image, best dumpable with istat and icat.
>
> Does this happen to be a shareable disk image?  (Long shot, I know.)
>
> --Alex
>
>
> On Oct 11, 2013, at 14:36 , Jason Wright <jwr...@gm...> wrote:
>
> Yes, it does normally, but in this case it did not. For both entries in
> the dfxml, the alloc field is 1.
>
>
> On Fri, Oct 11, 2013 at 2:34 PM, Simson Garfinkel <si...@ac...> wrote:
>
>> The XML indicates whether the file is allocated or not.
>>
>> On Oct 11, 2013, at 2:32 PM, Jason Wright <jwr...@gm...> wrote:
>>
>> I don't have the exact fiwalk output accessible here, so sorry that I
>> can't paste it in for more clarity, but at present the only difference in
>> the fileobjects for both inodes in the dfxml, is the filename. After
>> researching I think found that one was for a deleted entry based off of
>> some fls output I obtained. That cleared things up. My next thought was
>> then, how can I use fiwalk to help differentiate between the allocated and
>> deleted entries for two files referencing the same inode from the same
>> partition on a drive.
>>
>> I'm not sure there is anything at present and wanted to find out before
>> creating something on my own.
>>
>> Thanks again,
>>
>> Jason
>>
>>
>> On Fri, Oct 11, 2013 at 2:19 PM, Alex Nelson <ajn...@cs...>wrote:
>>
>>> Whoops, looks like you beat me to a response.  But yes, that clarifies
>>> your question.
>>>
>>> I think your question boils down to recording allocation status.  Do you
>>> have DFXML output from Fiwalk?  Are there <alloc> or <unalloc> elements for
>>> the fileobjects that you're looking at?
>>>
>>> --Alex
>>>
>>>
>>> On Oct 11, 2013, at 14:16 , Jason Wright <jwr...@gm...> wrote:
>>>
>>> Thanks, Alex. What I've come across is two references for the same inode
>>> in the fiwalk output for a particular drive. Both are on the same
>>> partition. One is for the allocated file the other is for the unallocated
>>> state for the filename of the file that previously used the inode.
>>>
>>> If running fls and looking for inode 79456, for example, you may get
>>> these two outputs
>>> +++ r/r 79456-128-3: filename1.ext
>>> ++++++++ r/r 79456-128-3(realloc): filename2.ext
>>>
>>> So, in this case filename2.ext is a reference for a file that once used
>>> inode 79456 and the file that currently uses the inode is filename1.ext.
>>>
>>> What I'm interested in is a possible reference in the dfxml fiwalk
>>> output that would differentiate the two references?
>>>
>>> Hopefully, that helps explain it a little better.
>>>
>>> R/
>>>
>>> Jason
>>>
>>>
>>>
>>>
>>> On Fri, Oct 11, 2013 at 1:46 PM, Alex Nelson <ajn...@cs...>wrote:
>>>
>>>> That's interesting.  It might, but I don't understand the whole
>>>> situation you're describing.  What are indicators of reallocation for a
>>>> disk image at a single point in time?  Do you mean multiple hard-links to
>>>> the same file exist and are legitimate files?  Or do you mean a file was
>>>> unlinked somewhere and reallocated, but the file system was imaged in an
>>>> inconsistent state?
>>>>
>>>> --Alex
>>>>
>>>>
>>>> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>>>>
>>>> All,
>>>>
>>>>
>>>> Does the dfxml output of fiwalk report whether a file object has been
>>>> reallocated? Fls will (indicated by realloc), but will fiwalk do the same?
>>>> I've come across this situation for a particular ntfs partition and have
>>>> found two references for the same inode in fiwalk. In know which one is the
>>>> allocated entry based off of fls, but I'm not sure of how that can be
>>>> identified in fiwalk. Does anyone have any suggestions?
>>>>
>>>> Thanks,
>>>>
>>>> Jason Wright
>>>>
>>>> ------------------------------------------------------------------------------
>>>> October Webinars: Code for Performance
>>>> Free Intel webinars can help you accelerate application performance.
>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>>>> most from
>>>> the latest Intel processors and coprocessors. See abstracts and
>>>> register >
>>>>
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
>>>>
>>>>
>>>>
>>>
>>>
>>
>> ------------------------------------------------------------------------------
>> October Webinars: Code for Performance
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
>> from
>> the latest Intel processors and coprocessors. See abstracts and register >
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>>
>>
>>
>
>

Re: [sleuthkit-users] fiwalk output

[Jason W. <jwr...@gm...>]

Unfortunately, in this case both entries only contain the <alloc> field and
both are marked 1. The confusion started because I have it scripted to look
out for the unalloc field, but there wasn't one.


On Fri, Oct 11, 2013 at 2:38 PM, Alex Nelson <ajn...@cs...> wrote:

> It's a shame that causes confusion...maybe it'd be worth including an XML
> comment next to <unalloc>?  <!--This file was marked as deleted-->?  The
> (un)alloc elements are sufficient information to display allocation status
> for scripts, but I suppose are easy to overlook with eyes.
>
> --Alex
>
>
>
> On Oct 11, 2013, at 14:21 , Simson Garfinkel <si...@ac...> wrote:
>
> From Jason's description it sounds like he has an allocated file and a
> deleted file that use the same filenode. This has caused confusion for
> others. The deleted "file" is probably just an old deleted directory entry.
>
> On Oct 11, 2013, at 2:17 PM, Alex Nelson <ajn...@cs...> wrote:
>
> Jason, if you actually meant the multiple hard-link situation, then TSK
> should be able to expose this as finding multiple directory entries (I
> forgot the struct name, but it's an abstract-sounding "Name" struct).  In
> the TSK API, you would encounter this during a directory hierarchy walk,
> and I think you'd have to retain this in your own structure.
>
> Currently, Fiwalk indirectly records multiple paths referencing the same
> MFT entry by using the <inode> and <parent_object> elements.
>
> It's theoretically possible to record a file's name with from where the
> name came:
> https://github.com/dfxml-working-group/dfxml_schema/issues/12
> That's engineering that is awaiting (1) free time and (2) a little
> discussion for whether it's something worth doing, and whether what's in
> that Issue is the right way to go about it.
>
> Of course, if I'm guessing wrong and you mean only one of the entries was
> actually allocated (which seems so, now that I've re-read your original
> message), that's a different matter.
>
> --Alex
>
>
> On Oct 11, 2013, at 14:08 , Simson Garfinkel <si...@ac...> wrote:
>
> The real question is this — how does SleuthKit handle it, and how do you
> want to indicate it?
>
> On Oct 11, 2013, at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:
>
> That's interesting.  It might, but I don't understand the whole situation
> you're describing.  What are indicators of reallocation for a disk image at
> a single point in time?  Do you mean multiple hard-links to the same file
> exist and are legitimate files?  Or do you mean a file was unlinked
> somewhere and reallocated, but the file system was imaged in an
> inconsistent state?
>
> --Alex
>
>
> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>
> All,
>
>
> Does the dfxml output of fiwalk report whether a file object has been
> reallocated? Fls will (indicated by realloc), but will fiwalk do the same?
> I've come across this situation for a particular ntfs partition and have
> found two references for the same inode in fiwalk. In know which one is the
> allocated entry based off of fls, but I'm not sure of how that can be
> identified in fiwalk. Does anyone have any suggestions?
>
> Thanks,
>
> Jason Wright
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
>
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>
>
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
>
> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>
>
>
>
>

Re: [sleuthkit-users] fiwalk output

[Alex N. <ajn...@cs...>]

Oh, that's exciting.  You've found a bug.  Correcting the bug will unfortunately probably require access to the metadata structures on the disk image, best dumpable with istat and icat.

Does this happen to be a shareable disk image?  (Long shot, I know.)

--Alex


On Oct 11, 2013, at 14:36 , Jason Wright <jwr...@gm...> wrote:

> Yes, it does normally, but in this case it did not. For both entries in the dfxml, the alloc field is 1. 
> 
> 
> On Fri, Oct 11, 2013 at 2:34 PM, Simson Garfinkel <si...@ac...> wrote:
> The XML indicates whether the file is allocated or not.
> 
> On Oct 11, 2013, at 2:32 PM, Jason Wright <jwr...@gm...> wrote:
> 
>> I don't have the exact fiwalk output accessible here, so sorry that I can't paste it in for more clarity, but at present the only difference in the fileobjects for both inodes in the dfxml, is the filename. After researching I think found that one was for a deleted entry based off of some fls output I obtained. That cleared things up. My next thought was then, how can I use fiwalk to help differentiate between the allocated and deleted entries for two files referencing the same inode from the same partition on a drive. 
>> 
>> I'm not sure there is anything at present and wanted to find out before creating something on my own. 
>> 
>> Thanks again,
>> 
>> Jason
>> 
>> 
>> On Fri, Oct 11, 2013 at 2:19 PM, Alex Nelson <ajn...@cs...> wrote:
>> Whoops, looks like you beat me to a response.  But yes, that clarifies your question.
>> 
>> I think your question boils down to recording allocation status.  Do you have DFXML output from Fiwalk?  Are there <alloc> or <unalloc> elements for the fileobjects that you're looking at?
>> 
>> --Alex
>> 
>> 
>> On Oct 11, 2013, at 14:16 , Jason Wright <jwr...@gm...> wrote:
>> 
>>> Thanks, Alex. What I've come across is two references for the same inode in the fiwalk output for a particular drive. Both are on the same partition. One is for the allocated file the other is for the unallocated state for the filename of the file that previously used the inode. 
>>> 
>>> If running fls and looking for inode 79456, for example, you may get these two outputs
>>> +++ r/r 79456-128-3: filename1.ext
>>> ++++++++ r/r 79456-128-3(realloc): filename2.ext
>>> 
>>> So, in this case filename2.ext is a reference for a file that once used inode 79456 and the file that currently uses the inode is filename1.ext. 
>>> 
>>> What I'm interested in is a possible reference in the dfxml fiwalk output that would differentiate the two references?
>>> 
>>> Hopefully, that helps explain it a little better. 
>>> 
>>> R/
>>> 
>>> Jason
>>> 
>>> 
>>> 
>>> 
>>> On Fri, Oct 11, 2013 at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:
>>> That's interesting.  It might, but I don't understand the whole situation you're describing.  What are indicators of reallocation for a disk image at a single point in time?  Do you mean multiple hard-links to the same file exist and are legitimate files?  Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state?
>>> 
>>> --Alex
>>> 
>>> 
>>> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>>> 
>>>> All,
>>>> 
>>>> 
>>>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. In know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>>>> 
>>>> Thanks,
>>>> 
>>>> Jason Wright
>>>> ------------------------------------------------------------------------------
>>>> October Webinars: Code for Performance
>>>> Free Intel webinars can help you accelerate application performance.
>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>>>> the latest Intel processors and coprocessors. See abstracts and register >
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
>>> 
>>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> October Webinars: Code for Performance
>> Free Intel webinars can help you accelerate application performance.
>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>> the latest Intel processors and coprocessors. See abstracts and register >
>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
> 
> 

Re: [sleuthkit-users] fiwalk output

[Alex N. <ajn...@cs...>]

It's a shame that causes confusion...maybe it'd be worth including an XML comment next to <unalloc>?  <!--This file was marked as deleted-->?  The (un)alloc elements are sufficient information to display allocation status for scripts, but I suppose are easy to overlook with eyes.

--Alex


On Oct 11, 2013, at 14:21 , Simson Garfinkel <si...@ac...> wrote:

> From Jason's description it sounds like he has an allocated file and a deleted file that use the same filenode. This has caused confusion for others. The deleted "file" is probably just an old deleted directory entry.
> 
> On Oct 11, 2013, at 2:17 PM, Alex Nelson <ajn...@cs...> wrote:
> 
>> Jason, if you actually meant the multiple hard-link situation, then TSK should be able to expose this as finding multiple directory entries (I forgot the struct name, but it's an abstract-sounding "Name" struct).  In the TSK API, you would encounter this during a directory hierarchy walk, and I think you'd have to retain this in your own structure.
>> 
>> Currently, Fiwalk indirectly records multiple paths referencing the same MFT entry by using the <inode> and <parent_object> elements.
>> 
>> It's theoretically possible to record a file's name with from where the name came:
>> https://github.com/dfxml-working-group/dfxml_schema/issues/12
>> That's engineering that is awaiting (1) free time and (2) a little discussion for whether it's something worth doing, and whether what's in that Issue is the right way to go about it.
>> 
>> Of course, if I'm guessing wrong and you mean only one of the entries was actually allocated (which seems so, now that I've re-read your original message), that's a different matter.
>> 
>> --Alex
>> 
>> 
>> On Oct 11, 2013, at 14:08 , Simson Garfinkel <si...@ac...> wrote:
>> 
>>> The real question is this — how does SleuthKit handle it, and how do you want to indicate it?
>>> 
>>> On Oct 11, 2013, at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:
>>> 
>>>> That's interesting.  It might, but I don't understand the whole situation you're describing.  What are indicators of reallocation for a disk image at a single point in time?  Do you mean multiple hard-links to the same file exist and are legitimate files?  Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state?
>>>> 
>>>> --Alex
>>>> 
>>>> 
>>>> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>>>> 
>>>>> All,
>>>>> 
>>>>> 
>>>>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. In know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> Jason Wright
>>>>> ------------------------------------------------------------------------------
>>>>> October Webinars: Code for Performance
>>>>> Free Intel webinars can help you accelerate application performance.
>>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>>>>> the latest Intel processors and coprocessors. See abstracts and register >
>>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>>>>> sleuthkit-users mailing list
>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>> http://www.sleuthkit.org
>>>> 
>>>> ------------------------------------------------------------------------------
>>>> October Webinars: Code for Performance
>>>> Free Intel webinars can help you accelerate application performance.
>>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>>>> the latest Intel processors and coprocessors. See abstracts and register >
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
>>> 
>> 
> 

Re: [sleuthkit-users] fiwalk output

[Alex N. <ajn...@cs...>]

In Fiwalk's DFXML output, you should see this in the "Present" file's <fileobject>:

<alloc>1</alloc>

In the deleted file, you should see this:

<unalloc>1</unalloc>

If you don't, that's a bug.

--Alex


On Oct 11, 2013, at 14:32 , Jason Wright <jwr...@gm...> wrote:

> I don't have the exact fiwalk output accessible here, so sorry that I can't paste it in for more clarity, but at present the only difference in the fileobjects for both inodes in the dfxml, is the filename. After researching I think found that one was for a deleted entry based off of some fls output I obtained. That cleared things up. My next thought was then, how can I use fiwalk to help differentiate between the allocated and deleted entries for two files referencing the same inode from the same partition on a drive. 
> 
> I'm not sure there is anything at present and wanted to find out before creating something on my own. 
> 
> Thanks again,
> 
> Jason
> 
> 
> On Fri, Oct 11, 2013 at 2:19 PM, Alex Nelson <ajn...@cs...> wrote:
> Whoops, looks like you beat me to a response.  But yes, that clarifies your question.
> 
> I think your question boils down to recording allocation status.  Do you have DFXML output from Fiwalk?  Are there <alloc> or <unalloc> elements for the fileobjects that you're looking at?
> 
> --Alex
> 
> 
> On Oct 11, 2013, at 14:16 , Jason Wright <jwr...@gm...> wrote:
> 
>> Thanks, Alex. What I've come across is two references for the same inode in the fiwalk output for a particular drive. Both are on the same partition. One is for the allocated file the other is for the unallocated state for the filename of the file that previously used the inode. 
>> 
>> If running fls and looking for inode 79456, for example, you may get these two outputs
>> +++ r/r 79456-128-3: filename1.ext
>> ++++++++ r/r 79456-128-3(realloc): filename2.ext
>> 
>> So, in this case filename2.ext is a reference for a file that once used inode 79456 and the file that currently uses the inode is filename1.ext. 
>> 
>> What I'm interested in is a possible reference in the dfxml fiwalk output that would differentiate the two references?
>> 
>> Hopefully, that helps explain it a little better. 
>> 
>> R/
>> 
>> Jason
>> 
>> 
>> 
>> 
>> On Fri, Oct 11, 2013 at 1:46 PM, Alex Nelson <ajn...@cs...> wrote:
>> That's interesting.  It might, but I don't understand the whole situation you're describing.  What are indicators of reallocation for a disk image at a single point in time?  Do you mean multiple hard-links to the same file exist and are legitimate files?  Or do you mean a file was unlinked somewhere and reallocated, but the file system was imaged in an inconsistent state?
>> 
>> --Alex
>> 
>> 
>> On Oct 11, 2013, at 13:36 , Jason Wright <jwr...@gm...> wrote:
>> 
>>> All,
>>> 
>>> 
>>> Does the dfxml output of fiwalk report whether a file object has been reallocated? Fls will (indicated by realloc), but will fiwalk do the same? I've come across this situation for a particular ntfs partition and have found two references for the same inode in fiwalk. In know which one is the allocated entry based off of fls, but I'm not sure of how that can be identified in fiwalk. Does anyone have any suggestions?
>>> 
>>> Thanks,
>>> 
>>> Jason Wright
>>> ------------------------------------------------------------------------------
>>> October Webinars: Code for Performance
>>> Free Intel webinars can help you accelerate application performance.
>>> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
>>> the latest Intel processors and coprocessors. See abstracts and register >
>>> http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
>> 
>> 
> 
>