sleuthkit-users Mailing List for The Sleuth Kit (Page 53)
From: Willi B. <wil...@gm...> - 2013-10-07 18:15:58

Perhaps I've missed a menu item, but I don't remember seeing a way to re-run the ingest process on a given case. Assuming that's true, I would prefer to bail at the first opportunity. If I'm using Autopsy during an investigation with a set of plugins, I've decided to use them for a specific reason (otherwise they'd be disabled for better performance). Therefore, if I spend a while waiting for processing to complete, only to learn it's in fact incomplete and the only way to finish is to re-ingest, I'd be annoyed.

If there is a way to re-ingest a case, then a large warning dialog with a quick fix/reconfigure button would be my second choice.

Willi

On Mon, Oct 7, 2013 at 1:44 PM, Alex Nelson <ajn...@cs...> wrote:
> I vote 1, because one faulty module should not prevent the other modules'
> results, which may take a long time, from doing their work. (Please
> believe me that this is not commentary on other current events.)
>
> However, this requires the module framework have support for a results
> dependency graph. This'll take some intelligent designer's time to get
> across gracefully to the end user if one module among many fails. (I can
> say from experience that Make and Dot/GraphViz are not a simple solution.)
>
> How do later modules in a pipeline specify that they need the results of
> an earlier module?
>
> --Alex
>
> On Oct 7, 2013, at 13:26 , Nanni Bassetti <dig...@gm...> wrote:
> > My vote is for the number 2 :-)
> > bye
> > --
> > Dr. Nanni Bassetti
> > http://www.nannibassetti.com
> > CAINE project manager - http://www.caine-live.net
> > ------------------------------------------------------------------------------
> > October Webinars: Code for Performance
> > Free Intel webinars can help you accelerate application performance.
> > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> > the latest Intel processors and coprocessors. See abstracts and register >
> > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
From: Ketil F. <ke...@fr...> - 2013-10-07 18:12:30

I'm for #2 - halt and notify. To continue processing, fix the problem or disable the modules that didn't initialize.

On Mon, Oct 7, 2013 at 7:22 PM, Brian Carrier <ca...@sl...> wrote:
> There was an error reported last week that the Keyword Search module failed to initialize. We're reviewing how that situation was handled and we have two options. We're looking for feedback.
>
> The scenario is that the user has selected the ingest modules that they want to run on the data source. One of the modules fails to initialize (we have a model where each module is initialized, it then runs on the entire disk or set of files, and then is closed). What should we do when a module does not initialize (for the sake of example, let's say it was a hash calculation module)?
>
> 1) We log the error, notify the user with a message, and continue to run the modules that did initialize. In our current example, a challenge is that the later modules in the pipeline may be depending on that module's output. For example, the hash lookup module will need the hash value so that it can use its hash databases. This approach requires the user to then decide to cancel and restart (which may result in duplicate data).
>
> 2) We halt the pipeline and no data is analyzed unless all modules could initialize. The user is notified and can either fix the problem or remove the module from the pipeline so that it can continue.
>
> Preferences?
>
> brian

--
-Ketil
From: <slo...@gm...> - 2013-10-07 18:12:02

I vote option 2. Simple is better. I can handle disabling a module fast and simply based on an error report much easier than you can avoid it programmatically. I just need to know the error to determine my best course of action.

On Mon, Oct 7, 2013 at 10:44 AM, Alex Nelson <ajn...@cs...> wrote:
> I vote 1, because one faulty module should not prevent the other modules'
> results, which may take a long time, from doing their work. (Please
> believe me that this is not commentary on other current events.)
>
> However, this requires the module framework have support for a results
> dependency graph. This'll take some intelligent designer's time to get
> across gracefully to the end user if one module among many fails. (I can
> say from experience that Make and Dot/GraphViz are not a simple solution.)
>
> How do later modules in a pipeline specify that they need the results of
> an earlier module?
>
> --Alex
>
> On Oct 7, 2013, at 13:26 , Nanni Bassetti <dig...@gm...> wrote:
> > My vote is for the number 2 :-)
> > bye
> > --
> > Dr. Nanni Bassetti
> > http://www.nannibassetti.com
> > CAINE project manager - http://www.caine-live.net
From: Jon S. <jo...@li...> - 2013-10-07 18:09:37

#2 seems the approach that'll lead to the least surprise.

Jon

On Mon, Oct 7, 2013 at 1:22 PM, Brian Carrier <ca...@sl...> wrote:
> There was an error reported last week that the Keyword Search module failed to initialize. We're reviewing how that situation was handled and we have two options. We're looking for feedback.
>
> The scenario is that the user has selected the ingest modules that they want to run on the data source. One of the modules fails to initialize (we have a model where each module is initialized, it then runs on the entire disk or set of files, and then is closed). What should we do when a module does not initialize (for the sake of example, let's say it was a hash calculation module)?
>
> 1) We log the error, notify the user with a message, and continue to run the modules that did initialize. In our current example, a challenge is that the later modules in the pipeline may be depending on that module's output. For example, the hash lookup module will need the hash value so that it can use its hash databases. This approach requires the user to then decide to cancel and restart (which may result in duplicate data).
>
> 2) We halt the pipeline and no data is analyzed unless all modules could initialize. The user is notified and can either fix the problem or remove the module from the pipeline so that it can continue.
>
> Preferences?
>
> brian

--
Jon Stewart, Principal
(646) 719-0317 | jo...@li... | Arlington, VA
From: Alex N. <ajn...@cs...> - 2013-10-07 18:01:13

I vote 1, because one faulty module should not prevent the other modules' results, which may take a long time, from doing their work. (Please believe me that this is not commentary on other current events.)

However, this requires the module framework have support for a results dependency graph. This'll take some intelligent designer's time to get across gracefully to the end user if one module among many fails. (I can say from experience that Make and Dot/GraphViz are not a simple solution.)

How do later modules in a pipeline specify that they need the results of an earlier module?

--Alex

On Oct 7, 2013, at 13:26 , Nanni Bassetti <dig...@gm...> wrote:
> My vote is for the number 2 :-)
> bye
> --
> Dr. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
From: Nanni B. <dig...@gm...> - 2013-10-07 17:26:49

My vote is for the number 2 :-)
bye

--
Dr. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net
From: Brian C. <ca...@sl...> - 2013-10-07 17:22:29

There was an error reported last week that the Keyword Search module failed to initialize. We're reviewing how that situation was handled and we have two options. We're looking for feedback.

The scenario is that the user has selected the ingest modules that they want to run on the data source. One of the modules fails to initialize (we have a model where each module is initialized, it then runs on the entire disk or set of files, and then is closed). What should we do when a module does not initialize (for the sake of example, let's say it was a hash calculation module)?

1) We log the error, notify the user with a message, and continue to run the modules that did initialize. In our current example, a challenge is that the later modules in the pipeline may be depending on that module's output. For example, the hash lookup module will need the hash value so that it can use its hash databases. This approach requires the user to then decide to cancel and restart (which may result in duplicate data).

2) We halt the pipeline and no data is analyzed unless all modules could initialize. The user is notified and can either fix the problem or remove the module from the pipeline so that it can continue.

Preferences?

brian
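The two options in the poll, and the dependency question Alex raises in reply, modelled as an added example. This is illustration code, not Autopsy's ingest framework: the `Module` record, its `requires` field and the module names are assumptions made for the example. Under "continue" (option 1) a failed module is skipped together with every module downstream of it, so hash lookup never runs without hash calculation; under "halt" (option 2) nothing runs until every module initialises.

```python
"""Added model of the ingest poll: 'halt' vs 'continue' when a module fails to
initialise. Example code, not Autopsy's ingest framework; names are invented."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Module:
    name: str
    requires: Set[str]            # earlier modules whose results this one consumes
    init: Callable[[], bool]      # returns False when initialisation fails


class PipelineHalted(Exception):
    """Raised under the 'halt' policy when any module fails to initialise."""


def validate_order(modules: List[Module]) -> None:
    """Every dependency must be a module that runs earlier in the pipeline."""
    seen: Set[str] = set()
    for m in modules:
        missing = m.requires - seen
        if missing:
            raise ValueError(f"{m.name} requires {sorted(missing)} before it")
        seen.add(m.name)


def plan(modules: List[Module], policy: str) -> Dict[str, object]:
    """Initialise every module and decide what actually runs.

    policy == "halt":     option 2, nothing runs unless everything initialised.
    policy == "continue": option 1, run what initialised, but also skip any module
                          whose (transitive) inputs will never be produced.
    """
    validate_order(modules)
    failed = [m.name for m in modules if not m.init()]
    if policy == "halt":
        if failed:
            raise PipelineHalted(f"halting; failed to initialise: {failed}")
        return {"run": [m.name for m in modules], "skipped": {}}
    if policy != "continue":
        raise ValueError(f"unknown policy {policy!r}")
    skipped: Dict[str, str] = {n: "failed to initialise" for n in failed}
    # Pipeline order puts dependencies first, so a single pass propagates
    # "skipped" down the whole dependency chain.
    for m in modules:
        if m.name in skipped:
            continue
        lost = sorted(m.requires & set(skipped))
        if lost:
            skipped[m.name] = f"input from {lost} will not be produced"
    run = [m.name for m in modules if m.name not in skipped]
    return {"run": run, "skipped": skipped}


def sample_pipeline(hash_calc_ok: bool = False) -> List[Module]:
    """Constructed pipeline mirroring the post: hash lookup needs hash calculation."""
    return [
        Module("file_type", set(), lambda: True),
        Module("hash_calc", set(), lambda: hash_calc_ok),
        Module("hash_lookup", {"hash_calc"}, lambda: True),
        Module("keyword_search", {"file_type"}, lambda: True),
    ]


if __name__ == "__main__":
    print(plan(sample_pipeline(), "continue"))
    try:
        plan(sample_pipeline(), "halt")
    except PipelineHalted as e:
        print(e)
```

The "continue" branch is the part the thread is arguing about: without the `requires` declaration the framework cannot know that hash lookup is now pointless, which is why option 1 needs the dependency graph Alex mentions, whereas option 2 needs nothing beyond the list of modules that failed.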
From: Loui O. <lou...@gm...> - 2013-10-07 09:28:09
From: Brian C. <ca...@sl...> - 2013-10-03 14:58:11

For everyone's update, it seems that the SOLR (keyword search) service was not happy. A reboot fixed the problem, but we will look into making sure that we give better errors in this case.

thanks,
brian

On Oct 3, 2013, at 10:04 AM, Nanni Bassetti <dig...@gm...> wrote:
> 64bit and yes I see all the file system hierarchy, I don't get any error, all the rest works fine!
> thanks bye
>
> 2013/10/3 Brian Carrier <ca...@sl...>
> > 32-bit version or 64-bit version?
> >
> > If you open up the "Data Sources" node in the tree, does it show you the file system hierarchy or is it one big unallocated chunk?
> >
> > You don't get any other errors?
> >
> > On Oct 3, 2013, at 2:46 AM, Nanni Bassetti <dig...@gm...> wrote:
> > > Hi all,
> > > I ran Autopsy 3.07 on a Win 7 OS against a 500Gb NTFS disk image file in EWF format made by Guymager 7.1.
> > > When I tried to do a keyword search I got this msg:
> > >
> > > "No files were indexed - Re-Ingest the image with keyword search module enabled"
> > >
> > > The keyword module is enabled; I re-ingested everything, it finished and I re-tried the keyword search, but nothing... the same previous error message.
> > > In the directory "\ModuleOutput\keywordsearch\data\index" I have only two files of 1Kb size:
> > > segments.gen and segments_1
> > >
> > > With the past release I did not get this problem... what am I doing wrong?
> > > Thanks
> > >
> > > --
> > > Dr. Nanni Bassetti
> > > http://www.nannibassetti.com
> > > CAINE project manager - http://www.caine-live.net
>
> --
> Dr. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
From: Nanni B. <dig...@gm...> - 2013-10-03 14:04:14

64bit and yes I see all the file system hierarchy, I don't get any error, all the rest works fine!
thanks bye

2013/10/3 Brian Carrier <ca...@sl...>
> 32-bit version or 64-bit version?
>
> If you open up the "Data Sources" node in the tree, does it show you the file system hierarchy or is it one big unallocated chunk?
>
> You don't get any other errors?
>
> On Oct 3, 2013, at 2:46 AM, Nanni Bassetti <dig...@gm...> wrote:
> > Hi all,
> > I ran Autopsy 3.07 on a Win 7 OS against a 500Gb NTFS disk image file in EWF format made by Guymager 7.1.
> > When I tried to do a keyword search I got this msg:
> >
> > "No files were indexed - Re-Ingest the image with keyword search module enabled"
> >
> > The keyword module is enabled; I re-ingested everything, it finished and I re-tried the keyword search, but nothing... the same previous error message.
> > In the directory "\ModuleOutput\keywordsearch\data\index" I have only two files of 1Kb size:
> > segments.gen and segments_1
> >
> > With the past release I did not get this problem... what am I doing wrong?
> > Thanks
> >
> > --
> > Dr. Nanni Bassetti
> > http://www.nannibassetti.com
> > CAINE project manager - http://www.caine-live.net

--
Dr. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net
From: Brian C. <ca...@sl...> - 2013-10-03 14:02:07

32-bit version or 64-bit version?

If you open up the "Data Sources" node in the tree, does it show you the file system hierarchy or is it one big unallocated chunk?

You don't get any other errors?

On Oct 3, 2013, at 2:46 AM, Nanni Bassetti <dig...@gm...> wrote:
> Hi all,
> I ran Autopsy 3.07 on a Win 7 OS against a 500Gb NTFS disk image file in EWF format made by Guymager 7.1.
> When I tried to do a keyword search I got this msg:
>
> "No files were indexed - Re-Ingest the image with keyword search module enabled"
>
> The keyword module is enabled; I re-ingested everything, it finished and I re-tried the keyword search, but nothing... the same previous error message.
> In the directory "\ModuleOutput\keywordsearch\data\index" I have only two files of 1Kb size:
> segments.gen and segments_1
>
> With the past release I did not get this problem... what am I doing wrong?
> Thanks
>
> --
> Dr. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
From: Nanni B. <dig...@gm...> - 2013-10-03 06:46:47

Hi all,
I ran Autopsy 3.07 on a Win 7 OS against a 500Gb NTFS disk image file in EWF format made by Guymager 7.1.
When I tried to do a keyword search I got this msg:

"No files were indexed - Re-Ingest the image with keyword search module enabled"

The keyword module is enabled; I re-ingested everything, it finished and I re-tried the keyword search, but nothing... the same previous error message.
In the directory "\ModuleOutput\keywordsearch\data\index" I have only two files of 1Kb size:
segments.gen and segments_1

With the past release I did not get this problem... what am I doing wrong?
Thanks

--
Dr. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net
From: Stuart M. <st...@ap...> - 2013-10-03 06:27:09

This may be one more for the dev list, but here goes anyway.

In testing my Java binding for TSK (soon to be released, I promise!) I came across weird errors when calling tsk_fs_dir_walk. I was under the impression that if I wanted to halt the walk, no matter where in the recursive process we are, I could call TSK_WALK_ERROR from the callback. Yet looking at the code in fs_dir.c it appears that if the callback returns TSK_WALK_ERROR, the central tsk_fs_dir_walk_lcl can 'reset the error' and continue. It appears that TSK_WALK_STOP will bail the walk immediately. This behaviour doesn't seem to jive with the public (web) explanations of the WALK_RET_ENUM.

Anyone care to comment?

Stuart
From: Ade <adr...@nt...> - 2013-10-02 11:02:27

Hi Bala

The dd format is a bit copy of the input file; any metadata for the file will not appear in your dd image file. If your imaging tool has the ability to generate metadata about the disk image or input file, it will appear in a separate file, but only if you configure your imaging tool to log that metadata.

Ade

On Wednesday 02 Oct 2013 16:19:17 Bala wrote:
> Hi Guys
>
> Is there a way to extract metadata from a *.dd file (files with the extension .dd)?
> I know for sure that libewf extracts E01 and Ex01 metadata, however it doesn't seem to work with .dd files.
>
> Regards
> Bala
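An added example of the point Ade makes, written for this page and not taken from libewf or The Sleuth Kit: the only things you can pull out of a raw image are the container signature (which is how you tell an E01 from a dd in the first place), the disk's own on-disk structures, and hashes you compute yourself; acquisition details such as examiner, drive serial or tool version exist only if the imaging tool wrote them to a sidecar. The 8-byte E01 signature is the file header libewf documents for EWF-E01 segments. The sidecar layout below is a made-up key/value record for illustration, not Guymager's .info format, and the 4-sector image is constructed inline.

```python
"""Added example: what a raw/dd image does and does not carry (not libewf/TSK code).

A dd file is the disk's bytes and nothing else. What can be recovered from the
file itself is the container signature (EWF vs raw) and the disk's own structures,
here the MBR partition table; everything else has to come from a sidecar.
"""
import hashlib
import struct
from typing import Dict, List

# First 8 bytes of every EWF-E01 segment file, as documented by libewf.
EWF_E01_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"


def image_format(data: bytes) -> str:
    """Return 'ewf-e01' for an E01 container, otherwise treat the file as raw (dd)."""
    return "ewf-e01" if data.startswith(EWF_E01_SIGNATURE) else "raw"


def parse_mbr(sector0: bytes) -> List[Dict[str, int]]:
    """Decode the four primary partition entries of a classic MBR (table at offset 446)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR signature (0x55AA)")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        lba_start, lba_len = struct.unpack("<II", entry[8:16])
        if ptype == 0 or lba_len == 0:          # unused slot
            continue
        parts.append({"index": i, "bootable": boot_flag == 0x80, "type": ptype,
                      "lba_start": lba_start, "lba_len": lba_len})
    return parts


def sidecar_record(data: bytes, source_name: str) -> Dict[str, str]:
    """Metadata an acquisition tool has to log beside a dd image (invented layout)."""
    return {
        "source": source_name,
        "size_bytes": str(len(data)),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_against_sidecar(data: bytes, record: Dict[str, str]) -> bool:
    """Re-hash the image and compare with the sidecar: the only integrity check dd offers."""
    return (len(data) == int(record["size_bytes"])
            and hashlib.sha256(data).hexdigest() == record["sha256"])


def build_sample_raw_image() -> bytes:
    """Constructed 4-sector raw image: MBR with one bootable type-0x07 partition at LBA 1."""
    mbr = bytearray(512)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA length
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 1, 3)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + b"\x00" * 512 * 3


if __name__ == "__main__":
    img = build_sample_raw_image()
    print(image_format(img), parse_mbr(img[:512]))
    print(sidecar_record(img, "constructed.dd"))
```

Run against a real dd file, `image_format` will report "raw" and `parse_mbr` will show whatever partition table the disk had, which is exactly as much metadata as the format carries; if you need the hashes the imager computed at acquisition time, look for its sidecar rather than inside the image.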
From: Bala <bal...@cs...> - 2013-10-02 10:49:37

Hi Guys

Is there a way to extract metadata from a *.dd file (files with the extension .dd)?
I know for sure that libewf extracts E01 and Ex01 metadata, however it doesn't seem to work with .dd files.

Regards
Bala
From: Brian C. <ca...@sl...> - 2013-09-30 17:18:07

We're trying to plan accordingly for OSDFCon and need to know how much time to allocate to reviewing module submissions. If you are working on a module for the competition (http://www.basistechweek.com/osdf.html#contest), can you shoot me an e-mail off list? I want to get a rough count.

thanks,
brian
From: Jason L. <jle...@ba...> - 2013-09-27 14:04:48

The registry is analyzed during ingest for the Recent Activity results under Extracted Content (devices attached, installed programs, etc.). In 3.0.7 (just released), raw RegRipper output is available in Extracted Content as well under Raw Tool Output. We'd like to evolve the registry analysis, so any feedback logged in the Github issues would be really helpful - especially when comparing to other tools, or what you'd like to see that other tools aren't doing.

Jason

------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Sep 21, 2013, at 9:49 PM, Mitch Wander <mw...@gm...> wrote:
> Can someone please describe to me the Autopsy 3 capabilities when it comes to registry analysis?
>
> For comparison purposes, I'm looking through the NIST Dell Hacking Case (that we have previously reviewed using other tools) and trying to analyze the same case using Autopsy 3.
>
> Thanks.
>
> Mitch
From: Alex N. <ajn...@cs...> - 2013-09-26 18:35:49

That page appears to have some, though not total, overlap with the corpora page on the forensics wiki:
http://www.forensicswiki.org/wiki/Forensic_corpora

--Alex

On Thu, Sep 26, 2013 at 12:06 PM, slo...@gm... <slo...@gm...> wrote:
> Here is a source with links to a wide selection of images...
>
> http://www.forensicfocus.com/images-and-challenges
>
> On Thu, Sep 26, 2013 at 9:02 AM, Umit Karabiyik <umi...@gm...> wrote:
> > Hi All,
> >
> > I am working on a project and using tsk_recover. I need to test my work on relatively large disk images, around 1GB. I've created some images; however, I would also like to use some publicly available disk images that people are already working on. The disk image might be even bigger as long as it has many (~1gb) files (pdf, doc, docx, xls, rtf, txt, odt, etc.) that include keywords or key streams.
> >
> > Any recommendation will be greatly appreciated.
> >
> > p.s. I've checked the Digital Corpora website
> >
> > Best,
> > Umit
From: <slo...@gm...> - 2013-09-26 16:06:16

Here is a source with links to a wide selection of images...

http://www.forensicfocus.com/images-and-challenges

On Thu, Sep 26, 2013 at 9:02 AM, Umit Karabiyik <umi...@gm...> wrote:
> Hi All,
>
> I am working on a project and using tsk_recover. I need to test my work on relatively large disk images, around 1GB. I've created some images; however, I would also like to use some publicly available disk images that people are already working on. The disk image might be even bigger as long as it has many (~1gb) files (pdf, doc, docx, xls, rtf, txt, odt, etc.) that include keywords or key streams.
>
> Any recommendation will be greatly appreciated.
>
> p.s. I've checked the Digital Corpora website
>
> Best,
> Umit
From: Umit K. <umi...@gm...> - 2013-09-26 16:02:32

Hi All,

I am working on a project and using tsk_recover. I need to test my work on relatively large disk images, around 1GB. I've created some images; however, I would also like to use some publicly available disk images that people are already working on. The disk image might be even bigger as long as it has many (~1gb) files (pdf, doc, docx, xls, rtf, txt, odt, etc.) that include keywords or key streams.

Any recommendation will be greatly appreciated.

p.s. I've checked the Digital Corpora website

Best,
Umit
From: Joachim M. <joa...@gm...> - 2013-09-26 06:30:28

Sure, I'll separate them out. Any preferred workflow there? Separate branch for new features? As I said before, I would opt for dedicating some text to describing the project's preferred dev workflow.

> (and since it's not broken, there are lots of higher priority things for me to think about :)

It is broken, it is failing to include stdc++. The fact that it "works for you" does not mean it is not-broken ;)

> there are lots of higher priority things for me to think about :)

I understand, but I would opt that (from the project POV) code and build stability are high prios. Otherwise consider adding a label about the code state: experimental, alpha, beta?

On Thu, Sep 26, 2013 at 12:04 AM, Brian Carrier <ca...@sl...> wrote:
> Hey Joachim,
>
> Can you separate out the bug fixes from the auto-conf changes in the pull request? I really hate changing autoconf/automake stuff unless I need to and over the years we have gone through various approaches of what to include and what not to include. The current approach has worked for several years and I haven't had enough cycles to think about the autoconf changes that you suggested and think through the implications (and since it's not broken, there are lots of higher priority things for me to think about :) ).
>
> thanks,
> brian
>
> On Sep 25, 2013, at 3:26 PM, Joachim Metz <joa...@gm...> wrote:
> > Can you include the proposed fixes/changes in
> > https://github.com/sleuthkit/sleuthkit/pull/211
> >
> > And make that TSK 4.1.3 ?
From: Brian C. <ca...@sl...> - 2013-09-25 22:04:50
Hey Joachim,

Can you separate out the bug fixes from the auto-conf changes in the pull request? I really hate changing autoconf/automake stuff unless I need to, and over the years we have gone through various approaches of what to include and what not to include. The current approach has worked for several years and I haven't had enough cycles to think about the autoconf changes that you suggested and think through the implications (and since it's not broken, there are lots of higher priority things for me to think about :) ).

thanks,
brian

On Sep 25, 2013, at 3:26 PM, Joachim Metz <joa...@gm...> wrote:

> Can you include the proposed fixes/changes in
> https://github.com/sleuthkit/sleuthkit/pull/211
>
> And make that TSK 4.1.3 ?
From: Brian C. <ca...@sl...> - 2013-09-25 22:01:55
Long overdue release with new features and bug fixes. New features include:

* Multi-select for tagging and extraction
* 64-bit Windows installer (has more limited video playback though)
* Raw regripper output is available.
* Metadata content viewer
* Custom tag names persist across cases

Bug fixes:

* Better error reporting
* TSK NTFS bug fix that was showing deleted files in the wrong folder.

http://www.sleuthkit.org/autopsy

Note to developers: Sorry. We had to make some backward incompatible API changes with this release. It should not affect your module development except that the major version of the platform incremented. You'll need to update your module to depend on the new version. Contact me with any questions about this.

Don't forget:

* 2-day Autopsy user training in November (http://info.basistech.com/blog/bid/317039/Autopsy-Training-Scheduled-for-November-6-7-2013)
* 1/2 day Autopsy development training before OSDFCon
From: Alex N. <ajn...@cs...> - 2013-09-25 20:40:40
On the multiple names: There is potentially a name in both of those spots, yes. I'm not sure offhand what happens with a multiple-hard-link file, though, and TSK's name resolution. It appears istat outputs the $FILE_NAME attribute from only the MFT, and not from the parent directory's btree. I think this is worth a little more exploration; maybe a DFXML extension?

https://github.com/dfxml-working-group/dfxml_schema/issues/12

Or did I conceptually blow it? Stuart seems correct by my mental recollection of the NTFS chapters.

--Alex

On Wed, Sep 25, 2013 at 2:37 PM, <st...@ap...> wrote:

> When e.g. fls in its body-file producing mode walks an NTFS filesystem,
> from which attributes of each 'file' (MFT entry) are each of the body file
> record fields produced?
>
> On a related note, even after numerous readings of the 3 NTFS chapters of
> Brian's book, I am still in the dark about the relationship between
> directories and files. Are files named BOTH by a 'name attribute' within
> the MFT entry AND named by a 'slot' from the parent directory (in an index
> tree???) ?
>
> Any clarification appreciated.
>
> Stuart
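Added example, not from the thread and not TSK's own code: a small Python parser for the body-file lines that `fls -m` produces, which is the format Stuart's question is about. It assumes the TSK 3.x+ body-file field order MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, that NTFS metadata addresses are printed as entry-type-id (so 64-48-2 is MFT entry 64, attribute type 48 = $FILE_NAME), and that fls tags $FILE_NAME-sourced lines with "($FILE_NAME)" and deleted entries with "(deleted)". The sample lines, paths and epoch times are constructed. It also collapses each record's four timestamps into mactime-style MACB events and includes one analyst heuristic, a $FILE_NAME creation time later than the same entry's $STANDARD_INFORMATION creation time; that check is this example's own idea, not something TSK emits.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TSK body-file field order: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
N_FIELDS = 11
# Suffixes fls appends to the name field; they are stripped to recover the bare path.
_TAG_RE = re.compile(r"\s*\((\$FILE_NAME|deleted|deleted-realloc)\)\s*$")


@dataclass
class BodyRecord:
    path: str                  # name with fls tags removed
    inode: str                 # raw metadata address as printed by fls
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int
    from_file_name_attr: bool  # name was tagged "($FILE_NAME)"
    deleted: bool
    mft_entry: Optional[int]   # NTFS "entry-type-id": the MFT entry number
    attr_type: Optional[int]   # NTFS attribute type (48 = $FILE_NAME, 128 = $DATA, 144 = $INDEX_ROOT)
    attr_id: Optional[int]


def parse_inode(inode: str) -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """NTFS addresses are "entry-type-id"; other file systems print a plain number."""
    parts = inode.split("-")
    if len(parts) == 3 and all(p.isdigit() for p in parts):
        return int(parts[0]), int(parts[1]), int(parts[2])
    if inode.isdigit():
        return int(inode), None, None
    raise ValueError(f"unrecognised metadata address: {inode!r}")


def parse_body_line(line: str) -> BodyRecord:
    fields = line.rstrip("\n").split("|")
    if len(fields) < N_FIELDS:
        raise ValueError(f"expected {N_FIELDS} fields, got {len(fields)}: {line!r}")
    # Rejoin the middle so a '|' inside a file name does not shift the nine trailing fields.
    path = "|".join(fields[1:-9])
    inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields[-9:]
    tags = set()
    while (m := _TAG_RE.search(path)):   # peel off every trailing "(...)" tag
        tags.add(m.group(1))
        path = path[:m.start()]
    entry, attr_type, attr_id = parse_inode(inode)
    return BodyRecord(path, inode, mode, int(uid), int(gid), int(size),
                      int(atime), int(mtime), int(ctime), int(crtime),
                      "$FILE_NAME" in tags, bool(tags & {"deleted", "deleted-realloc"}),
                      entry, attr_type, attr_id)


def parse_body(text: str) -> List[BodyRecord]:
    return [parse_body_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def macb_events(rec: BodyRecord) -> List[Tuple[int, str, str]]:
    """One event per distinct timestamp, flagged mactime-style with the m/a/c/b letters it covers."""
    by_ts = {}
    for letter, ts in (("m", rec.mtime), ("a", rec.atime), ("c", rec.ctime), ("b", rec.crtime)):
        by_ts.setdefault(ts, set()).add(letter)
    return [(ts, "".join(l if l in by_ts[ts] else "." for l in "macb"), rec.path)
            for ts in sorted(by_ts)]


def file_name_crtime_later(records: List[BodyRecord]) -> List[int]:
    """Analyst heuristic (this example's assumption, not a TSK output): $FILE_NAME times are
    set when the name is created and rarely touched later, so an entry whose $FILE_NAME
    creation time is newer than its $STANDARD_INFORMATION creation time deserves a look."""
    si = {r.mft_entry: r for r in records if not r.from_file_name_attr}
    return [r.mft_entry for r in records
            if r.from_file_name_attr and r.mft_entry in si and r.crtime > si[r.mft_entry].crtime]


# Constructed sample in fls -m shape; paths, addresses and epoch times are made up.
SAMPLE_BODY = """\
0|/Documents/report.docx|64-128-1|r/rrwxrwxrwx|0|0|18432|1380138000|1380137000|1380137000|1380130000
0|/Documents/report.docx ($FILE_NAME)|64-48-2|r/rrwxrwxrwx|0|0|18432|1380130000|1380130000|1380130000|1380130000
0|/Documents/notes.txt|71-128-1|r/rrwxrwxrwx|0|0|512|1380001000|1380001000|1380001000|1380000500
0|/Documents/notes.txt ($FILE_NAME)|71-48-2|r/rrwxrwxrwx|0|0|512|1380100000|1380100000|1380100000|1380100000
0|/$OrphanFiles/old.tmp (deleted)|90-128-1|r/rrwxrwxrwx|0|0|64|1379990000|1379990000|1379990000|1379990000
"""

if __name__ == "__main__":
    recs = parse_body(SAMPLE_BODY)
    for r in recs:
        src = "$FILE_NAME" if r.from_file_name_attr else "$STANDARD_INFORMATION"
        print(f"MFT {r.mft_entry:>3} attr {r.attr_type}-{r.attr_id} {src:<22} {r.path}")
        for ts, flags, _ in macb_events(r):
            print(f"    {ts} {flags}")
    print("entries with $FILE_NAME crtime later than $SI crtime:", file_name_crtime_later(recs))
```

Run it on a real `fls -m / -r image.dd` dump instead of SAMPLE_BODY to see, per MFT entry, which body lines carry $STANDARD_INFORMATION times (the plain lines) and which carry $FILE_NAME times (the tagged lines), which is the distinction istat's output and Stuart's question hinge on.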
From: Joachim M. <joa...@gm...> - 2013-09-25 19:26:23
Can you include the proposed fixes/changes in
https://github.com/sleuthkit/sleuthkit/pull/211

And make that TSK 4.1.3 ?