sleuthkit-users Mailing List for The Sleuth Kit (Page 54)
Brought to you by: carrier
From: Brian C. <ca...@sl...> - 2013-09-25 19:16:53

Yea. If you use Cellebrite to acquire an SD card or other large media, it splits the image up using a naming convention different than what TSK would detect. As I recall, it's something like:

image.bin
image(2).bin

If you point TSK at image.bin, it will now find image(2).bin, etc.

On Sep 25, 2013, at 10:54 AM, "Armet, Lee" <Lee...@td...> wrote:

> Cellebrite disk image --- so like... mobile image data ??
>
> Regards,
>
> Lee Armet | Senior Investigator, Digital Evidence | Global Security & Investigations | TD Bank Group
> T: (416) 982-6855 | M: (647) 242-0002
>
> -----Original Message-----
> From: Brian Carrier [mailto:ca...@sl...]
> Sent: Wednesday, September 25, 2013 9:11 AM
> To: sle...@li... Users; sle...@li...
> Subject: Re: [sleuthkit-users] [sleuthkit-announce] TSK 4.1.1 is available
>
> Note that a last minute inclusion of a fiwalk patch means that this will not compile in some cases on Linux (and apparently FreeBSD). We're testing the patch and will likely have a new release soon. Sorry about that.
>
> On Sep 24, 2013, at 11:00 PM, Brian Carrier <ca...@sl...> wrote:
>
>> New version is on the website. Mostly bug fixes.
>>
>> http://www.sleuthkit.org/sleuthkit
>>
>> Updates:
>> • FILE_NAME times in timelines
>> • Cellebrite disk image auto-detect
>> • 64-bit windows targets
>> • Fixed bug with Sqlite code not using NTFS Sequence
>> • Jar files have native libraries in them
>>
>> Corresponding autopsy release will come soon...
From: Brian C. <ca...@sl...> - 2013-09-25 19:14:56

Now compiles on Linux (again)! http://sleuthkit.org/sleuthkit/download.php
From: <st...@ap...> - 2013-09-25 18:58:16

When e.g. fls in its body-file producing mode walks an NTFS filesystem, from which attributes of each 'file' (MFT entry) are each of the body file record fields produced?

On a related note, even after numerous readings of the 3 NTFS chapters of Brian's book, I am still in the dark about the relationship between directories and files. Are files named BOTH by a 'name attribute' within the MFT entry AND named by a 'slot' from the parent directory (in an index tree???)?

Any clarification appreciated.

Stuart
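The body-file layout Stuart asks about, as an added example that is not part of the thread and not TSK code: a Python parser for the TSK 3.x body file that `fls -m` writes (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, times in Unix seconds). For NTFS the inode column carries the MFT entry plus attribute type and id (`4-128-4`), the default row's times come from $STANDARD_INFORMATION, and TSK 4.1 (the "FILE_NAME times in timelines" item in the release notes above) adds a second row per entry, suffixed ` ($FILE_NAME)`, carrying the $FILE_NAME times. The parser pairs the two rows per MFT entry and flags entries whose $SI creation time precedes the $FN creation time, a common timestamp-manipulation indicator. The sample lines are constructed; the attribute type ids 16, 48 and 128 are the NTFS on-disk values.

```python
# Added example, not from the thread or from TSK: parse TSK body-file lines
# (the format fls -m / mactime use) and pair the NTFS rows that carry
# $STANDARD_INFORMATION times with the rows fls emits for $FILE_NAME.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# TSK 3.x+ body file: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
               "atime", "mtime", "ctime", "crtime")
FN_SUFFIX = " ($FILE_NAME)"      # fls appends this to rows carrying $FILE_NAME times
ATTR_STANDARD_INFORMATION = 16   # NTFS attribute type ids (0x10, 0x30, 0x80)
ATTR_FILE_NAME = 48
ATTR_DATA = 128


@dataclass
class BodyRecord:
    md5: str
    name: str
    inode: str     # NTFS: "entry-attrtype-attrid", e.g. "4-128-4"; other FS: plain number
    mode: str
    uid: int
    gid: int
    size: int
    atime: int     # Unix epoch seconds; 0 when the filesystem has no such timestamp
    mtime: int
    ctime: int
    crtime: int

    @property
    def mft_entry(self) -> int:
        return int(self.inode.split("-")[0])

    @property
    def attr_type(self) -> Optional[int]:
        parts = self.inode.split("-")
        return int(parts[1]) if len(parts) >= 2 else None

    @property
    def from_file_name_attr(self) -> bool:
        return self.name.endswith(FN_SUFFIX) or self.attr_type == ATTR_FILE_NAME

    @property
    def path(self) -> str:
        return self.name[:-len(FN_SUFFIX)] if self.name.endswith(FN_SUFFIX) else self.name


def parse_body_line(line: str) -> BodyRecord:
    """Split one pipe-delimited body-file line (names must not contain '|')."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != len(BODY_FIELDS):
        raise ValueError(f"expected {len(BODY_FIELDS)} fields, got {len(parts)}: {line!r}")
    f = dict(zip(BODY_FIELDS, parts))
    return BodyRecord(f["md5"], f["name"], f["inode"], f["mode"],
                      int(f["uid"]), int(f["gid"]), int(f["size"]),
                      int(f["atime"]), int(f["mtime"]), int(f["ctime"]), int(f["crtime"]))


def parse_body(text: str) -> List[BodyRecord]:
    return [parse_body_line(line) for line in text.splitlines() if line.strip()]


def pair_ntfs_rows(records: List[BodyRecord]) -> Dict[int, Dict[str, BodyRecord]]:
    """Group rows by MFT entry: {entry: {"si": default row, "fn": $FILE_NAME row}}.
    The first $DATA row of an entry is kept as its "si" row (alternate streams share the times)."""
    by_entry: Dict[int, Dict[str, BodyRecord]] = {}
    for r in records:
        key = "fn" if r.from_file_name_attr else "si"
        by_entry.setdefault(r.mft_entry, {}).setdefault(key, r)
    return by_entry


def find_crtime_anomalies(records: List[BodyRecord]) -> List[Tuple[int, str, int, int]]:
    """Entries whose $SI creation time is earlier than the $FN creation time.
    $FN times are normally set only when a file is created, renamed or moved, so an $SI
    birth time that predates the $FN birth time is a heuristic worth a closer look."""
    hits = []
    for entry, rows in pair_ntfs_rows(records).items():
        si, fn = rows.get("si"), rows.get("fn")
        if si and fn and si.crtime < fn.crtime:
            hits.append((entry, si.path, si.crtime, fn.crtime))
    return hits


def iso(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


# Constructed sample: two NTFS files, each with a $DATA row ($SI times) and a $FILE_NAME row.
SAMPLE_BODY = """\
0|/Windows/notepad.exe|1234-128-3|r/rrwxrwxrwx|0|0|193536|1379400000|1379400000|1379400000|1379400000
0|/Windows/notepad.exe ($FILE_NAME)|1234-48-2|r/rrwxrwxrwx|0|0|193536|1379400000|1379400000|1379400000|1379400000
0|/Users/alice/notes.txt|5678-128-1|r/rrwxrwxrwx|0|0|40|1000000000|1000000000|1000000000|1000000000
0|/Users/alice/notes.txt ($FILE_NAME)|5678-48-2|r/rrwxrwxrwx|0|0|40|1379500000|1379500000|1379500000|1379500000
"""

if __name__ == "__main__":
    for entry, path, si_cr, fn_cr in find_crtime_anomalies(parse_body(SAMPLE_BODY)):
        print(f"MFT {entry} {path}: $SI created {iso(si_cr)} but $FN created {iso(fn_cr)}")
```

Run it on a real body file with `parse_body(open("body.txt").read())`; non-NTFS filesystems simply never produce an "fn" row, so the anomaly check is a no-op for them.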
From: Armet, L. <Lee...@td...> - 2013-09-25 15:09:22

Cellebrite disk image --- so like... mobile image data ??

Regards,

Lee Armet | Senior Investigator, Digital Evidence | Global Security & Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Wednesday, September 25, 2013 9:11 AM
To: sle...@li... Users; sle...@li...
Subject: Re: [sleuthkit-users] [sleuthkit-announce] TSK 4.1.1 is available

Note that a last minute inclusion of a fiwalk patch means that this will not compile in some cases on Linux (and apparently FreeBSD). We're testing the patch and will likely have a new release soon. Sorry about that.

On Sep 24, 2013, at 11:00 PM, Brian Carrier <ca...@sl...> wrote:

> New version is on the website. Mostly bug fixes.
>
> http://www.sleuthkit.org/sleuthkit
>
> Updates:
> • FILE_NAME times in timelines
> • Cellebrite disk image auto-detect
> • 64-bit windows targets
> • Fixed bug with Sqlite code not using NTFS Sequence
> • Jar files have native libraries in them
>
> Corresponding autopsy release will come soon...
From: Brian C. <ca...@sl...> - 2013-09-25 13:11:39

Note that a last minute inclusion of a fiwalk patch means that this will not compile in some cases on Linux (and apparently FreeBSD). We're testing the patch and will likely have a new release soon. Sorry about that.

On Sep 24, 2013, at 11:00 PM, Brian Carrier <ca...@sl...> wrote:

> New version is on the website. Mostly bug fixes.
>
> http://www.sleuthkit.org/sleuthkit
>
> Updates:
> • FILE_NAME times in timelines
> • Cellebrite disk image auto-detect
> • 64-bit windows targets
> • Fixed bug with Sqlite code not using NTFS Sequence
> • Jar files have native libraries in them
>
> Corresponding autopsy release will come soon...
From: Brian C. <ca...@sl...> - 2013-09-25 03:00:15

New version is on the website. Mostly bug fixes.

http://www.sleuthkit.org/sleuthkit

Updates:
• FILE_NAME times in timelines
• Cellebrite disk image auto-detect
• 64-bit windows targets
• Fixed bug with Sqlite code not using NTFS Sequence
• Jar files have native libraries in them

Corresponding autopsy release will come soon...
From: Jason W. <jwr...@gm...> - 2013-09-24 06:59:46

Use blkls to carve out the unallocated from your image, then use either foremost or scalpel to pull files from your unallocated collection.

R/
Jason Wright

On Sep 24, 2013 1:44 AM, "Bala" <bal...@cs...> wrote:

> Hi
>
> I need to find files in unallocated space and extract them from the forensic image.
>
> Is this something that could be done with SleuthKit in the first place, If YES could someone help me with the exact tool that I could use for this purpose and the commands if there exists any.
>
> Regards
>
> Bala
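The second step of Jason's answer (foremost or scalpel over the `blkls` output), as an added example that is not from the thread and is not foremost's or scalpel's code: a minimal header/footer carver in Python over an in-memory buffer that stands in for the unallocated data `blkls` writes. The two-entry signature table and the buffer contents are constructed. It shows the two decisions a carver makes for you that are worth understanding when reviewing its output: accepting headers only at cluster-aligned offsets, and skipping a header whose footer never turns up within the size limit rather than emitting garbage.

```python
# Added example, not from the thread and not foremost/scalpel code: the
# "pull files from your unallocated collection" step as a header/footer
# carver over an in-memory buffer standing in for the blkls output.
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# name -> (header, footer, maximum carve size). Constructed two-entry subset
# of the signature tables foremost/scalpel ship.
SIGNATURES: Dict[str, Tuple[bytes, bytes, int]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str
    offset: int   # byte offset inside the unallocated buffer, not in the original image
    data: bytes


def carve(buf: bytes, signatures=SIGNATURES, align: int = 512) -> List[Carved]:
    """Find every aligned header and take bytes up to the first footer within max size.

    align: files start on cluster boundaries, so a header at an unaligned offset is
    treated as stray bytes (fewer false positives); pass 0 to accept any offset.
    A header with no footer inside the size limit is skipped: the file was overwritten
    or truncated, and carving to a fixed length would only produce garbage."""
    found: List[Carved] = []
    for kind, (hdr, ftr, max_len) in signatures.items():
        pos = 0
        while True:
            start = buf.find(hdr, pos)
            if start < 0:
                break
            if align and start % align:
                pos = start + 1
                continue
            limit = min(len(buf), start + max_len)
            end = buf.find(ftr, start + len(hdr), limit)
            if end < 0:
                pos = start + 1
                continue
            end += len(ftr)
            found.append(Carved(kind, start, buf[start:end]))
            pos = end
    found.sort(key=lambda c: c.offset)
    return found


def write_carved(found: List[Carved], outdir: str) -> List[str]:
    """Name output files by offset, e.g. 00000512.jpg, as foremost does."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for c in found:
        p = os.path.join(outdir, f"{c.offset:08d}.{c.kind}")
        with open(p, "wb") as fh:
            fh.write(c.data)
        paths.append(p)
    return paths


def build_sample_unallocated() -> bytes:
    """Constructed 8 KiB of 'unallocated' data: a JPEG at 512, a PNG at 2048,
    a stray JPEG header mid-sector at 3000, and a footerless JPEG header at 4096."""
    buf = bytearray(8192)
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 100 + b"\xff\xd9"   # 112 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"B" * 200 + b"IEND\xaeB`\x82"          # 216 bytes
    buf[512:512 + len(jpg)] = jpg
    buf[2048:2048 + len(png)] = png
    buf[3000:3003] = b"\xff\xd8\xff"
    buf[4096:4106] = b"\xff\xd8\xff\xe0" + b"C" * 6       # header whose footer was overwritten
    return bytes(buf)


if __name__ == "__main__":
    for c in carve(build_sample_unallocated()):
        print(f"{c.kind} at offset {c.offset}, {len(c.data)} bytes")
```

To apply it to real data, replace `build_sample_unallocated()` with the bytes of the `blkls` output file; offsets reported by `carve` are relative to that file, and `blkcalc` is the TSK tool for mapping them back to the original image.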
From: Bala <bal...@cs...> - 2013-09-24 05:42:12

Hi

I need to find files in unallocated space and extract them from the forensic image.

Is this something that could be done with SleuthKit in the first place? If YES, could someone help me with the exact tool that I could use for this purpose, and the commands if there are any.

Regards
Bala
From: Mitch W. <mw...@gm...> - 2013-09-22 01:50:23

Can someone please describe to me the Autopsy 3 capabilities when it comes to registry analysis? For comparison purposes, I'm looking through the NIST Dell Hacking Case (that we have previously reviewed using other tools) and trying to analyze the same case using Autopsy 3.

Thanks.
Mitch
From: Jason W. <jwr...@gm...> - 2013-09-20 12:11:57

A couple of questions for you, because I've been looking at stuff like this myself lately.

1. Are you including the offset as a parameter in FS_Info? I've had to include that in the FS_Info call to be able to grab metadata or other things on that file system object.

2. Second, do you have the inode for what you are looking for? Do you have a corresponding fiwalk or fls? Fiwalk has been pretty effective for building off of in this sense for me of late. The fileobjects have everything you need to interact with the sleuthkit framework in this way. The filenames are the full path and the inodes are included, as well as the volume offset for each of the fileobjects. This may be what you need to get that directory information. I've been able to start there and work the same kind of processes with success.

R/
Jason Wright

On Fri, Sep 20, 2013 at 7:46 AM, alan browne <ala...@gm...> wrote:

> Hello list
>
> I seem to be stuck at step 3. I have been able to open the filesystem at a particular offset to get access to the partition but I am looking at how I can get a list of directory paths and/or inodes within that partition. As per the wiki page, to open the directory node assumes that I know the inode or directory path.
>
> ## Step 1: get an IMG_INFO object
> img = pytsk3.Img_Info(url)
>
> ## Step 2: Open the filesystem
> fs = pytsk3.FS_Info(img)
>
> ## Step 3: Open the directory node this will open the node based on path
> ## or inode as specified.
> directory = fs.open_dir(path=path, inode=inode)
>
> ## Step 4: Iterate over all files in the directory and print their
> ## name. What you get in each iteration is a proxy object for the
> ## TSK_FS_FILE struct - you can further dereference this struct into a
> ## TSK_FS_NAME and TSK_FS_META structs.
> for f in directory:
>     print f.info.meta.size, f.info.name.name
>
> --
> Regards
>
> ###########################
> #                         #
> #      Alan Browne        #
> #                         #
> ###########################
From: Michael C. <scu...@gm...> - 2013-09-20 12:08:50

Hi Alan,

Not sure what you are asking here. You can open the directory either by path name or by inode number so:

directory = fs.open_dir(path="/")

or

directory = fs.open_dir(inode=2)

If you don't know anything about the filesystem you can just use path = "/" or inode = 2.

Hope this helps,
Michael.

On 20 September 2013 13:46, alan browne <ala...@gm...> wrote:

> Hello list
>
> I seem to be stuck at step 3. I have been able to open the filesystem at a particular offset to get access to the partition but I am looking at how I can get a list of directory paths and/or inodes within that partition. As per the wiki page, to open the directory node assumes that I know the inode or directory path.
>
> ## Step 1: get an IMG_INFO object
> img = pytsk3.Img_Info(url)
>
> ## Step 2: Open the filesystem
> fs = pytsk3.FS_Info(img)
>
> ## Step 3: Open the directory node this will open the node based on path
> ## or inode as specified.
> directory = fs.open_dir(path=path, inode=inode)
>
> ## Step 4: Iterate over all files in the directory and print their
> ## name. What you get in each iteration is a proxy object for the
> ## TSK_FS_FILE struct - you can further dereference this struct into a
> ## TSK_FS_NAME and TSK_FS_META structs.
> for f in directory:
>     print f.info.meta.size, f.info.name.name
>
> --
> Regards
>
> ###########################
> #                         #
> #      Alan Browne        #
> #                         #
> ###########################
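A recursive directory walk over the interface Michael and Jason describe (`open_dir` by path or by inode, `FS_Info` given the partition offset), as an added example that is neither from the thread nor from pytsk3's documentation. It handles the three things that trip up a first walk: the `.` and `..` entries every directory yields, names whose `meta` is `None` (deleted entries with no metadata left), and directory cycles. The walker touches only `f.info.name.name`, `f.info.meta.addr/type/size` and `fs.open_dir`, so it is driven here by a small constructed stand-in filesystem; the pytsk3 calls under `__main__` (`Img_Info`, `FS_Info` with the offset in bytes) are what a real run uses. The value 2 for `TSK_FS_META_TYPE_DIR` is from tsk_fs.h.

```python
# Added example, not from the thread and not pytsk3 code: recursive walk of
# a TSK filesystem through the open_dir(path=...)/open_dir(inode=...) interface.
from types import SimpleNamespace
from typing import Dict, Iterator, List, Optional, Set, Tuple

DIR_TYPE = 2   # TSK_FS_META_TYPE_DIR in tsk_fs.h; on a real run compare with pytsk3.TSK_FS_META_TYPE_DIR


def walk(fs, path: str = "/", inode: Optional[int] = None,
         _seen: Optional[Set[int]] = None) -> Iterator[Tuple[str, int, int]]:
    """Yield (full_path, meta_addr, size) for every entry below the start directory.

    Skips '.'/'..', skips names with no metadata (meta is None for many deleted
    entries), and never descends into the same directory inode twice."""
    seen: Set[int] = set() if _seen is None else _seen
    directory = fs.open_dir(inode=inode) if inode is not None else fs.open_dir(path=path)
    for f in directory:
        name = f.info.name.name
        if isinstance(name, bytes):            # pytsk3 hands names back as bytes
            name = name.decode("utf-8", "replace")
        if name in (".", ".."):
            continue
        meta = f.info.meta
        if meta is None:
            continue
        full = path.rstrip("/") + "/" + name
        yield full, meta.addr, meta.size
        if int(meta.type) == DIR_TYPE and meta.addr not in seen:
            seen.add(meta.addr)
            yield from walk(fs, path=full, inode=meta.addr, _seen=seen)


def list_paths(fs) -> List[str]:
    return [p for p, _, _ in walk(fs)]


# ---- constructed stand-in for pytsk3.FS_Info, so the walker runs without an image ----
REG = 1   # TSK_FS_META_TYPE_REG


def entry(name: bytes, addr: Optional[int], ftype: int, size: int = 0):
    """Mimic the attribute shape of a pytsk3 File proxy: f.info.name.name / f.info.meta."""
    meta = None if addr is None else SimpleNamespace(addr=addr, type=ftype, size=size)
    return SimpleNamespace(info=SimpleNamespace(name=SimpleNamespace(name=name), meta=meta))


class FakeFS:
    """Directories keyed by inode; '/' maps to the root inode (2, as on ext/ffs)."""

    def __init__(self, dirs: Dict[int, list], root_inode: int = 2):
        self.dirs = dirs
        self.paths = {"/": root_inode}

    def open_dir(self, path: Optional[str] = None, inode: Optional[int] = None):
        if inode is None:
            inode = self.paths[path]
        return iter(self.dirs[inode])


SAMPLE_FS = FakeFS({
    2: [entry(b".", 2, DIR_TYPE), entry(b"..", 2, DIR_TYPE),
        entry(b"etc", 11, DIR_TYPE), entry(b"readme.txt", 12, REG, 40),
        entry(b"deleted.bin", None, REG)],            # name survives, metadata gone
    11: [entry(b".", 11, DIR_TYPE), entry(b"..", 2, DIR_TYPE),
         entry(b"passwd", 13, REG, 1200)],
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        import pytsk3    # real run: python walk.py image.dd [offset_in_bytes]
        img = pytsk3.Img_Info(sys.argv[1])
        # mmls reports the partition start in sectors; FS_Info wants bytes (sectors * 512).
        fs = pytsk3.FS_Info(img, offset=int(sys.argv[2]) if len(sys.argv) > 2 else 0)
    else:
        fs = SAMPLE_FS
    for p, addr, size in walk(fs):
        print(addr, size, p)
```

On the stand-in this prints `/etc`, `/etc/passwd` and `/readme.txt` with their inodes; `deleted.bin` is dropped because it has no metadata, which is the `f.info.meta.size` crash the wiki snippet would otherwise hit.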
From: alan b. <ala...@gm...> - 2013-09-20 11:46:25

Hello list

I seem to be stuck at step 3. I have been able to open the filesystem at a particular offset to get access to the partition but I am looking at how I can get a list of directory paths and/or inodes within that partition. As per the wiki page, to open the directory node assumes that I know the inode or directory path.

## Step 1: get an IMG_INFO object
img = pytsk3.Img_Info(url)

## Step 2: Open the filesystem
fs = pytsk3.FS_Info(img)

## Step 3: Open the directory node this will open the node based on path
## or inode as specified.
directory = fs.open_dir(path=path, inode=inode)

## Step 4: Iterate over all files in the directory and print their
## name. What you get in each iteration is a proxy object for the
## TSK_FS_FILE struct - you can further dereference this struct into a
## TSK_FS_NAME and TSK_FS_META structs.
for f in directory:
    print f.info.meta.size, f.info.name.name

--
Regards

###########################
#                         #
#      Alan Browne        #
#                         #
###########################
From: Brian C. <ca...@sl...> - 2013-09-19 01:08:58

Early (i.e. discounted) registration for the 4th Annual Open Source Digital Forensics Conference (OSDFCon) ends on Friday. Register now for the reduced rate:

http://www.osdfcon.org/

OSDFCon will be held on Nov 5 in Chantilly, VA (near Dulles airport). There are hands-on workshops the day before and 2 days of Autopsy 3 training afterwards. Attend this unique event to learn about open source tools directly from the developers and provide feedback on needed features. With budgets decreasing, knowing about cost effective tools is always important. You'll also get to vote on the winner of the Autopsy 3 Module Writing Competition. This event is free for government employees.

The program of this conference was chosen by the community and has talks on the following topics:
- Forensics Visualizations by Simson Garfinkel
- Volatility memory forensics by the Volatility team
- Autopsy 3 by Brian Carrier
- Plaso timelines by Kristinn Gudjonsson
- Malware analysis talks from Salvador “Grecs” Grec and Tyler Hudak
- ... many more including search, triage, and hardware write blockers.

Tutorials include:
- DEFT Linux CD
- Triage using MantaRay
- Incident Response with GRR
- Malware analysis
- Autopsy module development
- Plaso module development

The full schedule of the event at the conference location is as follows:
- Nov 4: Tutorials and the Open Memory Forensics Workshop (https://www.volatilesystems.com/default/omfw)
- Nov 5: OSDFCon
- Nov 6-7: Autopsy 3 Training

Register now to reserve your spot.
http://www.osdfcon.org/

thanks,
brian
From: Santiago <san...@gm...> - 2013-09-17 19:13:21

Thank you both !! I will try this.

2013/9/17 slo...@gm... <slo...@gm...>

> Yes, I realized that, but I read the original email as "if possible" extract the files to full paths, and sorter was the closest and easiest solution to the problem.
>
> Santiago, this is not a fast solution, but you could do something like this if you want the non-matching files to be exported with full paths:
>
> $ partition="-o63 WinXP.E01"
> $ # keep only NTFS $DATA (type 128) entries such as 4-128-4 from the fls output
> $ fls -r $partition | egrep -o "[0-9]+-128-[0-9]+" | \
>   while read inode
>   do
>     md5=$(icat $partition $inode | md5sum | cut -d ' ' -f1)
>     hit=$(hfind -q minimal/NSRLFile.txt $md5)
>     if [ $hit -eq 0 ]
>     then
>       fname=$(ffind $partition $inode)
>       mkdir -pv "export${fname%/*}"
>       echo exporting "$fname..."
>       icat $partition $inode > "export${fname}"
>     fi
>   done
>
> On Tue, Sep 17, 2013 at 6:14 AM, Brian Carrier <ca...@sl...> wrote:
>
>> Yes, another tool in TSK that almost meets the requirements, but not quite. Like the framework and Autopsy, sorter knows about hashes and NSRL, but doesn't have an output mode to save the non-NSRL files to their original path.
>>
>> I made an issue (https://github.com/sleuthkit/autopsy/issues/284) for this feature to be added to Autopsy. This could be a great module for the ongoing Autopsy Module Development Contest as part of OSDFCon... :) (http://www.basistechweek.com/osdf.html#contest).
>>
>> On Sep 17, 2013, at 1:47 AM, slo...@gm... wrote:
>>
>> > Why not use sorter for this purpose?
>> >
>> > On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
>> > Thanks Brian, I see that I was not so wrong in my tests.
>> >
>> > This I try to do I think it's useful when a forensic investigator must return the results to someone who is not technical and need to access a small number of files.
>> > I will continue looking for a solution.
>> >
>> > Take this opportunity to tell you that your tools are really great !!
>> >
>> > Regards
>> > Santiago
>> >
>> > 2013/9/16 Brian Carrier <ca...@sl...>
>> > Hi Santiago,
>> >
>> > There is nothing that currently supports that specific use case.
>> > - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
>> > - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
>> > - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>> >
>> > Sorry.
>> >
>> > brian
>> >
>> > On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>> >
>> > > Hi all, maybe you can help me with this:
>> > >
>> > > I have:
>> > >
>> > > a) E01 Image.
>> > > b) Indexed hash database. (NSRL)
>> > > c) hfind working well with hash database.
>> > >
>> > > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
>> > >
>> > > And if possible, export the files with the original path and directory structure they had in the image.
>> > >
>> > > I've tried with sleuthkit framework, but could not make it work,
>> > >
>> > > Any ideas ?
>> > >
>> > > Many Thanks
>> > > Santiago
>> >
>> > --
>> > Santiago Vallés

--
Santiago Vallés
From: <slo...@gm...> - 2013-09-17 18:41:53

Yes, I realized that, but I read the original email as "if possible" extract the files to full paths, and sorter was the closest and easiest solution to the problem.

Santiago, this is not a fast solution, but you could do something like this if you want the non-matching files to be exported with full paths:

$ partition="-o63 WinXP.E01"
$ # keep only NTFS $DATA (type 128) entries such as 4-128-4 from the fls output
$ fls -r $partition | egrep -o "[0-9]+-128-[0-9]+" | \
  while read inode
  do
    md5=$(icat $partition $inode | md5sum | cut -d ' ' -f1)
    hit=$(hfind -q minimal/NSRLFile.txt $md5)
    if [ $hit -eq 0 ]
    then
      fname=$(ffind $partition $inode)
      mkdir -pv "export${fname%/*}"
      echo exporting "$fname..."
      icat $partition $inode > "export${fname}"
    fi
  done

On Tue, Sep 17, 2013 at 6:14 AM, Brian Carrier <ca...@sl...> wrote:

> Yes, another tool in TSK that almost meets the requirements, but not quite. Like the framework and Autopsy, sorter knows about hashes and NSRL, but doesn't have an output mode to save the non-NSRL files to their original path.
>
> I made an issue (https://github.com/sleuthkit/autopsy/issues/284) for this feature to be added to Autopsy. This could be a great module for the ongoing Autopsy Module Development Contest as part of OSDFCon... :) (http://www.basistechweek.com/osdf.html#contest).
>
> On Sep 17, 2013, at 1:47 AM, slo...@gm... wrote:
>
> > Why not use sorter for this purpose?
> >
> > On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
> > Thanks Brian, I see that I was not so wrong in my tests.
> >
> > This I try to do I think it's useful when a forensic investigator must return the results to someone who is not technical and need to access a small number of files.
> > I will continue looking for a solution.
> >
> > Take this opportunity to tell you that your tools are really great !!
> >
> > Regards
> > Santiago
> >
> > 2013/9/16 Brian Carrier <ca...@sl...>
> > Hi Santiago,
> >
> > There is nothing that currently supports that specific use case.
> > - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
> > - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
> > - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
> >
> > Sorry.
> >
> > brian
> >
> > On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
> >
> > > Hi all, maybe you can help me with this:
> > >
> > > I have:
> > >
> > > a) E01 Image.
> > > b) Indexed hash database. (NSRL)
> > > c) hfind working well with hash database.
> > >
> > > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
> > >
> > > And if possible, export the files with the original path and directory structure they had in the image.
> > >
> > > I've tried with sleuthkit framework, but could not make it work,
> > >
> > > Any ideas ?
> > >
> > > Many Thanks
> > > Santiago
> >
> > --
> > Santiago Vallés
From: sandun c. <san...@gm...> - 2013-09-17 16:37:04

Hi,

I am trying to invoke the methods of libtskframework.dll in order to retrieve file info from a forensic image. As I can see, libtskframework.dll is not a managed dll. So I may need P/Invoke to invoke methods in the framework dll.

Can you please advise me on the best approach of invoking libtskframework.dll from C#?

Thanks,
Sandun
From: Brian C. <ca...@sl...> - 2013-09-17 13:14:51

Yes, another tool in TSK that almost meets the requirements, but not quite. Like the framework and Autopsy, sorter knows about hashes and NSRL, but doesn't have an output mode to save the non-NSRL files to their original path.

I made an issue (https://github.com/sleuthkit/autopsy/issues/284) for this feature to be added to Autopsy. This could be a great module for the ongoing Autopsy Module Development Contest as part of OSDFCon... :) (http://www.basistechweek.com/osdf.html#contest).

On Sep 17, 2013, at 1:47 AM, slo...@gm... wrote:

> Why not use sorter for this purpose?
>
> On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
> Thanks Brian, I see that I was not so wrong in my tests.
>
> What I am trying to do is, I think, useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
> I will continue looking for a solution.
>
> Take this opportunity to tell you that your tools are really great !!
>
> Regards
> Santiago
>
> 2013/9/16 Brian Carrier <ca...@sl...>
> Hi Santiago,
>
> There is nothing that currently supports that specific use case.
> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>
> Sorry.
>
> brian
>
> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>
> > Hi all, maybe you can help me with this:
> >
> > I have:
> >
> > a) E01 Image.
> > b) Indexed hash database. (NSRL)
> > c) hfind working well with hash database.
> >
> > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
> >
> > And if possible, export the files with the original path and directory structure they had in the image.
> >
> > I've tried with sleuthkit framework, but could not make it work,
> >
> > Any ideas ?
> >
> > Many Thanks
> > Santiago
>
> --
> Santiago Vallés
From: <slo...@gm...> - 2013-09-17 12:56:55

The sorter tool is a part of sleuthkit. Find information about it here: http://wiki.sleuthkit.org/index.php?title=Sorter.

On Tue, Sep 17, 2013 at 5:08 AM, Santiago <san...@gm...> wrote:

> How can I do this ??
>
> With sorter you mean linux sort command ?
>
> 2013/9/17 slo...@gm... <slo...@gm...>
>
>> Why not use sorter for this purpose?
>>
>> On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
>>
>>> Thanks Brian, I see that I was not so wrong in my tests.
>>>
>>> What I am trying to do is, I think, useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
>>> I will continue looking for a solution.
>>>
>>> Take this opportunity to tell you that your tools are really great !!
>>>
>>> Regards
>>> Santiago
>>>
>>> 2013/9/16 Brian Carrier <ca...@sl...>
>>>
>>>> Hi Santiago,
>>>>
>>>> There is nothing that currently supports that specific use case.
>>>> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
>>>> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
>>>> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>>>>
>>>> Sorry.
>>>>
>>>> brian
>>>>
>>>> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>>>>
>>>> > Hi all, maybe you can help me with this:
>>>> >
>>>> > I have:
>>>> >
>>>> > a) E01 Image.
>>>> > b) Indexed hash database. (NSRL)
>>>> > c) hfind working well with hash database.
>>>> >
>>>> > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
>>>> >
>>>> > And if possible, export the files with the original path and directory structure they had in the image.
>>>> >
>>>> > I've tried with sleuthkit framework, but could not make it work,
>>>> >
>>>> > Any ideas ?
>>>> >
>>>> > Many Thanks
>>>> > Santiago
>>>
>>> --
>>> Santiago Vallés
>
> --
> Santiago Vallés
From: Santiago <san...@gm...> - 2013-09-17 12:09:08

How can I do this ??

With sorter you mean linux sort command ?

2013/9/17 slo...@gm... <slo...@gm...>

> Why not use sorter for this purpose?
>
> On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
>
>> Thanks Brian, I see that I was not so wrong in my tests.
>>
>> What I am trying to do is, I think, useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
>> I will continue looking for a solution.
>>
>> Take this opportunity to tell you that your tools are really great !!
>>
>> Regards
>> Santiago
>>
>> 2013/9/16 Brian Carrier <ca...@sl...>
>>
>>> Hi Santiago,
>>>
>>> There is nothing that currently supports that specific use case.
>>> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
>>> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
>>> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>>>
>>> Sorry.
>>>
>>> brian
>>>
>>> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>>>
>>> > Hi all, maybe you can help me with this:
>>> >
>>> > I have:
>>> >
>>> > a) E01 Image.
>>> > b) Indexed hash database. (NSRL)
>>> > c) hfind working well with hash database.
>>> >
>>> > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
>>> >
>>> > And if possible, export the files with the original path and directory structure they had in the image.
>>> >
>>> > I've tried with sleuthkit framework, but could not make it work,
>>> >
>>> > Any ideas ?
>>> >
>>> > Many Thanks
>>> > Santiago
>>
>> --
>> Santiago Vallés

--
Santiago Vallés
From: <slo...@gm...> - 2013-09-17 05:47:56

Why not use sorter for this purpose?

On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:

> Thanks Brian, I see that I was not so wrong in my tests.
>
> What I am trying to do is, I think, useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
> I will continue looking for a solution.
>
> Take this opportunity to tell you that your tools are really great !!
>
> Regards
> Santiago
>
> 2013/9/16 Brian Carrier <ca...@sl...>
>
>> Hi Santiago,
>>
>> There is nothing that currently supports that specific use case.
>> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
>> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
>> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>>
>> Sorry.
>>
>> brian
>>
>> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>>
>> > Hi all, maybe you can help me with this:
>> >
>> > I have:
>> >
>> > a) E01 Image.
>> > b) Indexed hash database. (NSRL)
>> > c) hfind working well with hash database.
>> >
>> > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
>> >
>> > And if possible, export the files with the original path and directory structure they had in the image.
>> >
>> > I've tried with sleuthkit framework, but could not make it work,
>> >
>> > Any ideas ?
>> >
>> > Many Thanks
>> > Santiago
>
> --
> Santiago Vallés
From: Bala <bal...@cs...> - 2013-09-17 04:38:09

@Brian

Tsk_recover says 0 file recovered. I'm yet to figure out what that means.

Sleuthkitsharp is something that I've tried, however it's got two problems. First, it was developed for TSK version 3 and with TSK version 4 it seems to have some errors; second, it doesn't have an active developer community. It was last updated in September 2011 and there have been no updates since then.

@Simson

Libewfcs again has the same problem that I mentioned above. It doesn't have an active developer community and that's something very risky for my project. I'd rather write my own wrapper over libewf than use libewfcs.

Regards
Bala

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Monday, September 16, 2013 7:02 PM
To: Bala
Cc: 'Simson Garfinkel'; si...@gm...; sle...@li...
Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata

On Sep 16, 2013, at 5:24 AM, Bala <bal...@cs...> wrote:

> Simson
>
> Here's what I'm trying to do. Develop a program on .Net platform to do the following.
>
> 1. Extract metadata from the forensic image (Investigator, case number etc.)
> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files
>
> I can't use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question

Have you looked into this project: http://sleuthkitsharp.codeplex.com/

> BTW tsk_recover doesn't seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose ?

It should. That's its only purpose in life. Are you getting an error?
From: Santiago <san...@gm...> - 2013-09-17 02:45:00

Thanks Brian, I see that I was not so wrong in my tests.

What I am trying to do is, I think, useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
I will continue looking for a solution.

Take this opportunity to tell you that your tools are really great !!

Regards
Santiago

2013/9/16 Brian Carrier <ca...@sl...>

> Hi Santiago,
>
> There is nothing that currently supports that specific use case.
> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>
> Sorry.
>
> brian
>
> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>
> > Hi all, maybe you can help me with this:
> >
> > I have:
> >
> > a) E01 Image.
> > b) Indexed hash database. (NSRL)
> > c) hfind working well with hash database.
> >
> > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
> >
> > And if possible, export the files with the original path and directory structure they had in the image.
> >
> > I've tried with sleuthkit framework, but could not make it work,
> >
> > Any ideas ?
> >
> > Many Thanks
> > Santiago

--
Santiago Vallés
From: Brian C. <ca...@sl...> - 2013-09-17 01:52:51

Hi Santiago,

There is nothing that currently supports that specific use case.
- tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
- framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
- Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.

Sorry.

brian

On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:

> Hi all, maybe you can help me with this:
>
> I have:
>
> a) E01 Image.
> b) Indexed hash database. (NSRL)
> c) hfind working well with hash database.
>
> I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
>
> And if possible, export the files with the original path and directory structure they had in the image.
>
> I've tried with sleuthkit framework, but could not make it work,
>
> Any ideas ?
>
> Many Thanks
> Santiago
From: Santiago <san...@gm...> - 2013-09-17 01:42:07

Hi all, maybe you can help me with this:

I have:

a) E01 Image.
b) Indexed hash database. (NSRL)
c) hfind working well with hash database.

I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.

And if possible, export the files with the original path and directory structure they had in the image.

I've tried with sleuthkit framework, but could not make it work,

Any ideas ?

Many Thanks
Santiago
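The workflow Santiago asks for, as an added example that is not part of this thread or of The Sleuth Kit: extract the allocated files with tsk_recover (which keeps the original paths), hash them, look the digests up in the indexed NSRL database with `hfind -f`, and copy only the unmatched files into an output tree with the same directory layout. The script name hash_eliminate.py, the hfind output format it parses ("hash<TAB>name" for a hit, "hash<TAB>Hash Not Found" for a miss) and the paths in its comments are assumptions.

```python
"""Hash-elimination pass over a tsk_recover output tree (added example).

Assumed workflow, built from the tools named in the thread:
  1. tsk_recover -a image.E01 extracted/   # allocated files, original paths kept
  2. python3 hash_eliminate.py extracted/ NSRLFile.txt unknown/
Every extracted file is hashed, the digests are looked up with
`hfind -f <lookup_file> <db>`, and only files whose hash is NOT in the indexed
NSRL database are copied into unknown/ with their relative paths preserved.
Assumed hfind output: "<hash>\\t<name>" for a hit, "<hash>\\tHash Not Found" for a miss.
"""
import hashlib
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path

NOT_FOUND = "Hash Not Found"


def hash_tree(root: Path, algo: str = "md5") -> dict:
    """Map each regular file below root (path relative to root) to its digest."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.new(algo)
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest().lower()
    return digests


def parse_hfind_output(text: str) -> set:
    """Collect the hashes hfind reported as present in the database.

    A hit is printed once per NSRL name; a miss is "<hash>\\tHash Not Found".
    NSRL hashes are upper-case hex, so everything is normalised to lower case.
    """
    known = set()
    for line in text.splitlines():
        parts = line.split("\t", 1)
        if len(parts) == 2 and parts[1].strip() != NOT_FOUND:
            known.add(parts[0].strip().lower())
    return known


def lookup_with_hfind(db: Path, hashes) -> set:
    """Write the digests to a lookup file and run `hfind -f` on it (needs TSK)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("\n".join(sorted(set(hashes))) + "\n")
    out = subprocess.run(["hfind", "-f", fh.name, str(db)],
                         capture_output=True, text=True, check=True).stdout
    return parse_hfind_output(out)


def partition(digests: dict, known: set):
    """Split {relpath: digest} into (unknown_paths, known_paths), both sorted."""
    unknown = sorted(p for p, h in digests.items() if h not in known)
    matched = sorted(p for p, h in digests.items() if h in known)
    return unknown, matched


def export_unknown(src_root: Path, dst_root: Path, unknown) -> int:
    """Copy the unknown files to dst_root, recreating their directory layout."""
    for rel in unknown:
        dst = dst_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_root / rel, dst)
    return len(unknown)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: hash_eliminate.py <extracted_dir> <hfind_db> <output_dir>")
    src, db, out = (Path(a) for a in sys.argv[1:])
    digests = hash_tree(src)
    unknown, matched = partition(digests, lookup_with_hfind(db, digests.values()))
    print(f"{len(matched)} known, {export_unknown(src, out, unknown)} copied to {out}")
```

Use `-e` instead of `-a` on tsk_recover if deleted files should be included; the hash pass does not care how the tree was produced.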
From: Brian C. <ca...@sl...> - 2013-09-16 13:32:23

On Sep 16, 2013, at 5:24 AM, Bala <bal...@cs...> wrote:

> Simson
>
> Here’s what I’m trying to do. Develop a program on .Net platform to do the following.
>
> 1. Extract metadata from the forensic image (Investigator, case number etc.)
> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files
>
> I can’t use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question

Have you looked into this project: http://sleuthkitsharp.codeplex.com/

> BTW tsk_recover doesn’t seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose ?

It should. That's its only purpose in life. Are you getting an error?