sleuthkit-users Mailing List for The Sleuth Kit (Page 55)
From: Greg F. <gre...@gm...> - 2013-09-16 13:20:53

Jon Stewart <jo...@li...> wrote:

> As far as I am aware, nothing other than EnCase reads Ex01 files yet. The spec for it is open, but it doesn't have a lot of detail.

Libewf has experimental support of the base format: <http://code.google.com/p/libewf/>

I only use E01 (and dd) so I don't know how well it works.

Greg

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
From: Jon S. <jo...@li...> - 2013-09-16 13:07:29

It sounds like what you want is TskAuto, which is a C++ class that you inherit from with your own class, and then it will iterate over all the files in a device. It is pretty well documented on sleuthkit.org. You will still need to familiarize yourself with the TSK_FS_FILE struct and use related APIs for reading file contents, but TskAuto solves the recursive descent problem and gives you a good starting point.

As far as I am aware, nothing other than EnCase reads Ex01 files yet. The spec for it is open, but it doesn't have a lot of detail.

Jon

On Sep 12, 2013 3:45 AM, "Bala" <bal...@cs...> wrote:

> Hi Guys
>
> I'm a newbie to TSK. Could someone help me figure out which classes and methods that I need to use to get the following details from .E01 and Ex01 files
>
> 1. Extract metadata from the forensic image
> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.
>
> Environment
> TSK Version 4.1.0 Core (not the framework)
> OS version Windows 7 / Windows 2008 R2
>
> Regards
> Bala
>
> ------------------------------------------------------------------------------
> How ServiceNow helps IT people transform IT departments:
> 1. Consolidate legacy IT systems to a single system of record for IT
> 2. Standardize and globalize service processes across IT
> 3. Implement zero-touch automation to replace manual, redundant tasks
> http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Simson G. <si...@ac...> - 2013-09-16 12:41:39

All,

libewfcs is a complete reimplementation of libewf in C#. It is what Bala needs for the first requirement. The second requirement can be done almost entirely with existing tools.

Simson
From: Mark K. <mke...@gm...> - 2013-09-16 12:01:04

Mitch,

NIST has a collection of data sets for testing and education purposes. You can find them here - http://www.cfreds.nist.gov/. I use the "Hacking Case" image for training people who are new to forensics.

Mark
From: Greg F. <gre...@gm...> - 2013-09-16 11:58:41

Bala,

Simson is expert on your question, but so is the team writing plaso. The plaso team is writing in Python.

Libewf is a C library for working with E01 images and can pull out the metadata for you. It is not part of Sleuthkit. I believe it has an LGPL license so you don't have to worry about license issues.

I suggest you check out the plaso choices of libraries and how the workflow proceeds. I've only used it in Linux. In Linux the plaso workflow is:

Use mmls (from Sleuthkit) to pull the partition table info. Offsets are in sectors. You can then call log2timeline.py to parse a partition. It requires you pass in the offset. It uses pytsk as a Python wrapper around libtsk to parse the filesystem. Libtsk is the core library which Sleuthkit provides. In general they don't extract the files, but I think they have a Python program that will extract the registry files that you could look at to see how they use libtsk to do that.

In Linux they have found their multi-threaded app works poorly if pointed directly at the E01 image; they recommend using ewfmount (included in libewf) as an image decoder and cache. It creates a virtual file that is the equivalent of a non-segmented dd image. The user just points log2timeline.py at the virtual dd image.

They also use libvshadow to provide access to the volume shadow copies. It too has an LGPL license I believe.

Hope that helps,
Greg

Bala <bal...@cs...> wrote:

> Simson
>
> Here's what I'm trying to do. Develop a program on .Net platform to do the following.
>
> 1. Extract metadata from the forensic image (Investigator, case number etc.)
> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files
>
> I can't use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question
>
> BTW tsk_recover doesn't seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose?
>
> Regards
> Bala
>
> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
> Sent: Friday, September 13, 2013 6:15 PM
> To: Bala
> Cc: sle...@li...; si...@gm...
> Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>
> Bala,
>
> I think that you have a fundamental misunderstanding about the tools you are using.
>
> There are no "method signatures" here. ewfinfo and tsk_recover are both command-line C++ tools. ewfinfo is built upon libewf, which is a C library. There is also libewfcs which is a C# implementation of the EWF format. tsk_recover is based on The SleuthKit, which is a C/C++ library. There is no managed code interface, but I believe that there is a JNI interface that you could call from Java.
>
> I'm not sure what you are trying to do, but I suspect that you need to focus on your desired outcome, rather than on the toolset.
>
> On Sep 13, 2013, at 1:50 AM, "Bala" <bal...@cs...> wrote:
>
> Simson
>
> I presume ewfinfo & tsk_recover would suit me ideally according to the descriptions that I find, however I'm unable to locate both their method signature which could help me write a managed .Net code to call them.
>
> Could you help me find them (method signatures) in this please.
> http://www.sleuthkit.org/sleuthkit/docs/api-docs/index.html
>
> Regards
> Bala
>
> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
> Sent: Thursday, September 12, 2013 5:47 PM
> To: Bala
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>
> Why do you want to use classes and methods?
>
> For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?
> For #2 - Perhaps you want to use tsk_recover?
>
> On Sep 12, 2013, at 3:27 AM, "Bala" <bal...@cs...> wrote:
>
> Hi Guys
>
> I'm a newbie to TSK. Could someone help me figure out which classes and methods that I need to use to get the following details from .E01 and Ex01 files
>
> 1. Extract metadata from the forensic image
> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.
>
> Environment
> TSK Version 4.1.0 Core (not the framework)
> OS version Windows 7 / Windows 2008 R2
>
> Regards
> Bala

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
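The mmls-then-offset step that Greg describes (partition table from mmls, offsets in sectors, one tool invocation per partition) as an added example; this is not plaso's or Sleuthkit's own code. It parses a constructed sample of mmls output, converts the sector offsets to byte offsets, rejects rows whose Start/End/Length disagree so a damaged table cannot silently feed a wrong offset downstream, and builds the tsk_recover and log2timeline.py command lines for every partition that actually holds a filesystem. The sample table is constructed, and the `--offset` flag for log2timeline.py is an assumption; tsk_recover's `-o` sector offset and `-a` (allocated files only) are the tool's own options.

```python
"""Parse mmls output and derive per-partition offsets for downstream tools.
Added example; not code from plaso or Sleuthkit."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of mmls output (not captured from a real image).
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0020971519   0020764672   NTFS / exFAT (0x07)
"""

UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")
# index, slot, start, end, length, description
ROW_RE = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")


@dataclass
class Partition:
    index: int
    slot: str
    start: int        # first sector
    end: int          # last sector (inclusive)
    length: int       # length in sectors
    description: str

    def byte_offset(self, sector_size: int) -> int:
        # mmls reports sectors; a byte offset is what e.g. mount's offset= option wants.
        return self.start * sector_size


def parse_mmls(text: str) -> Tuple[int, List[Partition]]:
    sector_size = 512  # mmls default; overridden by the "Units are in" line
    parts: List[Partition] = []
    for line in text.splitlines():
        m = UNITS_RE.search(line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        p = Partition(int(m.group(1)), m.group(2), int(m.group(3)),
                      int(m.group(4)), int(m.group(5)), m.group(6))
        # A row whose Start/End/Length disagree is a parse error or a damaged
        # table; refuse it rather than hand a wrong offset to the next tool.
        if p.start + p.length - 1 != p.end:
            raise ValueError(f"inconsistent mmls row {p.index}: {line!r}")
        parts.append(p)
    return sector_size, parts


def filesystem_partitions(parts: List[Partition]) -> List[Partition]:
    # Meta rows (the partition table itself) and unallocated gaps hold no
    # filesystem, so there is nothing for log2timeline or tsk_recover to parse.
    return [p for p in parts
            if p.slot != "Meta" and not p.description.startswith("Unallocated")]


def tsk_recover_cmd(image: str, part: Partition, outdir: str) -> List[str]:
    # tsk_recover takes the partition start in sectors via -o; -a = allocated files only.
    return ["tsk_recover", "-a", "-o", str(part.start), image, outdir]


def log2timeline_cmd(image: str, part: Partition, storage: str) -> List[str]:
    # Assumption: log2timeline.py of that era accepted the sector offset via --offset.
    return ["log2timeline.py", "--offset", str(part.start), storage, image]


def plan(image: str, mmls_text: str, outdir: str = "out") -> List[List[str]]:
    """One tsk_recover and one log2timeline command per filesystem partition."""
    _, parts = parse_mmls(mmls_text)
    cmds: List[List[str]] = []
    for p in filesystem_partitions(parts):
        cmds.append(tsk_recover_cmd(image, p, f"{outdir}/part{p.index:03d}"))
        cmds.append(log2timeline_cmd(image, p, f"{outdir}/part{p.index:03d}.plaso"))
    return cmds


if __name__ == "__main__":
    sector_size, parts = parse_mmls(SAMPLE_MMLS)
    for p in filesystem_partitions(parts):
        print(f"partition {p.index}: sector {p.start} = byte "
              f"{p.byte_offset(sector_size)} ({p.description})")
    for cmd in plan("evidence.dd", SAMPLE_MMLS):
        print(" ".join(cmd))
```

The image argument is whatever mmls was pointed at: the E01 segment set directly, or the virtual dd file that ewfmount exposes, as Greg recommends for plaso; the sector offsets are the same either way because mmls reports them relative to the start of the image.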
From: Bala <bal...@cs...> - 2013-09-16 09:24:14

Simson

Here's what I'm trying to do. Develop a program on .Net platform to do the following.

1. Extract metadata from the forensic image (Investigator, case number etc.)
2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files

I can't use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question

BTW tsk_recover doesn't seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose?

Regards
Bala

> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
> Sent: Friday, September 13, 2013 6:15 PM
> To: Bala
> Cc: sle...@li...; si...@gm...
> Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>
> Bala,
>
> I think that you have a fundamental misunderstanding about the tools you are using.
>
> There are no "method signatures" here. ewfinfo and tsk_recover are both command-line C++ tools. ewfinfo is built upon libewf, which is a C library. There is also libewfcs which is a C# implementation of the EWF format. tsk_recover is based on The SleuthKit, which is a C/C++ library. There is no managed code interface, but I believe that there is a JNI interface that you could call from Java.
>
> I'm not sure what you are trying to do, but I suspect that you need to focus on your desired outcome, rather than on the toolset.
>
> On Sep 13, 2013, at 1:50 AM, "Bala" <bal...@cs...> wrote:
>
>> Simson
>>
>> I presume ewfinfo & tsk_recover would suit me ideally according to the descriptions that I find, however I'm unable to locate both their method signature which could help me write a managed .Net code to call them.
>>
>> Could you help me find them (method signatures) in this please.
>> http://www.sleuthkit.org/sleuthkit/docs/api-docs/index.html
>>
>> Regards
>> Bala
>>
>> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
>> Sent: Thursday, September 12, 2013 5:47 PM
>> To: Bala
>> Cc: sle...@li...
>> Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>>
>> Why do you want to use classes and methods?
>>
>> For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?
>> For #2 - Perhaps you want to use tsk_recover?
>>
>> On Sep 12, 2013, at 3:27 AM, "Bala" <bal...@cs...> wrote:
>>
>>> Hi Guys
>>>
>>> I'm a newbie to TSK. Could someone help me figure out which classes and methods that I need to use to get the following details from .E01 and Ex01 files
>>>
>>> 1. Extract metadata from the forensic image
>>> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.
>>>
>>> Environment
>>> TSK Version 4.1.0 Core (not the framework)
>>> OS version Windows 7 / Windows 2008 R2
>>>
>>> Regards
>>> Bala
From: Mitch W. <mw...@gm...> - 2013-09-15 13:13:28

Simson,

Hmmm... we have not used that one yet (only Jean, Patents, Nitroba). Where is it hosted for download? I will work that into our training schedule for this coming year. And, yes, will try our best to provide feedback or training materials.

For me personally, I'd like to do our initial training on a Windows image, if possible. It's just a personal preference so that I can develop the training in less time. I think we will use Jean if no other suggestions come to light.

Thanks.

Mitch

On Sun, Sep 15, 2013 at 9:05 AM, Simson Garfinkel <si...@ac...> wrote:

> Mitch,
>
> Have you used the National Gallery DC attack scenario that we put together in 2012? Currently we don't have any teaching materials for those images. If you have used them, we would very much appreciate your materials. If you have not used them, drop me an email and we can work on turning the raw data into something usable for your application.
>
> To summarize what we have:
>
> * iPhone images
> * Android phone images
> * Android tablet images
> * network captures (one broken—they captured tcpdump's standard out rather than the packets — this is interesting because such accidents actually happen in the real world from time to time)
> * memory dumps
> * keyboard logging from a keystroke logger that was planted on the laptop
> * Apple Macbook Air laptop
>
> There are two intertwined attacks, one involving a terrorist organization's attempted attack on the National Gallery DC (a fictional art museum in Washington DC), the second involving the intended theft of some art by an insider.
>
> On Sep 15, 2013, at 8:56 AM, Mitch Wander <mw...@gm...> wrote:
>
>> Appreciate that suggestion, Joel. We have used the NPS Corpus disk images extensively for other training (and I should have noted that).
>>
>> We could re-do the same images. However, I know the training audience would already have a leg up because of their familiarity with the images.
>>
>> Definitely a fallback option...
>>
>> Thanks.
>>
>> Mitch
>>
>> On Sun, Sep 15, 2013 at 8:51 AM, Joel Fernandez <Joe...@is...> wrote:
>>
>>> did you check out the NPS Corpus?
>>> http://digitalcorpora.org/corpora/disk-images
>>>
>>> On Sun, Sep 15, 2013 at 8:36 AM, Mitch Wander <mw...@gm...> wrote:
>>>
>>>> I'm conducting an internal training session (4-8 hours) on Autopsy 3 for users who are familiar with Autopsy 2. All attendees are experienced forensics analysts.
>>>>
>>>> Does anyone have suggestions on a good publicly available disk image to highlight some of Autopsy 3's functionality (emails, extracted content, hash sets, registry)?
>>>>
>>>> Also, does anyone have suggestions on training material or overall training flow? For now, I was planning to develop my training by reviewing the "help" pages for Autopsy 3 (in order to make sure I hit all the high points).
>>>>
>>>> Thanks.
>>>>
>>>> Mitch
>>>>
>>>> ------------------------------------------------------------------------------
>>>> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
>>>> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
>>>> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
>>>> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/22/13.
>>>> http://pubads.g.doubleclick.net/gampad/clk?id=64545871&iu=/4140/ostg.clktrk
>>>> _______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
From: Simson G. <si...@ac...> - 2013-09-15 13:05:36

Mitch,

Have you used the National Gallery DC attack scenario that we put together in 2012? Currently we don't have any teaching materials for those images. If you have used them, we would very much appreciate your materials. If you have not used them, drop me an email and we can work on turning the raw data into something usable for your application.

To summarize what we have:

* iPhone images
* Android phone images
* Android tablet images
* network captures (one broken—they captured tcpdump's standard out rather than the packets — this is interesting because such accidents actually happen in the real world from time to time)
* memory dumps
* keyboard logging from a keystroke logger that was planted on the laptop
* Apple Macbook Air laptop

There are two intertwined attacks, one involving a terrorist organization's attempted attack on the National Gallery DC (a fictional art museum in Washington DC), the second involving the intended theft of some art by an insider.

On Sep 15, 2013, at 8:56 AM, Mitch Wander <mw...@gm...> wrote:

> Appreciate that suggestion, Joel. We have used the NPS Corpus disk images extensively for other training (and I should have noted that).
>
> We could re-do the same images. However, I know the training audience would already have a leg up because of their familiarity with the images.
>
> Definitely a fallback option...
>
> Thanks.
>
> Mitch
>
> On Sun, Sep 15, 2013 at 8:51 AM, Joel Fernandez <Joe...@is...> wrote:
>
>> did you check out the NPS Corpus? http://digitalcorpora.org/corpora/disk-images
>>
>> On Sun, Sep 15, 2013 at 8:36 AM, Mitch Wander <mw...@gm...> wrote:
>>
>>> I'm conducting an internal training session (4-8 hours) on Autopsy 3 for users who are familiar with Autopsy 2. All attendees are experienced forensics analysts.
>>>
>>> Does anyone have suggestions on a good publicly available disk image to highlight some of Autopsy 3's functionality (emails, extracted content, hash sets, registry)?
>>>
>>> Also, does anyone have suggestions on training material or overall training flow? For now, I was planning to develop my training by reviewing the "help" pages for Autopsy 3 (in order to make sure I hit all the high points).
>>>
>>> Thanks.
>>>
>>> Mitch
From: Mitch W. <mw...@gm...> - 2013-09-15 12:56:43

Appreciate that suggestion, Joel. We have used the NPS Corpus disk images extensively for other training (and I should have noted that).

We could re-do the same images. However, I know the training audience would already have a leg up because of their familiarity with the images.

Definitely a fallback option...

Thanks.

Mitch

On Sun, Sep 15, 2013 at 8:51 AM, Joel Fernandez <Joe...@is...> wrote:

> did you check out the NPS Corpus?
> http://digitalcorpora.org/corpora/disk-images
>
> On Sun, Sep 15, 2013 at 8:36 AM, Mitch Wander <mw...@gm...> wrote:
>
>> I'm conducting an internal training session (4-8 hours) on Autopsy 3 for users who are familiar with Autopsy 2. All attendees are experienced forensics analysts.
>>
>> Does anyone have suggestions on a good publicly available disk image to highlight some of Autopsy 3's functionality (emails, extracted content, hash sets, registry)?
>>
>> Also, does anyone have suggestions on training material or overall training flow? For now, I was planning to develop my training by reviewing the "help" pages for Autopsy 3 (in order to make sure I hit all the high points).
>>
>> Thanks.
>>
>> Mitch
From: Joel F. <Joe...@is...> - 2013-09-15 12:51:58

did you check out the NPS Corpus? http://digitalcorpora.org/corpora/disk-images

On Sun, Sep 15, 2013 at 8:36 AM, Mitch Wander <mw...@gm...> wrote:

> I'm conducting an internal training session (4-8 hours) on Autopsy 3 for users who are familiar with Autopsy 2. All attendees are experienced forensics analysts.
>
> Does anyone have suggestions on a good publicly available disk image to highlight some of Autopsy 3's functionality (emails, extracted content, hash sets, registry)?
>
> Also, does anyone have suggestions on training material or overall training flow? For now, I was planning to develop my training by reviewing the "help" pages for Autopsy 3 (in order to make sure I hit all the high points).
>
> Thanks.
>
> Mitch
From: Mitch W. <mw...@gm...> - 2013-09-15 12:36:57

I'm conducting an internal training session (4-8 hours) on Autopsy 3 for users who are familiar with Autopsy 2. All attendees are experienced forensics analysts.

Does anyone have suggestions on a good publicly available disk image to highlight some of Autopsy 3's functionality (emails, extracted content, hash sets, registry)?

Also, does anyone have suggestions on training material or overall training flow? For now, I was planning to develop my training by reviewing the "help" pages for Autopsy 3 (in order to make sure I hit all the high points).

Thanks.

Mitch
From: Simson G. <si...@ac...> - 2013-09-13 12:45:11

Bala,

I think that you have a fundamental misunderstanding about the tools you are using.

There are no "method signatures" here. ewfinfo and tsk_recover are both command-line C++ tools. ewfinfo is built upon libewf, which is a C library. There is also libewfcs which is a C# implementation of the EWF format. tsk_recover is based on The SleuthKit, which is a C/C++ library. There is no managed code interface, but I believe that there is a JNI interface that you could call from Java.

I'm not sure what you are trying to do, but I suspect that you need to focus on your desired outcome, rather than on the toolset.

On Sep 13, 2013, at 1:50 AM, "Bala" <bal...@cs...> wrote:

> Simson
>
> I presume ewfinfo & tsk_recover would suit me ideally according to the descriptions that I find, however I'm unable to locate both their method signature which could help me write a managed .Net code to call them.
>
> Could you help me find them (method signatures) in this please.
> http://www.sleuthkit.org/sleuthkit/docs/api-docs/index.html
>
> Regards
> Bala
>
> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
> Sent: Thursday, September 12, 2013 5:47 PM
> To: Bala
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>
> Why do you want to use classes and methods?
>
> For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?
> For #2 - Perhaps you want to use tsk_recover?
>
> On Sep 12, 2013, at 3:27 AM, "Bala" <bal...@cs...> wrote:
>
> Hi Guys
>
> I'm a newbie to TSK. Could someone help me figure out which classes and methods that I need to use to get the following details from .E01 and Ex01 files
>
> 1. Extract metadata from the forensic image
> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.
>
> Environment
> TSK Version 4.1.0 Core (not the framework)
> OS version Windows 7 / Windows 2008 R2
>
> Regards
> Bala
From: Bala <bal...@cs...> - 2013-09-13 05:50:21

Simson

I presume ewfinfo & tsk_recover would suit me ideally according to the descriptions that I find, however I'm unable to locate both their method signature which could help me write a managed .Net code to call them.

Could you help me find them (method signatures) in this please.
http://www.sleuthkit.org/sleuthkit/docs/api-docs/index.html

Regards
Bala

> From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
> Sent: Thursday, September 12, 2013 5:47 PM
> To: Bala
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
>
> Why do you want to use classes and methods?
>
> For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?
> For #2 - Perhaps you want to use tsk_recover?
>
> On Sep 12, 2013, at 3:27 AM, "Bala" <bal...@cs...> wrote:
>
>> Hi Guys
>>
>> I'm a newbie to TSK. Could someone help me figure out which classes and methods that I need to use to get the following details from .E01 and Ex01 files
>>
>> 1. Extract metadata from the forensic image
>> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.
>>
>> Environment
>> TSK Version 4.1.0 Core (not the framework)
>> OS version Windows 7 / Windows 2008 R2
>>
>> Regards
>> Bala
From: Simson G. <si...@ac...> - 2013-09-12 12:17:18
Why do you want to use classes and methods?

For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?

For #2 - Perhaps you want to use tsk_recover?

On Sep 12, 2013, at 3:27 AM, "Bala" <bal...@cs...> wrote:

> Hi Guys
>
> I'm a newbie to TSK. Could someone help me figure out which classes and methods I need to use to get the following details from .E01 and Ex01 files
>
> 1. Extract metadata from the forensic image
> 2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.
>
> Environment
> TSK Version 4.1.0 Core (not the framework)
> OS version Windows 7 / Windows 2008 R2
>
> Regards
> Bala
From: Bala <bal...@cs...> - 2013-09-12 07:42:55
Hi Guys

I'm a newbie to TSK. Could someone help me figure out which classes and methods I need to use to get the following details from .E01 and Ex01 files

1. Extract metadata from the forensic image
2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.

Environment
TSK Version 4.1.0 Core (not the framework)
OS version Windows 7 / Windows 2008 R2

Regards
Bala
From: Alex N. <ajn...@cs...> - 2013-09-09 20:50:38
Hi all,

This is an annotation for a patch I realize now could've been titled with some more vigor:
<https://github.com/sleuthkit/sleuthkit/pull/212>

There is now a draft XML Schema that validates the output of Fiwalk, once that patch with XML code motion is merged. The schema is at this repository:
<https://github.com/dfxml-working-group/dfxml_schema>

The schema's version currently includes "rfc" for "Request for comments." It would be helpful for any Fiwalk or DFXML users to provide feedback on the schema. As for how to give feedback, anybody is welcome to:

* Join the discussion mailing list, df...@ni...: <https://email.nist.gov/mailman/listinfo/dfxml>;
* Open a GitHub Issue on the schema repository (which may be cleanest for easily actionable issues); or
* Email the sleuthkit-users or sleuthkit-developers list (or even me).

I don't mean to overload the sleuthkit lists. The DFXML working group is trying to make DFXML a topic of a bigger community than just TSK. However, discussion wherever it occurs will be good discussion.

--Alex
From: Grundy B. J T. <Bar...@ti...> - 2013-09-09 17:02:11
You could use the -v option and redirect stderr to a file... it's quite wordy, though.

/*******************************************
Barry J. Grundy
Assistant Special Agent in Charge
Digital Forensic Support Group
Electronic Crimes and Intelligence Division
Treasury Inspector General for Tax Administration
(301) 210-8741 (w)
(202) 527-5778 (c)
Bar...@ti...
********************************************\

From: Umit Karabiyik [mailto:umi...@gm...]
Sent: Monday, September 09, 2013 12:38 PM
To: sle...@li...
Subject: [sleuthkit-users] tsk_recover reporting

Hi all,

Is there any way that I can generate a report about the files that are recovered by tsk_recover? It seems tsk_recover doesn't provide any help with parameters on reporting.

Thanks in advance,
Umit
From: Umit K. <umi...@gm...> - 2013-09-09 16:37:37
Hi all,

Is there any way that I can generate a report about the files that are recovered by tsk_recover? It seems tsk_recover doesn't provide any help with parameters on reporting.

Thanks in advance,
Umit
From: sandun c. <san...@gm...> - 2013-09-09 15:40:58
On Thu, Sep 5, 2013 at 9:19 PM, sandun css <san...@gm...> wrote:
>
> Thanks Brian for the response.
>
> I am using the sleuthkit sharp to read the file. There is no compilation error. But, at run time, it seems tsk_fs_open_img() doesn't return the correct file info. (handle == IntPtr.Zero)
>
> But it reads img and iso files correctly. What could be the problem?
>
>
> On Thu, Sep 5, 2013 at 8:08 PM, Brian Carrier <ca...@sl...> wrote:
>>
>> What error are you getting? Are you having trouble compiling or running? Do you need the framework or did you really want TSK core?
>>
>> On Sep 5, 2013, at 10:17 AM, sandun css <san...@gm...> wrote:
>>
>> > Hi,
>> >
>> > I am new to TSK and Libewf and tried to use the following (latest) TSK, Libewf and Zlib versions together to process E01 files.
>> >
>> > sleuthkit-framework-win32-4.1.0
>> > libewf-20130416
>> > zlib-128
>> >
>> > But it doesn't seem to be working. Can you please advise me on the recommended compatible versions of these?
>> >
>> > Please note that I built libewf myself (didn't build TSK) to use it in the sleuthkit sharp
>> >
>> > Thanks,
>> > Nilanga
>> > ------------------------------------------------------------------------------
>> > Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
>> > Discover the easy way to master current and previous Microsoft technologies
>> > and advance your career. Get an incredible 1,500+ hours of step-by-step
>> > tutorial videos with LearnDevNow. Subscribe today and save!
>> > http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
>> > _______________________________________________
>> > sleuthkit-users mailing list
>> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> > http://www.sleuthkit.org
From: Netexpress <Net...@ti...> - 2013-09-06 16:19:18
> -----Original Message-----
> From: Brian Carrier [mailto:ca...@sl...]
> Sent: Friday, 6 September 2013 03:27
> To: Netexpress
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] R: Newbie question on autopsy3
>
> 883162 files is probably more files than we have tried to send to the table
> area at a single time. We'll run some tests. Does it hang only when you try
> to view all deleted files? We've certainly analyzed images that are larger than
> 36GB before.

[Fiorenzi Alessandro] Yes it hangs and I have never seen the list of deleted files

> That being said, the scenario you describe below is a bit confusing. If the
> image that you want to analyze is only 36GB and that is a file inside of the
> 500GB image, then you may not get the results that you expect because it
> will be analyzing the 500GB drive and not the 36GB drive. Autopsy does not
> currently have the functionality to detect a disk image inside of a disk image
> and process it.

[Fiorenzi Alessandro] Police have done dd from the original device of 36GB to a destination drive of 500GB: dd if=/dev/sdc(36GB) of=/dev/sdd(500GB)

> thanks,
> brian
>
> On Sep 4, 2013, at 5:25 PM, Netexpress wrote:
>
> > Hi Brian, thanks very much for your help. I fill your tips with more data.
> >
> >>> 3- If i go on view three and select deleted files all seems to freeze,
> >>> and even if I know that many deleted files are present i do not find any of them.
> >>
> >> Meaning that the entire system freezes? I haven't seen that yet, but
> >> can certainly make some test images to stress that feature. If you select
> >> "Deleted Files", it should show two child entries (File System and All). What are
> >> the numbers next to those?
> >
> > Let me explain more about my lab of analysis. I have autopsy on a Windows
> > 2003 virtual machine with 4GB RAM and 2 processors.
> > I am using vmware server 2.0 running on linux; and I connect to
> > windows 2003 to use autopsy with terminal server using administrator
> > user; a bit complicated scenario? :-) The image on which I am working
> > is an original image of 36GB that police have duplicated to lawyer on
> > 500GB disk via dd or logicube, not a dd raw image file but dd output
> > on disk device of 500 GB, and when I made raw image from this disk I
> > get an image of 500GB, the one on which I am working. Some mistake in the process?
> >
> > Now I will try to explain more about the problem. The system is ok, i
> > notice a fixed use of 50% of cpu from autopsy. Everything I choose on
> > menu and view of autopsy is too slow and many times i cannot change view.
> > Furthermore if I iconize autopsy it doesn't return to full windows. If
> > I try to kill the process it goes on state "not responding"
> >
> > On deleted files view autopsy reports:
> > File System 883162
> > All 883162
> > But I am not able to view the list of files
> >
> > Looking into event viewer I have found this, only one occurrence, if it can help
> >
> > Application:
> > Event Type: Error
> > Event Source: Application Hang
> > Event Category: (101)
> > Event ID: 1002
> > Date: 28/08/2013
> > Time: 23.30.36
> > User: N/A
> > Computer: LABORATORIO
> > Description:
> > Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp,
> > version 0.0.0.0, hang address 0x00000000.
> >
> > For more information, see Help and Support Center at
> > http://go.microsoft.com/fwlink/events.asp.
> > Data:
> > 0000: 41 70 70 6c 69 63 61 74 Applicat
> > 0008: 69 6f 6e 20 48 61 6e 67 ion Hang
> > 0010: 20 20 61 75 74 6f 70 73 autops
> > 0018: 79 2e 65 78 65 20 30 2e y.exe 0.
> > 0020: 30 2e 30 2e 30 20 69 6e 0.0.0 in
> > 0028: 20 68 75 6e 67 61 70 70 hungapp
> > 0030: 20 30 2e 30 2e 30 2e 30 0.0.0.0
> > 0038: 20 61 74 20 6f 66 66 73 at offs
> > 0040: 65 74 20 30 30 30 30 30 et 00000
> > 0048: 30 30 30 000
> >
> > I have used autopsy 2 on linux and found this new version very good,
> > more intuitive and better for general view of the case. The only two
> > things could be of help, for me, should be a log of what is doing with
> > a marker of activity, and a dialog box telling to wait for process to
> > complete, sometimes the user thinks that all was completed even if it's going on.
> >
> > Sorry for my bad english, and thanks very much for your help.
> >
> > Alessandro Fiorenzi
From: Brian C. <ca...@sl...> - 2013-09-06 01:27:18
883162 files is probably more files than we have tried to send to the table area at a single time. We'll run some tests. Does it hang only when you try to view all deleted files? We've certainly analyzed images that are larger than 36GB before.

That being said, the scenario you describe below is a bit confusing. If the image that you want to analyze is only 36GB and that is a file inside of the 500GB image, then you may not get the results that you expect because it will be analyzing the 500GB drive and not the 36GB drive. Autopsy does not currently have the functionality to detect a disk image inside of a disk image and process it.

thanks,
brian

On Sep 4, 2013, at 5:25 PM, Netexpress wrote:

> Hi Brian, thanks very much for your help. I fill your tips with more data.
>
>>> 3- If i go on view three and select deleted files all seems to freeze,
>>> and even if I know that many deleted files are present i do not find any of them.
>>
>> Meaning that the entire system freezes? I haven't seen that yet, but can
>> certainly make some test images to stress that feature. If you select
>> "Deleted Files", it should show two child entries (File System and All). What are
>> the numbers next to those?
>
> Let me explain more about my lab of analysis.
> I have autopsy on a Windows 2003 virtual machine with 4GB RAM and 2 processors.
> I am using vmware server 2.0 running on linux; and I connect to windows 2003
> to use autopsy with terminal server using administrator user; a bit
> complicated scenario? :-)
> The image on which I am working is an original image of 36GB that police
> have duplicated to lawyer on 500GB disk via dd or logicube, not a dd raw
> image file but dd output on disk device of 500 GB, and when I made raw
> image from this disk I get an image of 500GB, the one on which I am
> working. Some mistake in the process?
>
> Now I will try to explain more about the problem.
> The system is ok, i notice a fixed use of 50% of cpu from autopsy. Everything
> I choose on menu and view of autopsy is too slow and many times i cannot
> change view.
> Furthermore if I iconize autopsy it doesn't return to full windows. If I try
> to kill the process it goes on state "not responding"
>
> On deleted files view autopsy reports:
> File System 883162
> All 883162
> But I am not able to view the list of files
>
>
> Looking into event viewer I have found this, only one occurrence, if it can
> help
>
> Application:
> Event Type: Error
> Event Source: Application Hang
> Event Category: (101)
> Event ID: 1002
> Date: 28/08/2013
> Time: 23.30.36
> User: N/A
> Computer: LABORATORIO
> Description:
> Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp,
> version 0.0.0.0, hang address 0x00000000.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 41 70 70 6c 69 63 61 74 Applicat
> 0008: 69 6f 6e 20 48 61 6e 67 ion Hang
> 0010: 20 20 61 75 74 6f 70 73 autops
> 0018: 79 2e 65 78 65 20 30 2e y.exe 0.
> 0020: 30 2e 30 2e 30 20 69 6e 0.0.0 in
> 0028: 20 68 75 6e 67 61 70 70 hungapp
> 0030: 20 30 2e 30 2e 30 2e 30 0.0.0.0
> 0038: 20 61 74 20 6f 66 66 73 at offs
> 0040: 65 74 20 30 30 30 30 30 et 00000
> 0048: 30 30 30 000
>
>
> I have used autopsy 2 on linux and found this new version very good, more
> intuitive and better for general view of the case. The only two things could
> be of help, for me, should be a log of what is doing with a marker of
> activity, and a dialog box telling to wait for process to complete,
> sometimes the user thinks that all was completed even if it's going on.
>
> Sorry for my bad english, and thanks very much for your help.
>
> Alessandro Fiorenzi
From: Greg F. <gre...@gm...> - 2013-09-05 16:49:17
A dd image can be mounted in linux as read/write with no issues, so it is relatively straightforward. Assuming you want to mount the second NTFS partition on the image this should work:

====
mkdir /tmp/output
mmls image.dd > /tmp/output/partition-table
grep NTFS /tmp/output/partition-table > /tmp/output/NTFS-partitions
# take the Start column by field rather than by a fixed byte range (cut -b),
# because the column widths differ between mmls versions
awk '{print $3}' /tmp/output/NTFS-partitions > /tmp/output/NTFS-partitions-offset
# process only the second partition
offset=$(head -2 /tmp/output/NTFS-partitions-offset | tail -1)
# mmls reports the offset in sectors; mount wants bytes, hence * 512
sudo mount -o loop,ro,offset=$((10#$offset * 512)) image.dd /mnt
====

In your case drop the ro option to make it read/write.

Obviously you can tweak the above as needed, but it shows a relatively complete situation.

fyi: mmls is part of sleuthkit, but the rest of the above is standard linux.

Greg
--
Greg Freemyer

On Thu, Sep 5, 2013 at 12:16 PM, Umit Karabiyik <umi...@gm...> wrote:
> Hi all,
>
> I have a quick question. Let's say I have a disk image created by dd tool.
> Is there any way I can add a file somewhere in the image file? I'll
> basically try to put some file in a disk image and test some tools if they
> can find the file or a string in the file.
>
> Thanks in advance,
> Umit
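The offset step above, as an added example that is not Greg's script or part of the original thread: a POSIX shell function that reads the sector size from mmls's own "Units are in ..." header and picks the Start column by field, so it does not depend on fixed byte positions, and that fails cleanly when the requested NTFS partition does not exist. The mmls table it is run on is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread: derive the byte offset of
# the N-th NTFS partition from mmls output by field, not by byte column.

# Constructed mmls output (the values are made up for this example).
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   NTFS / exFAT (0x07)
003:  000:001   0001050624   0020969471   0019918848   NTFS / exFAT (0x07)
004:  -------   0020969472   0020971519   0000002048   Unallocated'

# usage: ntfs_partition_offset N < mmls-output
# Prints the byte offset of the N-th NTFS partition; exit status 1 if absent.
ntfs_partition_offset() {
    awk -v want="$1" '
        BEGIN { want += 0; unit = 512; n = 0; found = 0 }
        # mmls states its unit once in the header ("Units are in 512-byte
        # sectors"); read it instead of hard-coding 512.
        /^Units are in [0-9]+-byte sectors/ {
            sub(/^Units are in /, ""); sub(/-byte.*/, ""); unit = $0 + 0; next
        }
        # Partition rows: slot, table:entry, start, end, length, description.
        # Taking the third field works for both the old "02:  00:00" and the
        # newer "002:  000:000" column layouts, unlike a fixed cut -b range.
        $3 ~ /^[0-9]+$/ && /NTFS/ {
            n++
            if (n == want) { printf "%d\n", $3 * unit; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# usage: mount_cmd_for_ntfs IMAGE N < mmls-output
# Prints the mount command for partition N, read-only by default; drop "ro,"
# for read/write as in Greg's note. Fails if the partition does not exist.
mount_cmd_for_ntfs() {
    image=$1; n=$2
    off=$(ntfs_partition_offset "$n") || return 1
    printf 'mount -o loop,ro,offset=%s %s /mnt\n' "$off" "$image"
}

# Stand-alone demo on the constructed table; in real use pipe "mmls image.dd".
printf '%s\n' "$SAMPLE_MMLS" | mount_cmd_for_ntfs image.dd 2
```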
From: Simson G. <si...@ac...> - 2013-09-05 16:36:49
It would be easier and faster to simply mount the file using the Linux loopback device and the appropriate file system.

On Sep 5, 2013, at 12:30 PM, Terry Olson <twj...@ho...> wrote:

> There are several methods, but probably the easiest one would be to write the image to a disk, then copy the file in, then reimage the disk.
>
> Using WinHex, for example, you could place the file's contents in an arbitrary location, but it wouldn't generate the metadata structures needed to access such file by the end user.
>
> Date: Thu, 5 Sep 2013 12:16:51 -0400
> From: umi...@gm...
> To: sle...@li...
> Subject: [sleuthkit-users] Adding file to a disk image
>
> Hi all,
>
> I have a quick question. Let's say I have a disk image created by dd tool. Is there any way I can add a file somewhere in the image file? I'll basically try to put some file in a disk image and test some tools if they can find the file or a string in the file.
>
> Thanks in advance,
> Umit
From: Terry O. <twj...@ho...> - 2013-09-05 16:30:32
There are several methods, but probably the easiest one would be to write the image to a disk, then copy the file in, then reimage the disk.

Using WinHex, for example, you could place the file's contents in an arbitrary location, but it wouldn't generate the metadata structures needed to access such file by the end user.

Date: Thu, 5 Sep 2013 12:16:51 -0400
From: umi...@gm...
To: sle...@li...
Subject: [sleuthkit-users] Adding file to a disk image

Hi all,

I have a quick question. Let's say I have a disk image created by dd tool. Is there any way I can add a file somewhere in the image file? I'll basically try to put some file in a disk image and test some tools if they can find the file or a string in the file.

Thanks in advance,
Umit
From: Umit K. <umi...@gm...> - 2013-09-05 16:16:59
Hi all,

I have a quick question. Let's say I have a disk image created by dd tool. Is there any way I can add a file somewhere in the image file? I'll basically try to put some file in a disk image and test some tools if they can find the file or a string in the file.

Thanks in advance,
Umit