sleuthkit-users Mailing List for The Sleuth Kit (Page 9)

Brought to you by: carrier

sleuthkit-users — List to discuss Autopsy and The Sleuth Kit.

You can subscribe to this list here.

2002	Jan	Feb	Mar	Apr	May	Jun	Jul (6)	Aug	Sep (11)	Oct (5)	Nov (4)	Dec
2003	Jan (1)	Feb (20)	Mar (60)	Apr (40)	May (24)	Jun (28)	Jul (18)	Aug (27)	Sep (6)	Oct (14)	Nov (15)	Dec (22)
2004	Jan (34)	Feb (13)	Mar (28)	Apr (23)	May (27)	Jun (26)	Jul (37)	Aug (19)	Sep (20)	Oct (39)	Nov (17)	Dec (9)
2005	Jan (45)	Feb (43)	Mar (66)	Apr (36)	May (19)	Jun (64)	Jul (10)	Aug (11)	Sep (35)	Oct (6)	Nov (4)	Dec (13)
2006	Jan (52)	Feb (34)	Mar (39)	Apr (39)	May (37)	Jun (15)	Jul (13)	Aug (48)	Sep (9)	Oct (10)	Nov (47)	Dec (13)
2007	Jan (25)	Feb (4)	Mar (2)	Apr (29)	May (11)	Jun (19)	Jul (13)	Aug (15)	Sep (30)	Oct (12)	Nov (10)	Dec (13)
2008	Jan (2)	Feb (54)	Mar (58)	Apr (43)	May (10)	Jun (27)	Jul (25)	Aug (27)	Sep (48)	Oct (69)	Nov (55)	Dec (43)
2009	Jan (26)	Feb (36)	Mar (28)	Apr (27)	May (55)	Jun (9)	Jul (19)	Aug (16)	Sep (15)	Oct (17)	Nov (70)	Dec (21)
2010	Jan (56)	Feb (59)	Mar (53)	Apr (32)	May (25)	Jun (31)	Jul (36)	Aug (11)	Sep (37)	Oct (19)	Nov (23)	Dec (6)
2011	Jan (21)	Feb (20)	Mar (30)	Apr (30)	May (74)	Jun (50)	Jul (34)	Aug (34)	Sep (12)	Oct (33)	Nov (10)	Dec (8)
2012	Jan (23)	Feb (57)	Mar (26)	Apr (14)	May (27)	Jun (27)	Jul (60)	Aug (88)	Sep (13)	Oct (36)	Nov (97)	Dec (85)
2013	Jan (60)	Feb (24)	Mar (43)	Apr (32)	May (22)	Jun (38)	Jul (51)	Aug (50)	Sep (76)	Oct (65)	Nov (25)	Dec (30)
2014	Jan (19)	Feb (41)	Mar (43)	Apr (28)	May (61)	Jun (12)	Jul (10)	Aug (37)	Sep (76)	Oct (31)	Nov (41)	Dec (12)
2015	Jan (33)	Feb (28)	Mar (53)	Apr (22)	May (29)	Jun (20)	Jul (15)	Aug (17)	Sep (52)	Oct (3)	Nov (18)	Dec (21)
2016	Jan (20)	Feb (8)	Mar (21)	Apr (7)	May (13)	Jun (35)	Jul (34)	Aug (11)	Sep (14)	Oct (22)	Nov (31)	Dec (23)
2017	Jan (20)	Feb (7)	Mar (5)	Apr (6)	May (6)	Jun (22)	Jul (11)	Aug (16)	Sep (8)	Oct (1)	Nov (1)	Dec (1)
2018	Jan	Feb	Mar (16)	Apr (2)	May (6)	Jun (5)	Jul	Aug (2)	Sep (4)	Oct	Nov (16)	Dec (13)
2019	Jan	Feb (1)	Mar (25)	Apr (9)	May (2)	Jun (1)	Jul (1)	Aug	Sep	Oct	Nov	Dec
2020	Jan (2)	Feb	Mar (1)	Apr	May (1)	Jun (3)	Jul (2)	Aug	Sep	Oct (5)	Nov	Dec
2021	Jan	Feb	Mar (1)	Apr	May	Jun (4)	Jul (1)	Aug	Sep (1)	Oct	Nov (1)	Dec
2022	Jan	Feb (2)	Mar	Apr	May (2)	Jun	Jul (3)	Aug	Sep	Oct	Nov	Dec
2023	Jan (2)	Feb	Mar (1)	Apr	May	Jun	Jul	Aug	Sep	Oct (1)	Nov	Dec
2024	Jan	Feb (3)	Mar	Apr (1)	May	Jun	Jul	Aug	Sep	Oct	Nov	Dec
2025	Jan	Feb	Mar	Apr	May	Jun	Jul (1)	Aug	Sep	Oct	Nov	Dec

Flat | Threaded

<< < 1 .. 7 8 9 10 11 .. 211 > >> (Page 9 of 211)

Re: [sleuthkit-users] Scalpel regular expression \r\n carriage linefeed not work

From: Kalin K. <me....@gm...> - 2017-05-19 09:14:06

Hello,


On Thu, May 18, 2017 at 4:05 AM, Wah Jong <wa...@gm...> wrote:
> I have been trying regular expression in Scalpel version 2.1, no luch with
> carriage return \r inside character class bracket, e.g. [\r\n]
>
> /[\r\n]+/
>
I don't know what exactly are you trying to do, please post more
info/test case (e.g. a simple configuration file you try to use)?

> Any one has hints?
>
May be instead of "\n" try "\0x0A", etc.

Kalin.

[sleuthkit-users] Autopsy v4.3.0 -- no response issue

From: Freeman Ng <fr...@is...> - 2017-05-18 11:07:22

Hi, 

I have happily downloaded Autopsy v4.3.0 64-bit for Windows (currently
on Windows 7 Pro), but have done a couple of test runs. 

Two out of two tries I found Autopsy hanging without response in the
middle of ingesting files. 

Do I miss anything here?

-- 
Best regards,

Freeman

[sleuthkit-users] Scalpel regular expression \r\n carriage linefeed not work

From: Wah J. <wa...@gm...> - 2017-05-18 02:06:03

Dear all,

I have been trying regular expression in Scalpel version 2.1, no luch with
carriage return \r inside character class bracket, e.g. [\r\n]

/[\r\n]+/

Any one has hints?


Best wishes

Wah Jong

[sleuthkit-users] Autopsy Training - June 13

From: Brian C. <ca...@sl...> - 2017-05-05 14:09:30

*Autopsy training is 1-month away (June 13) in Herndon, VA. We'll also be
doing a 2-day event after OSDFCon (Oct 18-19). Registration links are
available at: http://www.autopsy.com/training/
<http://www.autopsy.com/training/>The 1-day Autopsy course is $499 and
provides an overview of using and configuring Autopsy.  It combines lecture
sessions with hands on exercises. All sessions are worth 6 CPE credits and
students receive certificates of completion for attendance.  At the end of
the class, you’ll know about how all of the modules work and how to
efficiently use the tool.More details can be found here:
http://www.autopsy.com/training/ <http://www.autopsy.com/training/>We’re
looking to add more events to the schedule. If you’d like training closer
to you, then let us know where. *

[sleuthkit-users] Forensic 4Cast Awards

From: Brian C. <ca...@sl...> - 2017-05-05 13:59:12

If you didn't see it, Autopsy was nominated for the Forensic 4Cast awards
in the open source category.  You can vote for it here.

https://forensic4cast.com/forensic-4cast-awards/

Votes are due May 31.

thanks,
brian

Re: [sleuthkit-users] [sleuthkit-developers] Millions of orphan files found with sleuthkit develop branch

From: Luís F. N. <lfc...@gm...> - 2017-04-28 20:03:08

Opened https://github.com/sleuthkit/sleuthkit/issues/821

I will provide any other info needed to help fix the issue, now that I have
at hand an image to reproduce the problem.

Thanks,
Luis

2017-04-28 16:46 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> Hi folks,
>
> We are still having this issue with tsk-4.4. I have received one report
> yesterday and one today about the processing hanging with thousands of
> orphan files with ~4GB of size, which together result in 140TB of data in
> one image!
>
> Fortunately I have access to the image of the other report. Looking at it,
> the orphans together resulted in ~500GB of data, they were recovered from a
> FAT32 file system of only ~32GB of size! That 32GB FAT32 FS was recovered
> from a 92,5 KB volume/partition! This 92,5KB partition recognized by
> TSK-4.4 is shown by FTKImager as an unpartitioned space, but I think this
> is another issue.
>
> I have trimmed the image down from the original 320GB to 10GB (5GB in ewf
> format) without the user data. Because of that, the orphan files together
> now result in ~45GB (not the original 500GB). I will open a ticket at
> github and post the link to the trimmed image there for reproducing the
> problem.
>
> PS: In the past I have received similar reports with thumbdrives. So looks
> like the issue is with FAT and not with NTFS like I originally reported
> below. Probably those ntfs images had fat32 partitions side by side. This
> explains the upper limit of 4GB of size of those orphans.
>
> Regards,
> Luis Nassif
>
>
> 2015-09-07 12:12 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>
>> Sorry for the long delay. I do not have the image with me, I will ask my
>> colleague if trimming the image is possible... We worked around the problem
>> by filtering out orphans with logical size greater than 10 MB before
>> sending them to the processing engine.
>>
>> Thank you,
>> Luis
>>
>> 2015-08-13 14:13 GMT-03:00 Stefan Petrea <ste...@gm...>:
>>
>>> Hi Luis,
>>>
>>> Could the NTFS image you're looking at be trimmed down and provided as
>>> sample input to reproduce the problem ?
>>>
>>> Best Regards,
>>> Stefan
>>>
>>> On Thu, Aug 13, 2015 at 8:05 PM, Luís Filipe Nassif <lfc...@gm...
>>> > wrote:
>>>
>>>> This error have happened again with a colleague's NTFS image, using the
>>>> develop branch compiled about 1 month ago. Thousands of huge corrupted
>>>> orphans were added by loaddb, which caused our processing application (and
>>>> probably Autopsy too) to process indefinitely the evidence.
>>>>
>>>> Any help will be appreciated.
>>>>
>>>> Regards,
>>>> Luis Nassif
>>>>
>>>>
>>>> 2014-09-30 21:00 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>>
>>>>> This problem still happens with 4.2.0 branch. If I can help with some
>>>>> more information, please let me know.
>>>>>
>>>>> Thanks
>>>>> Luis
>>>>>
>>>>> 2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>>>
>>>>>> Another information: the sum of the millions of file sizes resulted
>>>>>> in 1,1 petabyte, while the image has only 250 GB.
>>>>>>
>>>>>>
>>>>>> 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>>>>
>>>>>>> We tested loaddb of both the released 4.1.3 version and the develop
>>>>>>> branch of sleuthkit on a NTFS image of a hard disk with a lot of bad
>>>>>>> blocks, many of them at the beginning of the disk.
>>>>>>>
>>>>>>> The 4.1.3 version found ~400.000 allocated files more ~100.000
>>>>>>> orphan files, about the same found by other forensic tools. The develop
>>>>>>> branch found the same ~400.000 allocated files more ~2.500.000 orphan
>>>>>>> files! Most of these millions of orphans have corrupted names or the name
>>>>>>> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes.
>>>>>>> We think the recent changes to NTFS code are causing this large number of
>>>>>>> corrupted orphans to be added to the case. Maybe it should be investigated
>>>>>>> before the final 4.2 release.
>>>>>>>
>>>>>>> Luis
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> ------------------------------------------------------------
>>>> ------------------
>>>>
>>>> _______________________________________________
>>>> sleuthkit-developers mailing list
>>>> sle...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
>>>>
>>>>
>>>
>>
>

Re: [sleuthkit-users] [sleuthkit-developers] Millions of orphan files found with sleuthkit develop branch

From: Luís F. N. <lfc...@gm...> - 2017-04-28 19:47:07

Hi folks,

We are still having this issue with tsk-4.4. I have received one report
yesterday and one today about the processing hanging with thousands of
orphan files with ~4GB of size, which together result in 140TB of data in
one image!

Fortunately I have access to the image of the other report. Looking at it,
the orphans together resulted in ~500GB of data, they were recovered from a
FAT32 file system of only ~32GB of size! That 32GB FAT32 FS was recovered
from a 92,5 KB volume/partition! This 92,5KB partition recognized by
TSK-4.4 is shown by FTKImager as an unpartitioned space, but I think this
is another issue.

I have trimmed the image down from the original 320GB to 10GB (5GB in ewf
format) without the user data. Because of that, the orphan files together
now result in ~45GB (not the original 500GB). I will open a ticket at
github and post the link to the trimmed image there for reproducing the
problem.

PS: In the past I have received similar reports with thumbdrives. So looks
like the issue is with FAT and not with NTFS like I originally reported
below. Probably those ntfs images had fat32 partitions side by side. This
explains the upper limit of 4GB of size of those orphans.

Regards,
Luis Nassif

2015-09-07 12:12 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:

> Sorry for the long delay. I do not have the image with me, I will ask my
> colleague if trimming the image is possible... We worked around the problem
> by filtering out orphans with logical size greater than 10 MB before
> sending them to the processing engine.
>
> Thank you,
> Luis
>
> 2015-08-13 14:13 GMT-03:00 Stefan Petrea <ste...@gm...>:
>
>> Hi Luis,
>>
>> Could the NTFS image you're looking at be trimmed down and provided as
>> sample input to reproduce the problem ?
>>
>> Best Regards,
>> Stefan
>>
>> On Thu, Aug 13, 2015 at 8:05 PM, Luís Filipe Nassif <lfc...@gm...>
>> wrote:
>>
>>> This error have happened again with a colleague's NTFS image, using the
>>> develop branch compiled about 1 month ago. Thousands of huge corrupted
>>> orphans were added by loaddb, which caused our processing application (and
>>> probably Autopsy too) to process indefinitely the evidence.
>>>
>>> Any help will be appreciated.
>>>
>>> Regards,
>>> Luis Nassif
>>>
>>>
>>> 2014-09-30 21:00 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>
>>>> This problem still happens with 4.2.0 branch. If I can help with some
>>>> more information, please let me know.
>>>>
>>>> Thanks
>>>> Luis
>>>>
>>>> 2014-07-24 9:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>>
>>>>> Another information: the sum of the millions of file sizes resulted in
>>>>> 1,1 petabyte, while the image has only 250 GB.
>>>>>
>>>>>
>>>>> 2014-07-23 22:21 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
>>>>>
>>>>>> We tested loaddb of both the released 4.1.3 version and the develop
>>>>>> branch of sleuthkit on a NTFS image of a hard disk with a lot of bad
>>>>>> blocks, many of them at the beginning of the disk.
>>>>>>
>>>>>> The 4.1.3 version found ~400.000 allocated files more ~100.000 orphan
>>>>>> files, about the same found by other forensic tools. The develop branch
>>>>>> found the same ~400.000 allocated files more ~2.500.000 orphan files! Most
>>>>>> of these millions of orphans have corrupted names or the name
>>>>>> OrphanFile-xxxxxxx and have lengths ranging from 0 to 4.294.967.296 bytes.
>>>>>> We think the recent changes to NTFS code are causing this large number of
>>>>>> corrupted orphans to be added to the case. Maybe it should be investigated
>>>>>> before the final 4.2 release.
>>>>>>
>>>>>> Luis
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>> ------------------------------------------------------------
>>> ------------------
>>>
>>> _______________________________________________
>>> sleuthkit-developers mailing list
>>> sle...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
>>>
>>>
>>
>

[sleuthkit-users] New NSRL

From: Brian C. <ca...@sl...> - 2017-04-19 16:28:01

There a new pre-indexed NSRL on the sourceforge site. It is smaller than in
the past because NIST now groups them differently.  The "Modern"
distribution is up there.


https://sourceforge.net/projects/autopsy/files/NSRL/NSRL-255m-autopsy.zip/download

You will notice that we are already a version behind, but we are trying to
figure out what to do with the latest, since there no longer seems to a
minimal version and it is in ISO form.  So, we need to update our
procedures, but I didn't want to delay in at least getting 255 out there.

brian

Re: [sleuthkit-users] Account Info Survey

From: Stefan K. <sle...@df...> - 2017-04-18 08:46:45

Brian,

> Known examples already include:
> - email
> - phone
> - credit card / bank
> - chat app (WhatsApp, Twitter, Hangouts, etc.)
> - website login (Facebook, forums, etc.)
> - computer login account (Windows account, etc.)
> 
> Anything else you want us to make sure we support?

what about database credentials?

Cheers,

	Stefan.

-- 
Stefan Kelm
Mail: ke...@df...                          Phone: +49 40 808077-686

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Fax: +49 40 808077-556
Sitz / Register: Hamburg, AG Hamburg, HRB 88805,  Ust-IdNr.: DE232129737
Sachsenstraße 5, 20097 Hamburg/Germany. CEO: Dr. Klaus-Peter Kossakowski

[sleuthkit-users] Account Info Survey

From: Brian C. <ca...@sl...> - 2017-04-17 20:50:57

We are in the process of designing a new infrastructure to Autopsy to store
"account" information and messages between the accounts.  This will allow
Autopsy to better store and display emails, text messages, chat logs, etc.

Essentially, accounts and messages will become more first-class citizens
than they are now.

Can you help us out by sending me (off list if you want), what types of
accounts you most often deal with so that we can make sure that we have a
way of storing all of the relevant data.

Known examples already include:
- email
- phone
- credit card / bank
- chat app (WhatsApp, Twitter, Hangouts, etc.)
- website login (Facebook, forums, etc.)
- computer login account (Windows account, etc.)

Anything else you want us to make sure we support?

[sleuthkit-users] OSDFCon CFP and Module Competition

From: Brian C. <ca...@sl...> - 2017-04-17 18:19:05

We’re a bit late this year, but it’s time to start getting ready for the 8th Annual Open Source Digital Forensics Conference (OSDFCon).

* Conference Date: October 17, 2017
* Location: Herndon, VA

We want you to start submitting your talk ideas, writing Autopsy modules, and saving the date on your calendar. OSDFCon is the 1-day event to attend each year to learn about the latest open source digital forensics and incident response tools with over 400 of your colleagues.

If you want to get direct updates as the event gets closer, sign up at http://www.osdfcon.org/get-updates/.

CALL FOR PRESENTATIONS AND WORKSHOPS

Each year, OSDFCon gives developers and users a platform to talk about the open source software they love and give hands-on workshops. We want to hear your presentation and workshop ideas. Submissions are due by June 1.

Past presentations have covered new software, new features in mature software, modules for plug-in frameworks, and use cases that integrate several pieces of software. A detailed list of topics and submission details can be found here:

http://www.osdfcon.org/osdfcon-2017/2017-call-for-presentations/

AUTOPSY MODULE COMPETITION

Basis Technology is again organizing an Autopsy module writing competition. The modules can be written in Python or Java and we have tutorials to help you get started. Learning to write Autopsy modules will make you more efficient because Autopsy takes care of providing access to files, user interface, and reporting. All you have to do is focus on some cool analytics.

Attendees of OSDFCon vote to help pick the winner and the top three will get cash prizes. If we get 12 or more submissions, Basis Technology will double the prize amounts. Submissions are due by October 2 (5+ months away!). Links to tutorials and submission details can be found here:

http://www.osdfcon.org/osdfcon-2017/2017-module-development-contest/

SPONSORSHIP

We have a few sponsorship opportunities available if you would like to help support the open source community and get exposure to the audience by having a table at the event.

http://www.osdfcon.org/sponsorship-opportunities/

ABOUT OSDFCON

OSDFCon is the premier event focused exclusively on open source digital forensics tools, OSDFCon offers short talks over the course of a single day. These talks are packed with information and present a unique opportunity to learn about new (often free) tools and provide feedback directly to developers. Basis Technology is the organizing sponsor of the event and it is free for government employees to attend.

[sleuthkit-users] Bug #393 with ISO images

From: Luís F. N. <lfc...@gm...> - 2017-03-30 20:42:11

Hi,

Did someone with ISO9660 knowledge have take a look at
https://github.com/sleuthkit/sleuthkit/issues/393 ?

I think it is a critical issue and currently TSK could miss a whole
directory structure without any warning.

Thanks,
Luis

Re: [sleuthkit-users] NBTempoW - timeline in Windows

From: Nanni B. <dig...@gm...> - 2017-03-06 18:54:12

Hi David,
are you using NBTempoW 2.0? I guess yes...so, it's strange, because I and
other people have tried on E01 and DD (raw) images and it works fine. Did
you select a date range? Or did you use no parameters?
Let me know :-)
BTW you can try using tsk_gettimes.exe disk.E01 | mactime exe -d 0000-00-00
> timeline.csv you can find them in \bin directory, so you can check using
only TSK tools without my GUI and let me know if it works.
Thank you

2017-03-06 19:43 GMT+01:00 David Nides <dav...@gm...>:

> just for kicks i tried running it quickly on a few images (e01) to see
> what the output looks like and it produced empty excels each time.
>
> On Fri, Mar 3, 2017 at 4:28 AM, Nanni Bassetti <dig...@gm...> wrote:
>
>> Thanks to Derrick Karpo for warning of a problem in the file selection, I
>> changed the system and now there is NBTempoW V. 2.0 ;-)
>>
>> 2017-03-02 22:04 GMT+01:00 Nanni Bassetti <dig...@gm...>:
>>
>>> NBTempoW is a forensic tool for making timelines from block devices
>>> image files (raw, ewf,etc.). It uses TSK (The Sleuthkit) and it has been
>>> developed with Lazarus V. 1.6.2 ( Delphi compatible cross-platform IDE for
>>> Rapid Application Development). It runs only in Windows. If the device
>>> image file is splitted, you can select just the first chunk.
>>> https://github.com/nannib/NBTEMPOW
>>>
>>> Enjoy it! ;-)
>>>
>>> Dott. Nanni Bassetti
>>> www.nannibassetti.com
>>>
>>
>>
>>
>> --
>> Dott. Nanni Bassetti
>> http://www.nannibassetti.com
>> CAINE project manager - http://www.caine-live.net
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>>
>>
>


-- 
Dott. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net

Re: [sleuthkit-users] NBTempoW - timeline in Windows

From: David N. <dav...@gm...> - 2017-03-06 18:43:34

just for kicks i tried running it quickly on a few images (e01) to see what
the output looks like and it produced empty excels each time.

On Fri, Mar 3, 2017 at 4:28 AM, Nanni Bassetti <dig...@gm...> wrote:

> Thanks to Derrick Karpo for warning of a problem in the file selection, I
> changed the system and now there is NBTempoW V. 2.0 ;-)
>
> 2017-03-02 22:04 GMT+01:00 Nanni Bassetti <dig...@gm...>:
>
>> NBTempoW is a forensic tool for making timelines from block devices image
>> files (raw, ewf,etc.). It uses TSK (The Sleuthkit) and it has been
>> developed with Lazarus V. 1.6.2 ( Delphi compatible cross-platform IDE for
>> Rapid Application Development). It runs only in Windows. If the device
>> image file is splitted, you can select just the first chunk.
>> https://github.com/nannib/NBTEMPOW
>>
>> Enjoy it! ;-)
>>
>> Dott. Nanni Bassetti
>> www.nannibassetti.com
>>
>
>
>
> --
> Dott. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>

Re: [sleuthkit-users] NBTempoW - timeline in Windows

From: Nanni B. <dig...@gm...> - 2017-03-03 10:29:04

Thanks to Derrick Karpo for warning of a problem in the file selection, I
changed the system and now there is NBTempoW V. 2.0 ;-)

2017-03-02 22:04 GMT+01:00 Nanni Bassetti <dig...@gm...>:

> NBTempoW is a forensic tool for making timelines from block devices image
> files (raw, ewf,etc.). It uses TSK (The Sleuthkit) and it has been
> developed with Lazarus V. 1.6.2 ( Delphi compatible cross-platform IDE for
> Rapid Application Development). It runs only in Windows. If the device
> image file is splitted, you can select just the first chunk.
> https://github.com/nannib/NBTEMPOW
>
> Enjoy it! ;-)
>
> Dott. Nanni Bassetti
> www.nannibassetti.com
>



-- 
Dott. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net

[sleuthkit-users] NBTempoW - timeline in Windows

From: Nanni B. <dig...@gm...> - 2017-03-02 21:04:16

NBTempoW is a forensic tool for making timelines from block devices image
files (raw, ewf,etc.). It uses TSK (The Sleuthkit) and it has been
developed with Lazarus V. 1.6.2 ( Delphi compatible cross-platform IDE for
Rapid Application Development). It runs only in Windows. If the device
image file is splitted, you can select just the first chunk.
https://github.com/nannib/NBTEMPOW

Enjoy it! ;-)

Dott. Nanni Bassetti
www.nannibassetti.com

[sleuthkit-users] Bug: free used instead of tsk_fs_free

From: Lloyd <llo...@gm...> - 2017-02-24 06:08:28

Hi,

In ntfs.c file there is a function named "ntfs_open". In that, a memory is
allocated with "tsk_fs_malloc" , line no. 4829

if ((ntfs = (NTFS_INFO *) tsk_fs_malloc(sizeof(*ntfs))) == NULL)

But it is freed at the end using "free" (5131) instead of "tsk_fs_free". My
VS 2015 debugger breaks here. Can anybody please verify it?

Thanks,
  Lloyd