Thread: [sleuthkit-users] Autopsy beginner question
From: Eagle I. S. <in...@ea...> - 2003-02-14 14:23:57
When I specified the Evidence Locker I specified it as the "base" directory that was in the Autopsy folder. Is this correct? I wasn't sure where to put it.

Also, I have a dual-boot machine, Linux and Win2K. My plan is to work with TASK/Autopsy to examine the Win2K partition. For example, I will do something in Win2K then delete it, and then switch to Linux to find it. Is this going to be possible?

Thank you in advance for reading this one.

Niall.
From: Brian C. <bca...@at...> - 2003-02-14 17:45:30
On Fri, Feb 14, 2003 at 09:17:19AM -0500, Eagle Investigative Services wrote:
> When I specified the Evidence Locker I specified it as the "base"
> directory that was in the Autopsy folder. Is this correct? I wasn't sure where
> to put it.

The Evidence Locker is where all of your case data will be saved. So, no, it should not be the installation folder. It will work, but it is not recommended. You could use something like /usr/local/forensics/locker.

> Also, I have dual boot machine, Linux and Win2K. My plan is to work
> with TASK/Autopsy to examine the Win2K partition.
>
> For example, I will do something in Win2K then delete it, and then
> switch to Linux to find it. Is this going to be possible?

Yes. Make a case and host in Autopsy and make a symlink from /dev/hda1 (or whichever partition it is) to the 'images' directory.

    % ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images

Autopsy must be running as root so that it has read permissions on the device.

brian
From: Eagle I. S. <in...@ea...> - 2003-03-07 14:04:00
Brian,

With regard to your message below: I logged in as root and started Autopsy. My settings are as follows:

    Case Name: Thismachine
    Host: WIN2000

I tried to create the following symbolic link as you suggested, and entered it as you outlined below and also as the directory appeared in the Autopsy screen (i.e. with the two "//" before Thismachine/), i.e.

    ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images

and

    ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images

I entered both exactly as typed above. In both cases when I hit refresh there was no sign of my link/image. /dev/hda1 is definitely the name of my Win2k partition.

What am I missing, or doing wrong?

Thanks in advance,
Niall.
From: Brian C. <ca...@at...> - 2003-03-07 14:44:48
> i.e.
>
> ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
>
> and
>
> ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images
>
> I entered both exactly as typed above. In both cases when I hit refresh
> there was no sign of my link/image.

What does

    ls -l /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1

show?

brian
From: Silent P. <sp...@si...> - 2003-03-07 21:09:19
Quoting "Brian Carrier":
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> >
> > and
> >
> > ln -s /dev/hda1 /home/niallc/Desktop/Locker//Thismachine/WIN2000/images
> >
> > I entered both exactly as typed above. In both cases when I hit refresh
> > there was no sign of my link/image.
>
> What does
>
> ls -l /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
>
> show?

Here is a step by step guide to achieve what you are trying to achieve, and verify as you are going along, composed in mini-howto style:

***** Step 1, use the GUI, but empower yourself with the command line

I log in to my Linux box, and I bring up an xterm / "command prompt" and I get:

    dindang:~ #

***** Step 2, know your hard disk.

I know that there is an IDE hard disk in my machine that contains a partition which I would like to analyse. To get more info, I examine what the kernel knows about IDE hard disks in my machine. I already know they get mounted as /dev/hd???, so I use the dmesg command. I can use the man command to find out more about dmesg:

    dindang:~ # man dmesg
    NAME
           dmesg - print or control the kernel ring buffer
    SYNOPSIS
           dmesg [ -c ] [ -n level ] [ -s bufsize ]
    DESCRIPTION
           dmesg is used to examine or control the kernel ring buffer.
           The program helps users to print out their bootup messages.
           Instead of copying the messages by hand, the user need only:
                  dmesg > boot.messages
           and mail the boot.messages file to whoever can debug their problem.

Basically, at boot / start of any system device will result in a message being posted to the kernel ring buffer; you hotplug a USB device, what the kernel does with it gets noted here.... So we are looking for kernel messages relating to hda, or if it was a SCSI disk we would have used sda etc.

dmesg on its own will give back a lot of information, but I will pipe the output of it using | into the grep command, which I will use to filter for hda:

    dindang:~ # dmesg | grep hda
    ide0: BM-DMA at 0xfcd0-0xfcd7, BIOS settings: hda:pio, hdb:pio
    hda: IC25N020ATCS04-0, ATA DISK drive
    hda: safely enabled flush
    hda: 39070080 sectors (20004 MB) w/1768KiB Cache, CHS=41344/15/63, UDMA(33)
    hda: hda1 hda2 hda3 hda4

I could have just searched for hda1 and got:

    dindang:~ # dmesg | grep hda1
    hda: hda1 hda2 hda3 hda4

But basically I know from the above that there is a drive on my system mounted as hda and it has 4 partitions, hda1-4. To find out what's in those partitions, use fdisk:

    dindang:~ # fdisk
    Usage: fdisk [-l] [-b SSZ] [-u] device
    E.g.: fdisk /dev/hda  (for the first IDE disk)
      or: fdisk /dev/sdc  (for the third SCSI disk)
      or: fdisk /dev/eda  (for the first PS/2 ESDI drive)
      or: fdisk /dev/rd/c0d0  or: fdisk /dev/ida/c0d0  (for RAID devices)
      ...

Whoops! I forgot that I must specify a parameter. The parameter must be a device, not a partition, so /dev/hda1 can't be fdisked because it's not a disk, but /dev/hda can:

    dindang:~ # fdisk /dev/hda

    The number of cylinders for this disk is set to 41344.
    There is nothing wrong with that, but this is larger than 1024,
    and could in certain setups cause problems with:
    1) software that runs at boot time (e.g., old versions of LILO)
    2) booting and partitioning software from other OSs
       (e.g., DOS FDISK, OS/2 FDISK)

    Command (m for help): p

    Disk /dev/hda: 15 heads, 63 sectors, 41344 cylinders
    Units = cylinders of 945 * 512 bytes

       Device Boot    Start       End    Blocks   Id  System
    /dev/hda1             1     19672   9294988+   c  Win95 FAT32 (LBA)
    /dev/hda2   *     19673     19714     19845   83  Linux
    /dev/hda3         19715     20795    510772+  82  Linux swap
    /dev/hda4         20796     41344   9709402+  83  Linux

    Command (m for help): q
    dindang:~ #

From this I can see that /dev/hda1 is the Windows partition using a FAT32 filesystem, and this I want to analyse / play with!

***** Step 3, check out your current directory.

First I check to see where I am. This is important because all operations that I do will take place wherever I am, unless I fully qualify the paths. I check this with the print working directory command:

    dindang:~ # pwd
    /root
    dindang:~ #

I am currently in /root. Let's see what I've got here; do a directory listing:

    dindang:~ # ls
    .              .bash_history  .jbuilder4  .qt       .w3m              Desktop
    ..             .exrc          .kde        .skel     .wmrc             KDesktop
    .ICEauthority  .gnupg         .mcop       .ssh      .xinitrc          bin
    .Xauthority    .gtkrc-kde     .mcoprc     .viminfo  .xsession-errors  lucent
    dindang:~ #

Now I am going to make a directory test; this is to hold my "images", and is the equivalent of the task / autopsy image hold directory:

    dindang:~ # mkdir test
    dindang:~ #

Now, it makes sense to VERIFY what you've done, so do another directory listing:

    dindang:~ # ls
    .              .exrc       .mcop     .viminfo          Desktop
    ..             .gnupg      .mcoprc   .w3m              KDesktop
    .ICEauthority  .gtkrc-kde  .qt       .wmrc             bin
    .Xauthority    .jbuilder4  .skel     .xinitrc          lucent
    .bash_history  .kde        .ssh      .xsession-errors  test

Yes, test is there, it's in the list. Let's see what's in the directory test:

    dindang:~ # ls test
    .  ..
    dindang:~ #

Just . and .., which are directory navigation stubs, so the directory is empty.

    dindang:~ # ln -s /dev/hda1 /root/test
    dindang:~ # ls test
    .  ..  hda1
    dindang:~ # cd test
    dindang:~/test # ls -l
    total 8
    drwxr-xr-x    2 root     root         4096 Mar  7 20:03 .
    drwx------   15 root     root         4096 Mar  7 20:03 ..
    lrwxrwxrwx    1 root     root            9 Mar  7 20:03 hda1 -> /dev/hda1
    dindang:~/test #

***** Step 4, Link the partition you want to analyse into the "hold" directory

To do this, we use the ln command. It's the equivalent of making an alias to something on a Mac or a shortcut to something in Windows. First a little info on the ln command:

    dindang:~/test # man ln
    NAME
           ln - make links between files
    SYNOPSIS
           ln [OPTION]... TARGET [LINK_NAME]
           ln [OPTION]... TARGET... DIRECTORY
           ln [OPTION]... --target-directory=DIRECTORY TARGET...
    DESCRIPTION
           Create a link to the specified TARGET with optional LINK_NAME.
           If LINK_NAME is omitted, a link with the same basename as the
           TARGET is created in the current directory. When using the
           second form with more than one TARGET, the last argument must
           be a directory; create links in DIRECTORY to each TARGET.
           Create hard links by default, symbolic links with --symbolic.
           When creating hard links, each TARGET must exist.

Btw.... I'm deliberately not showing all the info that man throws back; try the command yourself to get the full picture.

Next I will link /dev/hda1 into /root/test using the ln command:

    dindang:~ # ln -s /dev/hda1 /root/test

Now if I do a directory listing of test:

    dindang:~ # ls test
    .  ..  hda1
    dindang:~ #

I can see that along with the navigation stubs, there is something called hda1 in there. Let's change our working directory from /root into /root/test and see more of what's in there:

    dindang:~ # cd test
    dindang:~/test # ls -l
    total 8
    drwxr-xr-x    2 root     root         4096 Mar  7 20:03 .
    drwx------   15 root     root         4096 Mar  7 20:03 ..
    lrwxrwxrwx    1 root     root            9 Mar  7 20:03 hda1 -> /dev/hda1
    dindang:~/test #

The output of the ls -l tells us quite a bit:

drwxr-xr-x tells us that entry is a directory, it belongs to user root in the group root, and the time stamps associated with the file, and finally its name.

lrwxrwxrwx tells us it's a link, and after the hda1 (the file name) there is a -> /dev/hda1 which tells us that it's linked to /dev/hda1.

***** Step 5, let's get our image another way.

The way above links the physical partition to the "image file" that will be analysed by task / autopsy; anything we do to this will modify the original item, so maybe we should actually image the partition instead of just creating a shortcut to it. This we do using the dd command.

First we delete the symbolic link:

    dindang:~/test # rm hda1

Verify it's gone....

    dindang:~/test # ls
    .  ..

Get some info on dd.....

    dindang:~/test # man dd
    NAME
           dd - convert and copy a file
    SYNOPSIS
           dd [OPTION]...
    DESCRIPTION
           Copy a file, converting and formatting according to the options.
    dindang:~/test #

Run dd using the options required:

    dindang:~/test # dd if=/dev/hda1 of=/root/test/hda1

Let's verify what it's done:

    dindang:~/test # ls
    .  ..  hda1
    dindang:~/test #

The difference here is that this is not a link, it's an actual image to work on, and it consumes disk space etc.

***** Step 6, get help if it don't work

If you run the commands above, but it just don't happen, and you want to contact a list, then give a bit of info about the system you run: the OS / distribution etc. Output above was generated on SuSE 8.0 with a custom built kernel that I made a long time ago. Hmm... don't know / can't remember the kernel? uname will help:

    dindang:~ # uname -a
    Linux dindang 2.4.18-4GB #1 Thu May 16 13:22:19 GMT 2002 i686 unknown

I should post that info, along with references to the SuSE 8.0, in a brief intro paragraph. Maybe there's something wrong with the binaries on my platform.

Also, what user are you logged in as? Do you have access to the devices as this user? Notice I did everything as root; if I was a restricted user I could have run into problems... (I don't actually know for sure with the above commands, and I don't particularly care to reboot and find out).

***** Step 7, have fun, happy sleuthing....

HTH,
Sid.
From: Eagle I. S. <in...@ea...> - 2003-03-08 16:24:30
Ok. My machine is an 18GHz P4, 512 RAM, 60 Gig WD 7200 HD, Win2k installed on 20 Gigs, and SuSE 8.1 installed on the 404 Gig portion.

After walking through Sid's descriptions and checks, I was able to add the link. I won't bore you with the details. Thanks for the descriptions Sid, it provided a flashlight in an otherwise dark tunnel.

So I got my image to appear in Autopsy. However, when I went to add the image I ran into a snag, which I believe is due to the mounting point parameter. I entered the following attempts:

    /dev/hda1
    /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
    /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
    0

All to no avail. The Konqueror browser would attempt to load the data and then stall.

What should I enter as the mounting point? I was running Autopsy as the root user (i.e. from the prompt linux:/home/niallc).

At a loss at what to try next - any ideas greatly appreciated.

Thank you all again,
Niall.
From: Sid P. - S. P. <sp...@si...> - 2003-03-09 14:58:35
On Saturday 08 March 2003 16:19, Eagle Investigative Services wrote:
> Ok, My machine is a 18GHz P4, 512 RAM, 60 Gig WD 7200 HD, Win2k installed
> on 20 Gigs, and SuSE 8.1 installed on the 404 Gig portion.

20 Gigs is the size of the partition you're analysing then....

> So I got my image to appear in Autopsy. However, when I went to add the
> image I ran into a snag, which I believe is due to the mounting point parameter.

It looks like you don't understand the concept of a mounting point, and I notice that it's not documented in the online help. Here is my explanation for it, and others can pick up on where I go wrong or make wrong assumptions regarding task / autopsy.

A hard disk is a physical device that is loaded into your system. It typically is very large, in your case 60 Gigs. You have broken your disk into two, and I suspect 5 partitions. Windows gets a 20 gig partition, linux /boot maybe gets a 20Mb partition, linux swap gets probably 128Mb, and the balance goes for root.

Your disk will have primary partition /dev/hda1 and also partitions /dev/hda2 /dev/hda3 /dev/hda4

These /dev/hdx are how we reference the partitions in linux; this information is linux specific. Windows does not provide you with addressable device labels such as this and internally references the partitions something like ide0:1 to say first partition on IDE Bus 0.

The target operating system that uses the partitions mounts them into mount points. In linux your partitions might get mounted as:

    /dev/hda1 could get mounted to /windows/C
    /dev/hda2 could get mounted to /boot
    /dev/hda3 might not get mounted at all as it is swap
    /dev/hda4 might get mounted as /

I could have another disk, /dev/hdb, that I use for /var/logs, in which case /dev/hdb1 would get mounted to /var/logs.

If I ran windows on the same machine, windows would probably mount /dev/hda1 as C: (this is not guaranteed). If I had filesystem drivers for windows to read the linux partitions, it might mount /dev/hda2 as E: (assuming CD is D:), /dev/hda4 as F:, and /dev/hdb1 as F:

These are all mount points: / /boot C: D: E: F:

There is no information in the imaged partition to say what they are mounted as under a specific operating system, and they can be mounted under multiple operating systems as different mountpoints and used within the confines of that OS as that mountpoint.

Autopsy has no way then of knowing what the full path of a file was on a target system. It finds a deleted file temp/bossescc#.txt and on the original system that would have possibly been C:/temp/bossescc#.txt. On a linux system it might have been /temp/bossescc#.txt. C: and / are the mount points on the two respective systems, and this information needs to be given to autopsy in order for it to give you proper file paths back in its reports.

> I entered the following attempts
>
> /dev/hda1
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images
> /home/niallc/Desktop/Locker/Thismachine/WIN2000/images/hda1
> 0

The mounting point is just a label that autopsy is going to stick in front of all file paths that it gathers, so all of the above are relevant and "ok" to provide as mount points, but not necessarily correct when compared with the actual file system that you are analysing. They would not cause you any problems though.

> All to no avail. The Konqueror browser would attempt to load the data and
> then stall.

I assume that you saw "Stalled" in the status bar of Konqueror?

That means that Konqueror is stalled, waiting for more information; it does not mean that the process has failed. You were trying to load a 20gig partition; in my test I loaded a 10gig partition in the same manner as you, and it probably took a whole 10 mins to load. I actually left it run and came back to it a while later, and went again and came back to find:

    ----- Begin Sample Output -----
    Calculating MD5 of images/hda1
    Current MD5: 81C534B8FA3AACDC70E507A2975223A7
    <BR>Image: images/hda1 added to config file [OK]
    ----- End Sample Output -----

Sounds to me like you didn't wait long enough for the processing to get this far. 20gigs is a LOT of data to load; imagine how long it would take to load a text file 20gigs in size.....

> What should I enter as the mounting point?

Whatever the partition's mounting point was on the original system, presumably, but not always, C: in terms of the first partition on a windows system.

It is conceivable that on some machines, running dual OS, that a partition could get mounted under both OS, and you might have to run your analyses twice, one for each OS context. An example from my machine is my windows C:/documents and settings/administrator/my documents folder is actually a link that points to E:/home/dindang/Documents so that both my windows and linux profiles share the same "documents" folder. Obviously in the windows context the mount point for the partition that holds this folder is E: but on linux it's /

> I was running Autopsy as the root user (i.e. from the prompt
> linux:/home/niallc)

Sounds ok, little scary, but ok. Haven't actually tried to run autopsy as an unprivileged user; would probably work just fine as user niallc. Maybe someone can confirm?

> At a loss at what to try next - any ideas greatly appreciated.

Do it again, and this time instead of panicking, go and have a few beers. The "Stalled" status in Konqueror is not a panic signal; you should have been able to hear plenty of disk activity going on, and the "cog" in the top right hand corner of Konqueror's window should have been spinning. When that stops spinning, and you haven't got your output, then panic!

> Thank you all again,

More than welcome,

HTH,
Sid.
From: Sid P. - S. P. <sp...@si...> - 2003-03-09 15:16:18
On Sunday 09 March 2003 14:58, Sid Porter - Silent Partner wrote:
> Your disk will have primary partition /dev/hda1 and also partitions
> /dev/hda2 /dev/hda3 /dev/hda4

When I compiled this information I presented actual data from my own system, which is a notebook computer with a single IDE disk partitioned as above.

However, when I got the above labels from fdisk, I had to delete a large chunk of my pre-composed info that talked about a disk having max two partitions, primary and extended, and the extended holding logical partitions. My own setup contradicts this, and I can't even remember installing this system, it's that long ago.

What happened to the notion of extended partitions? Is this now obsolete with new IDE technology? Or just unnecessary for linux, and still used by Windows?

Sid.
From: Eagle I. S. <in...@ea...> - 2003-03-09 22:48:08
It appears that Autopsy takes a looong time to load the image. 3 hours for my 20 Gig partition. Only to find that I had forgotten to select NTFS on the drop down and was greeted with "error - not an FFS system".

Some other newbie points:

I found I could only create the symbolic link to dev/hda1 when I had navigated to the images directory within which I wished to create the symbolic link. Maybe this is something all experts of Unix know you should do, but I was logged in as root, so I assumed I had God-like powers to create links and directories at will. Not so, at least in my case.

When I did a dmesg on my drive, it came back with the following:

    hda1 hda2 <hda3 hda4 hda5>

Can anyone explain what's between the angled brackets? Hidden partitions? I know there's only two partitions on the drive.

Thanks for all the advice so far, and any pointers on the above.

Niall.

Also, is there an archive of these messages anywhere? Maybe some of my future questions have already been discussed and I'd like not to waste anyone's time.
From: Brian C. <bca...@at...> - 2003-03-10 02:51:52

On Sun, Mar 09, 2003 at 05:42:53PM -0500, Eagle Investigative Services wrote:
> It appears that Autopsy takes a looong time to load the image.
> 3 hours for my 20 Gig partition. Only to find that I had forgotten
> to select NTFS on the drop down and was greeted with "error - not
> an FFS system".

As Sid alluded to, it took so long because it was calculating the MD5 value of the partition (Although that is really long and slow!). Uncheck the 'Calculate MD5' if you need it to go faster.

Also, if you choose the wrong file system type, you can just edit the 'host.aut' file by hand and change the 'bsdi' field to 'ntfs'.

> Some other newbie points:
>
> I found I could only create the symbolic link to dev/hda1 when I had
> navigated to the images directory within which I wished to create the
> symbolic link. Maybe this is something all experts
> of Unix know you should do, but I was logged in as root, so I assumed
> I had God-like powers to create links and directories at will. Not so, at
> least
> in my case.

Symbolic links can be tricky about where they point to. In general, it is best to provide full paths for the source and destination. For example:

ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images/hda1

> When I did a dmesg on my drive, it came back with the following:
>
> hda1 hda2 <hda3 hda4 hda5>
>
> Can anyone explain what's between the angled brackets? Hidden
> partitions? I know there's only two partitions on the drive.

They are partitions. Use 'mount' to find out how many you are actually using.

> Also, is there an archive of these messages anywhere? Maybe some of my
> future
> questions have already been discussed and I'd like not to waste anyone's
> time.

There should be on the sourceforge site.

brian
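Why Brian's advice about full paths matters, as an added example (not code from the thread or from Autopsy): a symlink stores its target as literal text, and a relative target is resolved from the directory that holds the link, not from the directory the `ln -s` command was typed in. The script below reproduces the failure Niall hit, with a temporary directory standing in for the evidence locker, the assumed case/host names `case1/host1`, and a 512-byte file standing in for `/dev/hda1`; the `find_dangling_links` check is a small pre-flight test for an images directory.

```python
"""A relative symlink target is resolved from the directory that holds the
link, not from the shell's working directory, so `ln -s dev/hda1 ...` typed
anywhere but inside the images directory leaves a dangling link.  Added
example, not from the thread or from Autopsy: a temporary directory stands
in for the evidence locker and a 512-byte file for /dev/hda1."""
import os
import tempfile
from typing import Dict, List, Tuple

IMAGES_SUBDIR = os.path.join("case1", "host1", "images")   # assumed case/host names


def make_links(locker: str) -> Dict[str, dict]:
    """Create the two links inside <locker>/case1/host1/images and report how each resolves."""
    images = os.path.join(locker, IMAGES_SUBDIR)
    os.makedirs(images)

    # Constructed stand-in for the block device.
    device = os.path.join(locker, "dev", "hda1")
    os.makedirs(os.path.dirname(device))
    with open(device, "wb") as fh:
        fh.write(b"\x00" * 512)

    # The mistake: the link stores the literal text 'dev/hda1', which the
    # kernel resolves relative to .../images/, where no 'dev' directory exists.
    relative_link = os.path.join(images, "hda1-relative")
    os.symlink("dev/hda1", relative_link)

    # The recommended form: full path for both the source and the destination.
    absolute_link = os.path.join(images, "hda1")
    os.symlink(device, absolute_link)

    report = {}
    for name, link in (("relative", relative_link), ("absolute", absolute_link)):
        report[name] = {
            "target": os.readlink(link),            # text stored in the link
            "link_exists": os.path.lexists(link),   # the link entry itself is there
            "resolves": os.path.exists(link),       # ... but does its target exist?
            "resolved_to": os.path.realpath(link),  # where the kernel actually looks
        }
    return report


def find_dangling_links(images_dir: str) -> List[str]:
    """Pre-flight check for an images directory: names of links whose target is missing."""
    return sorted(
        entry for entry in os.listdir(images_dir)
        if os.path.islink(os.path.join(images_dir, entry))
        and not os.path.exists(os.path.join(images_dir, entry))
    )


def demo() -> Tuple[Dict[str, dict], List[str]]:
    """Run both steps in a throw-away locker and return (report, dangling)."""
    with tempfile.TemporaryDirectory() as locker:
        report = make_links(locker)
        dangling = find_dangling_links(os.path.join(locker, IMAGES_SUBDIR))
    return report, dangling


if __name__ == "__main__":
    report, dangling = demo()
    for name, info in report.items():
        print(f"{name:9s} -> {info['target']}  resolves={info['resolves']}  ({info['resolved_to']})")
    print("dangling links:", dangling)
```

The relative link shows up in a directory listing (so a "refresh" that only lists names would not reveal the problem) but resolves to `.../images/dev/hda1`, which does not exist; the absolute link resolves to the device file. Running `find_dangling_links` on the images directory before opening a case catches this class of setup mistake early.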
From: Eagle I. S. <in...@ea...> - 2003-03-10 04:12:50

Thanks Brian,

>> Also, if you
>> choose the wrong file system type, you can just edit the 'host.aut'
>> file by hand and change the 'bsdi' field to 'ntfs'.

That's good to know. I'm up and running with Autopsy now. I have to re-read the docs, but when I ran a keyword search on the string " *.eml ", it was still searching after an hour and a half. Is this normal? I know that Encase uses a version of grep that takes all night to search its proprietary images.

Is there a way to speed up the process in Autopsy? For example if I was looking for a person's name that I know is contained in a deleted email. Is there a way to quickly search for that or do I need to sit it out?

Thanks again in advance for all the help.....

Niall.
From: Brian C. <bca...@at...> - 2003-03-11 00:04:00

On Sun, Mar 09, 2003 at 11:07:27PM -0500, Eagle Investigative Services wrote:
> Thanks Brian,
>
> I have to re-read the docs, but when I ran a keyword search on
> the string " *.eml ", it was still searching after an hour and a half.
> Is this normal?

For your file system size and based on how long your MD5 took, yes.

> Is there a way to speed up the process in Autopsy? For example
> if I was looking for a person's name that I know is contained in
> a deleted email. Is there a way to quickly search for that or do I need
> to sit it out?

Use the 'Extract Strings' button from the bottom of the keyword search screen.

brian
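The idea behind "extract strings first" in Brian's answer, as an added example that is not code from the thread, from Autopsy or from The Sleuth Kit: the expensive linear pass over the image is done once, producing a table of printable runs with their byte offsets (what `strings -t d` prints), and every later keyword is searched in that much smaller table, with each hit mapped back to an image offset and sector. The image bytes, the name and the e-mail fragment below are constructed for the example; `search_raw` is included only as the reference search over the raw bytes so the two can be compared.

```python
"""Keyword search over an extracted strings table instead of the raw image.
Added example, not from the thread or from Autopsy / The Sleuth Kit: a
'strings'-style extractor (printable ASCII runs with their byte offsets)
plus a search over the resulting table that maps hits back to image
offsets and sectors.  The image bytes are constructed inline."""
import re
from typing import List, NamedTuple, Tuple

SECTOR = 512

# Constructed sample 'image': a zeroed sector, some binary noise, then a
# deleted e-mail fragment as it might survive in unallocated space.
SAMPLE_IMAGE = (
    b"\x00" * SECTOR
    + b"\xff\x8b\x10\x03MZ\x90\x00"
    + b"From: Jane Smith <jsmith@example.invalid>\r\n"
    + b"Subject: invoice.eml\r\n"
    + b"\x00\x00\x00"
    + b"Hello Jane Smith, attached.\r\n"
    + b"\x00" * 256
)


class Hit(NamedTuple):
    offset: int     # byte offset in the image
    sector: int     # offset // SECTOR, for jumping to the data unit
    match: str      # matched text
    context: str    # the whole extracted string the match came from


def extract_strings(image: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """One linear pass over the image (the expensive step, done once):
    return (offset, text) for every run of >= min_len printable ASCII bytes,
    like `strings -t d -n <min_len>`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def search_strings(table: List[Tuple[int, str]], keyword: str,
                   regex: bool = False, ignore_case: bool = True) -> List[Hit]:
    """Search the (much smaller) table; each later keyword reuses the same
    table instead of rescanning the image.  With regex=False the keyword is
    taken literally, so ' *.eml ' means that exact text, not a wildcard."""
    flags = re.IGNORECASE if ignore_case else 0
    pat = re.compile(keyword if regex else re.escape(keyword), flags)
    hits = []
    for offset, text in table:
        for m in pat.finditer(text):
            pos = offset + m.start()
            hits.append(Hit(pos, pos // SECTOR, m.group(), text))
    return hits


def search_raw(image: bytes, keyword: str, ignore_case: bool = True) -> List[int]:
    """Reference: the same literal search straight over the image bytes,
    i.e. the pass that has to be repeated for every new keyword."""
    flags = re.IGNORECASE if ignore_case else 0
    return [m.start() for m in re.finditer(re.escape(keyword.encode("ascii")), image, flags)]


if __name__ == "__main__":
    table = extract_strings(SAMPLE_IMAGE)
    for offset, text in table:
        print(f"{offset:8d}  {text}")
    for hit in search_strings(table, "jane smith"):
        print(f"hit at offset {hit.offset} (sector {hit.sector}): {hit.context!r}")
    print(search_strings(table, r"\S+\.eml", regex=True))
```

Two things worth noticing on realistic input: a literal search for `" *.eml "` finds nothing here because the `*` is not a wildcard in a literal search (a pattern such as `\S+\.eml` with `regex=True` is what finds the attachment name), and the sector number in each hit is what lets you go straight to the data unit that held the deleted e-mail.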
From: Silent P. <sp...@si...> - 2003-03-10 12:36:40

Brian,

> As sid alluded to, it took so long because it was calculating the MD5
> value of the partition (Although that is really long and slow!).

Perhaps an animated gif on the page to give people the feeling they've not been forgotten about? Just something to consider for roadmap / wishlist.

Sid
From: Brian C. <bca...@at...> - 2003-03-11 00:10:18

On Mon, Mar 10, 2003 at 12:36:43PM -0000, Silent Partner wrote:
> Brian,
>
> > As sid alluded to, it took so long because it was calculating the MD5
> > value of the partition (Although that is really long and slow!).
>
> Perhaps an animated gif on the page to give people the feeling they've not been
> forgotten about? Just something to consider for roadmap / wishlist.

I've thought of that, but there are two issues:

1. This would require two pages. One that displays the progress bar and the second that displays the "results" (either an MD5 value or search results). The current design does not really handle that.

2. I'm not a graphics guy and have no clue how to make an animated gif and will not use javascript. This is one of the limitations of only using basic HTML.

brian
From: Silent P. <sp...@si...> - 2003-03-10 09:46:27

Quoting: "Eagle Investigative Services"
> Also, is there an archive of these messages anywhere? Maybe some of my
> future
> questions have already been discussed and I'd like not to waste anyone's
> time.

List-Help: <mailto:sle...@li...?subject=help>
List-Post: <mailto:sle...@li...>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/sleuthkit-users>, <mailto:sle...@li...?subject=subscribe>
List-Id: TASK Discussion List <sleuthkit-users.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/sleuthkit-users>, <mailto:sle...@li...?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum=sleuthkit-users>

This type of information is usually always to be found inside the headers of mailing list email.

Sid.
From: Brian C. <bca...@at...> - 2003-03-10 02:42:26

> What happened to the notion of extended partitions? Is this now obsolete with
> new IDE technology? Or just unnecessary for linux, and still used by Windows?

Extended are still needed. The partition table in the first block of the disk has four entries in it. So, you can describe three primary partitions and then fill the rest of the disk with an extended partition. The extended partition has another table in it that is used to describe partitions in it. This repeats until all needed partitions can be described.

brian
From: Silent P. <sp...@si...> - 2003-03-10 12:45:57

Quoting: "Brian Carrier"
> Extended are still needed. The partition table in the first block of
> the disk has four entries in it. So, you can describe three primary
> partitions and then fill the rest of the disk with an extended
> partition. The extended partition has another table in it that is used
> to describe partitions in it. This repeats until all needed partitions
> can be described.

Just been doing some digging on this and have found out that a "pc style" partition map can have up to four primary partitions in it, but that the Microsoft tools only allow the creation of 1 primary partition. Microsoft can use and read up to four primary partitions created by other tools.

The notion of an extended partition was apparently a Microsoft hack to get around the limitation of 4 primary partitions, and to allow its own tools to create more than 1 primary partition. The extended partition consumes the remainder of the disk space not consumed by the primary partition, and holds its own partition table to reference the "logical" drives as Brian points out.

I've not discovered any limitation to the number of partitions / logical drives that an extended partition can have.

Just some partition-trivia.....

Sid.
From: Silent P. <sp...@si...> - 2003-03-10 13:45:25

Quoting: "Silent Partner"
> I've not discovered any limitation to the number of partitions / logical drives
> that an extended partition can have.

Now I have, it's 32.

> Just some partition-trivia.....
>
> Sid.
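Brian's and Sid's descriptions of the four-entry table and the chained extended partition, as an added example that is not code from the thread, from Autopsy or from The Sleuth Kit. The walker reads the four 16-byte entries at offset 446 of the MBR, and for an extended entry (type 0x05 or 0x0F) follows the chain of extended boot records (EBRs), each describing one logical partition and, optionally, the next link; logical starts are relative to their own EBR while link starts are relative to the extended partition itself, which is the detail that most hand-written walkers get wrong. The disk image is constructed inline (one NTFS primary, an extended partition with two logicals), the numbering follows the Linux convention (slots 1 to 4, logicals from 5; the `< ... >` in a dmesg partition line marks the logical partitions found inside an extended one), and the chain cap is set to the 32 Sid reports, used here only as a sanity bound. The `looped=True` image has a last EBR that links back to the first, to show the loop guard.

```python
"""DOS (MBR) partition table walker.  Added example, not from the thread or
from The Sleuth Kit: it reads the four 16-byte entries in the MBR, and for
an extended entry follows the chain of extended boot records (EBRs), each
of which describes one logical partition plus an optional link to the next
EBR.  The disk image is constructed inline; the 0x55AA signature check,
the chain cap and the loop guard are the defensive parts."""
import struct
from typing import Callable, List, NamedTuple, Tuple

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}   # DOS extended, Win95 extended (LBA)
MAX_LOGICAL = 32                # chain cap; the figure Sid reports, used as a sanity bound
ENTRY_FMT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446


class Partition(NamedTuple):
    kind: str        # "primary", "extended" or "logical"
    number: int      # Linux-style numbering: slots 1-4, logicals from 5
    ptype: int       # partition type byte
    start: int       # absolute LBA of the first sector
    size: int        # length in sectors


def parse_table(sector: bytes) -> List[Tuple[int, int, int]]:
    """Return the four (type, lba_start, size) entries from a boot sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        _status, _chs_s, ptype, _chs_e, lba, size = struct.unpack(ENTRY_FMT, raw)
        entries.append((ptype, lba, size))
    return entries


def walk_partitions(read_sector: Callable[[int], bytes],
                    max_logical: int = MAX_LOGICAL) -> List[Partition]:
    """read_sector(lba) -> 512 bytes.  Primaries come straight from the MBR;
    logicals are found by following the EBR chain inside the extended partition."""
    parts: List[Partition] = []
    extended_base = None
    for slot, (ptype, lba, size) in enumerate(parse_table(read_sector(0)), start=1):
        if ptype == 0:
            continue
        kind = "extended" if ptype in EXTENDED_TYPES else "primary"
        parts.append(Partition(kind, slot, ptype, lba, size))
        if kind == "extended":
            extended_base = lba
    if extended_base is None:
        return parts

    ebr_lba, number, seen = extended_base, 5, set()
    while len(seen) < max_logical and ebr_lba not in seen:
        seen.add(ebr_lba)                    # loop guard: a chain that points back is cut
        try:
            logical, link = parse_table(read_sector(ebr_lba))[:2]
        except ValueError:
            break                            # unreadable or unsigned EBR ends the chain
        if logical[0] != 0 and logical[2] != 0:
            # The logical entry's start is relative to this EBR's own sector.
            parts.append(Partition("logical", number, logical[0], ebr_lba + logical[1], logical[2]))
            number += 1
        if link[0] in EXTENDED_TYPES and link[2] != 0:
            # The link entry's start is relative to the start of the extended partition.
            ebr_lba = extended_base + link[1]
        else:
            break
    return parts


# ---- constructed disk image ------------------------------------------------

def _entry(ptype: int, lba: int, size: int) -> bytes:
    return struct.pack(ENTRY_FMT, 0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, size)


def _boot_sector(entries: List[Tuple[int, int, int]]) -> bytes:
    table = b"".join(_entry(*e) for e in entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\x00" * TABLE_OFFSET + table + b"\x55\xaa"


def build_disk(looped: bool = False) -> Callable[[int], bytes]:
    """Sparse image: one NTFS primary, an extended partition at LBA 2000 holding
    two logicals.  With looped=True the last EBR links back to the first one."""
    sectors = {
        0: _boot_sector([(0x07, 63, 1000), (0x05, 2000, 3000)]),
        2000: _boot_sector([(0x83, 63, 937), (0x05, 1000, 1000)]),   # logical 5, link to EBR at 3000
        3000: _boot_sector([(0x82, 63, 500)] + ([(0x05, 0, 1000)] if looped else [])),
    }
    return lambda lba: sectors.get(lba, b"\x00" * SECTOR)


if __name__ == "__main__":
    for p in walk_partitions(build_disk()):
        print(f"{p.kind:9s} {p.number}  type=0x{p.ptype:02x}  start={p.start}  size={p.size}")
```

On the constructed image the walker reports hda1 (NTFS) and hda2 (the extended container) from the MBR, then logicals 5 and 6 at absolute LBAs 2063 and 3063 from the two EBRs; the looped image yields the same four entries because the `seen` set stops the chain when it revisits LBA 2000. To run it against a real image, replace `build_disk()` with a function that seeks to `lba * 512` in the file and reads 512 bytes.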
From: Brian C. <bca...@at...> - 2003-03-10 02:31:50

On Sat, Mar 08, 2003 at 11:19:05AM -0500, Eagle Investigative Services wrote:
>
> All to no avail. The Konqueror browser would attempt to load the data and
> then
> stall.
>
> What should I enter as the mounting point?

The mounting point is purely cosmetic for reports and other places where the full path is given. It should be something like '/usr/' if the device is for the user partition or C: if it is from a Windows system.

Does it hang when the image is first opened or just with certain directories? Many browsers will hang when opening a large directory such as '/dev/' and some Windows directories.

brian