Thread: [sleuthkit-users] extracting .E01 and .Ex01 metadata
From: Bala <bal...@cs...> - 2013-09-12 07:42:55
Hi Guys,

I'm a newbie to TSK. Could someone help me figure out which classes and methods I need to use to get the following details from .E01 and .Ex01 files?

1. Extract metadata from the forensic image
2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.

Environment
TSK Version 4.1.0 Core (not the framework)
OS version: Windows 7 / Windows 2008 R2

Regards
Bala
From: Simson G. <si...@ac...> - 2013-09-12 12:17:18
Why do you want to use classes and methods?

For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?
For #2 - Perhaps you want to use tsk_recover?

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
From: Bala <bal...@cs...> - 2013-09-13 05:50:21
Simson,

I presume ewfinfo & tsk_recover would suit me ideally according to the descriptions that I find; however, I'm unable to locate their method signatures, which could help me write managed .Net code to call them.

Could you help me find them (method signatures) in this, please?
http://www.sleuthkit.org/sleuthkit/docs/api-docs/index.html

Regards
Bala
From: Simson G. <si...@ac...> - 2013-09-13 12:45:11
Bala,

I think that you have a fundamental misunderstanding about the tools you are using.

There are no "method signatures" here. ewfinfo and tsk_recover are both command-line C++ tools. ewfinfo is built upon libewf, which is a C library. There is also libewfcs, which is a C# implementation of the EWF format. tsk_recover is based on The SleuthKit, which is a C/C++ library. There is no managed code interface, but I believe that there is a JNI interface that you could call from Java.

I'm not sure what you are trying to do, but I suspect that you need to focus on your desired outcome, rather than on the toolset.
From: Bala <bal...@cs...> - 2013-09-16 09:24:14
Simson,

Here's what I'm trying to do: develop a program on the .Net platform to do the following.

1. Extract metadata from the forensic image (Investigator, case number etc.)
2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files

I can't use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question.

BTW tsk_recover doesn't seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose?

Regards
Bala
From: Greg F. <gre...@gm...> - 2013-09-16 11:58:41
Bala,

Simson is an expert on your question, but so is the team writing plaso. The plaso team is writing in Python.

Libewf is a C library for working with E01 images and can pull out the metadata for you. It is not part of sleuthkit. I believe it has an LGPL license, so you don't have to worry about license issues.

I suggest you check out the plaso choices of libraries and how the workflow proceeds. I've only used it in Linux. In Linux the plaso workflow is:

Use mmls (from sleuthkit) to pull the partition table info. Offsets are in sectors.

You can then call log2timeline.py to parse a partition. It requires you to pass in the offset. It uses pytsk as a Python wrapper around libtsk to parse the filesystem. Libtsk is the core library which sleuthkit provides. In general they don't extract the files, but I think they have a Python program that will extract the registry files that you could look at to see how they use libtsk to do that.

In Linux they have found their multi-threaded app works poorly if pointed directly at the E01 image; they recommend using ewfmount (included in libewf) as an image decoder and cache. It creates a virtual file that is the equivalent of a non-segmented dd image. The user just points log2timeline.py at the virtual dd image.

They also use libvshadow to provide access to the volume shadow copies. It too has an LGPL license, I believe.

Hope that helps,
Greg

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
From: Simson G. <si...@ac...> - 2013-09-16 12:41:39
All,

libewfcs is a complete reimplementation of libewf in C#. It is what Bala needs for the first requirement. The second requirement can be done almost entirely with existing tools.

Simson
From: Jon S. <jo...@li...> - 2013-09-16 13:07:29
It sounds like what you want is TskAuto, which is a C++ class that you inherit from with your own class, and then it will iterate over all the files in a device. It is pretty well documented on sleuthkit.org. You will still need to familiarize yourself with the TSK_FS_FILE struct and use related APIs for reading file contents, but TskAuto solves the recursive descent problem and gives you a good starting point.

As far as I am aware, nothing other than EnCase reads Ex01 files yet. The spec for it is open, but it doesn't have a lot of detail.

Jon
From: Greg F. <gre...@gm...> - 2013-09-16 13:20:53
Jon Stewart <jo...@li...> wrote:
> As far as I am aware, nothing other than EnCase reads Ex01 files yet. The spec for it is open, but it doesn't have a lot of detail.

Libewf has experimental support of the base format: <http://code.google.com/p/libewf/>

I only use E01 (and dd) so I don't know how well it works.

Greg

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
From: Brian C. <ca...@sl...> - 2013-09-16 13:32:23
On Sep 16, 2013, at 5:24 AM, Bala <bal...@cs...> wrote:

> I can't use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question

Have you looked into this project: http://sleuthkitsharp.codeplex.com/

> BTW tsk_recover doesn't seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose ?

It should. That's its only purpose in life. Are you getting an error?
From: Bala <bal...@cs...> - 2013-09-17 04:38:09
@Brian
tsk_recover says 0 file recovered. I'm yet to figure out what that means.

Sleuthkitsharp is something that I've tried; however, it's got two problems. First, it was developed for TSK version 3, and with TSK version 4 it seems to have some errors. Second, it doesn't have an active developer community; it was last updated in September 2011 and since then no updates.

@Simson
Libewfcs again has the same problem that I mentioned above. It doesn't have an active developer community, and that's something very risky for my project. I'd rather write my own wrapper over libewf than use libewfcs.

Regards
Bala
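Bala's stated direction, a thin .Net wrapper over libewf rather than libewfcs, is illustrated below with an added C# P/Invoke example; it is not code from the thread, from libewf or from libewfcs. It assumes the native library loads under the name libewf (libewf.dll on Windows), that the declarations and constant values shown (LIBEWF_ACCESS_FLAG_READ = 0x01, LIBEWF_FORMAT_UNKNOWN = 0x00) match the installed libewf.h of the 2013-era releases, and it uses a placeholder image path; the header identifiers (case_number, examiner_name, ...) are the strings libewf's own header-value macros pass.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

// Hypothetical P/Invoke wrapper over libewf's C API. Assumed: the native library is
// loadable as "libewf" (libewf.dll on Windows), and the signatures and constants below
// match the installed libewf.h; check them against your release before relying on it.
static class EwfHeader
{
    const string Lib = "libewf";
    const int LIBEWF_ACCESS_FLAG_READ = 0x01;  // read-only open
    const byte LIBEWF_FORMAT_UNKNOWN = 0x00;   // lets libewf_glob detect the segment naming

    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int libewf_glob(string filename, UIntPtr filenameLength, byte format,
        out IntPtr filenames, out int numberOfFilenames, ref IntPtr error);
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int libewf_glob_free(IntPtr filenames, int numberOfFilenames, ref IntPtr error);
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int libewf_handle_initialize(out IntPtr handle, ref IntPtr error);
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int libewf_handle_open(IntPtr handle, IntPtr filenames, int numberOfFilenames,
        int accessFlags, ref IntPtr error);
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int libewf_handle_get_utf8_header_value(IntPtr handle, byte[] identifier,
        UIntPtr identifierLength, byte[] value, UIntPtr valueSize, ref IntPtr error);
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int libewf_handle_close(IntPtr handle, ref IntPtr error);
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int libewf_handle_free(ref IntPtr handle, ref IntPtr error);

    // libewf returns 1 when the value is present, 0 when the image has no such header
    // entry, and -1 on error; the identifier length excludes the terminating NUL.
    static string HeaderValue(IntPtr handle, string identifier)
    {
        byte[] id = Encoding.ASCII.GetBytes(identifier);
        byte[] buf = new byte[1024];
        IntPtr err = IntPtr.Zero;
        int rc = libewf_handle_get_utf8_header_value(handle, id, (UIntPtr)id.Length,
                                                     buf, (UIntPtr)buf.Length, ref err);
        if (rc < 0) throw new InvalidOperationException("libewf failed reading " + identifier);
        if (rc == 0) return null;
        int end = Array.IndexOf(buf, (byte)0);
        return Encoding.UTF8.GetString(buf, 0, end < 0 ? buf.Length : end);
    }

    static void Main(string[] args)
    {
        // Placeholder path: any segment of the image; libewf_glob finds the rest (.E01, .E02, ...).
        string first = args.Length > 0 ? args[0] : @"C:\evidence\image.E01";
        IntPtr err = IntPtr.Zero, names, handle;
        int count;
        if (libewf_glob(first, (UIntPtr)first.Length, LIBEWF_FORMAT_UNKNOWN, out names, out count, ref err) != 1)
            throw new InvalidOperationException("no EWF segments found for " + first);
        if (libewf_handle_initialize(out handle, ref err) != 1 ||
            libewf_handle_open(handle, names, count, LIBEWF_ACCESS_FLAG_READ, ref err) != 1)
            throw new InvalidOperationException("could not open EWF image");
        Console.WriteLine("segments: {0}", count);
        foreach (string key in new[] { "case_number", "examiner_name", "evidence_number",
                                       "description", "acquiry_date" })
            Console.WriteLine("{0,-16} {1}", key, HeaderValue(handle, key) ?? "(not set)");
        libewf_handle_close(handle, ref err);
        libewf_handle_free(ref handle, ref err);
        libewf_glob_free(names, count, ref err);
    }
}
```

This covers only the first requirement (acquisition metadata from the EWF header); enumerating and copying files inside the image still needs libtsk or TskAuto working on the decoded media that libewf exposes.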