Thread: [sleuthkit-users] Overwritten partition and filesystem and some Autopsy trouble
From: <spa...@gi...> - 2004-07-06 23:05:31
Hello,

I have a hard disk which has two partitions on it (one of type 0x41, one of type 0x83 which is Linux ext2). By accident I started a script which recreated the two partitions, recreated the two filesystems and recreated the directory structure the same way as it was before. So I can still mount the ext2 partition and have access to all my previous directories. But now they are empty :(

I tried to search for the inodes of the missing files without success. How do I actually have to proceed?

My second question concerns autopsy. I start autopsy with "./autopsy 9999 192.168.1.109" (192.168.1.109 is the IP address of another machine). I enter the long URL into a browser on the other machine but get HTTP 403 denied. Am I missing something?

Ciao,
Christof
From: <spa...@gi...> - 2004-07-06 23:11:22
Actually it is not a HTTP 403, but a HTTP 200 just saying "Access denied" ;)

Ciao,
Christof
From: <spa...@gi...> - 2004-07-07 14:48:10
I did. Actually the URL looks like http://192.168.1.150:9999/verylongnumericalstuff/autopsy

Ciao,
Christof

----- Original Message -----
From: "Matthew M. Shannon" <msh...@th...>
Sent: Wednesday, July 07, 2004 2:18 PM

Unless I'm not following you correctly, you need to add autopsy to the address line.

http://XX.XXX.XX.XXX:8080/autopsy

M Shannon
From: <spa...@gi...> - 2004-07-07 15:18:11
OK. I was thinking of standard cookies (i.e. embedded into the HTTP request body itself). Anyway: I just receive "document contains no data" with this modification :(

Ciao,
Christof

----- Original Message -----
From: "Matthew M. Shannon" <msh...@th...>
Sent: Wednesday, July 07, 2004 5:13 PM

Unless required by policy, don't use the cookie restrictions. What version of Autopsy are you using?

./autopsy -C 9090 [IP Address]

The -C will force the URL to not use the "long number" cookie restriction.

M
From: Brian C. <ca...@sl...> - 2004-07-07 16:57:41
On Jul 6, 2004, at 6:06 PM, Christof Baumgärtner wrote:

> I tried to search for the inodes of the missing files without success.
> How do I actually have to proceed?

If the file system data is gone (which probably occurred when you recreated the file systems), then your only bet is to use the "application-level" techniques for recovery and use a tool like foremost or another tool that looks at file headers.

> I enter the long URL into a browser on the other machine but get HTTP 403 denied. Am I missing something?

<later>

> Anyway: I just receive "document contains no data" with this modification :(

If using '-C' helped, then you were probably copying the cookie value incorrectly. Are you using IE as a client? I have had bad luck with IE giving the "document contains no data" errors and use Mozilla. I thought I fixed most of the problems a long time ago though. I have also seen those errors from running autopsy from within some versions of Cygwin.

Check the autopsy log in the evidence locker for more information on why the original connection was being denied.

brian
From: <spa...@gi...> - 2004-07-07 20:18:35
Oh dear. Unfortunately I can't use any application level techniques as the file in question is a raw 2GB MPEG TransportStream which does not carry any header or so :( The disk was built into a digital set-top box and the file is important evidence in a case... Seems I am out of luck today... Any other idea?

Hmm, after thinking about it

On the other problem: I copied the URL properly but it didn't work. Neither with IE6 nor Firefox 0.91. Anyway I finally got it working with the -C option.

Ciao,
Christof
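Brian's "application-level" recovery suggestion and Christof's objection that a raw MPEG transport stream carries no header together prompt this added example, which is not code from the thread or from The Sleuth Kit: an MPEG-TS is a sequence of 188-byte packets that each begin with the sync byte 0x47, so a carver can test for that fixed period instead of looking for a file header. The function names and the sample image are constructed for illustration.

```python
from collections import Counter

TS_PACKET = 188   # every TS packet is exactly 188 bytes
SYNC = 0x47       # and starts with this sync byte; there is no file header

def find_ts_runs(data, min_packets=4):
    """Return (offset, packet_count) for each run of at least min_packets
    sync bytes spaced exactly 188 bytes apart. A stray 0x47 in unrelated
    data fails the periodicity test and is skipped."""
    runs, i, last = [], 0, len(data) - TS_PACKET
    while i <= last:
        if data[i] == SYNC:
            j = i
            while j <= last and data[j] == SYNC:
                j += TS_PACKET
            count = (j - i) // TS_PACKET
            if count >= min_packets:
                runs.append((i, count))
                i = j
                continue
        i += 1
    return runs

def parse_header(pkt):
    """Decode the 4-byte TS packet header (ISO/IEC 13818-1 field layout)."""
    return {
        "tei": bool(pkt[1] & 0x80),   # transport_error_indicator
        "pusi": bool(pkt[1] & 0x40),  # payload_unit_start_indicator
        "pid": ((pkt[1] & 0x1F) << 8) | pkt[2],
        "cc": pkt[3] & 0x0F,          # continuity_counter
    }

def pid_histogram(data, offset, count):
    """PIDs seen in a run; a genuine stream shows a small repeating set."""
    starts = range(offset, offset + count * TS_PACKET, TS_PACKET)
    return Counter(parse_header(data[o:o + 4])["pid"] for o in starts)

def carve(data, runs):
    """Concatenate detected runs into a TS fragment a player can open."""
    return b"".join(data[o:o + n * TS_PACKET] for o, n in runs)

# Constructed sample image (not real evidence): zero filler containing one
# stray 0x47, six genuine packets, then unrelated bytes.
def _packet(pid, cc):
    hdr = bytes([SYNC, (pid >> 8) & 0x1F, pid & 0xFF, 0x10 | (cc & 0x0F)])
    return hdr + b"\xFF" * (TS_PACKET - 4)

SAMPLE_IMAGE = (b"\x00" * 300 + b"\x47" + b"\x00" * 200
                + b"".join(_packet(p, i) for i, p in enumerate([0, 256, 256, 4096, 256, 0]))
                + b"\xAA" * 100)
```

On a real dd image of the partition, pass an mmap of the file instead of SAMPLE_IMAGE so a 2GB stream is not read into memory at once. A run whose PID histogram is dominated by a couple of PIDs and whose continuity counters advance by one per PID is very likely the recording rather than coincidental 0x47 bytes.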