Thread: [sleuthkit-users] dls
From: Brian S. <Br...@Pe...> - 2005-03-23 17:33:35
Hi everyone,

From the command line, I used dls to extract the unallocated space from my image file. I then used strings to pull the text out from the dls file. I then used grep to do a keyword search. My question is what does the number (address) mean from the dls file? How can I go from the number in the dls file to the exact location in the image? Or, how would I get to the sector that the data from the search resides in? The image is fat32. If someone can offer an explanation of how to do this using the command line and autopsy, that would really help out. I reviewed the sleuth-kit informers, but was unable to find the specifics of how this could be done. I obviously need to study up on the fat 32 file system. Any help is mucho appreciated.

Also, does anyone know when the book, File System Forensic Analysis, will be available?

Thanks,
Brian
From: Geert V. A. <gee...@pa...> - 2006-05-10 19:41:25
Dear Brian and list members,

Two little questions about dls.

1. dls extracts all unallocated data blocks (addressable disk units).
   Assumption: dls also copies the slack space of an image, as long as these are addressable disk units.
   Question: What about the bytes between the last byte of a regular file and the beginning of the next data block? Is there a way to copy them out?

2. What is the file structure of a dls output file? dls keeps the byte offset of the fragment, so is it something like:
   254: data_of_the_block
   289: data_of_another_block
   ... ?

Thanks for your help!
Geert
From: Brian C. <ca...@sl...> - 2006-05-10 21:26:00
Geert VAN ACKER wrote:
> Dear brian and list members,
>
> two little questions about dls.
>
> 1. dls extracts all unallocated data blocks (addressable disk units)
> Assumption: dls also copies the slack space of an image, as long as
> these are addressable disk units.
> Question: What about the bytes between the last byte of a regular file
> and the beginning of the next data block? Is there a way to copy them out?

They are only copied out if you use the '-s' flag, in which case only the slack space blocks are copied out (and the file data is zeroed out).

> 2. What is the file structure of a dls output file. dls keeps the byte
> offset of the fragment, so is it something like:
> 254: data_of_the_block 289: data_of_another_block ... ?

The default output of dls is a raw data file that is block aligned. I.e. if the first unallocated block is block 50 then it would be the first block in the output. You can use dcalc to link between dls addresses and normal addresses. 'dls -l' will also give you that information.

brian
From: Jacob K. <jac...@gm...> - 2005-03-23 20:19:33
File System Forensic Analysis book:

I pre-ordered the book from www.awprofessional.com and received it in the mail yesterday. If you become a "member" of the site (which consists of signing up for a free account) they sell the book for $34.99. AW sends promotional codes for 35% off your next purchase in the notification emails too. Not to toot AW's horn, but it sure beats paying $49.99 at amazon or bn.com. (Hopefully, this doesn't take away from anything that you make, Brian. Sorry.)

Jacob

On Wed, 23 Mar 2005 09:33:13 -0800, Brian Starr <Br...@pe...> wrote:
>
> Hi everyone,
>
> From the command line, I used dls to extract the unallocated space from my
> image file. I then used strings to pull the text out from the dls file. I
> then used grep to do a keyword search. My question is what does the number
> (address) mean from the dls file? How can I go from the number in the dls
> file to the exact location in the image? Or, how would I get to the sector
> that the data from the search resides in? The image is fat32. If someone
> can offer explanation how to do this using the command line and autopsy,
> that would really help out. I reviewed the sleuth-kit informers, but was
> unable to find how the specifics of how this could be done. I obviously
> need to study up on fat 32 file system. Any help is mucho appreciated.
>
> Also, does anyone know when the book, File System Forensic Analysis will be
> available?
>
> Thanks,
> Brian
From: Matthew M S. <mm...@ta...> - 2005-03-23 20:32:41
Thanks for the info Jacob.. Now a review of the book would be really great....

M. Shannon

On Wed, 2005-03-23 at 15:19, Jacob Kitchel wrote:
> File System Forensic Analysis book:
>
> I pre-ordered the book from www.awprofessional.com and received it in
> the mail yesterday. If you become a "member" of the site (which
> consists of signing up for a free account) they sell the book for
> $34.99. AW sends promotional codes for 35% off your next purchase in
> the notification emails too. Not to toot AW's horn, but it sure beats
> paying $49.99 at amazon or bn.com. (Hopefully, this doesn't take away
> from anything that you make Brian. Sorry.)
>
> Jacob
>
>
> On Wed, 23 Mar 2005 09:33:13 -0800, Brian Starr <Br...@pe...> wrote:
> >
> > Hi everyone,
> >
> > From the command line, I used dls to extract the unallocated space from my
> > image file. I then used strings to pull the text out from the dls file. I
> > then used grep to do a keyword search. My question is what does the number
> > (address) mean from the dls file? How can I go from the number in the dls
> > file to the exact location in the image? Or, how would I get to the sector
> > that the data from the search resides in? The image is fat32. If someone
> > can offer explanation how to do this using the command line and autopsy,
> > that would really help out. I reviewed the sleuth-kit informers, but was
> > unable to find how the specifics of how this could be done. I obviously
> > need to study up on fat 32 file system. Any help is mucho appreciated.
> >
> > Also, does anyone know when the book, File System Forensic Analysis will be
> > available?
> >
> > Thanks,
> > Brian

--
Matthew M. Shannon, CIFI, CISSP
Principal
Agile Risk Management LLC
www.agilerm.net
msh...@ag...
(c)813.732.5076 (o)1.877.AGILE13 (244.5313)
From: Brian C. <ca...@sl...> - 2005-03-24 05:37:20
On Mar 23, 2005, at 12:33 PM, Brian Starr wrote:
> Hi everyone,
>
> From the command line, I used dls to extract the unallocated space
> from my image file. I then used strings to pull the text out from the
> dls file. I then used grep to do a keyword search. My question is
> what does the number (address) mean from the dls file?

What number are you referring to? Is the number from strings? Or grep? If you extract the unallocated content, dls is not giving a number. If grep or strings is, then it is the byte offset.

> How can I go from the number in the dls file to the exact location in
> the image?

Check out the dcalc tool. Its purpose is to calculate the location of a block in a dls image to a block in the original image.

> Also, does anyone know when the book, File System Forensic Analysis
> will be available?

It was shipped from the warehouse late last week, so it should be in stores this week and it seems that those who ordered it from the publisher already have it...

brian
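The arithmetic behind the two answers above (a byte offset reported by strings or grep on the dls file, a dls file that is the block-aligned concatenation of unallocated blocks in address order, and dcalc to get from the dls block number back to the original address), as an added worked example. This is illustrative Python written for this thread, not part of The Sleuth Kit: it builds a constructed eight-block image and allocation map with a 512-byte unit size, and stands in for `dcalc -u` with a lookup over the list of unallocated addresses.

```python
# Added example for this thread, not code from The Sleuth Kit.
# Assumptions (all constructed): 512-byte addressable units, an allocation
# map built inline, and dls output that is the block-aligned concatenation of
# unallocated blocks in ascending address order. Against a real image the last
# step is what 'dcalc -u <dls block> image' does for you.

BLOCK_SIZE = 512  # constructed unit size; fsstat reports the real one


def unallocated_blocks(alloc_map):
    """Addresses of unallocated blocks, ascending (the order dls exports them)."""
    return [addr for addr, used in enumerate(alloc_map) if not used]


def make_dls_output(image, alloc_map, block_size=BLOCK_SIZE):
    """Concatenate unallocated blocks, block aligned, like default dls output."""
    out = bytearray()
    for addr in unallocated_blocks(alloc_map):
        out += image[addr * block_size:(addr + 1) * block_size]
    return bytes(out)


def dls_offset_to_image(dls_offset, alloc_map, block_size=BLOCK_SIZE):
    """Translate a byte offset reported by strings/grep on the dls file.

    Returns (dls_block, original_block, image_byte_offset):
    dls_block is the block number inside the dls file (what you give dcalc -u),
    original_block is the address of that block in the original image.
    """
    dls_block, within = divmod(dls_offset, block_size)
    unalloc = unallocated_blocks(alloc_map)
    if dls_block >= len(unalloc):
        raise ValueError("offset %d lies beyond the dls output" % dls_offset)
    original_block = unalloc[dls_block]
    return dls_block, original_block, original_block * block_size + within


def keyword_hits(dls_data, keyword, alloc_map, block_size=BLOCK_SIZE):
    """Find every occurrence of keyword in the dls data and map each hit back."""
    hits = []
    pos = dls_data.find(keyword)
    while pos != -1:
        hits.append(dls_offset_to_image(pos, alloc_map, block_size))
        pos = dls_data.find(keyword, pos + 1)
    return hits


def build_sample_image():
    """Constructed 8-block image with the keyword in one unallocated and one
    allocated block; only the unallocated copy can show up in dls output."""
    alloc_map = [True, True, False, True, False, False, True, False]
    image = bytearray(BLOCK_SIZE * len(alloc_map))
    word = b"evidence"
    # block 5 (unallocated), in-block offset 100: this is the hit we expect
    image[5 * BLOCK_SIZE + 100:5 * BLOCK_SIZE + 100 + len(word)] = word
    # block 3 (allocated), in-block offset 20: dls does not export this block
    image[3 * BLOCK_SIZE + 20:3 * BLOCK_SIZE + 20 + len(word)] = word
    return bytes(image), alloc_map


if __name__ == "__main__":
    image, alloc_map = build_sample_image()
    dls_data = make_dls_output(image, alloc_map)
    for dls_block, orig, off in keyword_hits(dls_data, b"evidence", alloc_map):
        print("dls block %d -> original block %d (image byte offset %d)"
              % (dls_block, orig, off))
```

With the constructed map the unallocated blocks are 2, 4, 5 and 7, so block 5 is the third block of the dls file; a grep offset of 1124 in that file is dls block 2, which maps to original block 5 and image byte 2660. On a real image the steps are the same: integer-divide the grep offset by the block size fsstat reports to get the dls block number, then hand that number to dcalc -u against the image to get the original address.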