Thread: [sleuthkit-users] TSK Installation Issues
From: Brian S. <Br...@Pe...> - 2005-04-05 18:54:19
Hi everyone,

I have installed Red Hat 9.0. I am a little unsure as to how I get Sleuth Kit on my hard disk now. Here is what I have done:

Downloaded the source code from your website. Extracted the archived contents to my /home/brian directory. There is now a folder called Sleuthkit-2.00. I opened up the terminal window and logged in as root. I then went to the directory /home/brian/sleuthkit-2.00 and typed 'make'. After it finished I attempted to use fls, and it said the tool is not found. What am I doing wrong? I am obviously not a Linux guru.

Also, one other question. Is it possible to recover a deleted file created from within a previous operating system? For example, let's say I created a Microsoft Excel file using Windows 98. Then, I decided to format my entire hard disk and install Windows ME. I now have the image of the hard disk with the Windows ME operating system on it. Assuming the new operating system has not written to any of the sectors the Excel file is stored in, is it possible to restore the Excel file to its .xls format, or can we only view the strings from that file (keyword search through unallocated space)? A simple yes or no will really help.

Thanks so much!

Brian

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, March 24, 2005 7:00 PM
To: Brian Starr
Subject: Re: [sleuthkit-users] dls

On Mar 24, 2005, at 5:13 PM, Brian Starr wrote:

> Thanks, Brian. I guess the dls file does not have a number. I guess I need
> to figure out how to get from a byte offset to the exact location in the
> image. I just ordered your book. Does it go into all of this??

No. The book is more general and not specific about Linux or TSK.

How did you make the file? What did you type? Or, where did you get it from?

> Anyways, I have another issue. I am using the Penguin Sleuth Kit Bootable
> CD. When running the sorter on my image (using the command line), I get the
> following error:

The error is because the people who made the CD compiled TSK in one location and then moved it to a different one on the CD. I have nothing to do with the people who make the CD, they just have similar names.

brian
From: Barry J. G. <bg...@im...> - 2005-04-06 03:40:44
On Tue, 2005-04-05 at 11:54 -0700, Brian Starr wrote:

> After it finished I attempted to use fls, and it said the tool is not found.
> What am I doing wrong?

/home/brian/sleuthkit-2.00/bin is not in your path, so when you try and execute fls, you get a not found error. Unlike DOS/Win, Linux only looks in your path, not in the current directory. You have to be explicit.

The commands are located in the sleuthkit-2.00/bin directory. Change into that dir and use "./" in front of the command to execute from the current dir. "./fls -o xxxxx..etc" or use the full path to the command: "~brian/sleuthkit-2.00/bin/fls -o xxx..etc".

You could also just move all the bins to a directory in your path, but I prefer to leave them where they are.

> Is it possible to recover a deleted file created
> from within a previous operating system?

<snip>

> A simple yes or no will really help.

Possible, yes. Trivial, no.

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190 Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: Brian C. <ca...@sl...> - 2005-04-06 03:52:03
On Apr 5, 2005, at 1:54 PM, Brian Starr wrote:

> Hi everyone,
>
> I have installed Red Hat 9.0. I am a little unsure as to how I get Sleuth
> Kit on my hard disk now. Here is what I have done:
>
> Downloaded the source code from your website. Extracted the archived
> contents to my /home/brian directory. There is now a folder called
> Sleuthkit-2.00. I opened up the terminal window and logged in as root. I
> then went to the directory /home/brian/sleuthkit-2.00 and typed 'make'.
> After it finished I attempted to use fls, and it said the tool is not found.
> What am I doing wrong? I am obviously not a Linux guru.

As Barry said, edit your path or just go into the bin directory in TSK and use './fls'.

> Also, one other question. Is it possible to recover a deleted file created
> from within a previous operating system? For example, let's say I created a
> Microsoft Excel file using Windows 98. Then, I decided to format my entire
> hard disk and install Windows ME. I now have the image of the hard disk
> with the Windows ME operating system on it. Assuming the new operating
> system has not written to any of the sectors the Excel file is stored in, is
> it possible to restore the Excel file to its .xls format, or can we only
> view the strings from that file (keyword search through unallocated space)?
> A simple yes or no will really help.

The files may still be there if they have not been overwritten, but TSK will not find them. You need a carving tool, such as foremost (http://foremost.sf.net).

brian
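
The last reply names carving as the way to reach files that survive a reformat. As an added example (not part of the thread and not foremost's code), this Python code carves OLE2 compound files such as .xls out of a raw image by header signature and sizes each one from its FAT; the function names and the sample image are constructed for illustration. It assumes the file is stored contiguously and has at most 109 FAT sectors.

```python
import struct

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header signature of .xls/.doc containers
FREESECT = 0xFFFFFFFF                            # FAT marker for an unused sector

def ole2_length(img, off):
    """Length in bytes of a contiguous OLE2 file starting at img[off], else None."""
    hdr = img[off:off + 512]
    if len(hdr) < 512 or hdr[:8] != OLE2_MAGIC:
        return None
    byte_order, shift = struct.unpack_from("<HH", hdr, 28)
    n_fat = struct.unpack_from("<I", hdr, 44)[0]
    # Sanity checks reject chance hits on the magic; >109 FAT sectors is out of scope.
    if byte_order != 0xFFFE or shift not in (9, 12) or not 0 < n_fat <= 109:
        return None
    ssz, last_used = 1 << shift, -1
    for i, fat_sector in enumerate(struct.unpack_from("<%dI" % n_fat, hdr, 76)):
        pos = off + (fat_sector + 1) * ssz       # sector 0 follows the header sector
        fat = img[pos:pos + ssz]
        if len(fat) < ssz:
            return None                          # FAT outside image: truncated/fragmented
        for j, entry in enumerate(struct.unpack("<%dI" % (ssz // 4), fat)):
            if entry != FREESECT:
                last_used = i * (ssz // 4) + j   # highest allocated sector number
    return (last_used + 2) * ssz if last_used >= 0 else None

def carve_ole2(img):
    """Return [(offset, file_bytes)] for every OLE2 file found on a sector boundary."""
    found, off = [], 0
    while off + 512 <= len(img):
        n = ole2_length(img, off)
        if n and off + n <= len(img):
            found.append((off, img[off:off + n]))
            off += n                             # n is a multiple of 512: stays aligned
        else:
            off += 512                           # next disk sector
    return found

def sample_image():
    """Constructed data: 2 zero sectors, a 2048-byte OLE2 file, 3 filler sectors."""
    hdr = bytearray(OLE2_MAGIC.ljust(512, b"\x00"))
    # minor ver, major ver, byte order, sector shift, mini shift, dir sectors, FAT sectors
    struct.pack_into("<HHHHH6xII", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6, 0, 1)
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)   # FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFE, *[FREESECT] * 125)
    ole = bytes(hdr) + fat + b"D" * 512 + b"X" * 512
    return b"\x00" * 1024 + ole + b"\xaa" * 1536, ole

if __name__ == "__main__":
    print([(o, len(d)) for o, d in carve_ole2(sample_image()[0])])
```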