Thread: RE: [sleuthkit-users] Analyzing FreeBSD Partition
From: Brooks, P. <pre...@tw...> - 2006-02-24 20:52:49
Attachments:
PGPexch.htm.pgp
To provide more information, if I tell autopsy to treat my original image as a disk, this is what it identifies within:

Analysis of the image file shows the following partitions:

Partition 1 (Type: Swap (0x01))
Sector Range: 63 to 262206

Partition 2 (Type: Unused (0x00))
Sector Range: 63 to 19535039

Partition 3 (Type: 4.2BSD (0x07))
Sector Range: 262207 to 19535039

It is Partition 3 that is interesting to me.

Prentis Brooks

________________________________

From: sleuthkit-users-admin@lists.sourceforge.net [mailto:sleuthkit-users-admin@lists.sourceforge.net] On Behalf Of Brooks, Prentis
Sent: Friday, February 24, 2006 10:07 AM
To: sleuthkit-users@lists.sourceforge.net
Subject: [sleuthkit-users] Analyzing FreeBSD Partition

Hey All,
    I need some help trying to get sleuthkit to read an image pulled from a (reportedly) FreeBSD system.  The image was taken using dd of /dev/hda1.  Attempts to point autopsy at the image file using ufs, freebsd, and openbsd, all fail reporting that the image is not those filesystem types.  After reading volume 12 of the informer, I decided to try ripping the 4.2BSD image out:

mmls output of the resulting image file:

 /usr/local/sleuthkit/bin/mmls -t bsd hda1.img
BSD Disk Label
Sector: 1
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000062   0000000063   Unallocated
01:  01      0000000063   0000262206   0000262144   Swap (0x01)
02:  02      0000000063   0019535039   0019534977   Unused (0x00)
03:  00      0000262207   0019535039   0019272833   4.2BSD (0x07)

Using the following dd command: dd if=hda1.img bs=512 of=freebsd.dd skip=262207 count=19272833

however, the resulting freebsd.dd image has the same failures as the previous.  I have looked for any other references to the 4.2BSD but haven't found anything in particular about it.  Am I missing something?  Any help will be greatly appreciated.

Prentis Brooks
Enterprise Security Technical Manager
From: Brooks, P. <pre...@tw...> - 2006-02-24 22:07:34
So, I should have imaged /dev/had rather than /dev/hda1?

And no, not finding any "unix labelufs"

Although you have given me another tactic to attempt next week.  Thanks

Prentis Brooks

-----Original Message-----
From: Barry J. Grundy [mailto:bg...@im...]
Sent: Friday, February 24, 2006 4:54 PM
To: Brooks, Prentis
Cc: sleuthkit-users@lists.sourceforge.net
Subject: Re: [sleuthkit-users] Analyzing FreeBSD Partition

On Fri, 2006-02-24 at 10:07 -0500, Brooks, Prentis wrote:

> however, the resulting freebsd.dd image has the same failures as the
> previous.  I have looked for any other references to the 4.2BSD but
> haven't found anything in particular about it.  Am I missing
> something?  Any help will be greatly appreciated.

Hi Prentis,

I'm going to hazard a guess here... It looks like the file hda1.img is an image created via dd of a "freebsd partition", perhaps identified by linux fdisk (or sfdisk, etc.) In other words "not the whole disk".

Your mmls command shows you the disk label found in that partition, but the offsets given to the freebsd filesystem are relative to the *disk* (hda) not the partition (hda1).  So in trying to carve out the filesystem, you are passing an offset that is wrong.

That is a *guess*.

Have you used xxd (or other viewer) to look at the image and the results of your attempted carve?  Any "unix labelufs" strings?

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: Brian C. <ca...@sl...> - 2006-02-28 02:36:53
On Feb 24, 2006, at 5:06 PM, Brooks, Prentis wrote:

> So, I should have imaged /dev/had rather than /dev/hda1?

Yes, Barry is correct. You should have imaged /dev/hda AND you need to keep in mind that the offsets in the FreeBSD disk label are relative to the start of the disk and not relative to the start of the FreeBSD partition.

brian
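As an added illustration of the point Barry and Brian make (example code, not from the thread or from The Sleuth Kit): a small parser for the BSD disklabel at sector 1 of a slice that rebases its disk-relative starts into offsets valid for a slice-only image such as hda1.img. It assumes the standard x86 disklabel layout (magic 0x82564557 at bytes 0 and 132, 16-byte partition entries from byte 148) and, when no slice start is passed in, that slot 2 ('c') spans the whole slice; the sample label is constructed to reproduce the values in the thread's mmls output.

```python
import struct

SECTOR = 512
DISKMAGIC = 0x82564557            # BSD disklabel magic (little-endian on x86)

def parse_disklabel(label: bytes):
    """Parse the 512-byte BSD disklabel found at sector 1 of a slice.
    Returns (slot, start, length, fstype) tuples; starts are DISK-relative,
    exactly as mmls prints them, even when the image holds only the slice."""
    if struct.unpack_from("<I", label, 0)[0] != DISKMAGIC or \
       struct.unpack_from("<I", label, 132)[0] != DISKMAGIC:
        raise ValueError("no BSD disklabel magic at offsets 0 and 132")
    npart = struct.unpack_from("<H", label, 138)[0]
    parts = []
    for slot in range(npart):                      # 16-byte entries from byte 148
        size, off, _fsize, fstype, _frag, _cpg = struct.unpack_from(
            "<IIIBBH", label, 148 + 16 * slot)
        if size:                                   # skip empty slots
            parts.append((slot, off, size, fstype))
    return parts

def rebase_to_slice(parts, slice_start=None):
    """Translate disk-relative starts into offsets inside a slice-only image.
    Without slice_start, slot 2 ('c') is assumed to cover the whole slice;
    pass the value from the DOS partition table when you have the whole disk."""
    if slice_start is None:
        slice_start = next(off for slot, off, _, _ in parts if slot == 2)
    out = []
    for slot, off, size, fstype in parts:
        if off < slice_start:
            raise ValueError(f"slot {slot} starts before the slice")
        out.append((slot, off - slice_start, size, fstype))
    return out

def carve_command(image, out, part):
    """dd invocation carving one rebased partition out of a slice-only image."""
    _slot, off, size, _fstype = part
    return f"dd if={image} bs={SECTOR} of={out} skip={off} count={size}"

def build_sample_label():
    """Constructed label reproducing the values in the thread's mmls output."""
    label = bytearray(SECTOR)
    struct.pack_into("<I", label, 0, DISKMAGIC)
    struct.pack_into("<I", label, 132, DISKMAGIC)
    struct.pack_into("<H", label, 138, 8)
    # slot: (size, disk-relative offset, fstype); 'a' root, 'b' swap, 'c' slice
    for slot, (size, off, fstype) in {0: (19272833, 262207, 7), 1: (262144, 63, 1), 2: (19534977, 63, 0)}.items():
        struct.pack_into("<IIIBBH", label, 148 + 16 * slot, size, off, 2048, fstype, 8, 0)
    return bytes(label)
```

With the thread's numbers and a slice starting at disk sector 63, the 4.2BSD filesystem sits at image sector 262144 rather than 262207, which is why the original skip= value yielded an unrecognised filesystem. Imaging the whole disk, as Brian advises, avoids the translation altogether.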
From: Barry J. G. <bg...@im...> - 2006-02-24 22:15:44
On Fri, 2006-02-24 at 17:06 -0500, Brooks, Prentis wrote:

> And no, not finding any "unix labelufs"

Sorry, if you grep, use -i. The string is in all CAPS.

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
From: Brooks, P. <pre...@tw...> - 2006-02-28 03:10:40
Thanks Brian and Barry, after imaging /dev/hda, I was successful in gaining access to the filesystem. I appreciate everyone who provided me these tips regarding how BSD managed the devices.

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Mon 2/27/2006 9:36 PM
To: Brooks, Prentis
Cc: bg...@im...; sle...@li...
Subject: Re: [sleuthkit-users] Analyzing FreeBSD Partition

On Feb 24, 2006, at 5:06 PM, Brooks, Prentis wrote:

> So, I should have imaged /dev/had rather than /dev/hda1?

Yes, Barry is correct. You should have imaged /dev/hda AND you need to keep in mind that the offsets in the FreeBSD disk label are relative to the start of the disk and not relative to the start of the FreeBSD partition.

brian