Thread: [sleuthkit-users] Using mac-robber
From: Thanh T. <ttr...@ya...> - 2003-12-10 18:16:05
Hi,

I'm thinking of moving from "grave-robber" to "mac-robber". Could anyone tell me if "mac-robber" has everything that "grave-robber" has and more? Or "grave-robber" has some functionalities that "mac-robber" doesn't have.

Thanks.
From: Brian C. <ca...@sl...> - 2003-12-10 20:02:06
> I'm thinking of moving from "grave-robber" to
> "mac-robber". Could anyone tell me if "mac-robber"
> has everything that "grave-robber" has and more? Or
> "grave-robber" has some functionalities that
> "mac-robber" doesn't have. Thanks.

Thanh,

They are MUCH different. mac-robber only grabs the MAC time info (grave-robber -m I think) and that is it. grave-robber copies binaries, grabs logs and lots of other things that I have forgotten. I found grave-robber to be too big for incident response and this is the more focused version. mac-robber can send the data to a remote host with netcat, which can't be done in grave-robber (which writes data to the local system or a network share).

I actually find mac-robber only useful in scenarios where The Sleuth Kit doesn't support the platform. The Sleuth Kit will give you the timelines with deleted files and it can bypass the kernel rootkits.

brian
From: Angus M. <an...@n-...> - 2003-12-13 13:06:21
I've been running some fairly long analysis sessions using Autopsy 1.75/Sleuthkit 1.66 recently and have noticed my system running slower and slower over time.....

Checking ps shows that there are a *lot* of zombied processes hanging around in the system. Closer inspection suggests it may be some unwanted interaction between KDE-launched mozilla and autopsy in fact. Here's the ps output for the latest session (just started) :

500   2264  0.0  0.4  4416  1064 ?     S    12:44   0:00 /bin/bash -c ps x |grep -q '[m]ozilla' && mozilla -remote "openURL(`echo 'http://localhost:9000/37201582871632651365/autopsy'`, new-window)" || mozilla 'http://localhost:9000/37201582871632651365/autopsy'
500   2283  4.5 11.7 49740 29296 ?     S    12:44   0:48 /usr/lib/mozilla-1.4.1/mozilla-bin http://localhost:9000/37201582871632651365/autopsy
500   2292  0.0 11.7 49740 29296 ?     S    12:44   0:00 /usr/lib/mozilla-1.4.1/mozilla-bin http://localhost:9000/37201582871632651365/autopsy
500   2293  0.0 11.7 49740 29296 ?     S    12:44   0:00 /usr/lib/mozilla-1.4.1/mozilla-bin http://localhost:9000/37201582871632651365/autopsy
500   2294  0.0 11.7 49740 29296 ?     S    12:44   0:00 /usr/lib/mozilla-1.4.1/mozilla-bin http://localhost:9000/37201582871632651365/autopsy
500   2296  0.0 11.7 49740 29296 ?     S    12:44   0:00 /usr/lib/mozilla-1.4.1/mozilla-bin http://localhost:9000/37201582871632651365/autopsy
500   2318  0.0 11.7 49740 29296 ?     S    12:44   0:00 /usr/lib/mozilla-1.4.1/mozilla-bin http://localhost:9000/37201582871632651365/autopsy
root  2401  0.0  0.0     0     0 pts/1 Z    12:44   0:00 [autopsy <defunct>]
root  2417  0.0  0.0     0     0 pts/1 Z    12:45   0:00 [autopsy <defunct>]
root  2429  0.0  0.0     0     0 pts/1 Z    12:45   0:00 [autopsy <defunct>]
root  2431  0.0  0.0     0     0 pts/1 Z    12:45   0:00 [autopsy <defunct>]
root  2454  0.0  0.0     0     0 pts/1 Z    12:45   0:00 [autopsy <defunct>]
root  2455  0.0  0.0     0     0 pts/1 Z    12:45   0:00 [autopsy <defunct>]
root  2458  0.0  0.0     0     0 pts/1 Z    12:45   0:00 [autopsy <defunct>]
root  2467  0.0  0.9 10620  2296 pts/1 S    12:45   0:00 /usr/bin/perl -wT ./autopsy 9000 localhost

Anyone happen to know of a cure for this ? (Fedora Core1, custom 2.4.22 kernel)

And on an unrelated note - would anyone object to me posting a call for papers for a conference (digital evidence), that I'm chairing early next year, on this list ?
From: Brian C. <ca...@sl...> - 2003-12-15 07:35:07
On Saturday, December 13, 2003, at 08:04 AM, Angus Marshall wrote:

> I've been running some fairly long analysis sessions using Autopsy
> 1.75/Sleuthkit 1.66 recently and have noticed my system running slower
> and slower over time.....
>
> Checking ps shows that there are a *lot* of zombied processes hanging
> around in the system. Closer inspection suggests it may be some unwanted
> interaction between KDE-launched mozilla and autopsy in fact. Here's the
> ps output for the latest session (just started) :

Wow, these all exist just from opening the main menu window? Autopsy does a wait for the children processes, so I wonder what is unique about this setup that causes the children to stay around. I'm surprised that Mozilla is in a non-zombie state. I'll add a bug entry and look into this. Can you try a different browser and see if the same thing happens (lynx will even work).

> And on an unrelated note - would anyone object to me posting a call
> for papers for a conference (digital evidence), that I'm chairing early
> next year, on this list ?

Nope. You may want to also consider the DFSci list at http://www.dfrws.org/listsrv/.

thanks,
brian
From: Angus M. <an...@n-...> - 2003-12-15 20:18:16
On Monday 15 December 2003 07:35, Brian Carrier wrote:

> On Saturday, December 13, 2003, at 08:04 AM, Angus Marshall wrote:
> > I've been running some fairly long analysis sessions using Autopsy
> > 1.75/Sleuthkit 1.66 recently and have noticed my system running slower
> > and slower over time.....
> >
> > Checking ps shows that there are a *lot* of zombied processes hanging
> > around in the system. Closer inspection suggests it may be some unwanted
> > interaction between KDE-launched mozilla and autopsy in fact. Here's the
> > ps output for the latest session (just started) :
>
> Wow, these all exist just from opening the main menu window? Autopsy
> does a wait for the children processes, so I wonder what is unique
> about this setup that causes the children to stay around. I'm
> surprised that Mozilla is in a non-zombie state. I'll add a bug entry
> and look into this. Can you try a different browser and see if the
> same thing happens (lynx will even work).

OK - tried it with konqueror - opened an existing case and got this :

root 19727  1.7  2.6 10472  6680 pts/2 S 20:12   0:01 /usr/bin/perl -wT ./autopsy 9000 localhost
root 19822  0.2  0.0     0     0 pts/2 Z 20:13   0:00 [autopsy <defunct>]
root 19825  0.7  0.0     0     0 pts/2 Z 20:13   0:00 [autopsy <defunct>]

The good news - using lynx doesn't cause the same problem. I wonder if there's something out of spec about the way konqueror and mozilla are handling the HTTP streams - would the HTTP version matter ? (I'm wondering about keepalives). Interestingly - they're not what I was brought up to consider real zombies. They do die when the parent process is killed.
From: Enda C. <en...@co...> - 2003-12-15 20:51:08
Quoting: "Angus Marshall"

> The good news - using lynx doesn't cause the same problem. I wonder if there's
> something out of spec about the way konqueror and mozilla are handling the
> HTTP streams - would the HTTP version matter ? (I'm wondering about
> keepalives). Interestingly - they're not what I was brought up to consider
> real zombies. They do die when the parent process is killed.

'http keepalives' are particular to http1.1, which you should be able to disable in the browser settings and try again!

-Enda.
From: Angus M. <an...@n-...> - 2003-12-16 19:19:04
On Sunday 14 December 2003 20:50, Enda Cronnolly wrote:

> Quoting: "Angus Marshall"
>
> > The good news - using lynx doesn't cause the same problem. I wonder if
> > there's something out of spec about the way konqueror and mozilla are handling
> > the HTTP streams - would the HTTP version matter ? (I'm wondering about
> > keepalives). Interestingly - they're not what I was brought up to
> > consider real zombies. They do die when the parent process is killed.
>
> 'http keepalives' are particular to http1.1, which you should be able to
> disable in the browser settings and try again!
>
> -Enda.

OK - I've tried it with keepalives disabled, pipelining disabled and HTTP/1.0 forced. Still getting the zombie problem.
From: Brian C. <ca...@sl...> - 2003-12-16 04:13:46
> OK - tried it with konqueror - opened an existing case and got this :
>
> root 19727  1.7  2.6 10472  6680 pts/2 S 20:12   0:01 /usr/bin/perl -wT ./autopsy 9000 localhost
> root 19822  0.2  0.0     0     0 pts/2 Z 20:13   0:00 [autopsy <defunct>]
> root 19825  0.7  0.0     0     0 pts/2 Z 20:13   0:00 [autopsy <defunct>]
>
> The good news - using lynx doesn't cause the same problem. I wonder if
> there's something out of spec about the way konqueror and mozilla are handling
> the HTTP streams - would the HTTP version matter ? (I'm wondering about
> keepalives).

I know I previously ran into systems that would have tons of children processes because the parent wasn't getting the signal and the 'wait' command was never run, but I can't think of which system it was. The 'lynx' testing may not have generated as many zombies because it won't download the images for the buttons.

Did this happen with the previous version of Autopsy too? I changed some of the signal handling in the last version so that a '.' is printed when the system is performing big operations like searching and calculating MD5 hashes. I can't imagine that would cause the child signal to be ignored though. I can't recreate it here with Redhat 8 or OS X.

It could be an HTTP thing. I haven't been using a Perl module for HTTP, but maybe I should :). I'll look into that since I am doing a big redesign of Autopsy right now.

thanks,
brian
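The mechanism Brian describes above (children that exited but whose parent never ran 'wait' on them, so they linger as <defunct> until the parent dies and init reaps them), shown as an added illustration that is not part of this thread and not Autopsy's own code. The script assumes Linux, since it reads each child's state from /proc/<pid>/stat; the reaper loops with WNOHANG because several children can exit while a single SIGCHLD is pending, and waiting once per signal would still leave zombies.

```python
import os
import signal
import time


def child_state(pid):
    """Return the kernel state letter (R, S, Z, ...) for pid from /proc/<pid>/stat,
    or None once the process has been reaped. Linux-only (assumption)."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            # The comm field is parenthesised and may contain spaces, so split after ')'.
            return f.read().rsplit(")", 1)[1].split()[0]
    except FileNotFoundError:
        return None


def reap_children(signum=None, frame=None):
    """SIGCHLD handler: reap every exited child, not just one. Signals do not queue,
    so one wait() per signal would leave the other exited children as zombies."""
    while True:
        try:
            pid, _status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:  # no children left at all
            return
        if pid == 0:               # children remain, but none has exited yet
            return


def spawn_exiting_child():
    """Fork a child that exits at once (a stand-in for a short-lived CGI helper)."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)
    return pid


def demo(reap):
    """Spawn three children and report their /proc states ~0.2 s after they exit.
    reap=False leaves them in state 'Z' (what the ps output in the thread shows);
    reap=True lets the handler wait on them, so /proc no longer lists them."""
    signal.signal(signal.SIGCHLD, reap_children if reap else signal.SIG_DFL)
    pids = [spawn_exiting_child() for _ in range(3)]
    time.sleep(0.2)
    states = [child_state(p) for p in pids]
    # Restore the default disposition and clean up whatever is left ourselves.
    signal.signal(signal.SIGCHLD, signal.SIG_DFL)
    reap_children()
    return states


if __name__ == "__main__":
    print("without reaper:", demo(False))  # ['Z', 'Z', 'Z']
    print("with reaper:   ", demo(True))   # [None, None, None]
```

Running it as root alongside 'ps' reproduces the [... <defunct>] entries from the thread for the first call and none for the second, which is the check to make when deciding whether a parent's SIGCHLD handling is at fault.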