Thread: [sleuthkit-users] NSRL question
From: Michael D. <sle...@du...> - 2003-12-31 21:38:35
I've been using autopsy for some time now, but not with the NSRL database. I've downloaded the entire database, format-15. It is in many ZIP files. How does one make this work with autopsy? I know you indicate the location of the NSRL DB during installation, but what is one to do with all these zip files? Do you unzip them all, then append the data in the files in the zip files to one big file? If there are scripts written to do this, I'd like to know where one can get a copy. If not, I'm happy to write them, but I don't understand the end goal. Maybe I'm making this too complicated. Any help appreciated.

Thanks,
/Mike.

--
People above policy, reason above rule, common sense above compliance. - Anonymous
From: Brian C. <ca...@sl...> - 2004-01-02 05:33:30
Mike,

You want to have one big NSRLFile.txt file. I'm not sure of the details of all of the NSRL versions, but some of the distributions have multiple NSRLFile.txt files because they don't all fit on one CD. Concatenate the NSRLFile.txt files together into one file and give that location to Autopsy. So, it would be something like:

    cat NSRLFile-1.txt NSRLFile-2.txt > NSRLFile.txt

That database will need to be indexed by Autopsy / Sleuth Kit and then it can be used.

brian

On Wednesday, December 31, 2003, at 04:38 PM, Michael Dundas wrote:
> I've been using autopsy for some time now, but not with the NSRL
> database. I've downloaded the entire database, format-15. It is in
> many ZIP files. How does one make this work with autopsy? I know you
> indicate the location of the NSRL DB during installation, but what is
> one to do with all these zip files? Do you unzip them all, then
> append the data in the files in the zip files to one big file? If
> there are scripts written to do this, I'd like to know where one can
> get a copy? If not, happy to write them, but don't understand the end
> goal? Maybe I'm making this too complicated. Any help appreciated.
From: Paul S. <pa...@vn...> - 2004-01-31 06:56:29
Hi all,

I just wrote a little script that does this. I d/l'ed the NSRL 2.3 in format-15 (1.5?) and wrote a little script that takes the NSRLFile.txt directly from the zip file and sticks it in an output file NSRLFile.txt. Is format-15 the correct one to use? I couldn't find any doc on that.

Here's the script I used:

    #!/bin/bash
    # Remove any existing NSRLFile.txt so this run cannot append to a stale
    # copy and duplicate the database
    rm -f NSRLFile.txt
    # Pull NSRLFile.txt straight out of each zip and append it to the combined file
    for x in *.zip
    do
        unzip -qq -c "$x" NSRLFile.txt >> NSRLFile.txt
    done

Run it from the directory where you downloaded all of the .zip, .sha, and .md5 files. It'll give you the big database file as described below. Beware... it is BIG - 2.6G big :-) Caveat - I did absolutely no error checking but it seems to work.

Autopsy's make uses it with the following output. Any info on what the 2,602 errors might be and how I could eliminate them would be appreciated.

    Enter the directory where you installed it: /Forensics/NSRL
    NSRL database was found (NSRLFile.txt)
    NSRL Index file not found, do you want it created? (y/n) [n]: y
    -------------- begin hfind output --------------
    Extracting Data from Database (/Forensics/NSRL/NSRLFile.txt)
    Valid Database Entries: 17292990
    Invalid Database Entries (headers or errors): 2602
    Index File Entries (optimized): 16572711
    Sorting Index (/Forensics/NSRL/NSRLFile.txt-md5.idx)
    --------------- end hfind output ---------------

Paul

On Friday 02 January 2004 00:33, Brian Carrier wrote:
> Mike,
>
> You want to have one big NSRLFile.txt file. I'm not sure of the
> details of all of the NSRL versions, but some of the distributions have
> multiple NSRLFile.txt files because they don't all fit on once CD.
> Concatenate the NSRLFile.txt files together into one file and give that
> location to Autopsy. So, it would be something like:
>
> cat NSRLFile-1.txt NSRLFile-2.txt > NSRLFile.txt
>
> That database will need to be indexed by Autopsy / Sleuth Kit and then
> it can be used.
>
> brian
>
> On Wednesday, December 31, 2003, at 04:38 PM, Michael Dundas wrote:
> > [...]
From: Brian C. <ca...@sl...> - 2004-01-31 16:16:42
On Jan 29, 2004, at 10:38 PM, Paul Stillwell wrote:
> Hi all,
>
> I just wrote a little script that does this.

Great.

> Autopsy's make uses it with the following output. Any info
> on what the 2,602 errors might be and how I could eliminate them would
> be appreciated.
[...]
> -------------- begin hfind output --------------
> Extracting Data from Database (/Forensics/NSRL/NSRLFile.txt)
> Valid Database Entries: 17292990
> Invalid Database Entries (headers or errors): 2602
> Index File Entries (optimized): 16572711
> Sorting Index (/Forensics/NSRL/NSRLFile.txt-md5.idx)
> --------------- end hfind output ---------------

There is a header entry on top of all of the hash files. It looks like (or similar depending on the format version):

    "SHA-1","FileName","FileSize","ProductCode","OpSystemCode","MD4","MD5","CRC32","SpecialCode"

Those are considered 'invalid' and the NSRL site says there are over 2600 sets, so they are probably from that. Check out how many zip files you downloaded.

brian
From: Paul S. <pa...@vn...> - 2004-01-31 23:46:22
On Saturday 31 January 2004 11:16, Brian Carrier wrote:
> There is a header entry on top of all of the hash files. It looks like
> [...]
> Those are considered 'invalid' and the NSRL site says there are over
> 2600 sets, so they are probably from that. Check out how many zip
> files you downloaded.

Cool... Although, I have 2,603 files, and 2,602 errors. Does hfind ignore the first error by default because it expects at least one at the top of the file?

Paul
From: Brian C. <ca...@sl...> - 2004-02-01 14:36:55
>> There is a header entry on top of all of the hash files. It looks
>> like
>> [...]
>> Those are considered 'invalid' and the NSRL site says there are over
>> 2600 sets, so they are probably from that. Check out how many zip
>> files you downloaded.
>
> Cool... Although, I have 2,603 files, and 2,602 errors. Does hfind
> ignore the first error by default because it expects at least one at
> the top of the file?

Yea, it reads the first entry to get the database format version and then ignores it. I just updated the code to add that entry to the final number of ignored entries.

brian
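The two replies above describe the indexing pass: every concatenated fragment contributes a header line that is counted as an "invalid" entry, and only well-formed records become index entries. The following is an added Python model of that pass, written for this page and not taken from Sleuth Kit's hfind. The header layout is the format-15 line quoted above; the records, their hashes and the truncated line are constructed placeholders, and de-duplicating on MD5 is an assumption about why the optimized index is smaller than the valid-record count, not something the thread states.

```python
import csv
import io

# Format-15 style header as quoted in the thread; each NSRLFile.txt pulled
# out of a separate zip starts with one of these.
HEADER = '"SHA-1","FileName","FileSize","ProductCode","OpSystemCode","MD4","MD5","CRC32","SpecialCode"\n'
NUM_FIELDS = 9   # columns in a valid record
MD5_COL = 6      # zero-based column holding the MD5


def record(n, name, size, product):
    """One constructed NSRL record; the hashes are placeholders, not real NSRL data."""
    fields = ("%040x" % n, name, size, product, "WIN", "%032x" % n, "%032x" % n, "%08x" % n, "")
    return ",".join('"%s"' % f for f in fields) + "\n"


# Two constructed fragments standing in for the NSRLFile.txt from two zips.
# notepad.exe appears in both, as one file shipped in two products would, and
# FRAGMENT_2 carries a truncated line of the kind that counts as an error.
FRAGMENT_1 = HEADER + record(1, "calc.exe", "114688", "1") + record(2, "notepad.exe", "65536", "1")
FRAGMENT_2 = HEADER + record(2, "notepad.exe", "65536", "2") + '"truncated record"\n' + record(3, "cmd.exe", "229376", "2")


def concatenate(fragments):
    """Same result as 'cat NSRLFile-1.txt NSRLFile-2.txt > NSRLFile.txt' or the unzip loop."""
    return "".join(fragments)


def index_nsrl(text):
    """Walk the combined file once, counting header and malformed lines as
    invalid and building an MD5 -> filename lookup for the valid records.
    Duplicate MD5s are stored once (assumed, not hfind's documented behaviour)."""
    valid = invalid = 0
    index = {}
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue                      # blank line
        if row[0] == "SHA-1":
            invalid += 1                  # one header per concatenated fragment
            continue
        if len(row) != NUM_FIELDS or len(row[MD5_COL]) != 32:
            invalid += 1                  # truncated or otherwise malformed record
            continue
        valid += 1
        index.setdefault(row[MD5_COL].lower(), row[1])
    return {"valid": valid, "invalid": invalid, "index": index}


def lookup(index, md5):
    """Return the known-file name for an MD5, or None if it is not in the set."""
    return index.get(md5.lower())
```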
From: Eagle I. S. Inc. <in...@ea...> - 2004-03-29 12:23:14
Hello,

I've dd'd 5 NTFS images to one drive and I'm trying to load each image individually into Autopsy. When I specify an image location as:

    /dev/hdd/hdd1/17g.dd

It says it can't find the image file, although the image file is definitely there.

My only option that actually worked was to point it to:

    /dev/hdd

which is the entire 200gig drive and takes a long time to search. I'd like to be able to search the individual dd files. Any ideas?

Niall.
From: Brian C. <ca...@sl...> - 2004-03-29 14:14:34
> When I specify an image location as :
>
> /dev/hdd/hdd1/17g.dd
>
> It says it can't find the image file, although the image file
> is definitely there.
>
> My only option that actually worked was to point it to:
>
> /dev/hdd

What operating system are you using? If this is Linux, then /dev/hdd is typically a block device file and it makes sense that you can read it. You shouldn't be able to make files inside of /dev/hdd, so I'm not sure how you could have created the files (unless the OS has changed the device layout and /dev/hdd/ is actually a directory). What do you get if you do an 'ls -l' on /dev/hdd/hdd1/17g.dd ?

Typically you would mount /dev/hdd1 to some directory (/mnt/ say) and specify /mnt/17g.dd. Unless the OS does some type of automounting.

brian