Thread: [sleuthkit-users] Autopsy keyword search returns no results - but should
From: Stephen M. <mat...@ya...> - 2008-11-06 16:44:03
Hi there. I recently fired up Autopsy installed from the Ubuntu Gutsy package (I believe Autopsy and Sleuth Kit are version 2.08). I have a 108 GB NTFS image from which I have extracted strings for both allocated and unallocated space. The .asc files are 37 GB and 28 GB respectively. No matter what I search for, my keyword search runs for 5-10 minutes and then comes up with no results. If I manually grep through the .asc files, there are plenty of results there. The Autopsy data directory is NFS mounted off of FreeNAS. Can anyone provide any insight as to why my searches are coming up empty?

thanks

-Steve
From: RB <ao...@gm...> - 2008-11-06 20:19:08
On Thu, Nov 6, 2008 at 09:43, Stephen Mathezer <mat...@ya...> wrote:
> Can anyone provide any insight as to why my searches are coming up empty?

Look at the log for your case, it should have the search terms there. My guess is that your manual grep terms and those coming through Autopsy's syntax-escapes differ. Autopsy also runs its searches through srch_strings to reduce your search set by string length, so that may have some effect if you're doing a lot of regex work.

RB
From: Stephen M. <mat...@ya...> - 2008-11-06 22:30:55
On November 6, 2008 13:19:04 RB wrote:
> On Thu, Nov 6, 2008 at 09:43, Stephen Mathezer <mat...@ya...> wrote:
> > Can anyone provide any insight as to why my searches are coming up empty?
>
> Look at the log for your case, it should have the search terms there.
> My guess is that your manual grep terms and those coming through
> Autopsy's syntax-escapes differ. Autopsy also runs its searches
> through srch_strings to reduce your search set by string length, so
> that may have some effect if you're doing a lot of regex work.
>
> RB

Even basic strings weren't working, so I don't think the search term was a problem, but I didn't realize how far out of date I was in terms of software version, so upgrading seemed like a good idea until I ran into this:

Error: invalid entry in /data1/autopsy/case1/Laptop/host.aut:12
dls vol4 vol1 output/sdb1.img-0-0-ntfs.unalloc

Is this easily fixed, or do I have to re-extract everything from the image? Given the size of the image, that takes longer than I would like.

thanks

-Steve
From: Nanni B. <na...@li...> - 2008-11-10 10:06:17
Hi All,

I'm glad to announce this new Linux Forensics Live Distro: http://www.caine-live.net/en/index.html

There is a lot that is new in it; the most important additions are the automatic reporting and the GUI for launching many tools.

Try it ;)

bye

-------------------------------------------------------------
Dott. Nanni Bassetti
IT Consultant
http://www.nannibassetti.com/
CFI - http://www.cfitaly.net
INDAGINI DIGITALI - http://www.lulu.com/content/1356430
Selective File Dumper - http://sfdumper.sourceforge.net/
From: Brian C. <ca...@sl...> - 2008-11-07 21:25:06
Hi Stephen,

Updating should not make a difference. This code hasn't changed in a while.

Can you look at the exec_log to see what grep command is being used and if it generates results when you manually execute it?

That is a bug that you found in the new Autopsy. Edit the file mentioned and change line 12 from "dls ...." to "blkls ..."

brian

On Nov 6, 2008, at 5:30 PM, Stephen Mathezer wrote:
> On November 6, 2008 13:19:04 RB wrote:
>> On Thu, Nov 6, 2008 at 09:43, Stephen Mathezer <mat...@ya...> wrote:
>>> Can anyone provide any insight as to why my searches are coming up empty?
>>
>> Look at the log for your case, it should have the search terms there.
>> My guess is that your manual grep terms and those coming through
>> Autopsy's syntax-escapes differ. Autopsy also runs its searches
>> through srch_strings to reduce your search set by string length, so
>> that may have some effect if you're doing a lot of regex work.
>>
>> RB
>
> Even basic strings weren't working, so I don't think the search term was a
> problem, but I didn't realize how far out of date I was in terms of software
> version, so upgrading seemed like a good idea until I ran into this:
>
> Error: invalid entry in /data1/autopsy/case1/Laptop/host.aut:12
> dls vol4 vol1 output/sdb1.img-0-0-ntfs.unalloc
>
> Is this easily fixed, or do I have to re-extract everything from the image?
> Given the size of the image, that takes longer than I would like.
>
> thanks
>
> -Steve
>
> ----------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
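The two checks Brian suggests (patch the stale "dls" verb in host.aut, then run the grep from the exec_log by hand and see whether it finds anything) are easy to script. What follows is an added example written for this thread; it is not Autopsy's or Sleuth Kit's own code and nobody in the thread posted it. It assumes the host.aut line looks like the one in Stephen's error message, and that the .asc strings files carry a decimal byte offset in the first column, which is what `srch_strings -a -t d` (or GNU `strings -a -t d`) produces. The sample host.aut and .asc contents are constructed for the demo; the block size is a parameter because it comes from your filesystem, not from the strings file.

```shell
#!/bin/sh
# Added example, not Autopsy's own code. Assumptions: host.aut entries are
# "<verb> <id> <parent-id> <path>" as in the quoted error line, and .asc files
# are "srch_strings -a -t d" output (decimal byte offset, then the string).
set -u

# Build constructed sample files in a fresh temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# constructed host.aut for the demo (format assumed from the error message)' \
        'dls vol4 vol1 output/sdb1.img-0-0-ntfs.unalloc' \
        > "$d/host.aut"
    printf '%s\n' \
        '   4096 Windows Registry Editor' \
        '   8200 password=hunter2' \
        '  12345 PASSWORD reset link' \
        '  20000 nothing of interest' \
        > "$d/unalloc.asc"
    printf '%s\n' "$d"
}

# Rewrite the pre-rename verb "dls" to "blkls" in host.aut, keeping a backup.
# Only lines whose first field is exactly "dls" are touched. Prints how many
# entries now use "blkls".
fix_host_aut() {
    src="$1"
    cp "$src" "$src.bak"
    sed 's/^dls /blkls /' "$src.bak" > "$src"
    grep -c '^blkls ' "$src"
}

# Manually search a strings file for a literal keyword, the check Brian asks
# for, and convert each hit's byte offset into a block number plus the offset
# inside that block. For an unallocated .asc, the block number is an address
# in the blkls stream, not in the original image; TSK's "blkcalc -u" maps it
# back. Args: strings file, keyword (matched case-insensitively, as a literal
# rather than a regex), block size in bytes (default 4096).
# Output per hit: "<byte offset> <block> <offset in block> <string>".
search_asc() {
    asc="$1"; term="$2"; bs="${3:-4096}"
    grep -i -F -- "$term" "$asc" | awk -v bs="$bs" '{
        off = $1 + 0
        blk = int(off / bs)
        rem = off - blk * bs
        $1 = ""; sub(/^ +/, "")
        print off, blk, rem, $0
    }'
}

# Demo run: patch the host.aut copy, then search the unallocated strings.
dir=$(make_samples)
fix_host_aut "$dir/host.aut" >/dev/null
search_asc "$dir/unalloc.asc" password 4096
```

If `search_asc` finds hits on the same .asc file that Autopsy reports as empty, the file is fine and the problem is in how the term reaches grep (RB's escaping point) or in what happens to grep's output afterwards; if it finds nothing, the strings file itself is the thing to re-check.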
From: Stephen M. <mat...@ya...> - 2008-11-10 03:09:43
Well, updating didn't really help. I made a backup copy of the host.aut file and just deleted the last three lines. A search still came up empty - my search term was a simple four letter word. The command in the exec log was correct, and in fact when running it manually, I obtained the expected non-zero results.

In the end I just started over with the latest version of sleuthkit and autopsy and so far that has worked well. I only extracted ascii strings from allocated space, but searches on that did turn up results. I am now extracting unallocated space and strings etc, but so far so good.

thanks for the help

-Steve

On Friday 07 November 2008 14:24:56 Brian Carrier wrote:
> Hi Stephen,
>
> Updating should not make a difference. This code hasn't changed in a
> while.
>
> Can you look at the exec_log to see what grep command is being used
> and if it generates results when you manually execute it?
>
> That is a bug that you found in the new Autopsy. Edit the file
> mentioned and change line 12 from "dls ...." to "blkls ..."
>
> brian
>
> On Nov 6, 2008, at 5:30 PM, Stephen Mathezer wrote:
> > On November 6, 2008 13:19:04 RB wrote:
> >> On Thu, Nov 6, 2008 at 09:43, Stephen Mathezer <mat...@ya...> wrote:
> >>> Can anyone provide any insight as to why my searches are coming up
> >>> empty?
> >>
> >> Look at the log for your case, it should have the search terms there.
> >> My guess is that your manual grep terms and those coming through
> >> Autopsy's syntax-escapes differ. Autopsy also runs its searches
> >> through srch_strings to reduce your search set by string length, so
> >> that may have some effect if you're doing a lot of regex work.
> >>
> >> RB
> >
> > Even basic strings weren't working, so I don't think the search
> > term was a problem, but I didn't realize how far out of date I was
> > in terms of software version, so upgrading seemed like a good idea
> > until I ran into this:
> >
> > Error: invalid entry in /data1/autopsy/case1/Laptop/host.aut:12
> > dls vol4 vol1 output/sdb1.img-0-0-ntfs.unalloc
> >
> > Is this easily fixed, or do I have to re-extract everything from the
> > image? Given the size of the image, that takes longer than I would like.
> >
> > thanks
> >
> > -Steve