Thread: [sleuthkit-users] DD images for sun
|
From: <Bri...@kp...> - 2007-01-24 22:10:29
|
I have acquired my DD images from a SUN server... however I am only able to perform keyword searches... no data analysis. I have never performed analysis on Sun - - - so I am kind of at a loss here. Anyone know what I can do in order to access the file system, time sequencing, etc? Keywords is all I can get and that is enabled in Autopsy.
|
From: farmer d. <far...@ya...> - 2007-01-26 02:45:35
|
--- Bri...@kp... wrote:
> I have acquired my DD images from a SUN server...

May we know how you made your acquisition? Also, are these physical images (of each disk in the server) or logical images (of each partition/file system/slice)?

> however I am only able to perform keyword searches... no data analysis.

Why is this so? Are you limited by the tool(s) you're using or you cannot mount the file system to view logical structure and active files?

> I have never performed analysis on Sun - - - so I am kind of at a loss here.

This is not for a real case, or anything important, then, is it? ;)

> Anyone know what I can do in order to access the file system, time sequencing, etc?

You obviously don't need to mount a file system to analyze the contents. Mounting it may make it easier to view and see things, though. What is the disk layout and the file system type(s) for each slice/partition? You will need to specify the ufs type to the Linux mount command. You could use SMART for Linux as well. Finally, there is my CD, THE FARMER'S BOOT CD. I know each of these supports UFS types and enables you to mount Sun file systems.

regards,

farmerdude
|
From: <Bri...@kp...> - 2007-01-26 18:08:58
|
They are straight DD images of each partition of the drive copied across the network. I am using Autopsy to perform the analysis, but it does not appear to be able to ascertain the file system... just able to keyword search, checksums and the like. And no, this is not a critical situation - - - just exploratory on some strange events on the server. Just never had this happen before.
|
From: <rob...@us...> - 2007-01-26 20:10:10
|
Have you tried mounting the images (or a safe copy of them!)?

    mount -o loop my_image /mymountpoint

You might need: -t ufs

Linux *should* support reading UFS without any additional work needed. It's possible to mount filesystems from within an entire disk image too, you just have to specify the offset. I hope this is what you're asking. mhdd should give some clues too if you're not sure it's UFS.

ROBERT C. CIPRIANI
|
From: farmer d. <far...@ya...> - 2007-01-26 20:47:28
|
--- rob...@us... wrote:
> You might need: -t ufs
>
> Linux *should* support reading UFS without any additional work needed.

Depending upon your Linux system you _may_ need to pass another option to your 'mount' command, and that is of the UFS type. 'mount' defaults to the "old" UFS type if you do not specify the type. 'man mount' is your friend, and specifically you most likely may pass "ufstype=sun" for UFS initialized by SunOS or Solaris on the Sparc platform or "ufstype=sunx86" for the same but on Intel architecture.

--- Bri...@kp... wrote:
> They are straight DD images of each partition of the drive copied across the network.

Can you elaborate? Take each drive and share verbosely what you did, and command syntax if you remember. This would allow everyone to help much faster and minimize the speculation that results from lack of knowledge about variables.

> I am using autopsy to perform the analysis, but it does not appear to be able to ascertain the file system...

Have you substantiated this with any other forensic program, be it SMART, FTK, etc.?

regards,

farmerdude
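Added example, not part of the thread or of any poster's message: a shell sketch of the checks discussed in the replies above (loop-mounting with `-t ufs`, an offset into a whole-disk image, and `ufstype=sun` versus `ufstype=sunx86`). It reads the UFS1 superblock magic from a dd image to determine byte order and prints, without running it, a read-only mount command. The function names, the added `ro` option and the assumption that the image came from a SunOS/Solaris host are assumptions of this example.

```shell
#!/bin/sh
# Added example: pick the Linux ufstype= value for a dd image from the
# byte order of the UFS1 superblock magic.
# Layout facts used: the UFS1 superblock starts 8192 bytes into the file
# system, and its fs_magic field (0x00011954) is 1372 bytes into the superblock.
# Assumption: the image is from SunOS/Solaris; other UFS1 variants share
# this magic and would need a different ufstype= value.

# ufs_magic_bytes IMAGE [FS_OFFSET] -> the four magic bytes as hex text
ufs_magic_bytes() {
    img=$1
    fs_off=${2:-0}
    pos=$((fs_off + 8192 + 1372))
    dd if="$img" bs=1 skip="$pos" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# ufs_type IMAGE [FS_OFFSET] -> prints sun, sunx86 or unknown
ufs_type() {
    case $(ufs_magic_bytes "$@") in
        00011954) echo sun ;;      # magic stored big-endian: SPARC
        54190100) echo sunx86 ;;   # magic stored little-endian: Intel
        *)        echo unknown; return 1 ;;
    esac
}

# ufs_mount_cmd IMAGE MOUNTPOINT [FS_OFFSET]
# Prints (does not execute) a read-only loop mount command for a working copy.
ufs_mount_cmd() {
    img=$1; mnt=$2; fs_off=${3:-0}
    t=$(ufs_type "$img" "$fs_off") || {
        echo "no UFS1 magic found at file system offset $fs_off" >&2
        return 1
    }
    opts="ro,loop,ufstype=$t"
    # A whole-disk image needs the byte offset of the slice being mounted.
    [ "$fs_off" -gt 0 ] && opts="$opts,offset=$fs_off"
    echo "mount -t ufs -o $opts $img $mnt"
}
```

An `unknown` result on a per-slice image suggests the file is not UFS1, starts at a different offset than assumed, or was truncated during acquisition.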
|
From: <rob...@us...> - 2007-01-26 20:57:14
|
Good call!

ROBERT C. CIPRIANI