Thread: [sleuthkit-users] Errors with Autopsy
From: DePriest, J. R. <jrd...@gm...> - 2006-03-15 22:48:07
I am trying to extract the strings from an image of an NTFS hard disk drive.

Periodically, autopsy gives this error:
Use of uninitialized value in concatenation (.) or string at
/sleuthkit/autopsy/lib//Caseman.pm line 3751.

It continues running, but spawns a new perl, dls, and srch_strings
process. Occasionally, it will start a new output file, too. It will
write data to both output files.

Looking at that line in Caseman.pm, I am not sure what I could change to fix it.

The section of code looks like this:

3743    my $base_name = $Caseman::vol2sname{$vol};
3744
3745    if ($ascii == 1) {
3746        my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
3747        my $fname     = "$::host_dir" . "$fname_rel";
3748
3749        if (-e "$fname") {
3750            my $i = 1;
3751            $i++ while (-e "$::host_dir"
3752                . "$::DATA_DIR/"
3753                . "${base_name}-$ftype-$i.asc");
3754
3755            $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
3756            $fname     = "$::host_dir" . "$fname_rel";
3757        }
3758
3759        print
3760            "Extracting ASCII strings from <tt>$Caseman::vol2sname{$vol}</tt><br>\n";
3761
3762        Print::log_host_inv(
3763            "$Caseman::vol2sname{$vol}: Saving ASCII strings to $fname_rel");
3764
3765        local *OUT;
-Jason
From: Paul B. <p.j...@br...> - 2006-03-15 22:54:21
> 3752                . "$::DATA_DIR/"

? In the other lines I see $DATADIR without the _.
Is this a typo from your side? Or is this actually present in the file? (I don't have the files present now, so I can't check.)
But all other elements in that statement are already used in lines 3746 and 3747, so I think it might lie with that.

Paul Bakker
From: DePriest, J. R. <jrd...@gm...> - 2006-03-15 23:00:53
It is in there with the underscore twice.

A70067@ebizsrvb /sleuthkit/autopsy/lib
$ grep -n 'DATA_DIR' Caseman.pm
3752:               . "$::DATA_DIR/"
3976:               . "$::DATA_DIR/"

A70067@ebizsrvb /sleuthkit/autopsy/lib
$ grep -n 'DATADIR' Caseman.pm
484:    print CASE_CONFIG "data $::DATADIR\n";
1724:   unless (mkdir "$::host_dir" . "$::DATADIR", $::MKDIR_MASK) {
1727:       Print::print_err("Error making $::host_dir" . "$::DATADIR");
1732:       rmdir "$::host_dir" . "$::DATADIR";
1741:       rmdir "$::host_dir" . "$::DATADIR";
1751:       rmdir "$::host_dir" . "$::DATADIR";
3746:       my $fname_rel = "$::DATADIR/${base_name}-$ftype.asc";
3755:       $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.asc";
3843:       my $fname_rel = "$::DATADIR/${base_name}-$ftype.uni";
3849:               . "$::DATADIR/"
3852:       $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.uni";
3970:       my $fname_rel = "$::DATADIR/${base_name}-$ftype.unalloc";
3979:       $fname_rel = "$::DATADIR/${base_name}-$ftype-$i.unalloc"
From: DePriest, J. R. <jrd...@gm...> - 2006-03-15 23:08:10
Forgot to mention: I have replaced both DATA_DIR instances with
DATADIR and I am doing the extraction again. It may take a few hours
for me to get to a section that generated the errors, so I probably
won't post a pass / fail message until tomorrow.
From: Brian C. <ca...@sl...> - 2006-03-16 04:20:25
Yea, those should be DATADIR. Those are the only two instances of that. I just fixed that.

thanks,
brian
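What the typo actually does at run time, as an added example that is not part of Autopsy or of this thread. Perl reads a package variable that was never assigned ($::DATA_DIR) as the empty string; "use warnings" is what produces the "uninitialized value" message Jason saw, but the concatenation goes ahead anyway. The -e test on line 3751 therefore probes the host directory instead of the output directory, never finds a file, and $i stays at 1, so every rerun after the first lands on the same "-1.asc" name. The Python below mirrors lines 3746-3756 against a real throw-away case directory; the layout (host_dir with a trailing separator, DATADIR "output", base name "hdd.raw-0-0", type "ntfs") is taken from the thread, and the function names and the sample set of existing output files are mine.

```python
import os
import tempfile

# Perl silently reads a package variable that was never assigned as the empty
# string (only "use warnings" reports it, which is the message in the thread).
# This is what $::DATA_DIR evaluated to in the unpatched Caseman.pm.
UNDEFINED_DATA_DIR = ""


def next_output_name(host_dir, data_dir, base_name, ftype, probe_dir=None):
    """Mirror Caseman.pm lines 3746-3756 and return the relative output name.

    host_dir  - case host directory ending in a separator (Autopsy concatenates
                strings, so the separator has to be inside $::host_dir)
    data_dir  - $::DATADIR, e.g. "output"
    probe_dir - directory the -e test on line 3751 looks in; defaults to
                data_dir (the fix), the caller can pass the typo's value
    """
    if probe_dir is None:
        probe_dir = data_dir
    fname_rel = f"{data_dir}/{base_name}-{ftype}.asc"
    if os.path.exists(host_dir + fname_rel):
        i = 1
        # line 3751: $i++ while (-e "$::host_dir" . "<probe_dir>/" . "<base>-<ftype>-$i.asc")
        while os.path.exists(f"{host_dir}{probe_dir}/{base_name}-{ftype}-{i}.asc"):
            i += 1
        fname_rel = f"{data_dir}/{base_name}-{ftype}-{i}.asc"
    return fname_rel


def unpatched_next_output_name(host_dir, data_dir, base_name, ftype):
    """Behaviour of the shipped code: the probe path is built from $::DATA_DIR."""
    return next_output_name(host_dir, data_dir, base_name, ftype,
                            probe_dir=UNDEFINED_DATA_DIR)


def demo(existing=("hdd.raw-0-0-ntfs.asc",
                   "hdd.raw-0-0-ntfs-1.asc",
                   "hdd.raw-0-0-ntfs-2.asc")):
    """Create a throw-away case layout holding `existing` outputs and run both versions.

    Returns the name each version would write to and whether that name already
    belongs to a file on disk (i.e. whether the extraction would clobber it).
    """
    with tempfile.TemporaryDirectory() as case:
        host_dir = os.path.join(case, "host") + os.sep
        data_dir = "output"
        os.makedirs(host_dir + data_dir)
        for name in existing:            # constructed sample: earlier extraction outputs
            open(f"{host_dir}{data_dir}/{name}", "w").close()

        unpatched = unpatched_next_output_name(host_dir, data_dir, "hdd.raw-0-0", "ntfs")
        patched = next_output_name(host_dir, data_dir, "hdd.raw-0-0", "ntfs")
        return {
            "unpatched": unpatched,
            "unpatched_collides": os.path.exists(host_dir + unpatched),
            "patched": patched,
            "patched_collides": os.path.exists(host_dir + patched),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

Even the patched loop is a check-then-act sequence: two extractions that start within the same window (which is what the hourly respawn further down in this thread does) can both see the same gap and pick the same "-N.asc". The robust form does not test with -e at all; it claims the name by opening it with O_CREAT|O_EXCL (in Perl, sysopen with the Fcntl constants) and bumps $i on EEXIST.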
From: DePriest, J. R. <jrd...@gm...> - 2006-03-16 16:08:31
While I am not getting the error with Caseman.pm, I am still having
strange issues. It continues to spawn multiple sets of perl, dls, and
srch_strings. And it continues to create multiple output files.
The extraction I started yesterday is still running and here is what
the running programs and file system look like.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
A70067@ebizsrvb ~
$ ps -s
PID TTY STIME COMMAND
300 0 16:56:56 /usr/bin/rxvt
2452 1 16:56:57 /usr/bin/bash
3680 1 17:02:52 /usr/bin/perl
6128 1 17:03:55 /usr/bin/perl
4648 1 17:03:56 /usr/bin/sh
3756 1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
4484 1 17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4772 1 18:03:58 /usr/bin/perl
3064 1 18:04:04 /usr/bin/sh
3304 1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
3860 1 18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4844 1 19:04:03 /usr/bin/perl
6036 1 19:04:06 /usr/bin/sh
664 1 19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
4984 1 19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5000 1 20:04:08 /usr/bin/perl
2344 1 20:04:16 /usr/bin/sh
5840 1 20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
5272 1 20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5548 1 21:04:16 /usr/bin/perl
5480 1 21:04:27 /usr/bin/sh
4656 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
660 1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
6136 1 22:04:22 /usr/bin/perl
824 1 22:04:27 /usr/bin/sh
3720 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
1904 1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
2360 1 23:04:27 /usr/bin/perl
1484 1 23:04:30 /usr/bin/sh
1296 1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
5980 1 23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5668 1 00:04:28 /usr/bin/perl
420 1 00:04:32 /usr/bin/sh
4572 1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
4904 1 00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4124 1 01:04:29 /usr/bin/perl
4820 1 01:04:35 /usr/bin/sh
3416 1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
5924 1 01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
6112 1 02:04:30 /usr/bin/perl
4360 1 02:04:33 /usr/bin/sh
5908 1 02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
4796 1 02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5788 1 03:04:32 /usr/bin/perl
6072 1 03:04:34 /usr/bin/sh
4288 1 03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
5776 1 03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
1412 1 04:04:33 /usr/bin/perl
3244 1 04:04:34 /usr/bin/sh
5440 1 04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
5208 1 04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5536 1 05:04:34 /usr/bin/perl
4512 1 05:04:38 /usr/bin/sh
5180 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
3256 1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
5996 1 06:04:37 /usr/bin/perl
4528 1 06:04:38 /usr/bin/sh
4540 1 06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
5604 1 06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
1924 1 07:04:38 /usr/bin/perl
4472 1 07:04:41 /usr/bin/sh
3984 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
5052 1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5828 1 08:04:40 /usr/bin/perl
228 1 08:04:43 /usr/bin/sh
5756 1 08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
4160 1 08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5820 1 09:04:42 /usr/bin/perl
2748 1 09:04:43 /usr/bin/sh
5912 1 09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
3900 1 09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
5560 2 10:00:33 /usr/bin/rxvt
4188 3 10:00:38 /usr/bin/bash
4208 1 10:04:46 /usr/bin/perl
6108 1 10:04:48 /usr/bin/sh
4448 1 10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
3652 1 10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
4548 3 10:05:20 /usr/bin/ps
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
Volume in drive F is Store01
Volume Serial Number is E8EA-BBB0
Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
03/16/2006 10:04 AM <DIR> .
03/16/2006 10:04 AM <DIR> ..
03/15/2006 06:04 PM 1,273,554,944 hdd.raw-0-0-ntfs-1.asc
03/16/2006 03:04 AM 294,304,768 hdd.raw-0-0-ntfs-10.asc
03/16/2006 04:04 AM 228,928,512 hdd.raw-0-0-ntfs-11.asc
03/16/2006 05:04 AM 159,662,080 hdd.raw-0-0-ntfs-12.asc
03/16/2006 06:04 AM 114,588,672 hdd.raw-0-0-ntfs-13.asc
03/16/2006 07:04 AM 1,130,283,008 hdd.raw-0-0-ntfs-14.asc
03/16/2006 08:04 AM 59,233,280 hdd.raw-0-0-ntfs-15.asc
03/16/2006 09:04 AM 9,054,208 hdd.raw-0-0-ntfs-16.asc
03/16/2006 10:04 AM 18,432 hdd.raw-0-0-ntfs-17.asc
03/15/2006 07:04 PM 952,222,720 hdd.raw-0-0-ntfs-2.asc
03/15/2006 08:04 PM 651,894,784 hdd.raw-0-0-ntfs-3.asc
03/15/2006 09:04 PM 10,184,050,688 hdd.raw-0-0-ntfs-4.asc
03/15/2006 10:04 PM 425,999,360 hdd.raw-0-0-ntfs-5.asc
03/15/2006 11:04 PM 393,921,536 hdd.raw-0-0-ntfs-6.asc
03/16/2006 12:04 AM 374,238,208 hdd.raw-0-0-ntfs-7.asc
03/16/2006 01:04 AM 345,949,184 hdd.raw-0-0-ntfs-8.asc
03/16/2006 02:04 AM 323,683,328 hdd.raw-0-0-ntfs-9.asc
03/15/2006 05:03 PM 2,038,089,728 hdd.raw-0-0-ntfs.asc
18 File(s) 18,959,677,440 bytes
2 Dir(s) 71,763,845,120 bytes free
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Is this normal, expected behavior?
-Jason
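A way to put a number on the "every hour" reading of the ps listing above, as an added example that is not part of the thread. It parses the Cygwin `ps -s` columns (PID TTY STIME COMMAND), measures the gaps between successive starts of the same command, and flags a run of gaps that sit on a fixed period. STIME has no date, so the 23:04 to 00:04 step is handled as a midnight crossing. The embedded listing is an excerpt of the one posted above, trimmed by hand to the first perl of each batch plus one complete batch of helpers; the function names and thresholds are mine.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the `ps -s` listing posted above (Cygwin short format: PID TTY
# STIME COMMAND): the first perl of each hourly batch, one complete batch of
# helpers, and a few unrelated processes. Trimmed by hand for this example.
PS_LISTING = """\
  PID    TTY     STIME COMMAND
  300      0  16:56:56 /usr/bin/rxvt
 2452      1  16:56:57 /usr/bin/bash
 3680      1  17:02:52 /usr/bin/perl
 6128      1  17:03:55 /usr/bin/perl
 4648      1  17:03:56 /usr/bin/sh
 3756      1  17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
 4484      1  17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
 4772      1  18:03:58 /usr/bin/perl
 4844      1  19:04:03 /usr/bin/perl
 5000      1  20:04:08 /usr/bin/perl
 5548      1  21:04:16 /usr/bin/perl
 6136      1  22:04:22 /usr/bin/perl
 2360      1  23:04:27 /usr/bin/perl
 5668      1  00:04:28 /usr/bin/perl
 4124      1  01:04:29 /usr/bin/perl
 4548      3  10:05:20 /usr/bin/ps
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d\d:\d\d:\d\d)\s+(\S.*?)\s*$")


def parse_ps(text):
    """Return (pid, tty, start_time, command) rows; the header has no PID and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            pid, tty, stime, cmd = m.groups()
            rows.append((int(pid), tty, datetime.strptime(stime, "%H:%M:%S"), cmd))
    return rows


def start_intervals_minutes(rows, command):
    """Minutes between successive starts of `command`, in listing order.

    STIME carries no date, so a time that goes backwards (23:04 -> 00:04) is
    taken as crossing midnight once; gaps longer than a day cannot be told apart.
    """
    starts = [t for _, _, t, cmd in rows if cmd == command]
    gaps = []
    for earlier, later in zip(starts, starts[1:]):
        if later < earlier:
            later += timedelta(days=1)
        gaps.append((later - earlier).total_seconds() / 60.0)
    return gaps


def longest_periodic_run(gaps, period_min=60.0, tolerance_min=2.0):
    """Length of the longest run of consecutive gaps within tolerance of the period."""
    best = run = 0
    for g in gaps:
        run = run + 1 if abs(g - period_min) <= tolerance_min else 0
        best = max(best, run)
    return best


def looks_scheduled(gaps, period_min=60.0, tolerance_min=2.0, min_run=3):
    """True when the starts repeat on a fixed period, as a timer or a re-fired request would."""
    return longest_periodic_run(gaps, period_min, tolerance_min) >= min_run


if __name__ == "__main__":
    rows = parse_ps(PS_LISTING)
    gaps = start_intervals_minutes(rows, "/usr/bin/perl")
    print("gaps (min):", [round(g, 2) for g in gaps])
    print("hourly pattern:", looks_scheduled(gaps))
```

The listing only gives start times; `ps -s` has no parent-PID column, so it cannot say whether each new perl was forked by the Autopsy server (a request arriving again) or by something outside it. `ps -ef` on Cygwin adds the PPID and settles that question directly.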
From: Brian C. <ca...@sl...> - 2006-03-16 22:51:22
That is strange. It looks like they are starting every hour. Is your web browser refreshing somehow and starting a new process? Every time the page loads the extraction will start again (kind of like how refreshing a web page can cause your credit card to be charged twice).

brian
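Brian's explanation is that loading the page again re-runs the handler, and the handler starts the extraction unconditionally: the start is not idempotent, so anything that re-sends the request (a browser, a proxy, a timer) produces a second pipeline writing into the same output directory. Whatever turns out to be re-sending it, the server-side guard is to refuse a second instance for the same output while the first is alive. The code below is an added example, not Autopsy code: a per-output lock file claimed with O_CREAT|O_EXCL, so the create-or-fail decision is made atomically by the kernel, plus a stale-lock rule for a holder that has died. The lock directory, the file naming, the PIDs used in the demo and the liveness probe are mine; Perl gets the same atomic create from sysopen with Fcntl's O_CREAT|O_EXCL.

```python
import os
import tempfile


class ExtractionAlreadyRunning(RuntimeError):
    """Raised when a live holder already owns the lock for this job."""


def _read_pid(path):
    """PID recorded in a lock file, or None if the file is missing or malformed."""
    try:
        with open(path) as f:
            return int(f.read().strip() or 0) or None
    except (OSError, ValueError):
        return None


def _pid_alive(pid):
    """Signal-0 probe on POSIX. Skipped on Windows, where os.kill() would terminate the target."""
    if os.name != "posix":
        return True            # be conservative: treat the holder as alive
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True            # exists but belongs to another user
    return True


def claim_extraction(lock_dir, job_key, pid=None, is_alive=_pid_alive):
    """Atomically create lock_dir/<job_key>.lock holding `pid`; return its path.

    O_CREAT|O_EXCL makes the create-or-fail decision in the kernel, so two
    requests that arrive together (a browser refresh, a timer re-firing the
    same URL) cannot both start the job. A lock whose recorded PID is no
    longer alive is treated as stale and taken over on one retry.
    """
    pid = os.getpid() if pid is None else pid
    path = os.path.join(lock_dir, f"{job_key}.lock")
    for attempt in range(2):
        try:
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            holder = _read_pid(path)
            if holder is not None and is_alive(holder):
                raise ExtractionAlreadyRunning(f"{job_key}: pid {holder} holds {path}")
            if attempt == 0:
                try:
                    os.unlink(path)    # stale or unreadable: clear it, then retry the atomic create
                except FileNotFoundError:
                    pass
                continue
            raise ExtractionAlreadyRunning(f"{job_key}: lost the race for {path}")
        with os.fdopen(fd, "w") as f:
            f.write(f"{pid}\n")
        return path
    raise ExtractionAlreadyRunning(f"{job_key}: could not claim {path}")


def release_extraction(path):
    """Remove the lock once the extraction (dls | srch_strings) has actually exited."""
    try:
        os.unlink(path)
    except FileNotFoundError:
        pass


def demo():
    """Drive the guard through the three cases that matter: fresh, duplicate, stale."""
    with tempfile.TemporaryDirectory() as lock_dir:
        key = "hdd.raw-0-0-ntfs.asc"          # one lock per output file being written
        alive = lambda p: True               # injected so the demo is deterministic
        dead = lambda p: False
        first = claim_extraction(lock_dir, key, pid=3680, is_alive=alive)
        try:
            claim_extraction(lock_dir, key, pid=4772, is_alive=alive)
            duplicate = "started"
        except ExtractionAlreadyRunning:
            duplicate = "refused"
        takeover = claim_extraction(lock_dir, key, pid=4844, is_alive=dead)
        holder_after = _read_pid(takeover)
        release_extraction(takeover)
        return {"duplicate": duplicate,
                "holder_after_takeover": holder_after,
                "lock_left_behind": os.path.exists(first)}


if __name__ == "__main__":
    print(demo())
```

The lock has to outlive the request handler: it is released when the dls/srch_strings pipeline exits, not when the page has been sent, otherwise the second page load arrives after the handler returned and finds no lock. Keying the lock on the output file name (rather than on the URL) also catches the case where two different requests would write the same file.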
From: DePriest, J. R. <jrd...@gm...> - 2006-03-16 23:13:15
The browser shouldn't be refreshing on its own.

The hard disk drive image and the sleuthkit evidence locker are on an external hard disk drive connected via firewire. Is it possible that there is a latency issue?

I ask that because the drive is connected to a Windows 2003 Server, and the server has Diskeeper on it, and Diskeeper was set with its 'Set it and forget' settings and was trying to defrag the drive at the same time I was extracting strings.

The once an hour time frame would fit with Diskeeper being the culprit as it tries to run approximately every hour.

The external drive is low on disk space, so I am moving my disk image files from a 300 GB external drive to a 1 TB external drive and I will hopefully try the extraction again tomorrow after disabling Diskeeper.

-Jason
From: DePriest, J. R. <jrd...@gm...> - 2006-03-17 23:17:00
It is still creating new files every hour.
I will give the details of the environment so you can understand what
is going on.

I have a Windows 2003 Server with Service Pack 1. This server has two
external hard disk drives connected via a FireWire PCI card. One of
them is about two years old; it is a Maxtor OneTouch with 300 GB of
space. The other is a relatively new La Cie drive with 1 TB of space.
I used to do all of my investigations on my laptop with the 300 GB
drive. As hard disk drives have gotten larger, I found myself having
to leave my laptop cable-locked to my desk overnight and over weekends
just to work with the gigantic images.
The server was an attempt to let things run as long as they needed to
without keeping me from doing other things.

The server runs Cygwin, which is what I compiled sleuthkit and
configured autopsy under. I have to make a slight change to the
autopsy launcher to include some paths in the environment, but other
than that, I get no errors or problems. I was using the same setup
on my laptop for the last two years.

I disabled Diskeeper, set exceptions in the anti-virus software for
all directories involved, and turned off the ISS server sensor.

Every hour after I start a scan, it kicks off new processes (while
keeping the old ones running) and starts writing to a new file (while
still writing to the old one, as well).

I have tried linking to the image as a raw disk image with three
volume images, and as a single large partition image.

Both lead to the same problem.

I am open to suggestions, as I did not have this problem when I was
using my laptop as the investigation platform. My laptop is running
Windows XP Professional with SP1 and I used a PCMCIA FireWire card.
Other than that, the setups are similar. If anything I have more junk
software installed on my laptop than I do on the server.

On 3/16/06, DePriest, Jason R. <> wrote:
> The browser shouldn't be refreshing on its own.
>
> The hard disk drive image and the sleuthkit evidence locker are on an
> external hard disk drive connected via firewire. Is it possible that
> there is a latency issue?
>
> I ask that because the drive is connected to a Windows 2003 Server,
> and the server has Diskeeper on it, and Diskeeper was set with its
> 'Set it and forget settings' and was trying to defrag the drive at the
> same time I was extracting strings.
>
> The once an hour time frame would fit with Diskeeper being the culprit
> as it tries to run approximately every hour.
>
> The external drive is low on disk space, so I am moving my disk image
> files from a 300 GB external drive to a 1 TB external drive and I will
> hopefully try the extraction again tomorrow after disabling Diskeeper.
>
> -Jason
>
> On 3/16/06, Brian Carrier <> wrote:
> > That is strange. It looks like they are starting every hour. Is your
> > web browser refreshing somehow and starting a new process? Every time
> > the page loads the extraction will start again (kind of like how
> > refreshing a web page can cause your credit card to be charged twice).
> >
> > brian
> >
> > DePriest, Jason R. wrote:
> > > While I am not getting the error with Caseman.pm, I am still having
> > > strange issues. It continues to spawn multiple sets of perl, dls, and
> > > srch_strings. And it continues to create multiple output files.
> > > The extraction I started yesterday is still running and here is what
> > > the running programs and file system look like.
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > A70067@ebizsrvb ~
> > > $ ps -s
> > >  PID TTY    STIME COMMAND
> > >  300   0 16:56:56 /usr/bin/rxvt
> > > 2452   1 16:56:57 /usr/bin/bash
> > > 3680   1 17:02:52 /usr/bin/perl
> > > 6128   1 17:03:55 /usr/bin/perl
> > > 4648   1 17:03:56 /usr/bin/sh
> > > 3756   1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 4484   1 17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 4772   1 18:03:58 /usr/bin/perl
> > > 3064   1 18:04:04 /usr/bin/sh
> > > 3304   1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 3860   1 18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 4844   1 19:04:03 /usr/bin/perl
> > > 6036   1 19:04:06 /usr/bin/sh
> > >  664   1 19:04:07 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 4984   1 19:04:08 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5000   1 20:04:08 /usr/bin/perl
> > > 2344   1 20:04:16 /usr/bin/sh
> > > 5840   1 20:04:17 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5272   1 20:04:18 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5548   1 21:04:16 /usr/bin/perl
> > > 5480   1 21:04:27 /usr/bin/sh
> > > 4656   1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/dls
> > >  660   1 21:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 6136   1 22:04:22 /usr/bin/perl
> > >  824   1 22:04:27 /usr/bin/sh
> > > 3720   1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 1904   1 22:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 2360   1 23:04:27 /usr/bin/perl
> > > 1484   1 23:04:30 /usr/bin/sh
> > > 1296   1 23:04:31 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5980   1 23:04:33 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5668   1 00:04:28 /usr/bin/perl
> > >  420   1 00:04:32 /usr/bin/sh
> > > 4572   1 00:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 4904   1 00:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 4124   1 01:04:29 /usr/bin/perl
> > > 4820   1 01:04:35 /usr/bin/sh
> > > 3416   1 01:04:38 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5924   1 01:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 6112   1 02:04:30 /usr/bin/perl
> > > 4360   1 02:04:33 /usr/bin/sh
> > > 5908   1 02:04:34 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 4796   1 02:04:35 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5788   1 03:04:32 /usr/bin/perl
> > > 6072   1 03:04:34 /usr/bin/sh
> > > 4288   1 03:04:35 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5776   1 03:04:36 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 1412   1 04:04:33 /usr/bin/perl
> > > 3244   1 04:04:34 /usr/bin/sh
> > > 5440   1 04:04:37 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5208   1 04:04:38 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5536   1 05:04:34 /usr/bin/perl
> > > 4512   1 05:04:38 /usr/bin/sh
> > > 5180   1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 3256   1 05:04:39 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5996   1 06:04:37 /usr/bin/perl
> > > 4528   1 06:04:38 /usr/bin/sh
> > > 4540   1 06:04:40 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5604   1 06:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 1924   1 07:04:38 /usr/bin/perl
> > > 4472   1 07:04:41 /usr/bin/sh
> > > 3984   1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 5052   1 07:04:42 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5828   1 08:04:40 /usr/bin/perl
> > >  228   1 08:04:43 /usr/bin/sh
> > > 5756   1 08:04:44 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 4160   1 08:04:45 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5820   1 09:04:42 /usr/bin/perl
> > > 2748   1 09:04:43 /usr/bin/sh
> > > 5912   1 09:04:45 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 3900   1 09:04:46 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 5560   2 10:00:33 /usr/bin/rxvt
> > > 4188   3 10:00:38 /usr/bin/bash
> > > 4208   1 10:04:46 /usr/bin/perl
> > > 6108   1 10:04:48 /usr/bin/sh
> > > 4448   1 10:04:50 /sleuthkit/sleuthkit-2.03/bin/dls
> > > 3652   1 10:04:51 /sleuthkit/sleuthkit-2.03/bin/srch_strings
> > > 4548   3 10:05:20 /usr/bin/ps
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output>dir
> > >  Volume in drive F is Store01
> > >  Volume Serial Number is E8EA-BBB0
> > >
> > >  Directory of F:\sleuthkit-evidence\2006-013\MMA4-T-23GR6\output
> > >
> > > 03/16/2006  10:04 AM    <DIR>          .
> > > 03/16/2006  10:04 AM    <DIR>          ..
> > > 03/15/2006  06:04 PM     1,273,554,944 hdd.raw-0-0-ntfs-1.asc
> > > 03/16/2006  03:04 AM       294,304,768 hdd.raw-0-0-ntfs-10.asc
> > > 03/16/2006  04:04 AM       228,928,512 hdd.raw-0-0-ntfs-11.asc
> > > 03/16/2006  05:04 AM       159,662,080 hdd.raw-0-0-ntfs-12.asc
> > > 03/16/2006  06:04 AM       114,588,672 hdd.raw-0-0-ntfs-13.asc
> > > 03/16/2006  07:04 AM     1,130,283,008 hdd.raw-0-0-ntfs-14.asc
> > > 03/16/2006  08:04 AM        59,233,280 hdd.raw-0-0-ntfs-15.asc
> > > 03/16/2006  09:04 AM         9,054,208 hdd.raw-0-0-ntfs-16.asc
> > > 03/16/2006  10:04 AM            18,432 hdd.raw-0-0-ntfs-17.asc
> > > 03/15/2006  07:04 PM       952,222,720 hdd.raw-0-0-ntfs-2.asc
> > > 03/15/2006  08:04 PM       651,894,784 hdd.raw-0-0-ntfs-3.asc
> > > 03/15/2006  09:04 PM    10,184,050,688 hdd.raw-0-0-ntfs-4.asc
> > > 03/15/2006  10:04 PM       425,999,360 hdd.raw-0-0-ntfs-5.asc
> > > 03/15/2006  11:04 PM       393,921,536 hdd.raw-0-0-ntfs-6.asc
> > > 03/16/2006  12:04 AM       374,238,208 hdd.raw-0-0-ntfs-7.asc
> > > 03/16/2006  01:04 AM       345,949,184 hdd.raw-0-0-ntfs-8.asc
> > > 03/16/2006  02:04 AM       323,683,328 hdd.raw-0-0-ntfs-9.asc
> > > 03/15/2006  05:03 PM     2,038,089,728 hdd.raw-0-0-ntfs.asc
> > >               18 File(s) 18,959,677,440 bytes
> > >                2 Dir(s)  71,763,845,120 bytes free
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > >
> > > Is this normal, expected behavior?
> > >
> > > -Jason
|
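Brian's diagnosis above describes a general failure mode: the extraction is started as a side effect of loading a page, so any reload, including a browser's automatic one, launches another full copy of the job and, with Autopsy's numbered-fallback file names, another output file. As an added example, not Autopsy's own code, the launcher below keys each job on its output file and holds a pid lock so that a reload reports the running job instead of starting a second one, and a small check counts srch_strings processes in `ps -s` output; the function names, lock layout and sample listing are assumptions.

```python
"""Added example, not Autopsy's own code: a launcher that cannot start a second
extraction of the same volume when the page is reloaded, plus a check of `ps -s`
output for the symptom in this thread. All function names are hypothetical."""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

def _pid_alive(pid: int) -> bool:
    """Probe a pid with signal 0: nothing is sent, only existence is checked."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True

def _create_exclusive(lock: Path, content: str) -> bool:
    """Create `lock` holding `content` in one atomic step; False if it exists."""
    tmp = lock.with_name(f"{lock.name}.{os.getpid()}.tmp")
    tmp.write_text(content)
    try:
        os.link(tmp, lock)  # link() fails with EEXIST if another request won
        return True
    except FileExistsError:
        return False
    finally:
        tmp.unlink()

def start_extraction(data_dir, base_name, ftype, launch):
    """Launch the extraction for one volume, keyed by its output file
    "<base_name>-<ftype>.asc" (the name Autopsy uses). Returns (status, path):
    "started", "running" (live job holds the lock) or "restarted" (stale lock)."""
    out = Path(data_dir) / f"{base_name}-{ftype}.asc"
    lock = out.with_name(out.name + ".lock")
    status = "started"
    while not _create_exclusive(lock, str(os.getpid())):  # our pid: a live owner
        try:
            holder = lock.read_text().strip()
        except FileNotFoundError:
            continue  # released between our two checks; try again
        if not holder.isdigit() or _pid_alive(int(holder)):
            return "running", out  # the reload case: do NOT start job #2
        lock.unlink(missing_ok=True)  # owner is gone: reclaim the stale lock
        status = "restarted"
    pid = launch(out)  # the worker (dls | srch_strings > out) starts exactly once
    swap = lock.with_name(lock.name + ".pid")
    swap.write_text(str(pid))
    os.replace(swap, lock)  # atomically hand the lock over to the worker pid
    return status, out

def finish_extraction(out: Path) -> None:
    """Release the lock once the worker has finished writing `out`."""
    out.with_name(out.name + ".lock").unlink(missing_ok=True)

# Constructed excerpt of the `ps -s` listing posted in this thread.
PS_SAMPLE = """\
PID TTY STIME COMMAND
3756 1 17:03:56 /sleuthkit/sleuthkit-2.03/bin/dls
4484 1 17:03:57 /sleuthkit/sleuthkit-2.03/bin/srch_strings
3304 1 18:04:06 /sleuthkit/sleuthkit-2.03/bin/dls
3860 1 18:04:07 /sleuthkit/sleuthkit-2.03/bin/srch_strings
"""

def duplicate_extractors(ps_text: str, tool: str = "srch_strings") -> list:
    """Start times of every `tool` process; more than one means duplicate jobs."""
    times = []
    for line in ps_text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) == 4 and os.path.basename(fields[3]) == tool:
            times.append(fields[2])
    return times

def demo() -> tuple:
    """Constructed run: first load starts, a reload is refused, a dead job's lock
    is reclaimed. Returns (statuses, launches, srch_strings start times)."""
    data_dir = tempfile.mkdtemp()
    launched = []
    def fake_launch(out):  # stands in for the real worker; this process is alive
        launched.append(out.name)
        return os.getpid()
    s1, out = start_extraction(data_dir, "hdd.raw-0-0", "ntfs", fake_launch)
    s2, _ = start_extraction(data_dir, "hdd.raw-0-0", "ntfs", fake_launch)
    with subprocess.Popen([sys.executable, "-c", "pass"]) as dead:
        pass  # leaving the block waits, so dead.pid no longer exists
    (Path(data_dir) / "hdd.raw-0-0-ntfs.asc.lock").write_text(str(dead.pid))
    s3, _ = start_extraction(data_dir, "hdd.raw-0-0", "ntfs", fake_launch)
    finish_extraction(out)
    return [s1, s2, s3], launched, duplicate_extractors(PS_SAMPLE)

if __name__ == "__main__":
    print(demo())
```

The check over the ps output is the quick way to confirm the symptom on a live box: one srch_strings per volume is expected, one per hour is a reload loop.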
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-22 22:13:45
|
I may have found my problem.

After lots of experimenting with shutting down services and moving
files to different drives, it looks like it was the web browser after
all.

I have no idea why, but it does "something" every hour that kicks off
a new set of apps to extract the strings. Maybe if the page being
displayed doesn't change for an hour, it automatically refreshes it or
something.

I just closed IE after the extraction started. It has been 1 hour and
10 minutes, and I still only have one set of processes and one file of
extracted strings.

-Jason

On 3/17/06, DePriest, Jason R. <> wrote:
> It is still creating new files every hour.
> I will give the details of the environment so you can understand what
> is going on.
>
> I have a Windows 2003 Server with Service Pack 1. This server has two
> external hard disk drives connected via a FireWire PCI card. One of
> them is about two years old; it is a Maxtor OneTouch with 300 GB of
> space. The other is a relatively new La Cie drive with 1 TB of space.
> I used to do all of my investigations on my laptop with the 300 GB
> drive. As hard disk drives have gotten larger, I found myself having
> to leave my laptop cable-locked to my desk overnight and over weekends
> just to work with the gigantic images.
> The server was an attempt to let things run as long as they needed to
> without keeping me from doing other things.
>
> The server runs Cygwin, which is what I compiled sleuthkit and
> configured autopsy under. I have to make a slight change to the
> autopsy launcher to include some paths in the environment, but other
> than that, I get no errors or problems. I was using the same setup
> on my laptop for the last two years.
>
> I disabled Diskeeper, set exceptions in the anti-virus software for
> all directories involved, and turned off the ISS server sensor.
>
> Every hour after I start a scan, it kicks off new processes (while
> keeping the old ones running) and starts writing to a new file (while
> still writing to the old one, as well).
>
> I have tried linking to the image as a raw disk image with three
> volume images, and as a single large partition image.
>
> Both lead to the same problem.
>
> I am open to suggestions, as I did not have this problem when I was
> using my laptop as the investigation platform. My laptop is running
> Windows XP Professional with SP1 and I used a PCMCIA FireWire card.
> Other than that, the setups are similar. If anything I have more junk
> software installed on my laptop than I do on the server.
|
|
From: DePriest, J. R. <jrd...@gm...> - 2006-03-23 22:52:50
|
On the laptop I used to use for investigations, I used Firefox. On
the server, I was using IE. That is likely why I had no issues in the
past.

I have installed Firefox on the server and will see if my problems go
away.

On 3/22/06, DePriest, Jason R. <> wrote:
> I may have found my problem.
>
> After lots of experimenting with shutting down services and moving
> files to different drives, it looks like it was the web browser after
> all.
>
> I have no idea why, but it does "something" every hour that kicks off
> a new set of apps to extract the strings. Maybe if the page being
> displayed doesn't change for an hour, it automatically refreshes it or
> something.
>
> I just closed IE after the extraction started. It has been 1 hour and
> 10 minutes, and I still only have one set of processes and one file of
> extracted strings.
>
> -Jason
|