Thread: Re: [sleuthkit-users] Error in sorter - what am I missing?
From: Jennifer S. <g33...@li...> - 2006-04-19 22:22:50
Ok, I got the offset from mmls (thanks Barry, that was exactly what I needed to do!) and now sorter is running beautifully, with just one hangup.

It appears that there are some file system compressed files in this image and when sorter gets to them it throws out an error that it can not access NTFS compressed files and then it aborts trying to access that particular file. These appear to be file system compressed files, not standard archive files, since it was able to sort and catalog .cab, .dat, and .zip files with no problem.

According to some research on this end, it seems that NTFS uses something similar to DriveSpace3 for its compression (please correct me if I'm wrong) - has anyone found/created any method to work through this error with sorter so that instead of aborting the file, it uncompresses it and sorts it as intended?

farmer dude, thanks for the response - any suggestions on sites to look for practice images (especially if they include a "results" list, so I know if I actually find everything); also, is there a how-to anywhere on creating images for practicing?

Thanks again for all the help,
gg
From: DePriest, J. R. <jrd...@gm...> - 2006-04-19 22:57:00
Reading the NTFS entry in Wikipedia states that NTFS compression uses the same compression algorithm as regular Zip files (LZ77): http://en.wikipedia.org/wiki/Ntfs

That article had a link to the Microsoft website here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_compression_and_decompression.asp

The site is pretty high level and doesn't really give much more detail than what apps or functions to call to perform an operation.

It looks like someone would need to recreate the functionality of LzExpand.dll in an open source manner and I have no idea if any development is being done on this. I also don't know what the existing NTFS drivers and bolt-ons for Linux can already do natively.

You could always note the files that cannot be decompressed, manually pull them out of the image and then use a Windows system to decompress them. Of course, that would compromise your evidence, but it is an idea.

-Jason

On 4/19/06, Jennifer Smith <> wrote:
> Ok, I got the offset from mmls (thanks Barry, that was exactly what I needed to do!) and now sorter is running beautifully, with just one hangup.
>
> It appears that there are some file system compressed files in this image and when sorter gets to them it throws out an error that it can not access NTFS compressed files and then it aborts trying to access that particular file. These appear to be file system compressed files, not standard archive files, since it was able to sort and catalog .cab, .dat, and .zip files with no problem.
>
> According to some research on this end, it seems that NTFS uses something similar to DriveSpace3 for its compression (please correct me if I'm wrong) - has anyone found/created any method to work through this error with sorter so that instead of aborting the file, it uncompresses it and sorts it as intended?
>
> farmer dude, thanks for the response - any suggestions on sites to look for practice images (especially if they include a "results" list, so I know if I actually find everything); also, is there a how-to anywhere on creating images for practicing?
>
> Thanks again for all the help,
> gg
From: Brian C. <ca...@sl...> - 2006-04-21 21:22:30
Support for NTFS compressed files will exist in a near future release. The next release will be next week.

brian

DePriest, Jason R. wrote:
> Reading the NTFS entry in Wikipedia states that NTFS compression uses the same compression algorithm as regular Zip files (LZ77): http://en.wikipedia.org/wiki/Ntfs
>
> That article had a link to the Microsoft website here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_compression_and_decompression.asp
>
> The site is pretty high level and doesn't really give much more detail than what apps or functions to call to perform an operation.
>
> It looks like someone would need to recreate the functionality of LzExpand.dll in an open source manner and I have no idea if any development is being done on this. I also don't know what the existing NTFS drivers and bolt-ons for Linux can already do natively.
>
> You could always note the files that cannot be decompressed, manually pull them out of the image and then use a Windows system to decompress them. Of course, that would compromise your evidence, but it is an idea.
>
> -Jason
>
> On 4/19/06, Jennifer Smith <> wrote:
>> Ok, I got the offset from mmls (thanks Barry, that was exactly what I needed to do!) and now sorter is running beautifully, with just one hangup.
>>
>> It appears that there are some file system compressed files in this image and when sorter gets to them it throws out an error that it can not access NTFS compressed files and then it aborts trying to access that particular file. These appear to be file system compressed files, not standard archive files, since it was able to sort and catalog .cab, .dat, and .zip files with no problem.
>>
>> According to some research on this end, it seems that NTFS uses something similar to DriveSpace3 for its compression (please correct me if I'm wrong) - has anyone found/created any method to work through this error with sorter so that instead of aborting the file, it uncompresses it and sorts it as intended?
>>
>> farmer dude, thanks for the response - any suggestions on sites to look for practice images (especially if they include a "results" list, so I know if I actually find everything); also, is there a how-to anywhere on creating images for practicing?
>>
>> Thanks again for all the help,
>> gg
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Barry J. G. <bg...@im...> - 2006-04-20 14:10:57
On Thu, 2006-04-20 at 06:21 +0800, Jennifer Smith wrote:
> farmer dude, thanks for the response - any suggestions on sites to look for practice images (especially if they include a "results" list, so I know if I actually find everything); also, is there a how-to anywhere on creating images for practicing?

There is a "practice" image included with the "Law Enforcement and Forensic Examiner's Introduction to Linux, a Beginner's Guide": ftp://ftp.hq.nasa.gov/pub/ig/ccd/linuxintro/

The guide includes a fairly in-depth section on creating images using dd (in-depth from a beginner's standpoint). The guide is due for an update, but it might help you out now.

Barry

--
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190
Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
From: Patrick F. <fo...@ch...> - 2006-04-20 05:28:18
Jennifer Smith wrote:
> Ok, I got the offset from mmls (thanks Barry, that was exactly what I needed to do!) and now sorter is running beautifully, with just one hangup.
>
> It appears that there are some file system compressed files in this image and when sorter gets to them it throws out an error that it can not access NTFS compressed files and then it aborts trying to access that particular file. These appear to be file system compressed files, not standard archive files, since it was able to sort and catalog .cab, .dat, and .zip files with no problem.
>
> According to some research on this end, it seems that NTFS uses something similar to DriveSpace3 for its compression (please correct me if I'm wrong) - has anyone found/created any method to work through this error with sorter so that instead of aborting the file, it uncompresses it and sorts it as intended?

The unofficial NTFS driver for Linux handles compressed files. By loop-back mounting the image (read-only) you can get to the non-deleted compressed files. This shouldn't compromise the evidence as long as it is repeatable and you can prove the image hasn't been modified (checksum your images). Unfortunately this method doesn't work for deleted files.

I still find loop-back mounting the image file a great help in investigating since it's so much easier than just using TSK utilities.

/Patrick
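The two procedural points in this thread, converting the partition start that mmls reports into the byte offset a loop-back mount needs (Jennifer's first step) and proving the image is unmodified around a read-only loop-back mount (Patrick's checksum advice), as an added shell example that is not part of the thread or of The Sleuth Kit. The function names, the choice of SHA-256, and the `-t ntfs` filesystem type are my assumptions; `ro`, `loop`, `noexec`, `nodev` and `offset=` are standard Linux mount options. The sample image written by the self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: prepare a partition inside a raw disk
# image for a read-only loop-back mount and record/verify the image hash so
# the mount can be shown to be repeatable and non-modifying.

# mmls reports partition starts in sectors; mount's offset= option wants
# bytes. Sector size defaults to 512 (second argument overrides it).
sector_to_bytes() {
    sectors=$1
    sector_size=${2:-512}
    echo $((sectors * sector_size))
}

# Record a SHA-256 of the image next to it before anything touches it.
record_hash() {
    image=$1
    sha256sum "$image" > "$image.sha256"
}

# Re-hash the image and compare with the recorded value; exit status 0 means
# the image is byte-for-byte unchanged.
verify_hash() {
    image=$1
    recorded=$(cut -d' ' -f1 "$image.sha256")
    current=$(sha256sum "$image" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Build the mount command for a read-only loop-back mount at the computed
# offset. Returned as a string so it can be reviewed and logged before it is
# run as root; noexec/nodev keep anything inside the evidence from executing
# or exposing device nodes on the examiner's machine.
mount_cmd() {
    image=$1
    sectors=$2
    mountpoint=$3
    off=$(sector_to_bytes "$sectors")
    echo "mount -t ntfs -o ro,loop,noexec,nodev,offset=$off $image $mountpoint"
}

# Usage: ./loopmount.sh <image> <partition start in sectors> <mountpoint>
# Records the hash, then prints the mount command to run as root. After
# unmounting, run verify_hash on the image to show it was not modified.
if [ $# -ge 3 ]; then
    record_hash "$1"
    echo "Hash recorded in $1.sha256"
    echo "Run as root: $(mount_cmd "$1" "$2" "$3")"
fi
```

With the offset from mmls in hand (for a partition starting at sector 63 the byte offset is 32256), the printed command mounts only that partition; hashing before the mount and again after the unmount is what makes the "image hasn't been modified" claim demonstrable rather than asserted.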