Thread: [sleuthkit-users] disk_stat and SATA
From: Barry J. G. <bg...@im...> - 2006-07-19 17:54:14

(I accidentally sent this to sleuthkit-informer...sorry. The wonders of autocompletion)

Wondering if anyone has found a patch or workaround for adding SATA support to TSK's disk_stat. We are dealing with more and more SATA drives, and HPA detection with TSK has been useful (since 1.73, anyway).

I was thinking of something along the lines of the passthrough ioctl for libata. Any ideas?

Barry

--
/***************************************
Special Agent Barry J. Grundy
Resident Agent in Charge
NASA Office of Inspector General
Computer Crimes Division
Eastern Region
(301)286-3358 (w)
(202)246-6497 (c)
**************************************/

From: Robert M. <ro...@ze...> - 2006-07-19 23:40:14

Barry J. Grundy wrote:

>(I accidentally sent this to sleuthkit-informer...sorry. The wonders of autocompletion)
>
>Wondering if anyone has found a patch or workaround for adding SATA
>support to TSK's disk_stat. We are dealing with more and more SATA
>drives, and HPA detection with TSK has been useful (since 1.73, anyway).
>
>I was thinking of something along the lines of the passthrough ioctl for
>libata. Any ideas?
>

Hey!

There is already a patch that should help (good for kernels >= 2.6.9). You can take a look at a discussion about it at http://tinyurl.com/h6wb3 and the actual patch set is at http://tinyurl.com/5el5w

The patch includes exactly what you are suggesting. I haven't used the patch myself **yet** so I can't vouch for the stability -- we are working on some tools that will need it in the near future though.

Cheers,

Rob McCrea, CISSP
ro...@ze...
Zebra Logic Inc. - Ensuring Data Survival
http://www.zebralogic.ca
1.866.699.3272 ext 101

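The comparison behind HPA detection, as an added example that is not part of the original thread and is not TSK's disk_stat code: a drive has an HPA when the sector count in its IDENTIFY DEVICE data is smaller than its native maximum. The function names and sample values are constructed for illustration; fetching the IDENTIFY data and the native max address from a SATA drive (for instance through the libata passthrough discussed above) is assumed to have happened already.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Word offsets in the 256-word ATA IDENTIFY DEVICE response. */
#define ID_LBA28_SECTORS  60  /* words 60-61: user-addressable sectors, 28-bit */
#define ID_CMDSET_82      82  /* bit 10: Host Protected Area feature set */
#define ID_CMDSET_83      83  /* bit 10: 48-bit Address feature set */
#define ID_LBA48_SECTORS 100  /* words 100-103: user-addressable sectors, 48-bit */
#define BIT10 (1u << 10)

/* Number of sectors the drive currently exposes to the host. */
uint64_t user_sectors(const uint16_t id[256]) {
    uint64_t n = 0;
    if (id[ID_CMDSET_83] & BIT10)
        for (int i = 3; i >= 0; i--)
            n = (n << 16) | id[ID_LBA48_SECTORS + i];
    if (n == 0)  /* no LBA48 value: fall back to the 28-bit count */
        n = ((uint64_t)id[ID_LBA28_SECTORS + 1] << 16) | id[ID_LBA28_SECTORS];
    return n;
}

/* Sectors hidden behind an HPA: 0 if none, -1 if the HPA feature set is not
 * reported. native_max_lba is the last LBA from READ NATIVE MAX ADDRESS (EXT). */
int64_t hpa_hidden_sectors(const uint16_t id[256], uint64_t native_max_lba) {
    if (!(id[ID_CMDSET_82] & BIT10))
        return -1;
    uint64_t visible = user_sectors(id);
    uint64_t native = native_max_lba + 1;  /* last address -> sector count */
    return native > visible ? (int64_t)(native - visible) : 0;
}

/* Constructed IDENTIFY data for a drive exposing `sectors` sectors. */
void make_sample_identify(uint16_t id[256], uint64_t sectors) {
    memset(id, 0, 256 * sizeof(uint16_t));
    id[ID_CMDSET_82] = id[ID_CMDSET_83] = BIT10;
    for (int i = 0; i < 4; i++)
        id[ID_LBA48_SECTORS + i] = (uint16_t)(sectors >> (16 * i));
    uint32_t lba28 = sectors > 0x0FFFFFFF ? 0x0FFFFFFF : (uint32_t)sectors;
    id[ID_LBA28_SECTORS] = (uint16_t)lba28;
    id[ID_LBA28_SECTORS + 1] = (uint16_t)(lba28 >> 16);
}

int main(void) {
    uint16_t id[256];
    make_sample_identify(id, 1000000);  /* constructed values, not a real drive */
    printf("hidden sectors: %lld\n", (long long)hpa_hidden_sectors(id, 1002047));
}
```

A non-zero result means an image taken through the normal block device stops short of the physical end of the disk.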
From: Eric <er...@ho...> - 2006-07-31 16:51:13

I was wondering if someone could point me in the right "free" direction into getting started with some simple commands using sleuth kit, connectivity, and most of all creating images and/or how to specify them. I've been on the list a while and have realized that most of you are very experienced with the tools, so I don't want to be a bother until I learn more on my own ;)

Thank you,
Eric

From: <rob...@ve...> - 2006-08-01 13:42:31

When compiling the libewf ewfacquire tool run the following command from within the libewf directory to get system specifics working:

sh make.sh or sh make.sh remake

Otherwise you'll probably get a 0 size device error.

Regards,

Robert-Jan Mora.

Quoting Brian Carrier <ca...@sl...>:

> For those who are looking for the ewfacquire tool, the tools in libewf
> and afflib are not compiled with TSK, only the corresponding libraries
> are. You'll have to type 'make' in src/libewf or src/afflib to get all
> of the tools.
>
> brian
>
>
> Robert-Jan Mora wrote:
>> Hello Eric,
>>
>> We've just added a tool called 'ewfacquire' within the latest sleuthkit
>> 2.05. With the tool you can create disk images for free. The images are
>> compatible with Encase or FTK and metadata case information is saved
>> within the evidence file created.
>>
>> ewfacquire can be found in the /sleuthkit/src/libewf directory.
>>
>> Ewfacquire usage:
>>
>> ./ewfacquire /dev/hda (or sda hard disk devices) After executing it will
>> guide you through the process of creating an image.
>>
>> Or you can always use the dd command to create an image.
>>
>> Regards,
>>
>> Robert-Jan Mora.
>>
>> Eric wrote:
>>> I was wondering if someone could point me in the right "free" direction
>>> into getting started with some simple commands using sleuth kit,
>>> connectivity, and most of all creating images and/or how to specify them.
>>> I've been on the list a while and have realized that most of you are
>>> very experienced with the tools, so I don't want to be a bother until I
>>> learn more on my own ;)
>>>
>>> Thank you,
>>> Eric
>>>
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org

From: Robert-Jan M. <rob...@ve...> - 2006-08-03 16:14:30

Hello group,

If someone is using the ewfacquire tool, we would like to hear from you about your experiences with the tool. Maybe you have some suggestions. Let us know.

Regards,

Robert-Jan Mora.

rob...@ve... wrote:
> When compiling the libewf ewfacquire tool run the following command
> from within the libewf directory to get system specifics working:
>
> sh make.sh or sh make.sh remake
>
> Otherwise you'll probably get a 0 size device error.
>
> Regards,
>
> Robert-Jan Mora.
>
> Quoting Brian Carrier <ca...@sl...>:
>
>> For those who are looking for the ewfacquire tool, the tools in libewf
>> and afflib are not compiled with TSK, only the corresponding libraries
>> are. You'll have to type 'make' in src/libewf or src/afflib to get all
>> of the tools.
>>
>> brian
>>
>>
>> Robert-Jan Mora wrote:
>>
>>> Hello Eric,
>>>
>>> We've just added a tool called 'ewfacquire' within the latest sleuthkit
>>> 2.05. With the tool you can create disk images for free. The images are
>>> compatible with Encase or FTK and metadata case information is saved
>>> within the evidence file created.
>>>
>>> ewfacquire can be found in the /sleuthkit/src/libewf directory.
>>>
>>> Ewfacquire usage:
>>>
>>> ./ewfacquire /dev/hda (or sda hard disk devices) After executing it will
>>> guide you through the process of creating an image.
>>>
>>> Or you can always use the dd command to create an image.
>>>
>>> Regards,
>>>
>>> Robert-Jan Mora.
>>>
>>> Eric wrote:
>>>
>>>> I was wondering if someone could point me in the right "free" direction
>>>> into getting started with some simple commands using sleuth kit,
>>>> connectivity, and most of all creating images and/or how to specify them.
>>>> I've been on the list a while and have realized that most of you are
>>>> very experienced with the tools, so I don't want to be a bother until I
>>>> learn more on my own ;)
>>>>
>>>> Thank you,
>>>> Eric

From: Robert-Jan M. <rob...@ve...> - 2006-07-31 17:02:32

Hello Eric,

We've just added a tool called 'ewfacquire' within the latest sleuthkit 2.05. With the tool you can create disk images for free. The images are compatible with Encase or FTK and metadata case information is saved within the evidence file created.

ewfacquire can be found in the /sleuthkit/src/libewf directory.

Ewfacquire usage:

./ewfacquire /dev/hda (or sda hard disk devices) After executing it will guide you through the process of creating an image.

Or you can always use the dd command to create an image.

Regards,

Robert-Jan Mora.

Eric wrote:
> I was wondering if someone could point me in the right "free" direction
> into getting started with some simple commands using sleuth kit,
> connectivity, and most of all creating images and/or how to specify them.
> I've been on the list a while and have realized that most of you are
> very experienced with the tools, so I don't want to be a bother until I
> learn more on my own ;)
>
> Thank you,
> Eric

From: Simson G. <si...@ac...> - 2006-07-31 17:18:07

Hi, Eric.

There is a tool that's part of the AFF software system called "aimage". This tool will acquire images in either AFF, raw, or split raw format. It also captures metadata such as the time that the acquisition was made and the drive's serial number.

If you run the tool on FreeBSD or Linux, aimage will automatically scan for and attach an ATA, IDE, or SCSI drive.

> Eric wrote:
>> I was wondering if someone could point me in the right "free" direction
>> into getting started with some simple commands using sleuth kit,
>> connectivity, and most of all creating images and/or how to specify them.
>> I've been on the list a while and have realized that most of you are
>> very experienced with the tools, so I don't want to be a bother until I
>> learn more on my own ;)
>>
>> Thank you,
>> Eric

From: Brian C. <ca...@sl...> - 2006-08-01 13:29:27

For those who are looking for the ewfacquire tool, the tools in libewf and afflib are not compiled with TSK, only the corresponding libraries are. You'll have to type 'make' in src/libewf or src/afflib to get all of the tools.

brian

Robert-Jan Mora wrote:
> Hello Eric,
>
> We've just added a tool called 'ewfacquire' within the latest sleuthkit
> 2.05. With the tool you can create disk images for free. The images are
> compatible with Encase or FTK and metadata case information is saved
> within the evidence file created.
>
> ewfacquire can be found in the /sleuthkit/src/libewf directory.
>
> Ewfacquire usage:
>
> ./ewfacquire /dev/hda (or sda hard disk devices) After executing it will
> guide you through the process of creating an image.
>
> Or you can always use the dd command to create an image.
>
> Regards,
>
> Robert-Jan Mora.
>
> Eric wrote:
>> I was wondering if someone could point me in the right "free" direction
>> into getting started with some simple commands using sleuth kit,
>> connectivity, and most of all creating images and/or how to specify them.
>> I've been on the list a while and have realized that most of you are
>> very experienced with the tools, so I don't want to be a bother until I
>> learn more on my own ;)
>>
>> Thank you,
>> Eric