Thread: [sleuthkit-users] Newbie question on autopsy3
Brought to you by:
carrier
|
From: Netexpress <Net...@ti...> - 2013-09-03 21:12:44
|
Hi, I am new to Autopsy. I am using Autopsy 3.0.6 on Windows 2003 and on Windows 7. I create a case, insert a keyword to search, and run the ingest modules on the data source. And now the problems:

1- I get a message at the bottom, "no known bad database set"; where and how do I set it?

2- If I use the keyword search at the top right, I get this message: "No files are indexed, please index an image before searching". What can I do?

3- If I go to the tree view and select Deleted Files, everything seems to freeze, and even though I know that many deleted files are present, I do not find any of them.

Perhaps because I am a newbie with Autopsy my questions may seem stupid, but I have been trying for many days to understand and solve this.

Last question: can someone suggest a good tutorial for realistic use of Autopsy 3?

NetExpress |
|
From: Brian C. <ca...@sl...> - 2013-09-04 13:00:20
|
On Sep 3, 2013, at 5:12 PM, Netexpress <Net...@ti...> wrote:

> Hi,
> I am new to Autopsy. I am using Autopsy 3.0.6 on Windows 2003 and on Windows 7.

Sounds good. For future reference for everyone, there is a quick start guide on the web: http://sleuthkit.org/autopsy/docs/quick/

> I create a case, insert a keyword to search, and run the ingest modules on the data source. And now the problems:
> 1- I get a message at the bottom, "no known bad database set"; where and how do I set it?

2 ways.

- If you are adding a disk image / data source, choose the Hash Lookup module when you get the list of ingest modules and then choose "Advanced". It will allow you to import NSRL databases (which you can download from https://sourceforge.net/projects/autopsy/files/NSRL/) of 'known' files that will be ignored by other ingest modules, or you can add a database of 'known bad'. We don't distribute 'known bad' databases. We support EnCase, Hashkeeper, and md5sum formats.

- From within the tool, you can choose the Tools menu and then Options -> Hash Database and get to the same panel.

> 2- If I use the keyword search at the top right, I get this message: "No files are indexed, please index an image before searching". What can I do?

Was the Keyword Search ingest module enabled when you added the disk image? It is responsible for adding files to the index. If it was enabled, you may need to wait (I'll review that message to see if it can be made more clear). The currently released version of Autopsy "commits" its index every 10 minutes while ingest is occurring. The faster you commit, the longer the ingest takes. The next version changes that value to 5 minutes. That means that for 10 minutes, new files will not be visible to you in the index. I think we updated the message to be more clear about why there are no results, but I'll double check.

> 3- If I go to the tree view and select Deleted Files, everything seems to freeze, and even though I know that many deleted files are present, I do not find any of them.

Meaning that the entire system freezes? I haven't seen that yet, but can certainly make some test images to stress that feature. If you select "Deleted Files", it should show two child entries (File System and All). What are the numbers next to those?

> Perhaps because I am a newbie with Autopsy my questions may seem stupid, but I have been trying for many days to understand and solve this.
>
> Last question: can someone suggest a good tutorial for realistic use of Autopsy 3?

We haven't built one yet besides the other docs. Sorry. Perhaps someone else can ... :)

thanks,
brian |
|
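As an added illustration of what the 'known' and 'known bad' hash sets in the Hash Lookup module above do (this is example code written for this page, not Autopsy's implementation, which imports the sets through the GUI): the script parses two constructed hash sets in md5sum output format, one of the three formats Brian lists, hashes a few constructed sample files, and sorts them into known, known bad and unknown. The digests, paths and file contents are sample data for the example; a real NSRL set is far larger and would be imported, not hand-written.

```python
import hashlib

# Constructed hash sets in md5sum output format ("<md5>  <path>" or
# "<md5> *<path>" for md5sum's binary-mode marker). Each digest below is the
# MD5 of the matching sample bytes in SAMPLE_FILES; none of this is NSRL data.
KNOWN_TEXT = """\
# known (NSRL-style): files the other ingest modules can skip
d41d8cd98f00b204e9800998ecf8427e  /Windows/System32/empty.dat
900150983cd24fb0d6963f7d28e17f72 */Windows/System32/abc.dll
"""
KNOWN_BAD_TEXT = """\
9e107d9d372bb6826bd81d3542a419d6  /malware/fox.exe
"""

# Constructed "files" standing in for the contents of a data source.
SAMPLE_FILES = {
    "empty.dat": b"",
    "abc.dll": b"abc",
    "fox.exe": b"The quick brown fox jumps over the lazy dog",
    "notes.txt": b"case notes, unique to this image",
}

HEX = set("0123456789abcdef")


def parse_md5sum_hashset(text):
    """Return the set of lowercase MD5 hex digests in md5sum-format text.

    Blank lines and '#' comments are skipped. Anything else that does not
    start with a 32-character hex digest raises, so a truncated or mangled
    hash set is noticed instead of silently shrinking the lookup table.
    """
    digests = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest = line.split(None, 1)[0].lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: not an md5sum entry: {line!r}")
        digests.add(digest)
    return digests


def md5_of_stream(fobj, chunk=1 << 20):
    """MD5 of a file-like object read in chunks, so large files are not slurped."""
    h = hashlib.md5()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def classify(digest, known, known_bad):
    """'known_bad' wins over 'known': a file on both lists is the one to look at."""
    if digest in known_bad:
        return "known_bad"
    if digest in known:
        return "known"
    return "unknown"


def triage(files, known, known_bad):
    """Map each file name to its category; the ingest loop would then skip
    'known' files and flag 'known_bad' ones as hits."""
    return {name: classify(hashlib.md5(data).hexdigest(), known, known_bad)
            for name, data in files.items()}


KNOWN = parse_md5sum_hashset(KNOWN_TEXT)
KNOWN_BAD = parse_md5sum_hashset(KNOWN_BAD_TEXT)

if __name__ == "__main__":
    for name, category in triage(SAMPLE_FILES, KNOWN, KNOWN_BAD).items():
        print(f"{category:10s} {name}")
```

The one design point worth keeping from this when building your own sets: give the known-bad list precedence, and fail loudly on malformed lines, because a hash set that quietly loses entries produces a clean-looking report rather than an obviously broken one.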
From: Brian C. <ca...@sl...> - 2013-09-04 15:26:13
|
On Sep 4, 2013, at 6:58 AM, Brian Carrier <ca...@sl...> wrote:

> On Sep 3, 2013, at 5:12 PM, Netexpress <Net...@ti...> wrote:
>
>> 2- If I use the keyword search at the top right, I get this message: "No files are indexed, please index an image before searching". What can I do?
>
> Was the Keyword Search ingest module enabled when you added the disk image? It is responsible for adding files to the index. If it was enabled, you may need to wait (I'll review that message to see if it can be made more clear). The currently released version of Autopsy "commits" its index every 10 minutes while ingest is occurring. The faster you commit, the longer the ingest takes. The next version changes that value to 5 minutes. That means that for 10 minutes, new files will not be visible to you in the index. I think we updated the message to be more clear about why there are no results, but I'll double check.

I just updated the message to be more detailed if the search is conducted when ingest is ongoing and there are no files. |
|
From: Netexpress <Net...@ti...> - 2013-09-04 21:25:37
|
Hi Brian, thanks very much for your help. I will add more data to your tips.

>> 3- If I go to the tree view and select Deleted Files, everything seems to freeze, and even though I know that many deleted files are present, I do not find any of them.
>
> Meaning that the entire system freezes? I haven't seen that yet, but can certainly make some test images to stress that feature. If you select "Deleted Files", it should show two child entries (File System and All). What are the numbers next to those?

Let me explain more about my analysis lab. I have Autopsy on a Windows 2003 virtual machine with 4GB RAM and 2 processors. I am using VMware Server 2.0 running on Linux, and I connect to Windows 2003 to use Autopsy through Terminal Server as the administrator user; a bit of a complicated scenario? :-)

The image on which I am working is of an original image of 36GB that the police duplicated for the lawyer onto a 500GB disk via dd or Logicube: not a dd raw image file, but dd output onto a 500GB disk device, and when I made a raw image from this disk I got an image of 500GB, the one on which I am working. Is there some mistake in the process?

Now I will try to explain more about the problem. The system is ok; I notice a fixed use of 50% of the CPU by Autopsy. Everything I choose in the menus and views of Autopsy is too slow, and many times I cannot change view. Furthermore, if I minimize Autopsy it does not return to a full window. If I try to kill the process it goes into the "not responding" state.

In the Deleted Files view Autopsy reports:
File System 883162
All 883162
But I am not able to view the list of files.

Looking into the Event Viewer I have found this, only one occurrence, if it can help:

Application:
Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 28/08/2013
Time: 23.30.36
User: N/A
Computer: LABORATORIO
Description:
Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 48 61 6e 67   ion Hang
0010: 20 20 61 75 74 6f 70 73     autops
0018: 79 2e 65 78 65 20 30 2e   y.exe 0.
0020: 30 2e 30 2e 30 20 69 6e   0.0.0 in
0028: 20 68 75 6e 67 61 70 70    hungapp
0030: 20 30 2e 30 2e 30 2e 30    0.0.0.0
0038: 20 61 74 20 6f 66 66 73    at offs
0040: 65 74 20 30 30 30 30 30   et 00000
0048: 30 30 30                  000

I have used Autopsy 2 on Linux and find this new version very good, more intuitive and better for a general view of the case. The only two things that could be of help, for me, would be a log of what it is doing with an activity marker, and a dialog box telling you to wait for the process to complete; sometimes the user thinks that everything has completed even if it is still going on.

Sorry for my bad English, and thanks very much for your help.

Alessandro Fiorenzi |
|
From: Brian C. <ca...@sl...> - 2013-09-06 01:27:18
|
883162 files is probably more files than we have tried to send to the table area at a single time. We'll run some tests. Does it hang only when you try to view all deleted files? We've certainly analyzed images that are larger than 36GB before.

That being said, the scenario you describe below is a bit confusing. If the image that you want to analyze is only 36GB and that is a file inside of the 500GB image, then you may not get the results that you expect because it will be analyzing the 500GB drive and not the 36GB drive. Autopsy does not currently have the functionality to detect a disk image inside of a disk image and process it.

thanks,
brian

On Sep 4, 2013, at 5:25 PM, Netexpress wrote:

> Hi Brian, thanks very much for your help. I will add more data to your tips.
>
>>> 3- If I go to the tree view and select Deleted Files, everything seems to freeze, and even though I know that many deleted files are present, I do not find any of them.
>>
>> Meaning that the entire system freezes? I haven't seen that yet, but can certainly make some test images to stress that feature. If you select "Deleted Files", it should show two child entries (File System and All). What are the numbers next to those?
>
> Let me explain more about my analysis lab. I have Autopsy on a Windows 2003 virtual machine with 4GB RAM and 2 processors. I am using VMware Server 2.0 running on Linux, and I connect to Windows 2003 to use Autopsy through Terminal Server as the administrator user; a bit of a complicated scenario? :-)
>
> The image on which I am working is of an original image of 36GB that the police duplicated for the lawyer onto a 500GB disk via dd or Logicube: not a dd raw image file, but dd output onto a 500GB disk device, and when I made a raw image from this disk I got an image of 500GB, the one on which I am working. Is there some mistake in the process?
>
> Now I will try to explain more about the problem. The system is ok; I notice a fixed use of 50% of the CPU by Autopsy. Everything I choose in the menus and views of Autopsy is too slow, and many times I cannot change view. Furthermore, if I minimize Autopsy it does not return to a full window. If I try to kill the process it goes into the "not responding" state.
>
> In the Deleted Files view Autopsy reports:
> File System 883162
> All 883162
> But I am not able to view the list of files.
>
> Looking into the Event Viewer I have found this, only one occurrence, if it can help:
>
> Application:
> Event Type: Error
> Event Source: Application Hang
> Event Category: (101)
> Event ID: 1002
> Date: 28/08/2013
> Time: 23.30.36
> User: N/A
> Computer: LABORATORIO
> Description:
> Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 41 70 70 6c 69 63 61 74   Applicat
> 0008: 69 6f 6e 20 48 61 6e 67   ion Hang
> 0010: 20 20 61 75 74 6f 70 73     autops
> 0018: 79 2e 65 78 65 20 30 2e   y.exe 0.
> 0020: 30 2e 30 2e 30 20 69 6e   0.0.0 in
> 0028: 20 68 75 6e 67 61 70 70    hungapp
> 0030: 20 30 2e 30 2e 30 2e 30    0.0.0.0
> 0038: 20 61 74 20 6f 66 66 73    at offs
> 0040: 65 74 20 30 30 30 30 30   et 00000
> 0048: 30 30 30                  000
>
> I have used Autopsy 2 on Linux and find this new version very good, more intuitive and better for a general view of the case. The only two things that could be of help, for me, would be a log of what it is doing with an activity marker, and a dialog box telling you to wait for the process to complete; sometimes the user thinks that everything has completed even if it is still going on.
>
> Sorry for my bad English, and thanks very much for your help.
>
> Alessandro Fiorenzi
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org |
|
From: Netexpress <Net...@ti...> - 2013-09-06 16:19:18
|
> -----Original message-----
> From: Brian Carrier [mailto:ca...@sl...]
> Sent: Friday, 6 September 2013 03:27
> To: Netexpress
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] R: Newbie question on autopsy3
>
> 883162 files is probably more files than we have tried to send to the table area at a single time. We'll run some tests. Does it hang only when you try to view all deleted files? We've certainly analyzed images that are larger than 36GB before.

[Fiorenzi Alessandro] Yes, it hangs, and I have never seen the list of deleted files.

> That being said, the scenario you describe below is a bit confusing. If the image that you want to analyze is only 36GB and that is a file inside of the 500GB image, then you may not get the results that you expect because it will be analyzing the 500GB drive and not the 36GB drive. Autopsy does not currently have the functionality to detect a disk image inside of a disk image and process it.

[Fiorenzi Alessandro] The police did a dd from the original device of 36GB to a destination drive of 500GB:
dd if=/dev/sdc (36GB) of=/dev/sdd (500GB)

> thanks,
> brian
>
> On Sep 4, 2013, at 5:25 PM, Netexpress wrote:
>
>> Hi Brian, thanks very much for your help. I will add more data to your tips.
>>
>>>> 3- If I go to the tree view and select Deleted Files, everything seems to freeze, and even though I know that many deleted files are present, I do not find any of them.
>>>
>>> Meaning that the entire system freezes? I haven't seen that yet, but can certainly make some test images to stress that feature. If you select "Deleted Files", it should show two child entries (File System and All). What are the numbers next to those?
>>
>> Let me explain more about my analysis lab. I have Autopsy on a Windows 2003 virtual machine with 4GB RAM and 2 processors. I am using VMware Server 2.0 running on Linux, and I connect to Windows 2003 to use Autopsy through Terminal Server as the administrator user; a bit of a complicated scenario? :-)
>>
>> The image on which I am working is of an original image of 36GB that the police duplicated for the lawyer onto a 500GB disk via dd or Logicube: not a dd raw image file, but dd output onto a 500GB disk device, and when I made a raw image from this disk I got an image of 500GB, the one on which I am working. Is there some mistake in the process?
>>
>> Now I will try to explain more about the problem. The system is ok; I notice a fixed use of 50% of the CPU by Autopsy. Everything I choose in the menus and views of Autopsy is too slow, and many times I cannot change view. Furthermore, if I minimize Autopsy it does not return to a full window. If I try to kill the process it goes into the "not responding" state.
>>
>> In the Deleted Files view Autopsy reports:
>> File System 883162
>> All 883162
>> But I am not able to view the list of files.
>>
>> Looking into the Event Viewer I have found this, only one occurrence, if it can help:
>>
>> Application:
>> Event Type: Error
>> Event Source: Application Hang
>> Event Category: (101)
>> Event ID: 1002
>> Date: 28/08/2013
>> Time: 23.30.36
>> User: N/A
>> Computer: LABORATORIO
>> Description:
>> Hanging application autopsy.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
>>
>> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>> Data:
>> 0000: 41 70 70 6c 69 63 61 74   Applicat
>> 0008: 69 6f 6e 20 48 61 6e 67   ion Hang
>> 0010: 20 20 61 75 74 6f 70 73     autops
>> 0018: 79 2e 65 78 65 20 30 2e   y.exe 0.
>> 0020: 30 2e 30 2e 30 20 69 6e   0.0.0 in
>> 0028: 20 68 75 6e 67 61 70 70    hungapp
>> 0030: 20 30 2e 30 2e 30 2e 30    0.0.0.0
>> 0038: 20 61 74 20 6f 66 66 73    at offs
>> 0040: 65 74 20 30 30 30 30 30   et 00000
>> 0048: 30 30 30                  000
>>
>> I have used Autopsy 2 on Linux and find this new version very good, more intuitive and better for a general view of the case. The only two things that could be of help, for me, would be a log of what it is doing with an activity marker, and a dialog box telling you to wait for the process to complete; sometimes the user thinks that everything has completed even if it is still going on.
>>
>> Sorry for my bad English, and thanks very much for your help.
>>
>> Alessandro Fiorenzi |
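The layout produced by `dd if=/dev/sdc of=/dev/sdd` with a larger destination is the 36GB device sitting at offset 0 of the 500GB raw image, followed by whatever the 500GB drive already held (or zeros, if it had been wiped). One way to confirm that, and to find where the original device ends, is to walk the MBR partition table at sector 0 and any extended-partition (EBR) chain, then compare the last sector any partition touches with the image size; The Sleuth Kit's mmls prints the same table. The script below is an added example for this thread, not Autopsy or Sleuth Kit code. It constructs a small raw image (4096 sectors holding a 3072-sector 'device' with one primary and one logical partition; the numbers are made up for the demo) and reports the last used LBA and how many trailing sectors lie beyond it. It parses the standard MBR/EBR entry layout only; a GPT-partitioned source would need the GPT header read instead, which it does not do.

```python
import io
import struct
import sys

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # DOS, Win95 LBA and Linux extended containers


def _read_table(img, lba, sector=SECTOR):
    """Return the 4 entries [(type, start, count)] of the table in sector `lba`.

    Start values are as stored: absolute in the MBR, relative in an EBR.
    Raises if the 0x55AA signature is missing, which is the first hint that
    the image does not begin with the device you think it does.
    """
    img.seek(lba * sector)
    sec = img.read(sector)
    if len(sec) < sector or sec[510:512] != b"\x55\xaa":
        raise ValueError(f"no 0x55AA partition-table signature at LBA {lba}")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs_a, ptype, _chs_b, start, count = struct.unpack(
            "<B3sB3sII", sec[off:off + 16])
        entries.append((ptype, start, count))
    return entries


def walk_partitions(img, sector=SECTOR):
    """[(kind, type, absolute_start_lba, sector_count)] for every primary,
    extended and logical partition; the EBR chain is followed with a cycle guard."""
    parts = []
    for ptype, start, count in _read_table(img, 0, sector):
        if ptype == 0 or count == 0:
            continue
        if ptype not in EXTENDED_TYPES:
            parts.append(("primary", ptype, start, count))
            continue
        parts.append(("extended", ptype, start, count))
        ext_base, ebr, seen = start, start, set()
        while ebr and ebr not in seen:
            seen.add(ebr)
            entries = _read_table(img, ebr, sector)
            ltype, lstart, lcount = entries[0]   # logical partition, relative to this EBR
            if ltype and lcount:
                parts.append(("logical", ltype, ebr + lstart, lcount))
            ntype, nstart, ncount = entries[1]   # next EBR, relative to the extended base
            ebr = ext_base + nstart if (ntype in EXTENDED_TYPES and ncount) else 0
    return parts


def analyze_raw_image(img, sector=SECTOR):
    """Compare the highest sector any partition touches with the image size."""
    img.seek(0, io.SEEK_END)
    total = img.tell() // sector
    parts = walk_partitions(img, sector)
    last_used = max((s + c for _kind, _type, s, c in parts), default=0)
    return {
        "total_sectors": total,
        "partitions": parts,
        "last_used_lba": last_used,
        "trailing_sectors": total - last_used,
        "suggested_source_bytes": last_used * sector,
    }


# --- constructed sample image (demo data, not from the thread) ---------------
def _entry(ptype, start, count):
    return struct.pack("<B3sB3sII", 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)


def _table(entries):
    return b"\x00" * 446 + b"".join(entries) + b"\x00" * 16 * (4 - len(entries)) + b"\x55\xaa"


def make_sample_image(sector=SECTOR):
    """A 4096-sector 'oversized' image: a 3072-sector device (primary NTFS at
    LBA 63, extended at 2048 holding one Linux logical partition) at offset 0,
    followed by 1024 sectors that are not part of the source device."""
    buf = bytearray(4096 * sector)
    buf[0:sector] = _table([_entry(0x07, 63, 1985), _entry(0x05, 2048, 1024)])
    buf[2048 * sector:2049 * sector] = _table([_entry(0x83, 63, 961)])
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    img = open(sys.argv[1], "rb") if len(sys.argv) > 1 else make_sample_image()
    with img:
        report = analyze_raw_image(img)
    for kind, ptype, start, count in report["partitions"]:
        print(f"{kind:9s} type=0x{ptype:02x} start={start} end={start + count}")
    print(f"image={report['total_sectors']} sectors, last used LBA={report['last_used_lba']}, "
          f"trailing={report['trailing_sectors']} sectors")
```

Run it with a path to a raw image to see the real table; with no argument it analyzes the constructed image. In the scenario in this thread, the last used LBA of the 500GB image should sit at or just below the 36GB mark, and the trailing region is residual content of the destination drive rather than unallocated space of the evidence device, so carving hits from there need to be excluded when reporting. `suggested_source_bytes` is the length a trimmed copy would have (for example as dd's bs and count), and it should be checked against the source size the Logicube or the police report recorded rather than trusted on its own.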