Thread: [sleuthkit-users] Problems with Sorter
From: Brent K. <bre...@gm...> - 2006-11-16 21:54:36
I have a dd image of an NTFS disk. I'm using the most recent build of TSK under Cygwin on an XP machine.

When I run sorter on the dd image and specify "-f ntfs", I get back an error message "Incorrect file system type (-f ntfs)".

Running fsstat on the same dd image returns recognition that this image is indeed an NTFS file system.

Any suggestions?

For reference, here is the complete sorter command I am running:

>> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/" -f ntfs -i raw /usr/local/images/analysis.dd

By the way, from within Autopsy the same error is generated.

Many thanks.

Brent
From: Brian C. <ca...@sl...> - 2006-11-17 22:00:20
Are you getting a dialog box about not being able to find the OpenSSL
dlls? When I just did a similar test, that is what I got and then got
the same error. The problem is that sorter clears the PATH, but Cygwin
needs to find the OpenSSL dlls for AFFLib. The quick fix is to edit
bin/sorter and comment out line 21 (add a #):
#$ENV{PATH} = '';
brian
Brent Kidwell wrote:
> I have a dd image of an NTFS disk. I'm using the most recent build of
> TSK under Cygwin on an XP machine.
>
> When I run sorter on the dd image and specify "-f ntfs", I get back an
> error message "Incorrect file system type (-f ntfs)".
>
> Running fsstat on the same dd image returns recognition that this image
> is indeed an NTFS file system.
>
> Any suggestions?
>
> For reference, here is the complete sorter command I am running:
>
> >> sorter -d c:\\output -h -s -n /usr/local/nsrl/NSRLFile.txt -m "E:/"
> -f ntfs -i raw /usr/local/images/analysis.dd
>
> By the way, from within Autopsy the same error is generated.
>
> Many thanks.
>
> Brent
>
>
> ------------------------------------------------------------------------
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
From: Brent K. <bre...@gm...> - 2006-11-18 02:41:20
Thanks for the email.
No, I'm not receiving any message about OpenSSL.
The only message returned is "incorrect file system type" reported back.
Below is the output after I put some print statements into the Perl code to
debug (the modified code is below the output).
Everything seems fine, but the $out variable is empty after execution of the
fsstat command. Here's the code that feeds $out:
my $out = `\"$SK_FSSTAT\" $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG`;
What is strange is that, when I manually run the exact same command
parameters in Cygwin with "fsstat", I get back the string "ntfs", which is
what I presume sorter wants to see.
I cannot determine why $out is not being populated with "ntfs".
Any ideas?
[output of modified code]
$ sorter -d / -f ntfs -i raw /usr/local/evidence/analysis.dd
SK_DIR: /usr/local/sleuthkit-2.06/
BIN_DIR: /usr/local/sleuthkit-2.06//bin/
sk_fsstat: /usr/local/sleuthkit-2.06//bin/fsstat
IMGTYPE: -i raw
IMGOFF: 0
FSTYPE: -f ntfs
IMG: "/usr/local/evidence/analysis.dd"
command: /usr/local/sleuthkit-2.06//bin/fsstat -i raw -o 0 -f ntfs -t
"/usr/local/evidence/analysis.dd"
Command Result:
Incorrect file system type (-f ntfs)
[modified code]
else {
    print "SK_DIR: $SK_DIR\n";
    print "BIN_DIR: $BIN_DIR\n";
    print "sk_fsstat: $SK_FSSTAT\n";
    print "IMGTYPE: $IMGTYPE\n";
    print "IMGOFF: $IMGOFF\n";
    print "FSTYPE: $FSTYPE\n";
    print "IMG: $IMG\n";
    my $command = "\ $SK_FSSTAT\ $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG";
    print "command: $command\n";
    my $out = `\"$SK_FSSTAT\" $IMGTYPE -o $IMGOFF $FSTYPE -t $IMG`;
    print "Command Result: $out\n";
    unless ($out =~ /^([\w\d\-]+)$/) {
        print "Incorrect file system type ($FSTYPE)\n";
        exit(1);
    }
}
On 11/17/06, Brian Carrier <ca...@sl...> wrote:
>
> Are you getting a dialog box about not being able to find the OpenSSL
> dlls? When I just did a similar test, that is what I got and then got
> the same error. The problem is that sorter clears the PATH, but Cygwin
> needs to find the OpenSSL dlls for AFFLib. The quick fix is to edit
> bin/sorter and comment out line 21 (add a #):
>
> #$ENV{PATH} = '';
>
> brian
>
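Two things in the exchange above are worth pinning down in code: sorter empties PATH before it spawns fsstat (the `$ENV{PATH} = '';` line Brian points at), and when the child fails to start, the backticks hand back an empty `$out` with no indication of why, which is exactly the silent failure Brent is debugging. The following is an added example, not sorter's code and not anything posted in the thread. It shows a restricted-but-not-empty PATH and a wrapper around the backtick call that checks `$?`, captures stderr, and reports "the tool could not start" separately from "the tool rejected the file system". The directory list passed to `restrict_path`, the `detect_fs_type` and `quote_arg` names, and the use of perl itself as a stand-in for fsstat are all assumptions made so the example runs offline on Cygwin or any Unix-like system.

```perl
#!/usr/bin/perl
# Added example (not sorter's own code): spawn an external TSK-style tool and
# distinguish "could not start" from "rejected the file system".
use strict;
use warnings;

# sorter sets PATH to '' so spawned tools are found only by absolute path.
# On Cygwin an empty PATH also stops the loader from finding the OpenSSL
# DLLs that AFFLib needs, so fsstat never runs.  Keeping a short, explicit
# list preserves the intent (no untrusted directories) without that side
# effect.  The directories are an assumption; use wherever the DLLs live.
sub restrict_path {
    my @keep = @_;
    $ENV{PATH} = join(':', @keep);   # ':' separator on Cygwin / Unix
    return $ENV{PATH};
}

# Minimal POSIX-shell quoting for one argument (assumes sh / Cygwin bash).
sub quote_arg {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Run a "fsstat -t"-style detection and classify the outcome.
# Returns { status => 'ok'|'no_exec'|'failed'|'unexpected',
#           type   => 'ntfs' (only when ok), detail => text }
sub detect_fs_type {
    my ($tool, @args) = @_;
    # Fold stderr into the captured text so a tool that dies before printing
    # a type still leaves evidence in $out instead of an empty string.
    my $cmd = join(' ', map { quote_arg($_) } $tool, @args) . ' 2>&1';
    my $out = `$cmd`;
    my $rc  = $?;
    chomp $out;

    # -1: backticks could not fork/exec the shell at all.
    return { status => 'no_exec', detail => "could not start: $!" } if $rc == -1;
    # Child terminated by a signal.
    return { status => 'failed', detail => 'killed by signal ' . ($rc & 127) } if $rc & 127;

    my $exit = $rc >> 8;
    # sh reports 127 (not found) / 126 (not executable) for the tool itself.
    return { status => 'no_exec', detail => "shell exit $exit: $out" } if $exit == 126 || $exit == 127;
    return { status => 'failed',  detail => "exit $exit: $out" }       if $exit != 0;

    # Same acceptance test sorter applies to the fsstat -t output.
    return { status => 'ok', type => $1, detail => $out } if $out =~ /^([\w\-]+)$/;
    return { status => 'unexpected', detail => $out };
}

# Offline demonstration: perl itself ($^X) stands in for fsstat so the
# example runs without TSK or an image.  Each case is one outcome from the
# thread; the strings printed are constructed for the demo.
sub demo {
    my %r;
    $r{ok}         = detect_fs_type($^X, '-e', 'print "ntfs\n"');
    $r{failed}     = detect_fs_type($^X, '-e', 'print STDERR "Incorrect file system type (-f ntfs)\n"; exit 1');
    $r{no_exec}    = detect_fs_type('/nonexistent/dir/fsstat', '-t', 'image.dd');
    $r{unexpected} = detect_fs_type($^X, '-e', 'print "not a type name\n"');
    return \%r;
}

if (!caller) {
    restrict_path('/usr/local/sleuthkit-2.06/bin', '/usr/bin', '/bin');
    my $r = demo();
    for my $k (sort keys %$r) {
        printf "%-10s %-10s %s\n", $k, $r->{$k}{status}, $r->{$k}{detail} // '';
    }
}
```

Run it with `perl detect.pl`. The point of the `no_exec` branch is the situation in this thread: an empty `$out` together with a non-zero `$?` means the tool never produced a type, and the reason belongs in the error message rather than being collapsed into "Incorrect file system type".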
From: Brian C. <ca...@sl...> - 2006-11-21 04:34:00
Brent Kidwell wrote:
> Thanks for the email.
>
> No, I'm not receiving any message about OpenSSL.
Did you make the change I mentioned and remove the PATH statement? I
was getting the same error message you did with Cygwin and that fixed it.
brian
>
> The only message returned is "incorrect file system type" reported back.
From: Simson L. G. <si...@ac...> - 2006-11-18 01:16:56
Since the only OpenSSL function that AFF currently uses are MD5 and SHA-1,
should I just embed my own implementations of those?
----- Original Message -----
From: "Brian Carrier" <ca...@sl...>
To: "Brent Kidwell" <bre...@gm...>
Cc: <sle...@li...>
Sent: Friday, November 17, 2006 5:00 PM
Subject: Re: [sleuthkit-users] Problems with Sorter
> Are you getting a dialog box about not being able to find the OpenSSL
> dlls? When I just did a similar test, that is what I got and then got
> the same error. The problem is that sorter clears the PATH, but Cygwin
> needs to find the OpenSSL dlls for AFFLib. The quick fix is to edit
> bin/sorter and comment out line 21 (add a #):
>
> #$ENV{PATH} = '';
>
> brian
>