Thread: RE: [sleuthkit-users] RE: Sleuthkit install problem
From: Chris P. <po...@na...> - 2004-05-25 18:54:13
Anyone recommend a distro for forensics other than FC2, since I am obviously having probs with that. I just installed the OS last night, and although I am not thrilled about downloading new isos and reinstalling, I really want to give linux forensics a try.

Chris.
From: Chris P. <po...@na...> - 2004-05-26 12:30:53
Brian,

I issued your dls command on a 40GB NTFS partition and received no errors. I have to admit that I am on a different machine than the one I started with, so I will try it again at work when I can (assuming the install works there).

Chris.

-----Original Message-----
From: sle...@li... on behalf of Brian Carrier
Sent: Tue 5/25/2004 7:10 PM
To: Angus Marshall
Cc: sle...@li...
Subject: Re: [sleuthkit-users] RE: Sleuthkit install problem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On May 25, 2004, at 6:11 PM, Angus Marshall wrote:

> Not sure which is the case - but here's a thought (don't scream) - if
> src/makedefs is modified to change the "-DLINUX2" to read "-DOPENBSD3",
> sleuthkit seems to compile just fine.

What happens when you examine a >2GB disk? The custom lseek was added in TCT because the lseek with Linux did not seek beyond the 2GB limit. So, I guess the test is to see if the syscall was fixed and it now works for large files or that change has reverted the code back to the limited version. Test it with the following:

# dls -e -f FILESYSTEM /dev/hdaX > /dev/null

on a large partition.

thanks,
brian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAs+6DOK1gLsdFTIsRAmtiAJ9AO/4nNDvRD0qFlw1VNBr+p95c3gCfVa76
FOVV9Xg4AMHBkRBFI0ASINg=
=uUaL
-----END PGP SIGNATURE-----

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
From: Chris P. <po...@na...> - 2004-05-26 21:34:43
That brings up a good point.... Where does one find out what has been tested and accepted as far as linux forensics go? I just installed the 2.6 kernel, and have never thought that its use might not be validated as of yet. (Good thing I am still only "playing"). People (I) have a tendency to go for the latest and greatest...but sometimes it takes years for new practices or systems to become accepted by the forensic community. I don't want to be the guy on the stand explaining why I am the only one who uses a particular practice. That may be a little extreme since I am aware, and practice, personal validation of tools prior to enlisting their use full time. Just humor me a little with some ideas. It's easy to pay $2500 for a windows based utility with corporate backing and full time courtroom experts who will fly out on your behalf for a nominal fee.

--
Regards,
Chris Poldervaart, Investigator
Natrona County Sheriff's Office
201 N David St
Casper, WY 82601
307-235-9282
po...@na...

CONFIDENTIALITY NOTICE: This e-mail message including attachments, if any, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. If you are the intended recipient but do not wish to receive communications through this medium, please so advise the sender immediately.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Angus Marshall
Sent: Wednesday, May 26, 2004 2:17 PM
To: Brian Carrier
Cc: sle...@li...
Subject: Re: [sleuthkit-users] RE: Sleuthkit install problem

On Wednesday 26 May 2004 09:11, Angus Marshall wrote:

Ok - ignore EVERYTHING I have said on this issue up to this point. Having done some more work on it - it looks (to me - and I could be wrong, I frequently am) like the problem is being caused by the definition of syscall5 moving into a different header file.

Adding a

#include <linux/unistd.h>

to mylseek.c immediately after the #include <syscall.h> line seems to work for me (testing on SK1.67 currently).

I get a successful compilation after doing this and a good dls on an 8Gb partition - no errors visible at all.

This still uses the custom lseek, which I prefer since it has been accepted in court, unlike the Linux 2.6 kernel.
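Brian's dls run and Angus's header fix both come down to the same question: does the build's lseek reach past the 2 GB boundary, or does a 32-bit file offset wrap? The probe below is an added example for this thread, not code from The Sleuth Kit or TCT. It creates a sparse file (the hole costs no disk space), writes a marker just past 2 GiB, reopens the file, lseek()s to that offset and reads the marker back; a 0 result is the symptom that Brian's test on a large partition would surface as read errors. The scratch path and the marker string are assumptions chosen for the example.

```c
#define _POSIX_C_SOURCE 200809L
#define _FILE_OFFSET_BITS 64   /* 64-bit off_t even on 32-bit builds; without it, the 2GB limit the thread describes */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Marker written just past the 2 GiB boundary (an assumed string for this example). */
static const char MARKER[] = "LARGE-SEEK-PROBE";
/* 2^31: the first byte offset a signed 32-bit off_t cannot address. */
static const int64_t TWO_GIB = (int64_t)1 << 31;

/* 1 if this build's off_t is 64 bits wide, 0 otherwise. */
int offset_is_64bit(void)
{
    return sizeof(off_t) == 8;
}

/* Create a sparse file at path whose only real data is MARKER at 2 GiB + 100,
 * then reopen it, lseek() to that offset and read the marker back.
 * Returns 1 if the seek and read land on the marker, 0 if lseek() or read()
 * misbehave (the 2 GB limit), -1 if the file could not be set up. */
int large_seek_probe(const char *path)
{
    off_t target = (off_t)(TWO_GIB + 100);
    char buf[sizeof(MARKER)];

    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    /* ftruncate() leaves a hole: no blocks are allocated for the first 2 GiB. */
    if (ftruncate(fd, target + (off_t)sizeof(MARKER)) != 0 ||
        pwrite(fd, MARKER, sizeof(MARKER), target) != (ssize_t)sizeof(MARKER)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* With a 32-bit off_t the target would have wrapped negative and lseek() fails with EINVAL. */
    if (lseek(fd, target, SEEK_SET) != target) {
        close(fd);
        return 0;
    }
    ssize_t n = read(fd, buf, sizeof(buf));
    close(fd);
    if (n != (ssize_t)sizeof(buf))
        return 0;
    return memcmp(buf, MARKER, sizeof(MARKER)) == 0;
}

int main(void)
{
    const char *path = "/tmp/large_seek_probe.bin";  /* assumed scratch location */
    printf("off_t is %zu bytes\n", sizeof(off_t));
    int rc = large_seek_probe(path);
    unlink(path);
    if (rc == 1)
        printf("seek past 2 GiB works: marker read back at offset %lld\n",
               (long long)(TWO_GIB + 100));
    else if (rc == 0)
        printf("seek past 2 GiB FAILED: this build is limited to 2 GB files\n");
    else
        perror("probe setup failed");
    return rc == 1 ? 0 : 1;
}
```

On a 64-bit Linux build off_t is already 8 bytes and the probe passes without the define; the define is what matters for the 32-bit builds of the era the thread discusses, where leaving it out reproduces the wrapped offset that the custom lseek in TCT was written to avoid. Running the probe on the same machine and toolchain before trusting dls output on a multi-gigabyte partition is a cheap piece of the per-tool validation Chris mentions.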
From: Brian C. <ca...@sl...> - 2004-05-27 05:14:54
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Where does one find out what has been tested and accepted as far as
> linux forensics go?

Where does one find out what has been tested and accepted as far as windows-based forensics goes? What does it mean to be accepted? What does it mean to not be accepted? What tools are not accepted? (I'm still waiting for someone to start making a list of tools that have been determined to be not accepted.)

> I just installed the 2.6 kernel, and have never thought that its use
> might not be validated as of yet. (Good thing I am still only
> "playing").

This brings up a good point that it is more than just the analysis software that needs to be "tested and validated". All software relies on the operating system, which changes with each service pack and patch. The version of libraries is also important. Is each version of Windows-based software "tested and validated" with each service pack and combination of patches? Is each version of Linux-based software tested with each patch and version of libc?

There are some software companies that focus on court acceptance, but it is not clear (to me at least) what that means. If being accepted is difficult, then what tools have failed to pass the test? Where is the bar? If you look at the Daubert guidelines for entering technical evidence into a US court, I don't think any of the computer forensic tools can currently meet them. Error rates? Published procedures? What does it mean to test a tool for NTFS file systems?

The lack of answers for these questions is partly why I have started to release the test images on dftt.sf.net so that there is some basic concept of tool testing. These images have found bugs in all of the popular Windows-based forensic tools, even though they were "accepted".

I agree with you that in the short run, it could be safer to stick with the Windows-based tools because they have an impressive court record. I understand the concern, but I'm more worried about the bigger picture. If it is not clear where the acceptance bar is, who knows if the currently accepted tools will always be considered accepted?

> People (I) have a tendency to go for the latest and greatest...but
> sometimes it takes years for new practices or systems to become
> accepted by the forensic community.

Maybe. I think it takes a long time for a tool company to be accepted, but when the latest major version comes out, which may have included an entire rewrite of the internal code, people are fairly quick to accept it.

> I don't want to be the guy on the stand explaining why I am the only
> one who uses a particular practice. That may be a little extreme
> since I am aware, and practice, personal validation of tools prior to
> enlisting their use full time. Just humor me a little with some
> ideas. It's easy to pay $2500 for a windows based utility with
> corporate backing and full time courtroom experts who will fly out on
> your behalf for a nominal fee.

I can understand that and if that is what you are looking for, then the commercial tools (including the Linux-based SMART) are probably a better option. I would not phrase the support issue as Linux versus Windows, I would phrase it as free versus commercial. I think that open source tools are the better option in the long run (even if they are commercial). It makes more sense to me that any person with programming and file system experience can read through the code and explain how it works to the court instead of relying on a vendor-sponsored expert.

thanks,
brian

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAtXlBOK1gLsdFTIsRApSrAJ91zC85Z9fEtcUoDHjuqeMp8HMM/QCfTf1G
22byiZ4fR+n8k2TO/5mGo2w=
=KrNh
-----END PGP SIGNATURE-----