Thread: [sleuthkit-users] Some guidance required
Brought to you by:
carrier
Menu
▾
▴
sleuthkit-users
|
From: Owen O' S. <owe...@gm...> - 2015-06-10 15:49:33
|
Hi, I have a job to do, got 15 hard disks from an office and need to find out who wrote a nasty letter. My initial thought was to copy the live files from each disk, then carve out unallocated with blkls and then run foremost on the unallocated, index the lot and search for my keywords. Decided instead to give autopsy a go, so I cranked up a windows host, inputted my keywords and got it to ingest the first disk. Left it overnight, but in reality, it hadn't progressed, as autopsy had already run out of resources and was non responsive when I left it. There was a red dot in the bottom right that I couldn't get info out of, a console with a message saying image was no longer accessible and read error, a status bar on the bottom saying analyzing image 19% complete, and 8 hours later, the status of all was still the same. Autopsy had used all available RAM on the pc, which is a Corei7 pc running windows 8.1 pro 64bit with 4GB ram. When I restarted autopsy, the red dot revealed an error that my security software might be blocking the search server, ok that'll be easy to sort, but my questions are: 1) Exactly how much ram should I wedge into this system for Autopsy to run comfortably? 2) How can I verify if autopsy successfully ingested the full hard disk? 3) By clicking all the options on the ingest, am I safe to assume that it is looking for my keywords in unallocated? 4) This is disk 1 of 15, am I ok to keep ingesting disks into this case, or for resource management should I be giving each disk its own case? 5) I assume, if ingesting all disks into this one case, i can name the individual disks after I ingest so that if get a keyword hit that I can determine who the culprit was? Would appreciate some guidance before I go much further. I'd like to evaluate autopsy on this simple exercise, so don't really want to switch back to the linux command line just yet. Thanks, Owen. |
|
From: Simson G. <si...@ac...> - 2015-06-10 17:36:55
|
Hi, Owen. You didn't say how big your hard drives that you are ingesting, or how much storage you have on your analysis system. However, from the sounds of it, your analysis system is under powered. What kind of computer are you running on --- laptop or desktop --- how far can you expand the RAM, and how big is your storage? On Wed, Jun 10, 2015 at 11:49 AM, Owen O' Shaughnessy < owe...@gm...> wrote: > Hi, > > I have a job to do, got 15 hard disks from an office and need to find out > who wrote a nasty letter. My initial thought was to copy the live files > from each disk, then carve out unallocated with blkls and then run foremost > on the unallocated, index the lot and search for my keywords. > > Decided instead to give autopsy a go, so I cranked up a windows host, > inputted my keywords and got it to ingest the first disk. > > Left it overnight, but in reality, it hadn't progressed, as autopsy had > already run out of resources and was non responsive when I left it. There > was a red dot in the bottom right that I couldn't get info out of, a > console with a message saying image was no longer accessible and read > error, a status bar on the bottom saying analyzing image 19% complete, and > 8 hours later, the status of all was still the same. > > Autopsy had used all available RAM on the pc, which is a Corei7 pc running > windows 8.1 pro 64bit with 4GB ram. > > When I restarted autopsy, the red dot revealed an error that my security > software might be blocking the search server, ok that'll be easy to sort, > but my questions are: > > 1) Exactly how much ram should I wedge into this system for Autopsy to run > comfortably? > 2) How can I verify if autopsy successfully ingested the full hard disk? > 3) By clicking all the options on the ingest, am I safe to assume that it > is looking for my keywords in unallocated? > 4) This is disk 1 of 15, am I ok to keep ingesting disks into this case, > or for resource management should I be giving each disk its own case? > 5) I assume, if ingesting all disks into this one case, i can name the > individual disks after I ingest so that if get a keyword hit that I can > determine who the culprit was? > > Would appreciate some guidance before I go much further. I'd like to > evaluate autopsy on this simple exercise, so don't really want to switch > back to the linux command line just yet. > > Thanks, > > Owen. > > > ------------------------------------------------------------------------------ > > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
|
From: Owen O' S. <owe...@gm...> - 2015-06-11 08:23:12
|
On Wed, Jun 10, 2015 at 6:36 PM, Simson Garfinkel <si...@ac...> wrote: > Hi, Owen. > > You didn't say how big your hard drives that you are ingesting, > Well, I've only ingested 1 drive, its 500GB, with 29GB in allocated, from a 1 year old system. > or how much storage you have on your analysis system. > The OS is on a 500GB hard drive with about 50GB used, the case is on a 3TB drive totally dedicated to this. The ingestion of the drive the first time used 9gb and the second time 10gb > However, from the sounds of it, your analysis system is under powered. > I think it could do with more ram alright, but other than that its top spec. Unusual that there are no system requirements or suggestions on the site. Its not actually hitting the ram limit, hangs before that, so the system spec doesn't look to be a problem just yet. > What kind of computer are you running on --- laptop or desktop > Desktop > --- how far can you expand the RAM, > up to 16GB is possible, up to 8gb is practical, but the system isn't running out of ram so I don't think it is actually underpowered, it hangs with half a gig of ram free, so upping that to 16gb won't help. > and how big is your storage? > 3.5TB On this second ingestion, I can see that there are 21k errors saying that the image file is unavailable, I think that this is the problem, system isn't handling a local drive properly and is expecting an image file. Methinks its not the tool for this job. I was hoping for the path of least resistance, but this aint it. Owen. |
|
From: ade <adr...@nt...> - 2015-06-10 17:47:45
|
Hi Owen Did you get just the hard disks, or were they still in the computer systems? If you got the full systems, I would cut 15 copies of the CAINE disto and boot all the systems with that. Prepare a keyword list containing unusual words or phrases from the "nasty letter" and feed that into the bulk_extractor "find" module. You essentially need to triage the systems, identify the system(s) containing the nasty letter, then you can either image + forensicate those, or even use the evidence from bulk_extractor. Do you know what format the letter was originally a .docx file then the contents are compressed. If the letter was deleted and ended up in unallocated space, it is no good doing a standard string search. Bulk_extractor has the ability to find compressed data, decompress it in memory then search that for decompressed data for your strings. TBH, I can't think of many cases where I wouldn't use bulk_extractor. Your situation, screams our for triaging the disks with a Linux forensic distro + bulk_extractor. Stumpy On Wednesday 10 Jun 2015 16:49:27 Owen O' Shaughnessy wrote: > Hi, > > I have a job to do, got 15 hard disks from an office and need to find out > who wrote a nasty letter. My initial thought was to copy the live files > from each disk, then carve out unallocated with blkls and then run foremost > on the unallocated, index the lot and search for my keywords. > > Decided instead to give autopsy a go, so I cranked up a windows host, > inputted my keywords and got it to ingest the first disk. > > Left it overnight, but in reality, it hadn't progressed, as autopsy had > already run out of resources and was non responsive when I left it. There > was a red dot in the bottom right that I couldn't get info out of, a > console with a message saying image was no longer accessible and read > error, a status bar on the bottom saying analyzing image 19% complete, and > 8 hours later, the status of all was still the same. > > Autopsy had used all available RAM on the pc, which is a Corei7 pc running > windows 8.1 pro 64bit with 4GB ram. > > When I restarted autopsy, the red dot revealed an error that my security > software might be blocking the search server, ok that'll be easy to sort, > but my questions are: > > 1) Exactly how much ram should I wedge into this system for Autopsy to run > comfortably? > 2) How can I verify if autopsy successfully ingested the full hard disk? > 3) By clicking all the options on the ingest, am I safe to assume that it > is looking for my keywords in unallocated? > 4) This is disk 1 of 15, am I ok to keep ingesting disks into this case, or > for resource management should I be giving each disk its own case? > 5) I assume, if ingesting all disks into this one case, i can name the > individual disks after I ingest so that if get a keyword hit that I can > determine who the culprit was? > > Would appreciate some guidance before I go much further. I'd like to > evaluate autopsy on this simple exercise, so don't really want to switch > back to the linux command line just yet. > > Thanks, > > Owen. |
|
From: Owen O' S. <owe...@gm...> - 2015-06-15 13:25:05
Attachments:
Capture.PNG
|
resending this to the list as I accidentally hit reply instead of replyall/reply tolist. On Thu, Jun 11, 2015 at 11:15 AM, Simson Garfinkel <si...@ac...> wrote: > Can you post the specific error that you are getting for "the image file > is unavailable" ? That seems odd. > Because I had to kill the autopsy when it was hung, i can't show you the 21,000 errors in the bottom right hand corner all of which were this error, but if I load the case now, and run the performance test I can get the error: Very worthwhile exercise, because now that I look at the target disk "disk2" I see that I am not even analysing the whole disk, only the active partition. That is actually valid in this case, but could have been a bad oversight in another case. I'm more used to linux where you point at the filesystem device file I need to make progress on the work, so I am going to go the bulk extractor route. I hope the above is useful to the developers to work out what is wrong with the build and maybe to suggest that they give some system requirements on the site based on the various resource requirements of the modules. Owen. |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X