Thread: [sleuthkit-users] fiwalk
From: Simson G. <si...@ac...> - 2014-11-10 17:32:18
Hi. I see that fiwalk.exe is not being compiled as part of the pre-compiled SleuthKit download.

Is there some reason why fiwalk is not included, and is there any packaging change that I could make to make it more likely to include the executable in the future?

Simson

From: Brian C. <ca...@sl...> - 2014-11-10 17:40:49
We don't use mingw for the TSK packaging. Just Visual Studio. So, it would be much easier to include if there were a visual studio project for it.

From: Simson G. <si...@ac...> - 2014-11-10 17:43:21
I see.

The other approach would be to abandon fiwalk and move the things that use it over to using the database produced by tsk_loaddb.

Is anyone other than me using fiwalk at this point?

Simson

From: Derrick K. <dk...@gm...> - 2014-11-10 18:22:54
I am still using fiwalk but have been transitioning to tsk_loaddb.

My primary reason is that my forensic indexer (Xapian) automatically indexes fiwalk text output and I haven't configured it to include sqlite files yet. It's a simple config change for me to fully transition over.

Derrick

From: Simson G. <si...@ac...> - 2014-11-10 20:18:54
Derrick,

My recommendation is that you transition away from fiwalk.

My one concern with tsk_loaddb is that the filenames it produces are not necessarily UTF-8. It seems to be putting in the database whatever is on the disk, which can cause problems in post-analysis. I'm not sure how others are dealing with this. My problem is that on Windows, I'm reading these values with Python and I'm getting exceptions when I attempt to write them to a file.

From: Ketil F. <ke...@fr...> - 2014-11-10 21:17:20
I've had the same problem with character sets and python. Would be nice if tsk_loaddb could detect the file system's character set and normalize it as UTF-8 in the database, or store the encoding as well. I'm not certain it's necessarily any easier there, though. It would appear that many file systems can store just about any string as the character set, then I guess it's actually up to the application writing the file to choose the character set. If that's the case, you could see multiple encodings when reading a single file system.

Examples:
- ext4 is reported to allow file names containing "Any byte except NUL and /"
- HFS is reported to allow file names containing "Any byte except :"

Reference: http://en.wikipedia.org/wiki/Comparison_of_file_systems#Limits

Cheers, Ketil

--
-Ketil

From: Simson G. <si...@ac...> - 2014-11-10 21:27:11
fiwalk normalizes the filename to valid UTF-8, and uses Python escaping for sequences that aren't valid UTF-8.

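Added example, not part of the original thread and not code from fiwalk or TSK: one way to read possibly non-UTF-8 file names from a SQLite database in Python, escape the invalid bytes, and write a report without encoding exceptions while keeping the raw on-disk bytes as hex. The `files` table, its columns and the sample names are constructed stand-ins for a tsk_loaddb database, and Python's `backslashreplace` handler is an assumption about the escaping style, not a confirmed match for fiwalk's output.

```python
import os
import sqlite3
import tempfile

# Constructed sample names (not from a real image): raw bytes as a file
# system might hold them, in three different encodings.
SAMPLE_NAMES = [
    b"r\xc3\xa9sum\xc3\xa9.doc",   # valid UTF-8
    b"caf\xe9.txt",                # Latin-1, invalid as UTF-8
    b"\x83e\x83X\x83g.txt",        # Shift-JIS, invalid as UTF-8
]


def build_sample_db():
    """Build an in-memory database with a hypothetical `files` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (obj_id INTEGER PRIMARY KEY, name TEXT)")
    for raw in SAMPLE_NAMES:
        # CAST stores the bytes as TEXT without validating them, which is
        # how un-normalized names end up in a TEXT column.
        conn.execute("INSERT INTO files (name) VALUES (CAST(? AS TEXT))", (raw,))
    return conn


def escape_name(raw):
    """Return (text, was_valid_utf8) for a raw file name.

    Valid UTF-8 is decoded unchanged. Otherwise each undecodable byte is
    replaced by a \\xNN escape so the result is always encodable text.
    """
    try:
        return raw.decode("utf-8"), True
    except UnicodeDecodeError:
        return raw.decode("utf-8", errors="backslashreplace"), False


def normalized_rows(conn):
    """Read names as bytes and return (obj_id, text, raw_hex, was_valid)."""
    # By default sqlite3 decodes TEXT as UTF-8; returning bytes instead
    # lets the caller decide how to handle invalid sequences.
    conn.text_factory = bytes
    rows = []
    query = "SELECT obj_id, name FROM files ORDER BY obj_id"
    for obj_id, raw in conn.execute(query):
        text, was_valid = escape_name(raw)
        # The hex column preserves the exact on-disk bytes; the escaped
        # text alone is ambiguous if a name contains a literal backslash.
        rows.append((obj_id, text, raw.hex(), was_valid))
    return rows


def write_report(conn, path):
    """Write a tab-separated report with an explicit UTF-8 encoding."""
    # An explicit encoding avoids depending on the platform default
    # code page when the output file is opened.
    with open(path, "w", encoding="utf-8", newline="\n") as out:
        for obj_id, text, raw_hex, was_valid in normalized_rows(conn):
            status = "utf-8" if was_valid else "escaped"
            out.write(f"{obj_id}\t{text}\t{raw_hex}\t{status}\n")


def demo():
    """Write the report to a temporary file and return its bytes."""
    conn = build_sample_db()
    fd, path = tempfile.mkstemp(suffix=".tsv")
    os.close(fd)
    try:
        write_report(conn, path)
        with open(path, "rb") as f:
            return f.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo().decode("utf-8"), end="")
```
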
From: Alex N. <ajn...@cs...> - 2014-11-10 21:51:38
Hi Simson, all,

I'm making extensive use of Fiwalk. I believe the BitCurator folks are as well.

--Alex

From: Brian C. <ca...@sl...> - 2014-11-11 17:27:00
Re Encoding: At one point in TSK's life, we did cleanup of the names to ensure that they were stored in a 'printable' way. The request was then made (from Simson, as I recall) to not do this cleanup so that there was an accurate representation of what was on disk and it was up to the user of the data to then clean it up as it saw fit for writing to disk or displaying to the user. If people would rather return to the days of cleaning up in TSK, then we can certainly revisit that.

There are certainly things that fiwalk can do that tsk_loaddb doesn't do:
- SHA-1
- Can limit output to certain files (based on arguments defined here: http://sancho.ccd.uniroma2.it/cgi-bin/man/man2html?fiwalk+1).

I thought there used to be a bunch of regular expression and bloom filter stuff too, but don't see them mentioned in the man page.

There seem to be three options:
1) Update fiwalk to compile with Visual Studio (I thought the regular expression libraries were an issue here, but I could be wrong -- it's been a while since I tried)
2) Force everyone to start using SQLite
3) Expand tsk_loaddb to output DFXML instead of SQLite and as many of the other features as needed that are in fiwalk and not in tsk_loaddb that people want to have transferred.

From: Simson G. <si...@ac...> - 2014-11-11 22:26:26
Hi, Brian.

fiwalk uses regular expressions to allow people to specify glob patterns of which files to process and which to ignore, as well as for processing plug-ins. For compiling under Windows, the correct thing to do would be to modify fiwalk to use the Microsoft regular expression library. As you indicate, this requires someone building and maintaining a Visual Studio profile.

I don't recall the exact discussion we had about the file and path names that TSK returns. I thought that the TSK functions were returning UTF-8, even when data in the file system are stored in UCS-2. There is a function called tsk_UTF16toUTF8 which receives significant use. Clearly there is some transformation happening, even now.

As Alex indicated, it seems unlikely that we will be able to get current DFXML users to move to SQLite at this point. I suspect that the correct way forward is your #3 - modify tsk_loaddb to output DFXML and incorporate the other features that are in fiwalk. But realistically I don't think that anyone is going to do that at this point, since most of the DFXML users are on Linux, not Windows. What they have works.

From: Jason W. <jwr...@gm...> - 2014-11-12 16:23:38
Simson et al,

In my organization, we still use fiwalk too. We use it to gather as much file metadata as possible, to include file signatures, MD5, SHA1, and SHA256, and byte runs for file allocation along with the regular complement from the MFT indices. We have not used tsk_loaddb and if need be we can switch to that, provided we still get all of that info. Does it provide that breadth of detail?

V/R,

Jason

From: Simson G. <si...@ac...> - 2014-11-12 16:59:15
|
Hi, Jason.

Sadly, tsk_loaddb does not grab file signatures. It can hash, but I don't know if it just does MD5 or if it does SHA1. It does not do SHA256. The byte runs are available.

I gather you are running fiwalk on Linux?

> On Nov 12, 2014, at 11:23 AM, Jason Wright <jwr...@gm...> wrote:
>
> Simson et al,
>
> In my organization, we still use fiwalk too. We use it to gather as much file metadata as possible, to include file signatures, MD5, SHA1, and SHA256, and byte runs for file allocation along with the regular complement from the MFT indices. We have not used tsk_loaddb and if need be we can switch to that, provided we still get all of that info. Does it provide that breadth of detail?
>
> V/R,
>
> Jason
>
> On Mon, Nov 10, 2014 at 3:43 PM, Alex Nelson <ajn...@cs...> wrote:
> Hi Simson, all,
>
> I'm making extensive use of Fiwalk. I believe the BitCurator folks are as well.
>
> --Alex
>
> On Mon, Nov 10, 2014 at 3:18 PM, Simson Garfinkel <si...@ac...> wrote:
> Derrick,
>
> My recommendation is that you transition away from fiwalk.
>
> My one concern with tsk_loaddb is that the filenames it produces are not necessarily UTF-8. It seems to be putting in the database whatever is on the disk, which can cause problems in post-analysis. I'm not sure how others are dealing with this. My problem is that on Windows, I'm reading these values with Python and I'm getting exceptions when I attempt to write them to a file.
>
> > On Nov 10, 2014, at 1:17 PM, Derrick Karpo <dk...@gm...> wrote:
> >
> > I am still using fiwalk but have been transitioning to tsk_loaddb.
> >
> > My primary reason is that my forensic indexer (Xapian) automatically indexes fiwalk text output and I haven't configured it to include sqlite files yet. It's a simple config change for me to fully transition over.
> >
> > Derrick
|
From: Jason W. <jwr...@gm...> - 2014-11-12 17:19:30
|
Separately from this, but somewhat related, given the chatter regarding MD5 of late, e.g. http://arstechnica.com/security/2014/11/crypto-attack-that-hijacked-windows-update-goes-mainstream-in-amazon-cloud/, is there any concern for relying on MD5 in digital forensics?

I ask because it seems that tsk_loaddb only calculates MD5s for an image. Typically, we use fiwalk to gather MD5, SHA1, and SHA256 from files in a drive image. We use those for whitelisting/blacklisting, but do turn immediately to MD5 for filtering knowns (good and bad) from unknowns. SHA1, and then of course SHA256, are secondary to that process. Outside of this article, have there been any other MD5 collisions encountered?
|
From: RB <ao...@gm...> - 2014-11-12 17:56:05
|
On Wed, Nov 12, 2014 at 10:19 AM, Jason Wright <jwr...@gm...> wrote:
> Separately from this, but somewhat related, given the chatter regarding MD5
> of late, e.g.
> http://arstechnica.com/security/2014/11/crypto-attack-that-hijacked-windows-update-goes-mainstream-in-amazon-cloud/,
> is there any concern for relying on MD5 in digital forensics?

I'd love to jump right in there. MD5 is passing its use-by date and should generally not be used for new projects, but it's not quite the "abandon ship" picture the original author and everyone else seem to want to paint. Hooray for headline-chasing rather than realism. Let's inject a little of the latter.

The linked attack takes two dissimilar images of the same size and requires their differences be "of a particular form." Someone closer to cryptography can explain the "particular form" better than I, but what it boils down to is that it is NOT a generalized attack for any file type. The attack then modifies _both_ files progressively, adding semi-random data until their MD5 matches, something of a "birthday attack meets in the middle" approach. This is bad, but any analyst with their head on their shoulders will recognize that:

a) to be exploited it would require access to modify the "original" as well as the "new" file and
b) the data added is non-meaningful

Full stop. Nobody has figured out a way to change "mary had a little lamb" to "drink your ovaltine"; this is random data appended to an already lossy format in a highly detectable manner. Those files you have with only md5 checksums from 10 years ago are still mostly safe so long as your attacker doesn't have access to modify them as well.

Should you use more than just MD5 to track or identify files? Yes. Size and multiple checksums are a great way to guard against this kind of attack. Should new applications depend solely on MD5? Probably not; there are better alternatives whose additional cost (both programming and computational) is effectively zero.

Someone wake me up when (or at least stop the sensationalism until) an attacker can generate an arbitrary, meaningful file with minimal size difference from and the same MD5 as the original without altering the original. Then MD5 is completely dead.
|
From: Simson G. <si...@ac...> - 2014-11-12 17:56:52
|
My take:

- MD5 collisions are generally not an issue in digital forensics if you are looking for known content. If you have the MD5 of a piece of stolen IP, it is unlikely that an adversary will attempt to craft multiple files to have the same MD5 as that stolen IP.

- MD5 collisions may be an issue if you are using MD5s as an "ignore" list rather than as an "alert" list. That is, if you have a list of MD5s that you routinely ignore (e.g. executables), then there is a chance that an adversary may modify the MD5 of one of their files to match one of the files that you ignore.

However it's hard. Currently it's possible to make two files have the same MD5, but I'm not aware that it is possible to tune a second file to match the MD5 of an arbitrary first file. That is, MD5 no longer has collision resistance, but I believe it still has preimage resistance.

In your case below, using MD5 for filtering known bads from unknowns is fine. However, using them for known goods is potentially problematic if you think that the adversary can get their known good into your known goods list.

Simson

> On Nov 12, 2014, at 12:19 PM, Jason Wright <jwr...@gm...> wrote:
>
> Separately from this, but somewhat related, given the chatter regarding MD5 of late, e.g. http://arstechnica.com/security/2014/11/crypto-attack-that-hijacked-windows-update-goes-mainstream-in-amazon-cloud/, is there any concern for relying on MD5 in digital forensics?
>
> I ask because it seems that tsk_loaddb only calculates MD5s for an image. Typically, we use fiwalk to gather MD5, SHA1, and SHA256 from files in a drive image. We use those for whitelisting/blacklisting, but do turn immediately to MD5 for filtering knowns (good and bad) from unknowns. SHA1, and then of course SHA256, are secondary to that process. Outside of this article, has there been any other MD5 collisions encountered?
|
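The alert-list versus ignore-list distinction in the message above, combined with the earlier suggestion in this thread to check size and multiple checksums, as an added example that is not part of the original posts. The record layout, list names and sample contents are assumptions constructed for illustration, and the colliding file is simulated by copying an MD5 field by hand.

```python
import hashlib
from typing import NamedTuple

class FileRecord(NamedTuple):
    """Hypothetical per-file record: name, size and two digests."""
    name: str
    size: int
    md5: str
    sha256: str

def record_for(name: str, data: bytes) -> FileRecord:
    """Build a record from file content (size, MD5, SHA-256)."""
    return FileRecord(name, len(data), hashlib.md5(data).hexdigest(),
                      hashlib.sha256(data).hexdigest())

def classify(rec: FileRecord, alert_md5: set, ignore_refs: dict) -> str:
    """Return 'alert', 'ignore', 'suspect' or 'unknown'.

    alert_md5:   MD5 digests of content being hunted for.
    ignore_refs: MD5 -> (size, sha256) of each file on the ignore list.
    """
    # Alert list: an MD5 hit alone raises the file for review.
    if rec.md5 in alert_md5:
        return "alert"
    ref = ignore_refs.get(rec.md5)
    if ref is None:
        return "unknown"
    # Ignore list: MD5 only selects the candidate entry. The file is
    # dropped from review only if size and SHA-256 also agree.
    if ref == (rec.size, rec.sha256):
        return "ignore"
    return "suspect"  # same MD5 as an ignored file, different content

def triage(records, alert_md5, ignore_refs) -> dict:
    """Classify every record and return a name -> verdict mapping."""
    return {r.name: classify(r, alert_md5, ignore_refs) for r in records}

# Constructed sample content; none of it comes from the thread.
VENDOR = record_for("vendor_tool.exe", b"constructed known-good binary")
HUNTED = record_for("design.doc", b"constructed document being hunted for")
OTHER = record_for("notes.txt", b"constructed unrelated file")
# Simulated collision: the MD5 field is copied from VENDOR by hand because
# the example does not generate a real colliding file.
LOOKALIKE = FileRecord("update.exe", VENDOR.size, VENDOR.md5,
                       hashlib.sha256(b"constructed other content").hexdigest())

ALERT_MD5 = {HUNTED.md5}
IGNORE_REFS = {VENDOR.md5: (VENDOR.size, VENDOR.sha256)}

if __name__ == "__main__":
    result = triage([VENDOR, HUNTED, OTHER, LOOKALIKE], ALERT_MD5, IGNORE_REFS)
    for name, verdict in result.items():
        print(f"{verdict:8} {name}")
```

A file that shares an MD5 with an ignore-list entry but differs in SHA-256 comes back as `suspect` instead of being silently filtered out.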