Thread: [sleuthkit-users] Fiwalk on running system
From: Rolf I. <rol...@gm...> - 2015-09-18 12:50:12
Hi list,

I wonder if it's possible to run fiwalk on a live system? The documentation says:

    user@forensicbox:~$ fiwalk
    usage: fiwalk [options] iso-name

The problem I am facing is that if I want to run fiwalk over a BitLocker-encrypted dd image, I have to install Dislocker (a new driver) on my Linux system. It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.

I hope that was clear :)

Kind regards,
Rolf
From: Michael C. <scu...@gm...> - 2015-09-18 14:05:49
Does it work if you give it the volume name?

    fiwalk \\.\C:
From: Derrick K. <dk...@gm...> - 2015-09-18 15:14:41
Hi Rolf.

I'm not sure if Michael's suggestion works with the latest fiwalk or not, but if it doesn't, have you looked at tsk_loaddb as an alternative to fiwalk? fiwalk hasn't been getting as much development lately, but tsk_loaddb is actively developed and outputs all the results into a SQLite database. Something like this would work with tsk_loaddb:

    tsk_loaddb -d myimage.db \\.\c:

Alternatively, for physical disks:

    wmic diskdrive list
    tsk_loaddb -d myimage.db \\.\PhysicalDrive0

Derrick
From: Rolf I. <rol...@gm...> - 2015-09-20 16:37:06
Thanks a lot to both of you! So far I have tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on SourceForge. However, I will give fiwalk another try as soon as I have tried out tsk_loaddb!

So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty well! The SQLite DB was written to disk. The only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is NULL for every row. Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) ).

Thanks again!
--Rolf
From: Ketil F. <ke...@fr...> - 2015-09-20 18:36:41
You have to specify the -h option to calculate md5sums.

http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html

Ketil
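An added example, not code from the thread or from The Sleuth Kit, tying together the two steps discussed above: building the tsk_loaddb command line for a live Windows target (a volume such as \\.\C: or a physical disk such as \\.\PhysicalDrive0, with the -h switch that makes tsk_loaddb fill the md5 column), and checking afterwards whether the resulting SQLite database actually carries hashes, which is the check that would have exposed the all-NULL md5 column immediately. It assumes tsk_loaddb is on PATH, that tsk_files (TSK 4.2 schema) has the columns name, size, type, meta_type and md5, that type 0 denotes a file-system file and meta_type 1 a regular file, and that only non-empty regular files are expected to receive an MD5; the sample database it builds is a constructed fixture, not real tsk_loaddb output.

```python
r"""Added example; not code from the thread or from The Sleuth Kit.

Builds the tsk_loaddb command line for a live Windows target (\\.\C: or
\\.\PhysicalDriveN, as listed by "wmic diskdrive list") and checks the
resulting database for hash coverage.  Assumptions: tsk_loaddb is on PATH;
tsk_files (TSK 4.2 schema) has the columns name, size, type, meta_type and
md5; type 0 is a file-system file, meta_type 1 a regular file; only
non-empty regular files are expected to receive an MD5.
"""
import hashlib
import os
import re
import sqlite3
import subprocess
import tempfile

# Raw device paths accepted for a live target: a mounted volume or a
# whole physical disk (assumed to be the only two forms worth passing).
_LIVE_TARGET = re.compile(r"^\\\\\.\\(?:[A-Za-z]:|PhysicalDrive\d+)$")

DB_FILES_TYPE_FS = 0   # tsk_files.type for a file-system resident file (assumed)
META_TYPE_REG = 1      # tsk_files.meta_type for a regular file (assumed)


def build_loaddb_cmd(target, db_path, hash_files=True):
    """argv for tsk_loaddb.  Without -h every md5 stays NULL (the thread's
    symptom), so hashing is on by default here.  Anything that is not one
    of the two raw device-path forms (a bare drive letter, a folder) is
    rejected before tsk_loaddb ever sees it."""
    if not _LIVE_TARGET.match(target):
        raise ValueError("not a live device path: %r" % target)
    cmd = ["tsk_loaddb", "-d", db_path]
    if hash_files:
        cmd.append("-h")
    cmd.append(target)
    return cmd


def run_loaddb(target, db_path, hash_files=True):
    """Run tsk_loaddb (from an elevated prompt on Windows); returns its exit code."""
    return subprocess.run(build_loaddb_cmd(target, db_path, hash_files)).returncode


def hash_coverage(db_path):
    """Count non-empty regular files and how many of them carry an MD5.
    COUNT(md5) skips NULLs, so 'missing' > 0 on every row means -h was not given."""
    con = sqlite3.connect(db_path)
    try:
        hashable, hashed = con.execute(
            "SELECT COUNT(*), COUNT(md5) FROM tsk_files "
            "WHERE type = ? AND meta_type = ? AND size > 0",
            (DB_FILES_TYPE_FS, META_TYPE_REG),
        ).fetchone()
    finally:
        con.close()
    return {"hashable": hashable, "hashed": hashed,
            "missing": hashable - hashed,
            "complete": hashable > 0 and hashed == hashable}


def make_sample_db(with_hashes):
    """Constructed fixture standing in for real tsk_loaddb output: a
    stripped-down tsk_files with a directory, an empty file and two regular
    files, with or without md5 values.  Returns the temporary DB's path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    contents = {"hosts": b"127.0.0.1 localhost\n", "notes.txt": b"constructed\n"}
    rows = [("Windows", 0, 2, None), ("empty.txt", 0, META_TYPE_REG, None)]
    for name, data in contents.items():
        md5 = hashlib.md5(data).hexdigest() if with_hashes else None
        rows.append((name, len(data), META_TYPE_REG, md5))
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, name TEXT, "
                    "size INTEGER, type INTEGER, meta_type INTEGER, md5 TEXT)")
        con.executemany("INSERT INTO tsk_files (name, size, type, meta_type, md5) "
                        "VALUES (?, ?, ?, ?, ?)",
                        [(n, s, DB_FILES_TYPE_FS, m, h) for n, s, m, h in rows])
    con.close()
    return path


if __name__ == "__main__":
    import sys
    # usage: python loaddb_check.py \\.\C: live.db
    target, db = sys.argv[1], sys.argv[2]
    if run_loaddb(target, db) == 0:
        print(hash_coverage(db))
```

The coverage query deliberately ignores directories and zero-length files, so an all-NULL result on the remaining rows points at a missing -h rather than at a permissions problem; as Mark notes further down, hashing every file on a large live volume is the slow part, so leave hash_files=False only when you are prepared to hash selectively afterwards.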
From: Rolf I. <rol...@gm...> - 2015-09-20 21:33:04
This happens when you expect something else...
I thought the hashes were automatically calculated and didn't expect the "-h" switch to be the hash switch (expected "help" when using "h" ^^).

However, thanks guys, this works great on a running Windows!
--Rolf
From: Richer, M. (CIV) <mhr...@np...> - 2015-09-20 22:10:36
While folks might usually want hashes, it's an expensive operation to perform on every file on a large source. I assume that's why it's an option. I suppose -m could be for md5, -s for sha1 etc. so as not to be confused with help.

My 2 cents (likely worth as much),
Mark

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org