Comments on: The Sleutkit 2.06 and Autopsy 2.08

By: anwer

anwer — Wed, 03 Jan 2007 09:05:19 +0000

s both have the ame hash value!
tried fsstat with the stick but it says “superblock read: is a directory”

however i tried fdisk -l with my linux pc it says its fat16 for the stick
but when i mention the same in the autopsy for the sticks image
it says”the image is not fat16″

however i used mmls with the image it showed the following!

Slot Start End Length Description
00: —– 0000000000 0000000000 0000000001 Primary Table (#0)
01: —– 0000000001 0000000031 0000000031 Unallocated
02: 00:00 0000000032 0000254975 0000254944 DOS FAT16 (0×06)

i guess mmls is the only tool to work with usb images
i’l try taking an image of my 4 GB hard disk!
and then work with the autopsy!!

By: Alexander Geschonneck

Alexander Geschonneck — Tue, 02 Jan 2007 11:49:14 +0000

It looks that TSK is not recognizing the file systeme of your image. Can you check the hashes of the image and the usb stick? They should be the same. Does fsstat identify the file system on the stick correctly?

By: anwer

anwer — Tue, 02 Jan 2007 05:52:07 +0000

hi
i somwhow managed to take a dd image of my usbdrive(124 MB using a linux pc) which
has a fat16 fs!

now i created a new case and a host, with it i added this image
now when i add the image it prompts for the fs type!

i specified it as fat16!
but it says its not a fat16

then i tried by specifying it as a raw image! it worked!
but now it showed only two options: dataunit and keyword search!

while i try to view them(data unit) it says unrecognized file type
but when i give a keyword search it shows the hits!

now what is the problem
where am i going wrong!?!

By: Alexander Geschonneck

Alexander Geschonneck — Fri, 29 Dec 2006 21:55:27 +0000

hmmm. In your case in cygwin dd.exe if=\\.\C: of=d:\image.dd should work.

By: anwer

anwer — Fri, 29 Dec 2006 10:57:37 +0000

thanx alexander
i tried that physical drive stuff with dd but still it doesnt work!
anyways
i’l go with fau and i will get back to you shortly!

By: Alexander Geschonneck

Alexander Geschonneck — Fri, 29 Dec 2006 09:24:05 +0000

Anwer, you have to use the physical device as source.

First of all, I suggest to use George Garner’s Forensic Acquisition Utilities (FAU). A more powerfull dd and other tools are included in FAU.

How to address the physical device? Here are some examples for FAU, but the device addressing is the same with “plain” cygwin dd:

dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5


--md5out=d:\images\PhysicalDrive0.img.md5
dd if=\\?\Volume{87c34910-d826-11d4-987c-00a0b6741049} of=d:\images\e_drive.img –md5sum –verifymd5 md5out=d:\images\PhysicalDrive0.img.md5
dd.exe if=\\.\D: of=d:\images\d_drive.img conv=noerror --sparse --md5sum --verifymd5 –md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log

dd.exe if=\\.\D: of=d:\images\d_drive.img.gz conv=noerror,comp --md5sum --verifymd5 –md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log

mount.exe or df.exe brings you the physical device, but you can also use \\.\DRIVELETTER:

By: anwer

anwer — Fri, 29 Dec 2006 09:07:40 +0000

s, as i already told u cygwin-dd says ” 0 bytes copied since its a directory”
when i try to take an image of my c drive
with this command “dd if=/cygdrive/c/”
but when i do it for a file its successfully done!

does this mean that dd will not work with directories????
if so how am i to take image of my enire drive c: ????

By: Alexander Geschonneck

Alexander Geschonneck — Fri, 29 Dec 2006 07:53:21 +0000

anwer, you need definitely a dd image. You can make it with cygwin-dd, with dd from the Helix CD or with Access Data’s FTK-Imager or even with Encase.

By: anwer

anwer — Fri, 29 Dec 2006 03:47:31 +0000

oh yes
autopsy worked- i reconfigured the proxy!
thanx a lot Alexander Geschonneck
1)but let me know on what image sleuthkit works or how to take an image to work with skeuthkit

By: anwer

anwer — Fri, 29 Dec 2006 03:40:01 +0000

1)i guess sleuthkit requires an image taken through dd??!!!
if not on which images does sleuthkit work?
2) i have set the browser to bypass the proxy for the given address
wat else should i do?!

By: Alexander Geschonneck

Alexander Geschonneck — Thu, 28 Dec 2006 16:40:26 +0000

@anwer:
1) did you check your browsers proxy config?

2) First of all it’s “cygdrive”. But, you should use the physical device as the image source.

By: forensicman

forensicman — Thu, 28 Dec 2006 15:56:22 +0000

Why do u want use cywin for making a disk image? There are many tools for windows to do that….
Helix cd
FTK IMager
etc.

For your first problem I don’t know why it happpens..