The Sleuthkit 2.06 and Autopsy 2.08

Brian Carrier has just released new versions of his disk forensics tools. You can download The Sleuthkit 2.06 and Autopsy 2.08 from http://www.sleuthkit.org/.

Update:
There is now also a Windows version available.


22 Responses to “The Sleuthkit 2.06 and Autopsy 2.08”

  1. keydet89

    While I applaud Brian’s efforts and release of the Sleuthkit tools for Windows, I’d also really like to see Autopsy come out in a similar version…without the requirement for Cygwin.

  2. Alexander Geschonneck

    I have used TSK since 1.6x with Cygwin gcc. I happened to meet Brian at a conference in spring 2004 and told him about the “enhanced” Windows features of his toolset. He was quite surprised -)

    PS: There are many needs for Cygwin during live response anyway, so I’m happy with that - except the speed -)

  3. forensicman

    Yes, good work, but I can’t install Sleuthkit 2.06 in the Cygwin environment, because when I run “make” I get this:
    make: Leaving directory `/usr/local/sleuthkit-2.06/src/auxtools'
    make[1]: Leaving directory `/usr/local/sleuthkit-2.06/src/auxtools'
    make -C src/afflib/lib AFFLIB="../../../lib/libtsk.a"
    make[1]: Entering directory `/usr/local/sleuthkit-2.06/src/afflib/lib'
    g++ -c -g -Wall -I/usr/local/ssl/include -I/usr/sfw/include -I. -Ilib -o aff_db.o aff_db.cpp
    In file included from aff_db.cpp:8:
    afflib_i.h:62:26: openssl/rand.h: No such file or directory
    afflib_i.h:63:25: openssl/md5.h: No such file or directory
    make[1]: *** [aff_db.o] Error 1
    make[1]: Leaving directory `/usr/local/sleuthkit-2.06/src/afflib/lib'
    make: *** [no-perl] Error 2
    Why? How can I solve this problem?
    PS: I have Perl installed -)

  4. Alexander Geschonneck

    Do you have all the cygwin openssl packages installed?

    Alex

  5. forensicman

    I think so…
    But if I haven’t, what do I have to do? What do I have to download? And what is the install procedure for the Cygwin environment?
    Thanks
    PS: What about the Perl error?
    Greetings

  6. Alexander Geschonneck

    You can add Cygwin packages with the Cygwin setup tool. It resolves dependencies automatically.

  7. forensicman

    Already done… but it doesn’t work… I don’t know what I have to download that I haven’t downloaded already… (almost all of it)
    Thank you

  8. forensicman

    OK, problem solved! I reinstalled OpenSSL using Cygwin setup and now
    Sleuthkit is working… -)
    This time it worked…
    Thank you

  9. Alexander Geschonneck

    Good. There is also a pre-compiled Sleuthkit version available, but I compiled Autopsy & Sleuthkit myself too.
    Alex

  10. anwer

    Hi,
    I have Cygwin running on my Windows 2000 PC with Sleuthkit 1.70 and Autopsy 2.01 installed. The problems are:

    1) When I start Autopsy with ./autopsy it asks me to open
    http://localhost:9999/autopsy in a web browser,
    but when I do that I am not getting connected.

    2) How do I take an image of an entire drive? I tried dd as
    dd if=/cygwin/c (that’s my C drive) of=drive.img
    but it says 0 bytes copied since it is a directory!

    Please help!

  11. forensicman

    Why do you want to use Cygwin to make a disk image? There are many tools for Windows to do that….
    Helix CD
    FTK Imager
    etc.

    For your first problem I don’t know why it happens..

  12. Alexander Geschonneck

    @anwer:
    1) Did you check your browser’s proxy config?

    2) First of all it’s “cygdrive”. But, you should use the physical device as the image source.

  13. anwer

    1) I guess Sleuthkit requires an image taken with dd?!
    If not, which images does Sleuthkit work on?
    2) I have set the browser to bypass the proxy for the given address.
    What else should I do?!

  14. anwer

    Oh yes,
    Autopsy worked - I reconfigured the proxy!
    Thanks a lot, Alexander Geschonneck.
    1) But let me know what image Sleuthkit works on, or how to take an image to work with Sleuthkit.

  15. Alexander Geschonneck

    anwer, you definitely need a dd image. You can make it with cygwin-dd, with dd from the Helix CD, with AccessData’s FTK Imager or even with EnCase.

  16. anwer

    Yes, as I already told you, cygwin-dd says “0 bytes copied since it’s a directory”
    when I try to take an image of my C drive
    with this command: “dd if=/cygdrive/c/”
    but when I do it for a file it is successfully done!

    Does this mean that dd will not work with directories?
    If so, how am I to take an image of my entire drive C:?

  17. Alexander Geschonneck

    Anwer, you have to use the physical device as source.

    First of all, I suggest using George Garner’s Forensic Acquisition Utilities (FAU). A more powerful dd and other tools are included in FAU.

    How to address the physical device? Here are some examples for FAU, but the device addressing is the same with “plain” cygwin dd:


    dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5

    dd if=\\?\Volume{87c34910-d826-11d4-987c-00a0b6741049} of=d:\images\e_drive.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5

    dd.exe if=\\.\D: of=d:\images\d_drive.img conv=noerror --sparse --md5sum --verifymd5 --md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log

    dd.exe if=\\.\D: of=d:\images\d_drive.img.gz conv=noerror,comp --md5sum --verifymd5 --md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log

    mount.exe or df.exe shows you the physical device, but you can also use \\.\DRIVELETTER:
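
The acquire-and-verify step that FAU's --md5sum/--verifymd5 switches perform, written out with plain dd for a Linux or Cygwin shell. This is an added example, not part of the original thread and not FAU code; the "device" it images in demo() is a constructed sample file standing in for \\.\PhysicalDrive0 or /dev/sdX, and the log format is my own.

```shell
#!/bin/sh
# Added example (not from the original thread, not FAU code): acquire a raw
# image with plain dd and verify it the way FAU's --md5sum/--verifymd5 does,
# by comparing the hash of the source with the hash of the finished image.
# The "device" used in demo() is a constructed sample file; a real
# acquisition would read \\.\PhysicalDrive0 (Cygwin) or /dev/sdX (Linux).
set -eu

# Portable MD5 of one file: md5sum on Linux/Cygwin, md5 on BSD/macOS.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# acquire_and_verify SOURCE IMAGE LOG
# Copies SOURCE to IMAGE sector by sector, appends sizes and hashes to LOG,
# and returns 0 only if the image hash equals the source hash.
acquire_and_verify() {
    src=$1; img=$2; log=$3
    # bs=512 matches the sector size; conv=noerror,sync keeps reading past
    # a bad sector and pads it with zeros. Padded sectors make the hashes
    # differ from the source, which is exactly what the check below reports.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_md5=$(hash_file "$src")
    img_md5=$(hash_file "$img")
    {
        echo "source: $src $(wc -c <"$src") bytes md5=$src_md5"
        echo "image:  $img $(wc -c <"$img") bytes md5=$img_md5"
    } >>"$log"
    if [ "$src_md5" = "$img_md5" ]; then
        echo "verified: hashes match" >>"$log"
        return 0
    fi
    echo "FAILED: hash mismatch" >>"$log"
    return 1
}

# demo: build a 64 KiB constructed sample (a whole number of 512-byte
# sectors, like a real device), image it, verify it and print the log.
demo() {
    tmp=$(mktemp -d)
    head -c 65536 /dev/urandom >"$tmp/dev.bin"
    if acquire_and_verify "$tmp/dev.bin" "$tmp/dev.img" "$tmp/dev.log"; then
        status=0
    else
        status=1
    fi
    cat "$tmp/dev.log"
    rm -rf "$tmp"
    return $status
}

# Run the demo when invoked as: sh acquire.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Unlike FAU, which hashes the bytes as they stream through dd, this hashes the source a second time after the copy, so the source is read twice; on a large disk that doubles the acquisition time, and on failing media the second read may itself return different bytes.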

  18. anwer

    Thanks, Alexander.
    I tried that physical drive stuff with dd but it still doesn’t work!
    Anyway,
    I’ll go with FAU and I will get back to you shortly!

  19. Alexander Geschonneck

    Hmmm. In your case, in Cygwin, dd.exe if=\\.\C: of=d:\image.dd should work.

  20. anwer

    Hi,
    I somehow managed to take a dd image of my USB drive (124 MB, using a Linux PC), which
    has a FAT16 file system!

    Now I created a new case and a host, and with it I added this image.
    When I add the image it prompts for the file system type!

    I specified it as FAT16,
    but it says it’s not FAT16.

    Then I tried specifying it as a raw image. It worked!
    But now it showed only two options: data unit and keyword search.

    When I try to view them (data unit) it says unrecognized file type,
    but when I do a keyword search it shows the hits!

    Now what is the problem?
    Where am I going wrong?

  21. Alexander Geschonneck

    It looks like TSK is not recognizing the file system of your image. Can you check the hashes of the image and the USB stick? They should be the same. Does fsstat identify the file system on the stick correctly?

  22. anwer

    Yes, both have the same hash value!
    I tried fsstat with the stick but it says “superblock read: is a directory”.

    However, I tried fdisk -l on my Linux PC and it says the stick is FAT16,
    but when I specify the same in Autopsy for the stick’s image
    it says “the image is not FAT16”.

    However, I used mmls on the image and it showed the following:

    Slot      Start       End         Length      Description
    00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
    01: ----- 0000000001 0000000031 0000000031 Unallocated
    02: 00:00 0000000032 0000254975 0000254944 DOS FAT16 (0x06)

    I guess mmls is the only tool that works with USB images.
    I’ll try taking an image of my 4 GB hard disk
    and then work with Autopsy!

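
The mmls output in the last comment already contains the answer, so here is an added example (not part of the original thread, and not Sleuthkit code) that turns it into the commands to run. The stick was imaged as a whole device, so sector 0 of the image holds a DOS partition table, not a FAT boot sector; a file system tool pointed at offset 0 therefore reports "not FAT16". The FAT16 volume begins at sector 32, which is the value TSK's -o option (an offset in sectors) and Autopsy's image import need. The mmls text below is a constructed copy of the output posted in the thread; the file name stick.dd is assumed.

```shell
#!/bin/sh
# Added example, not from the original thread: derive the sector offset that
# fsstat/fls need from mmls output. The partition table at sector 0 is why
# a whole-stick image fails the FAT16 check; the volume starts at sector 32.
set -eu

# Constructed copy of the mmls output from the thread (124 MB USB stick).
MMLS_SAMPLE='Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000031 0000000031 Unallocated
02: 00:00 0000000032 0000254975 0000254944 DOS FAT16 (0x06)'

# fs_partition_offset MMLS_TEXT
# Prints the start sector of the first entry whose slot column looks like
# "00:00", i.e. a real partition rather than the table or unallocated space.
# Leading zeros are stripped so the value can be used in arithmetic.
fs_partition_offset() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^[0-9][0-9]:[0-9][0-9]$/ {
            sub(/^0+/, "", $3)
            print ($3 == "" ? 0 : $3)
            exit
        }'
}

# sectors_to_bytes SECTORS [SECTOR_SIZE]
# mmls and the TSK -o option count 512-byte sectors by default; some tools
# (and Autopsy's "byte offset" field in later versions) want bytes instead.
sectors_to_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# tsk_commands IMAGE OFFSET_SECTORS
# Prints the TSK 2.x invocations for the FAT volume inside a whole-disk
# image: -o is the volume's start sector, -f names the file system family.
tsk_commands() {
    img=$1; off=$2
    echo "fsstat -f fat -o $off $img"
    echo "fls -f fat -o $off -r $img"
}

# Stand-alone run: show the offset and the commands for the sample.
if [ "${1:-}" = "--demo" ]; then
    off=$(fs_partition_offset "$MMLS_SAMPLE")
    echo "FAT volume starts at sector $off ($(sectors_to_bytes "$off") bytes)"
    tsk_commands stick.dd "$off"
fi
```

In Autopsy 2.x the same thing is done at import time: add the file as image type "Disk" rather than "Partition", and Autopsy runs mmls itself and offers each volume (here the FAT16 one at sector 32) as a separate file system to analyse.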
