22 thoughts on “The Sleutkit 2.06 and Autopsy 2.08”

  1. While I applaud Brian’s efforts and release of the Sleuthkit tools for Windows, I’d also really like to see Autopsy come out in a similar version…without the requirement for Cygwin.

  2. I used TSK since 1.6x with CYGWIN gcc. I happend to meet Brain at a conference spring 2004 and told him about the „enhanced“ windows features of his toolset. He was quite surprised 😉

    PS: There are many needs for CYGWIN during live repsonse anyway, so I’m happy with that – except the Speed 😉

  3. yes good work but I can’t install sleuthkit 2.06 into cygwin ambient, because when I tried „make“ I receive this:
    make: Leaving directory `/usr/local/sleuthkit-2.06/src/auxtools‘
    make[1]: Leaving directory `/usr/local/sleuthkit-2.06/src/auxtools‘
    make -C src/afflib/lib AFFLIB=“../../../lib/libtsk.a“
    make[1]: Entering directory `/usr/local/sleuthkit-2.06/src/afflib/lib‘
    g++ -c -g -Wall -I/usr/local/ssl/include -I/usr/sfw/include -I. -Ilib -o aff_d
    b.o aff_db.cpp
    In file included from aff_db.cpp:8:
    afflib_i.h:62:26: openssl/rand.h: No such file or directory
    afflib_i.h:63:25: openssl/md5.h: No such file or directory
    make[1]: *** [aff_db.o] Error 1
    make[1]: Leaving directory `/usr/local/sleuthkit-2.06/src/afflib/lib‘
    make: *** [no-perl] Error 2
    WHy? How can I solve this problem?

  4. I think so…
    But if I havn’t what have I to do? What have I to download? And what is the install procedure for cywin ambient?
    PS: what’s about the perl error?

  5. Ok problem solved! I re-install the Openssl using cygwin setup and now
    Sleuthkit is working… 😉
    This time it worked …
    Thank you

  6. hi
    i have cygwin running on my windows 2000 pc with sleuthkit 1.70 and autopsy 2.01 installed the problems are

    1) when i start the autopsy by ./autopsy it asks me to open
    http://localhost:9999/autopsy in a web browser
    but when i do that am not getin connected.

    2)how to take an image of an entire drive??? i tried with dd as
    dd if=/cygwin/c (thats my c drive) of=drive.img
    but it says 0 bytes copied since it is a directory!

    plz help!

  7. 1)i guess sleuthkit requires an image taken through dd??!!!
    if not on which images does sleuthkit work?
    2) i have set the browser to bypass the proxy for the given address
    wat else should i do?!

  8. oh yes
    autopsy worked- i reconfigured the proxy!
    thanx a lot Alexander Geschonneck
    1)but let me know on what image sleuthkit works or how to take an image to work with skeuthkit

  9. s, as i already told u cygwin-dd says “ 0 bytes copied since its a directory“
    when i try to take an image of my c drive
    with this command „dd if=/cygdrive/c/“
    but when i do it for a file its successfully done!

    does this mean that dd will not work with directories????
    if so how am i to take image of my enire drive c: ????

  10. Anwer, you have to use the physical device as source.

    First of all, I suggest to use George Garner’s Forensic Acquisition Utilities (FAU). A more powerfull dd and other tools are included in FAU.

    How to address the physical device? Here are some examples for FAU, but the device addressing is the same with „plain“ cygwin dd:

    dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5


    dd if=\\?\Volume{87c34910-d826-11d4-987c-00a0b6741049} of=d:\images\e_drive.img –md5sum –verifymd5 md5out=d:\images\PhysicalDrive0.img.md5

    dd.exe if=\\.\D: of=d:\images\d_drive.img conv=noerror --sparse --md5sum --verifymd5 –md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log

    dd.exe if=\\.\D: of=d:\images\d_drive.img.gz conv=noerror,comp --md5sum --verifymd5 –md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log

    mount.exe or df.exe brings you the physical device, but you can also use \\.\DRIVELETTER:

  11. thanx alexander
    i tried that physical drive stuff with dd but still it doesnt work!
    i’l go with fau and i will get back to you shortly!

  12. hi
    i somwhow managed to take a dd image of my usbdrive(124 MB using a linux pc) which
    has a fat16 fs!

    now i created a new case and a host, with it i added this image
    now when i add the image it prompts for the fs type!

    i specified it as fat16!
    but it says its not a fat16

    then i tried by specifying it as a raw image! it worked!
    but now it showed only two options: dataunit and keyword search!

    while i try to view them(data unit) it says unrecognized file type
    but when i give a keyword search it shows the hits!

    now what is the problem
    where am i going wrong!?!

  13. s both have the ame hash value!
    tried fsstat with the stick but it says „superblock read: is a directory“

    however i tried fdisk -l with my linux pc it says its fat16 for the stick
    but when i mention the same in the autopsy for the sticks image
    it says“the image is not fat16″

    however i used mmls with the image it showed the following!

    Slot Start End Length Description
    00: —– 0000000000 0000000000 0000000001 Primary Table (#0)
    01: —– 0000000001 0000000031 0000000031 Unallocated
    02: 00:00 0000000032 0000254975 0000254944 DOS FAT16 (0x06)

    i guess mmls is the only tool to work with usb images
    i’l try taking an image of my 4 GB hard disk!
    and then work with the autopsy!!

Comments are closed.