Brian Carrier just released a new version of his disk forensics tools. You can download The Sleuthkit 2.06 and Autopsy 2.08 from http://www.sleuthkit.org/.
Update:
There is a new Windows version available.
Private homepage of Alexander Geschonneck (Berlin, Germany).
While I applaud Brian’s efforts and release of the Sleuthkit tools for Windows, I’d also really like to see Autopsy come out in a similar version…without the requirement for Cygwin.
I have used TSK since 1.6x with Cygwin gcc. I happened to meet Brian at a conference in spring 2004 and told him about the "enhanced" Windows features of his toolset. He was quite surprised 😉
PS: There are many needs for Cygwin during live response anyway, so I'm happy with that – except the speed 😉
Yes, good work, but I can't install Sleuthkit 2.06 in the Cygwin environment, because when I try "make" I get this:
make: Leaving directory `/usr/local/sleuthkit-2.06/src/auxtools'
make[1]: Leaving directory `/usr/local/sleuthkit-2.06/src/auxtools'
make -C src/afflib/lib AFFLIB="../../../lib/libtsk.a"
make[1]: Entering directory `/usr/local/sleuthkit-2.06/src/afflib/lib'
g++ -c -g -Wall -I/usr/local/ssl/include -I/usr/sfw/include -I. -Ilib -o aff_db.o aff_db.cpp
In file included from aff_db.cpp:8:
afflib_i.h:62:26: openssl/rand.h: No such file or directory
afflib_i.h:63:25: openssl/md5.h: No such file or directory
make[1]: *** [aff_db.o] Error 1
make[1]: Leaving directory `/usr/local/sleuthkit-2.06/src/afflib/lib'
make: *** [no-perl] Error 2
Why? How can I solve this problem?
PS: I have Perl installed 😉
Do you have all the Cygwin OpenSSL packages installed?
Alex
I think so…
But if I haven't, what do I have to do? What do I have to download? And what is the install procedure for the Cygwin environment?
Thanks
PS: What about the Perl error?
Greetings
You can add Cygwin packages with the Cygwin setup tool. It resolves dependencies automatically.
Already done... but it doesn't work... I don't know what I have to download that I haven't downloaded already... (almost all of it)
Thank you
OK, problem solved! I re-installed OpenSSL using Cygwin setup and now
Sleuthkit is working... 😉
This time it worked …
Thank you
Good. There is also a pre-compiled Sleuthkit version available, but I compiled Autopsy & Sleuthkit myself too.
Alex
Hi,
I have Cygwin running on my Windows 2000 PC with Sleuthkit 1.70 and Autopsy 2.01 installed. The problems are:
1) When I start Autopsy with ./autopsy it asks me to open
http://localhost:9999/autopsy in a web browser,
but when I do that I am not getting connected.
2) How do I take an image of an entire drive??? I tried with dd as
dd if=/cygwin/c (that's my c drive) of=drive.img
but it says 0 bytes copied since it is a directory!
Please help!
Why do you want to use Cygwin for making a disk image? There are many tools for Windows to do that....
Helix CD
FTK Imager
etc.
For your first problem I don't know why it happens..
@anwer:
1) Did you check your browser's proxy config?
2) First of all, it's "cygdrive". But you should use the physical device as the image source.
1) I guess Sleuthkit requires an image taken through dd??!!!
If not, on which images does Sleuthkit work?
2) I have set the browser to bypass the proxy for the given address.
What else should I do?!
Oh yes,
Autopsy worked, I reconfigured the proxy!
Thanks a lot Alexander Geschonneck
1) But let me know on what image Sleuthkit works or how to take an image to work with Sleuthkit
Anwer, you definitely need a dd image. You can make it with cygwin-dd, with dd from the Helix CD, with Access Data's FTK Imager or even with EnCase.
Yes, as I already told you, cygwin-dd says "0 bytes copied since it's a directory"
when I try to take an image of my c drive
with this command "dd if=/cygdrive/c/"
but when I do it for a file it's successfully done!
Does this mean that dd will not work with directories????
If so, how am I to take an image of my entire drive c: ????
Anwer, you have to use the physical device as source.
First of all, I suggest using George Garner's Forensic Acquisition Utilities (FAU). A more powerful dd and other tools are included in FAU.
How to address the physical device? Here are some examples for FAU, but the device addressing is the same with "plain" cygwin dd:
dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5
dd if=\\?\Volume{87c34910-d826-11d4-987c-00a0b6741049} of=d:\images\e_drive.img --md5sum --verifymd5 --md5out=d:\images\PhysicalDrive0.img.md5
dd.exe if=\\.\D: of=d:\images\d_drive.img conv=noerror --sparse --md5sum --verifymd5 --md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log
dd.exe if=\\.\D: of=d:\images\d_drive.img.gz conv=noerror,comp --md5sum --verifymd5 --md5out=d:\images\d_drive.img.md5 --log=d:\images\d_drive.log
mount.exe or df.exe show you the physical device, but you can also use \\.\DRIVELETTER:
Thanks Alexander
I tried that physical drive stuff with dd but still it doesn't work!
Anyway,
I'll go with FAU and I will get back to you shortly!
Hmmm. In your case in Cygwin
dd.exe if=\\.\C: of=d:\image.dd
should work.
Hi
I somehow managed to take a dd image of my USB drive (124 MB, using a Linux PC) which
has a FAT16 fs!
Now I created a new case and a host, and with it I added this image.
Now when I add the image it prompts for the fs type!
I specified it as FAT16!
But it says it's not FAT16.
Then I tried by specifying it as a raw image! It worked!
But now it showed only two options: data unit and keyword search!
When I try to view them (data unit) it says unrecognized file type,
but when I do a keyword search it shows the hits!
Now what is the problem?
Where am I going wrong!?!
It looks like TSK is not recognizing the file system of your image. Can you check the hashes of the image and the USB stick? They should be the same. Does fsstat identify the file system on the stick correctly?
Yes, both have the same hash value!
I tried fsstat with the stick but it says "superblock read: is a directory".
However, I tried fdisk -l on my Linux PC and it says it's FAT16 for the stick,
but when I specify the same in Autopsy for the stick's image
it says "the image is not FAT16".
However, when I used mmls with the image it showed the following!
Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000031   0000000031   Unallocated
02:  00:00   0000000032   0000254975   0000254944   DOS FAT16 (0x06)
I guess mmls is the only tool that works with USB images.
I'll try taking an image of my 4 GB hard disk
and then work with Autopsy!!
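The mmls listing above already explains the earlier failure: the image begins with a partition table, and the FAT16 boot sector sits 32 sectors in, so the image has to be opened at that sector offset (the value TSK tools take with -o) rather than declared FAT16 as a whole. As an added example that is not part of the thread or of TSK, the following Python script constructs a sample image with exactly these numbers, lists the MBR entries the way mmls does, and probes each partition start for a FAT boot sector.

```python
import struct

SECTOR = 512  # mmls reports Start/Length in 512-byte sectors

def build_sample_image():
    """Constructed sample: MBR at sector 0 with one FAT16 (0x06) partition at
    LBA 32, length 254944 (the numbers from the mmls listing in the thread).
    Only the first sectors of the partition are materialized."""
    fat_start, fat_len = 32, 254944
    img = bytearray(SECTOR * (fat_start + 4))
    # MBR entry #0 at byte 446: status, CHS start, type, CHS end, LBA start, LBA count
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x06, b"\0\0\0", fat_start, fat_len)
    img[510:512] = b"\x55\xaa"                      # MBR signature
    off = fat_start * SECTOR                        # the FAT16 boot sector lives here, not at 0
    img[off:off + 3] = b"\xeb\x3c\x90"              # jump instruction
    img[off + 3:off + 11] = b"MSDOS5.0"             # OEM name
    # BPB: bytes/sector, sectors/cluster, reserved, FATs, root entries, total16,
    # media, sectors/FAT, sectors/track, heads, hidden sectors, total32
    struct.pack_into("<HBHBHHBHHHII", img, off + 11,
                     512, 4, 1, 2, 512, 0, 0xF8, 249, 63, 255, fat_start, fat_len)
    img[off + 54:off + 62] = b"FAT16   "            # file-system type string
    img[off + 510:off + 512] = b"\x55\xaa"          # boot-sector signature
    return bytes(img)

def parse_mbr(img):
    """List the used MBR partition entries like mmls does (slot, start, length, type)."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature: not a whole-disk image")
    parts = []
    for slot in range(4):
        entry = img[446 + 16 * slot:462 + 16 * slot]
        _status, _chs1, ptype, _chs2, start, length = struct.unpack("<B3sB3sII", entry)
        if ptype != 0:
            parts.append({"slot": slot, "start": start, "length": length, "type": ptype})
    return parts

def fat_type_at(img, start_sector):
    """Return 'FAT12'/'FAT16'/'FAT32' if a FAT boot sector sits at start_sector, else None."""
    bs = img[start_sector * SECTOR:(start_sector + 1) * SECTOR]
    if len(bs) < SECTOR or bs[510:512] != b"\x55\xaa":
        return None
    for tag in (bs[54:62], bs[82:90]):              # FAT12/16 and FAT32 tag positions
        if tag in (b"FAT12   ", b"FAT16   ", b"FAT32   "):
            return tag.decode().strip()
    return None

def fs_offsets(img):
    """Map each partition's start sector to the FAT type found there (the -o value to use)."""
    return {p["start"]: fat_type_at(img, p["start"]) for p in parse_mbr(img)}
```

For the sample, fat_type_at(image, 0) returns None, which is the mismatch Autopsy reported when the whole image was declared FAT16, while fs_offsets(image) returns {32: 'FAT16'}, the offset at which the file system should be opened.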