Install Problem


Install Problem

by Amy_Cox


Hi

I have tried installing Autopsy in an Ubuntu 7.1 VM. The latest Sleuth Kit seems to have installed and configured OK.

However, when I try to configure Autopsy I get the following error

Can't open log: autopsy.log at /home/jars/Desktop/autopsy-2.21/lib//Print.pm line 383

I have gone to the Print.pm file and the following is line 383

 open AUTLOG, ">>$::LOCKDIR/$lname" or die "Can't open log: $lname";

I have tried 2.20 and 2.21 of autopsy and get the same error. I thought it may be where I had put my evidence dir but moved that and got the same error. I am a little lost as to what I have done wrong. Can anyone help me?

Thanks in advance and apologies if it is something daft.

Ames
This e mail carries a disclaimer, a copy of which may be read at:

	
http://www.gmp.police.uk/mainsite/pages/copyright.htm

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: Install Problem

by eric smith-25

I am no expert but it looks like you have an extra / in the path; when you set up autopsy you might have had a trailing / in the path.

Eric 



Re: Install Problem

by Amy_Cox


Thanks Guys that's great - all sorted!!

blkls -a

by Lehr, John

Good Morning Group,

 

I have a question about blkls, particularly the -a option.  I am creating keyword search files with blkls and srch_strings, and I wanted to distinguish between allocated and unallocated, created one two text files for each type of block (ascii and unicode).

For unallocated, I used something like:

# blkls partition.dd | srch_strings -t d > text.file

This produced a text file of ascii strings with byte offset from unallocated blocks as desired.

For allocated, I tried:

# blkls -a partition.dd | srch_strings -t d > text.file

But, surprisingly, it looks like all blocks were exported from the partition, not just allocated blocks. (I piped blkls through ‘pv’ to meter the output and instead of getting the 83gb of allocated space, I got the whole 221gb partition).

My first question is: Did I make an error in my command or am I failing to understand something?

My second question is: Assuming I can properly export allocated blocks alone, how do I use blkcalc to determine the block in the partition?  Blkcalc has the -d option for the whole partition image (which would operate on ‘blkls -e’ output), the -s option for slack (blkls -s), and -u option for unallocated (‘blkls -A’ or simply ‘blkls’), but nothing for allocated blocks alone.  I’m sure this one is sitting right in front of my face, but I’m not seeing the solution today.

 

I have TSK 3.0.1 installed on Ubuntu 8.04.

 

Thanks,

John



Re: blkls -a

by RB-14

On Tue, Jul 21, 2009 at 09:54, Lehr, John<jlehr@...> wrote:
> My first question is: Did I make an error in my command or am I failing to
> understand something?

Confirmed on 3.0.1/Gentoo:

[test@test sleuthtest] dd if=/dev/zero of=ext2.img bs=1024 count=1024
1024+0 records in
1024+0 records out
1048576 bytes (1.0 MB) copied, 0.00636198 s, 165 MB/s
[test@test sleuthtest] mkfs.ext2 -q ext2.img
[test@test sleuthtest] md5sum ext2.img
3adb3f90e51cde1277036247809a051e  ext2.img
[test@test sleuthtest] blkls -a ext2.img | md5sum -
3adb3f90e51cde1277036247809a051e  -
[test@test sleuthtest] blkls -e ext2.img | md5sum -
3adb3f90e51cde1277036247809a051e  -
[test@test sleuthtest] blkls -A ext2.img | md5sum -
b04822bb7365e95e9e73b770c8f44508  -


> My second question is: Assuming I can properly export allocated blocks
> alone, how do I use blkcalc to determine the block in the partition?
> Blkcalc has the -d option for the whole partition image (which would operate
> on ‘blkls -e’ output), the -s option for slack (blkls -s), and -u option for
> unallocated (‘blkls -A’ or simply ‘blkls’), but nothing for allocated blocks
> alone.  I’m sure this one is sitting right in front of my face, but I’m not
> seeing the solution today.

I don't see an option for calculating allocated blocks, but never
thought to look for it either.  This is most likely due to not
approaching analysis with such orthogonality - if what I'm looking for
is in allocated blocks, I tend to use the filesystem instead of
low-level forensic tools.  However, I definitely see programmatic
value in doing both sides.


Re: Install Problem

by Brian Carrier-2

Hi Ames,

Can you write to the evidence locker directory?   You can test by  
trying to create a text file in the directory.

thanks,
brian



On Jul 20, 2009, at 2:31 AM, Amy_Cox@... wrote:

>
> Hi
>
> I have tried installing Autopsy in an Ubuntu 7.1 VM. The latest
> Sleuth Kit seems to have installed and configured OK.
> However, when I try to configure Autopsy I get the following error
>
> Can't open log: autopsy.log at /home/jars/Desktop/autopsy-2.21/lib//
> Print.pm line 383
>
> I have gone to the Print.pm file and the following is line 383
>  open AUTLOG, ">>$::LOCKDIR/$lname" or die "Can't open log: $lname";
>
> I have tried 2.20 and 2.21 of autopsy and get the same error. I  
> thought it may be where I had put my evidence dir but moved that and  
> got the same error. I am a little lost as to what I have done wrong.
> Can anyone help me?
> Thanks in advance and apologies if it is something daft.
> Ames

Re: blkls -a

by Brian Carrier-2


On Jul 21, 2009, at 11:54 AM, Lehr, John wrote:

> Good Morning Group,
>
> I have a question about blkls, particularly the -a option.  I am
> creating keyword search files with blkls and srch_strings, and I
> wanted to distinguish between allocated and unallocated, created one
> two text files for each type of block (ascii and unicode).
>
> For unallocated, I used something like:
> # blkls partition.dd | srch_strings -t d > text.file
>
> This produced a text file of ascii strings with byte offset from
> unallocated blocks as desired.
>
> For allocated, I tried:
> # blkls -a partition.dd | srch_strings -t d > text.file
>
> But, surprisingly, it looks like all blocks were exported from the  
> partition, not just allocated blocks. (I piped blkls through ‘pv’ to  
> meter the output and instead of getting the 83gb of allocated space,  
> I got the whole 221gb partition).
>
> My first question is: Did I make an error in my command or am I  
> failing to understand something?

Nope, it seems to be a bug.  Thanks for the confirmation RB. I just  
created a bug report for it.
>
> My second question is: Assuming I can properly export allocated
> blocks alone, how do I use blkcalc to determine the block in the
> partition?  Blkcalc has the -d option for the whole partition image
> (which would operate on ‘blkls -e’ output), the -s option for slack
> (blkls -s), and -u option for unallocated (‘blkls -A’ or simply
> ‘blkls’), but nothing for allocated blocks alone.  I’m sure this one
> is sitting right in front of my face, but I’m not seeing the
> solution today.

There isn't a feature for this.  I'll create a feature request for it.

thanks,
brian
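
Added example (not part of the thread and not Sleuth Kit code): the offset-to-block mapping asked about in the second question, written so it works for either allocated-only or unallocated-only output. The block size, allocation map and string-search lines are constructed; a real allocation map would have to be derived from the file system's block bitmap, and the extracted stream is assumed to contain only blocks of the chosen class, in address order.

```python
BLOCK_SIZE = 1024  # constructed; use the block size the file system reports

# Constructed allocation map: index = block address, True = allocated.
ALLOC_MAP = [True, True, False, True, False, False, True, True]


def extracted_addresses(alloc_map, want_allocated):
    """Addresses of the blocks an extraction would emit, in output order."""
    return [addr for addr, allocated in enumerate(alloc_map)
            if allocated == want_allocated]


def stream_offset_to_block(offset, block_size, addresses):
    """Map a byte offset in the extracted stream to (block address, image offset)."""
    index, within = divmod(offset, block_size)
    if offset < 0 or index >= len(addresses):
        raise ValueError(f"offset {offset} is outside the extracted stream")
    addr = addresses[index]
    return addr, addr * block_size + within


def map_hits(strings_output, block_size, addresses):
    """Parse 'offset string' lines (decimal offsets, as -t d prints them)."""
    hits = []
    for line in strings_output.splitlines():
        if not line.strip():
            continue
        offset_text, _, text = line.strip().partition(" ")
        block, image_offset = stream_offset_to_block(
            int(offset_text), block_size, addresses)
        hits.append((block, image_offset, text))
    return hits


# Constructed sample of string-search output over an allocated-only stream.
SAMPLE = "   2060 invoice_2009.doc\n   4100 second hit\n"

if __name__ == "__main__":
    allocated = extracted_addresses(ALLOC_MAP, True)
    for block, image_offset, text in map_hits(SAMPLE, BLOCK_SIZE, allocated):
        print(f"block {block}  image offset {image_offset}  {text}")
```

If the stream actually contains every block, as the thread found for `blkls -a` in 3.0.1, the offsets are already image offsets and this mapping would give wrong block addresses, so check the stream size against the expected allocated size first.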


