Fiwalk on running system


Fiwalk on running system

Rolf Inator
Hi list,

I wonder if it's possible to run fiwalk on a live system? The documentation says
user@forensicbox:~$ fiwalk
usage: fiwalk [options] iso-name

The problem I am facing is that if I want to run fiwalk over a BitLocker-encrypted dd image, I have to install Dislocker (a new driver) on my Linux system. It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.

I hope that was clear :)

Kind regards,
Rolf

------------------------------------------------------------------------------
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: Fiwalk on running system

Michael Cohen-5
Does it work if you give it the volume name? fiwalk \\.\C:

On 18 September 2015 at 14:50, Rolf Inator <[hidden email]> wrote:



Re: Fiwalk on running system

Derrick Karpo
Hi Rolf.

I'm not sure if Michael's suggestion works with the latest fiwalk or
not but if it doesn't, have you looked at tsk_loaddb as an alternative
to fiwalk?  fiwalk hasn't been getting as much development lately but
tsk_loaddb is actively developed and outputs all the results into a
SQLite database.  Something like this would work with tsk_loaddb:

  tsk_loaddb -d myimage.db \\.\c:

Alternatively, for physical disks:

  wmic diskdrive list
  tsk_loaddb -d myimage.db \\.\PhysicalDrive0

Derrick


On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <[hidden email]> wrote:



Re: Fiwalk on running system

Rolf Inator
Thanks a lot to both of you! So far I tried tsk_loaddb, since it was included in the sleuthkit 4.2.0 on sourceforge. However, I will give fiwalk another try as soon as I have tried out tsk_loaddb!

So, tsk_loaddb is very promising! I tried your suggestion on a Windows 8.1 machine and it worked out pretty well! The SQLite DB was written to disk; the only thing I noticed (and what is a little bit weird) is that the column "md5" in tsk_files is null for every row.
Do you have any idea why this is happening? (I started the cmd as Administrator for C:, so the rights should be fine ;) ).

Thanks again!
--Rolf


> Sent: Friday, 18 September 2015 at 17:14
> From: "Derrick Karpo" <[hidden email]>
> To: "Rolf Inator" <[hidden email]>, "sleuthkit-users users" <[hidden email]>
> Subject: Re: [sleuthkit-users] Fiwalk on running system


Re: Fiwalk on running system

Ketil Froyn

You have to specify the -h option to calculate md5sums.

http://www.sleuthkit.org/sleuthkit/man/tsk_loaddb.html

Ketil

On 20 Sep 2015 18:38, "Rolf Inator" <[hidden email]> wrote:


Re: Fiwalk on running system

Rolf Inator
This happens when you expect something else...
I thought the hashes were automatically calculated and didn't expect the "-h" switch to be the hash switch (expected "help" when using "h" ^^).
 
However, thanks guys, this works great on a running Windows!
--Rolf
 
Sent: Sunday, 20 September 2015 at 20:09
From: "Ketil Froyn" <[hidden email]>
To: "Rolf Inator" <[hidden email]>
Cc: sleuthkit-users <[hidden email]>, "Derrick Karpo" <[hidden email]>
Subject: Re: [sleuthkit-users] Fiwalk on running system


Re: Fiwalk on running system

Richer, Mark (CIV)
While folks might usually want hashes, it's an expensive operation to perform on every file on a large source. I assume that's why it's an option. I suppose -m could be for md5, -s for sha1 etc so as not to be confused with help.

My 2 cents (likely worth as much),
Mark

On Sep 20, 2015, at 17:33, Rolf Inator <[hidden email]> wrote:


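A check worth running on the database before relying on its hashes, following Rolf's null-md5 observation, Ketil's -h answer and Mark's point about hashing cost above. This is an added example, not code from The Sleuth Kit; it uses a constructed in-memory stand-in for myimage.db whose tsk_files table carries only a subset of the real columns (obj_id, name, meta_type, size, md5, parent_path), and the meta_type values 1 (regular file) and 2 (directory) are TSK's own.

```python
# Added example: checks hash coverage in a tsk_loaddb SQLite database.
# The schema below is a constructed subset of the real tsk_files table.
import sqlite3
import sys

META_TYPE_REG = 1  # TSK_FS_META_TYPE_REG: regular file
META_TYPE_DIR = 2  # TSK_FS_META_TYPE_DIR: directory, never carries an md5

SCHEMA = """
CREATE TABLE tsk_files (
    obj_id INTEGER PRIMARY KEY, name TEXT NOT NULL, meta_type INTEGER,
    size INTEGER, md5 TEXT, parent_path TEXT);
"""

def hash_coverage(conn):
    """Return (regular_files, hashed, unhashed); directories are excluded."""
    total, hashed = conn.execute(
        "SELECT COUNT(*), SUM(CASE WHEN md5 IS NOT NULL AND md5 != '' "
        "THEN 1 ELSE 0 END) FROM tsk_files WHERE meta_type = ?",
        (META_TYPE_REG,)).fetchone()
    hashed = hashed or 0  # SUM over zero rows is NULL
    return total, hashed, total - hashed

def ran_without_hashing(conn):
    """True when no regular file has an md5, i.e. the run lacked -h."""
    total, hashed, _ = hash_coverage(conn)
    return total > 0 and hashed == 0

def unhashed_files(conn, limit=20):
    """Regular files still lacking an md5, largest first (hashing cost
    grows with size, which is why -h is optional and worth budgeting)."""
    rows = conn.execute(
        "SELECT parent_path || name, size FROM tsk_files "
        "WHERE meta_type = ? AND (md5 IS NULL OR md5 = '') "
        "ORDER BY size DESC LIMIT ?", (META_TYPE_REG, limit)).fetchall()
    return [(path, size) for path, size in rows]

def build_sample_db(with_hashes):
    """Constructed in-memory stand-in for myimage.db (not real tsk_loaddb
    output); the md5 values are placeholders, not hashes of anything."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [(1, "Windows", META_TYPE_DIR, 0, None, "/"),
            (2, "notepad.exe", META_TYPE_REG, 245760, "a" * 32, "/Windows/"),
            (3, "pagefile.sys", META_TYPE_REG, 4294967296, "b" * 32, "/")]
    if not with_hashes:
        rows = [(o, n, t, s, None, p) for o, n, t, s, _, p in rows]
    conn.executemany("INSERT INTO tsk_files VALUES (?,?,?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    # Pass a real database produced by: tsk_loaddb -h -d myimage.db \\.\c:
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db(False)
    total, hashed, missing = hash_coverage(db)
    print(f"regular files: {total}, hashed: {hashed}, missing md5: {missing}")
    if ran_without_hashing(db):
        print("md5 is NULL for every regular file: tsk_loaddb was run without -h")
    for path, size in unhashed_files(db, 5):
        print(f"{size:>12}  {path}")
```

Run without arguments it exercises the constructed sample; point it at a database written with tsk_loaddb -d to see the same all-NULL symptom Rolf reported.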