search for: sleuthkit

Displaying 20 results from an estimated 76 matches for "sleuthkit".

2016 Aug 08
1
[PATCH] sleuthkit code cleanup
Small cosmetic changes. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/sleuthkit.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/daemon/sleuthkit.c b/daemon/sleuthkit.c index ce738e3..e642731 100644 --- a/daemon/sleuthkit.c +++ b/daemon/sleuthkit.c @@ -47,7 +47,8 @@ do_download_inode (const mountable_t *mountable, int64_t inode) } /* Construct...
2016 Mar 29
2
[PATCH] renamed daemon/tsk.c to daemon/sleuthkit.c
In order to support the new features I am renaming the file with a better name. The file sleuthkit.c will contain the code depending on the sleuthkit package. The original tsk.c file will contain the logic built using libtsk which is the sleuthkit core library. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/sleuthkit_rename Signed-off-by: Matte...
2016 Mar 07
2
Re: [PATCH 2/3] added icat API to retrieve deleted or inaccessible files
Thanks, I have pushed this patch series. Could you consider changing: > + optional = Some "icat"; I think it would be nice to have a single feature, and to call the feature "sleuthkit" or "forensics" or something like that. We don't need to have one feature per API since installation of a single package (sleuthkit) is sufficient to make all the APIs available. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my pr...
2016 Mar 08
1
[PATCH] sleuthkit availability check renamed
From 'available icat' to 'available sleuthkit'. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/tsk.c | 6 +++--- generator/actions.ml | 2 +- tests/tsk/test-icat.sh | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/daemon/tsk.c b/daemon/tsk.c index 647d1e7..0fe1250 100644 --- a/daemon...
2016 Mar 30
0
Re: [PATCH] renamed daemon/tsk.c to daemon/sleuthkit.c
On Tuesday 29 March 2016 22:56:29 Matteo Cafasso wrote: > In order to support the new features I am renaming the file with a better name. > > The file sleuthkit.c will contain the code depending on the sleuthkit package. > > The original tsk.c file will contain the logic built using libtsk > which is the sleuthkit core library. Makes sense, pushed to git with two small changes: > This patch is ready for review. > Code available at: >...
2016 Mar 30
4
[PATCH 0/3] rename icat API into download_inode
...wing the standards and improved the API documentation. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (3): Rename icat command in download_inode Improve download_inode documentation string. Code cleanup in daemon/sleuthkit.c daemon/sleuthkit.c | 50 ++++++++++++++++++++----------------- generator/actions.ml | 10 +++++--- tests/tsk/Makefile.am | 2 +- tests/tsk/test-download-inode.sh | 53 ++++++++++++++++++++++++++++++++++++++++ tests/tsk/test-icat.sh | 53 ----------...
2016 Mar 30
0
[PATCH 1/3] Rename icat command in download_inode
...which might be replaced at any time with a different implementation. The command name is a bit confusing because it's similar to "cat" but acts as "download". download_inode is clearer and more descriptive. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/sleuthkit.c | 2 +- generator/actions.ml | 2 +- tests/tsk/Makefile.am | 2 +- tests/tsk/test-download-inode.sh | 53 ++++++++++++++++++++++++++++++++++++++++ tests/tsk/test-icat.sh | 53 ---------------------------------------- 5 files changed, 56 insertions...
2004 Sep 26
2
low level search for deleted data
...rectory and am facing the problem of retrieving some of the deleted data. I have searched the web for this matter, but the only information I found is that it's not possible for a program to do this and that I have to puzzle the files together by scanning the disk (or disk image) with tools like sleuthkit (www.sleuthkit.org) or lde (lde.sourceforge.net). That's ok, since the only files I'd like to recover are text files (C and Java source code). But even though I read the ext2-undelete-minihowto (which doesn't apply to ext3, I know) I honestly don't know how to start. The partition is 11GB...
2016 Mar 29
0
[PATCH 1/2] rename icat API to download_inode
Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/sleuthkit.c | 79 ++++++++++++++++++++++++++++------------------------ generator/actions.ml | 6 ++-- 2 files changed, 47 insertions(+), 38 deletions(-) diff --git a/daemon/sleuthkit.c b/daemon/sleuthkit.c index 0fe1250..536febb 100644 --- a/daemon/sleuthkit.c +++ b/daemon/sleuthkit.c @@ -29,55 +29,55 @@...
2016 Jul 17
4
[PATCH v2 0/2] Added download_blocks API
v2: - Rebase on top of master Matteo Cafasso (2): New API: download_blocks Added download_blocks API test daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++- generator/actions.ml | 24 ++++++++++++++++ gobject/Makefile.inc | 2 ++ src/MAX_PROC_NR | 2 +- tests/tsk/Makefile.am | 1 + tests/tsk/test-download-blocks.sh | 58 ++++++++++++++++++++++++...
2018 Feb 15
1
[PATCH] daemon: tsk: handle new enum values in sleuthkit 4.5
Resort to a version check for them, as they do not exist in older versions. --- daemon/tsk.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/daemon/tsk.c b/daemon/tsk.c index af803d749..ad10d74fe 100644 --- a/daemon/tsk.c +++ b/daemon/tsk.c @@ -241,6 +241,9 @@ file_type (TSK_FS_FILE *fsfile) case TSK_FS_NAME_TYPE_SHAD: return 'h'; case TSK_FS_NAME_TYPE_WHT: return
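Review bot: the commit message says the new sleuthkit 4.5 enum values are handled behind a version check but names neither the values nor the macro being checked, and the visible part of the file_type hunk stops at `case TSK_FS_NAME_TYPE_WHT: return` before the new cases; please list the added TSK_FS_NAME_TYPE_* cases and the single-character codes they map to in the message so the mapping can be checked against the 4.5 headers and so readers of older versions know which guard hides them.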
2016 Jun 29
2
[PATCH 0/2] Added download_blocks API
...ost of the available filesystems. The function allows extracting data units (blocks) within a given range from a partition. The tests show an example of how the function can be used to retrieve deleted data. Matteo Cafasso (2): New API: download_blocks Added download_blocks API test daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++- generator/actions.ml | 24 ++++++++++++++++ gobject/Makefile.inc | 2 ++ src/MAX_PROC_NR | 2 +- tests/tsk/Makefile.am | 1 + tests/tsk/test-download-blocks.sh | 58 ++++++++++++++++++++++++...
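The 2004 request above (recovering deleted C and Java sources by scanning the disk image) and this download_blocks series (extracting a range of data units, with the tests retrieving deleted data) rest on the same fact: unlinking a file frees its blocks in the filesystem bitmap but does not wipe their contents. The following is an added example and is not code from libguestfs or The Sleuth Kit. It models a raw partition in memory with a constructed block size, layout and allocation bitmap; the local download_blocks, carve_text, find_blocks_containing and build_partition functions are hypothetical names chosen for the example, and the local download_blocks only mirrors the idea of the libguestfs API of that name (extract data units start..stop), not its real signature or behaviour.

```python
"""Added example, not libguestfs or sleuthkit code: block-level recovery of
a deleted text file from a constructed raw partition image."""
import re
from typing import List, Set, Tuple

BLOCK_SIZE = 4096   # data unit size (constructed; a common ext3 block size)
NUM_BLOCKS = 64     # size of the constructed partition in blocks

# Constructed contents of the "deleted" file: plain C source, padded so that
# it spans several data units like a real source file would.
SOURCE_FILE = (
    b"/* hello.c - constructed sample for the recovery example */\n"
    b"#include <stdio.h>\n\nint main(void)\n{\n    puts(\"hello\");\n    return 0;\n}\n"
)
SOURCE_FILE += b"/* padding so the file spans several blocks */\n" * 200

FILE_FIRST_BLOCK = 10
FILE_NBLOCKS = -(-len(SOURCE_FILE) // BLOCK_SIZE)   # ceil division


def build_partition() -> Tuple[bytearray, Set[int]]:
    """Return (image, allocated_blocks). Blocks 0-9 hold deterministic binary
    junk, SOURCE_FILE starts at block 10, everything else is zero."""
    image = bytearray(NUM_BLOCKS * BLOCK_SIZE)
    allocated: Set[int] = set()
    for blk in range(10):
        start = blk * BLOCK_SIZE
        image[start:start + BLOCK_SIZE] = bytes(
            (blk * 37 + i * 11) & 0xFF for i in range(BLOCK_SIZE))
        allocated.add(blk)
    off = FILE_FIRST_BLOCK * BLOCK_SIZE
    image[off:off + len(SOURCE_FILE)] = SOURCE_FILE
    allocated.update(range(FILE_FIRST_BLOCK, FILE_FIRST_BLOCK + FILE_NBLOCKS))
    return image, allocated


def delete_file(allocated: Set[int], first: int, nblocks: int) -> None:
    """Simulate unlinking: the blocks are freed in the bitmap but their
    contents stay on disk, which is what makes block-level recovery work."""
    for blk in range(first, first + nblocks):
        allocated.discard(blk)


def download_blocks(image: bytes, start: int, stop: int,
                    allocated: Set[int], unallocated_only: bool = False) -> bytes:
    """Extract data units start..stop (inclusive in this model). With
    unallocated_only=True, blocks still in use are replaced by zeros so only
    freed (potentially deleted) content comes back."""
    if not 0 <= start <= stop < NUM_BLOCKS:
        raise ValueError("block range outside the partition")
    out = bytearray()
    for blk in range(start, stop + 1):
        chunk = image[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
        if unallocated_only and blk in allocated:
            chunk = bytes(BLOCK_SIZE)
        out += chunk
    return bytes(out)


# A run of at least 64 printable-ASCII bytes (tabs and newlines allowed).
PRINTABLE_RUN = re.compile(rb"[\t\n\r\x20-\x7e]{64,}")


def carve_text(data: bytes) -> List[str]:
    """Return the printable-text runs found in data; C and Java sources are
    pure text, so this is enough to spot them in a dump of freed blocks."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def find_blocks_containing(image: bytes, needle: bytes) -> List[int]:
    """Which data units contain needle? The block number is what a
    block-to-file lookup (like find_block on this list) would start from."""
    return [blk for blk in range(NUM_BLOCKS)
            if needle in image[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]]


def recover_deleted_sources(image: bytes, allocated: Set[int]) -> List[str]:
    """Dump every unallocated block of the partition and carve text from it."""
    raw = download_blocks(image, 0, NUM_BLOCKS - 1, allocated, unallocated_only=True)
    return carve_text(raw)


if __name__ == "__main__":
    image, allocated = build_partition()
    delete_file(allocated, FILE_FIRST_BLOCK, FILE_NBLOCKS)
    for text in recover_deleted_sources(image, allocated):
        print(text[:60])
```

Restricting the dump to unallocated blocks is the important part: on a live filesystem the same text may also exist in allocated blocks, and carving those would report files that were never deleted. A real image also needs the filesystem's block size and the partition offset taken from the superblock rather than constants.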
2016 Mar 29
3
[PATCH 0/2] rename icat API as download_inode
...same time I cleaned up a bit the code and improved its readability and code comments. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (2): rename icat API to download_inode updated download_inode tests daemon/sleuthkit.c | 79 ++++++++++++++++++++++------------------ generator/actions.ml | 6 ++- tests/tsk/Makefile.am | 2 +- tests/tsk/test-download-inode.sh | 53 +++++++++++++++++++++++++++ tests/tsk/test-icat.sh | 53 --------------------------- 5 files changed,...
2016 Sep 20
1
Re: [PATCH v2 1/3] New API: internal_find_block
...t; + TSK_DADDR_T blkaddr, char *buf, size_t size, > + TSK_FS_BLOCK_FLAG_ENUM flags, void *data) > +{ > + findblk_data *blkdata = (findblk_data *) data; > + > + if (blkaddr == blkdata->block) { > + blkdata->found = true; If I read the sleuthkit API docs, blkaddr will be meaningful only if flags contains TSK_FS_BLOCK_FLAG_RAW. Should attrwalk_callback check for it? Thanks, -- Pino Toscano
2005 Jun 04
1
Stupid --delete mistake
Hi, I've a nasty feeling I know the answer to this post, but I'm gonna ask and pray anyway :-) I just made a rather stupid commandline ordering error and managed to delete a whole load of data (mostly word files/some pics fwiw) with rsync -delete. I know, I'm an idiot (and a big one at that). To make matters worse this was off an ext3 partition, which from what I can find out
2016 Mar 07
4
[PATCH 0/3] added The Sleuth Kit and icat API for downloading inaccessible files
The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from them. http://www.sleuthkit.org/ The icat API allows downloading a file from a device given its metadata number (inode). It supports multiple filesystem types. The icat command allows access to otherwise unreachable files such as filesystem data structures and deleted files whose content is still partially or totally sto...
2016 Mar 07
0
Re: [PATCH 2/3] added icat API to retrieve deleted or inaccessible files
On 07/03/16 21:45, Richard W.M. Jones wrote: > Thanks, I have pushed this patch series. > > Could you consider changing: > >> + optional = Some "icat"; > I think it would be nice to have a single feature, and to call the > feature "sleuthkit" or "forensics" or something like that. We don't > need to have one feature per API since installation of a single > package (sleuthkit) is sufficient to make all the APIs available. This was something I was a bit confused about. For what I've got, libguestfs checks th...
2013 Nov 22
0
Re: Auditing a vm image - virt-diff - was: Read MBR and store in a file?
...l "idifference" compares file system states and enumerates differences, using the Digital Forensics XML output from Fiwalk. A research publication on the forensic differencing process and idifference is here: http://dfrws.org/2012/proceedings/DFRWS2012-6.pdf Fiwalk is a component of The SleuthKit, here: https://github.com/sleuthkit/sleuthkit If you wish to use Fiwalk on your images, you should convert any of your disk images to a raw image or Expert Witness Format. Actually, I don't suppose qemu-img has a FUSE-like wrapper that exposes the underlying image as a raw file? DFXML has an e...
2016 Mar 02
2
Libguestfs as filesystem forensic tool
...esponse in cloud environments. Libguestfs is a precious resource in this case as it allows abstracting the disk image internals and exposing them as mountable devices. Combined with some state-of-the-art tool such as The Sleuth Kit it would turn it into a pretty powerful forensic tool. http://www.sleuthkit.org/ I played around with some proof-of-concept and the idea seems to work. The question I'd like to ask is whether this feature would interest the libguestfs community or if I shall fork the project (libguestforensic?) and, if so, what is the preferable way to do it. Thank you.
2016 Oct 08
5
[PATCH v4 0/3] New API - find_block
...of COMPRESSED blocks, the callback will be called for all the attributes no matter whether they are on disk or not (sparse). In such cases, the block address will be 0. [2] So we do not have to enforce the blocks to be RAW as we would be missing COMPRESSED ones (NTFS only). [1] https://github.com/sleuthkit/sleuthkit/pull/721 [2] http://www.sleuthkit.org/sleuthkit/docs/api-docs/4.2/group__fslib.html#ga3ce8349107b00e1b1502c86a5d6c0727 Matteo Cafasso (3): New API: internal_find_block New API: find_block find_block: added API tests daemon/tsk.c | 96 ++++++++++++++++++++++++++++++...