teamdfir / sift

SIFT
MIT License

sleuthkit lacks ewf support #491

Closed ghb1912 closed 3 years ago

ghb1912 commented 3 years ago

It appears that sleuthkit was not built with libewf or much of anything else. On SIFT workstation, whether from the OVA or from scratch:

$ mmls -i list
Supported image format types:
    raw (Single or split raw file (dd))

and

$ ldd /usr/bin/mmls 
    linux-vdso.so.1 (0x00007fff96b9b000)
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f837aed2000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f837aae1000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f837b307000)

On generic Ubuntu installs, on the other hand, we have:

$ mmls -i list
Supported image format types:
    raw (Single or split raw file (dd))
    aff (Advanced Forensic Format)
    afd (AFF Multiple File)
    afm (AFF with external metadata)
    afflib (All AFFLIB image formats (including beta ones))
    ewf (Expert Witness Format (EnCase))

and

$ ldd /usr/bin/mmls | grep ewf
    libewf.so.2 => /lib/x86_64-linux-gnu/libewf.so.2 (0x00007fdb83887000)

Shouldn't sleuthkit support at least ewf?

ekristen commented 3 years ago

Please provide version details of host and of the sleuthkit package.

ghb1912 commented 3 years ago

Greetings -- my apologies for leaving out details. The following is from the downloaded OVA from https://digital-forensics.sans.org/community/downloads; however, I get identical results when I spin up a generic Ubuntu 18.04 VM and use sift CLI v1.9.2 to build my own:

sansforensics@siftworkstation: ~
$ mmls -i list
Supported image format types:
    raw (Single or split raw file (dd))
sansforensics@siftworkstation: ~
$ dpkg -l |grep sleuthkit
ii  sleuthkit                                     4.7.0-1ppa1~bionic                              amd64        Collection of command line tools that allow you to analyzing disk images
sansforensics@siftworkstation: ~
$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS"

Thank you.

ekristen commented 3 years ago

I recently found the cause of this. It’s not the SIFT version being installed; it comes from a repo we depend on, which seems to be compiled with very little.

I don’t have the command at the moment to install the right version.


ghb1912 commented 3 years ago

Ok. Thank you very much for checking and for the info.

ghb1912 commented 3 years ago

In case it helps others: a workaround that worked for me was to download the sleuthkit source and compile it myself. It's very straightforward. I just unpacked v.4.10.0 and did './configure --prefix=/usr/local; make; sudo make install'. Since /usr/local/bin is already ahead of /usr/bin in PATH, that's all I needed to do (SIFT's sleuthkit binaries are in /usr/bin, so this won't clobber them), other than log off/on. Result:

sansforensics@siftworkstation: ~
$ which mmls
/usr/local/bin/mmls
sansforensics@siftworkstation: ~
$ mmls -i list
Supported image format types:
    raw (Single or split raw file (dd))
    aff (Advanced Forensic Format)
    afd (AFF Multiple File)
    afm (AFF with external metadata)
    afflib (All AFFLIB image formats (including beta ones))
    ewf (Expert Witness Format (EnCase))
sansforensics@siftworkstation: ~
$ mmls -V
The Sleuth Kit ver 4.10.0

Cheers, and thanks again.
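A sanity check for the situation described in this issue, added here as an example (not part of the SIFT project or the original posts): parse `mmls -i list` output for the image formats a case needs, using the two outputs quoted above as samples, and run the same check against the live `mmls` if one is on PATH.

```shell
#!/bin/sh
# Added example: check a Sleuth Kit install for required image-format support
# by parsing "mmls -i list" output. Sample outputs are copied from the issue.

# Print the bare format names (first token of each indented line) from
# "mmls -i list" output read on stdin, one per line.
tsk_formats() {
    awk 'NR > 1 && /^[ \t]/ { print $1 }'
}

# Exit 0 if every required format ($2..) appears in the "mmls -i list"
# output passed as $1; otherwise report the missing ones and exit 1.
tsk_check_formats() {
    _list="$1"; shift
    _missing=""
    for _fmt in "$@"; do
        if ! printf '%s\n' "$_list" | tsk_formats | grep -qx "$_fmt"; then
            _missing="$_missing $_fmt"
        fi
    done
    [ -z "$_missing" ] && return 0
    echo "missing image format support:$_missing" >&2
    return 1
}

# Output seen on the SIFT OVA (from the issue): raw only.
SIFT_LIST='Supported image format types:
    raw (Single or split raw file (dd))'
# Output seen on a generic Ubuntu install (from the issue): ewf present.
UBUNTU_LIST='Supported image format types:
    raw (Single or split raw file (dd))
    aff (Advanced Forensic Format)
    afd (AFF Multiple File)
    afm (AFF with external metadata)
    afflib (All AFFLIB image formats (including beta ones))
    ewf (Expert Witness Format (EnCase))'

# If mmls is installed, check the binary PATH actually resolves to, since a
# /usr/local build shadows /usr/bin as described in the workaround above.
if command -v mmls >/dev/null 2>&1; then
    echo "using $(command -v mmls): $(mmls -V 2>&1)"
    tsk_check_formats "$(mmls -i list 2>&1)" raw ewf
fi
```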

ekristen commented 3 years ago

Thanks for the update. For you and everyone else: you definitely don't need to compile, but that's an option.

You can manually install the version that has support.

apt-get install sleuthkit=4.6.7-1sift1~bionic

OR

apt-get install sleuthkit=4.6.7-1sift1~focal

4.7.0 is being built right now, but I will look at bumping to 4.10.0 soonish.

ekristen commented 3 years ago

apt-get install sleuthkit=4.7.0-2ppa1~focal