
FTK: “Runtime error” on raw-image

  • Posted on January 11, 2011 at 23:07

Today we discovered some strange behavior of Forensic ToolKit opening a raw image.

We use different software to acquire evidence:

  1. rdd-copy (my favorite)
  2. FTK Imager
  3. Tableau IMager

Description
Fortunately we now only use uncompressed raw images*, and depending on the situation we create them with one of the tools mentioned above. For some strange reason FTK crashed immediately after adding a raw image made by rdd-copy. My colleague was so patient and eager to find the reason for this strange behavior that he acquired that same hard drive again, even though rdd-copy hadn’t reported any errors on the device! And this time he used Tableau IMager….

After all that was done, he added the raw image made by Tableau IMager to the case… And to our big surprise: it worked flawlessly! It got even stranger when we checked the hashes: the MD5s were the same! Go figure…

Cause
The extension! WTF! Our default choice for an evidence extension is .IMG (works pretty nicely with OS X), and this was causing the runtime error!

Remedy
We changed .IMG to .DMG, keeping the powerful functions of OS X available.
Everybody happy.

*If you want discussions about EnCase Evidencefiles again,
If you honestly really don’t know why not,
Or if you just want to make me mad,
Send an email to ‘whatssodamnhorribleaboutencaseevidencefiles@krujs.nl
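The lesson from the story above is that a tool's behaviour can depend on nothing more than the file extension, so any rename of an evidence file should be hash-checked before and after. The script below is an added example (not from the original post and not part of FTK, rdd-copy or Tableau IMager): it renames IMAGE.IMG to IMAGE.DMG without overwriting anything and confirms the MD5 is unchanged, and the same hash helper compares two acquisitions of one drive, as happened here with the rdd-copy and Tableau images. The file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: check that renaming a raw image
# from .IMG to .DMG changes nothing but the filename, by comparing MD5 hashes
# before and after (the same check shows two acquisitions to be identical).
# File names used here are constructed for illustration.

# Print the MD5 hex digest of a file. Uses md5sum (coreutils) where present,
# otherwise the BSD/OS X md5 tool.
image_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum -- "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 when two images hash identically, e.g. an rdd-copy acquisition
# and a Tableau acquisition of the same drive.
images_match() {
    [ "$(image_md5 "$1")" = "$(image_md5 "$2")" ]
}

# Rename IMAGE.IMG to IMAGE.DMG without overwriting anything, then verify the
# hash is unchanged. Prints "<md5>  <new path>" on success; returns 1 otherwise.
rename_img_to_dmg() {
    src=$1
    case "$src" in
        *.IMG|*.img) ;;
        *) echo "not a .IMG file: $src" >&2; return 1 ;;
    esac
    dst="${src%.*}.DMG"
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2
        return 1
    fi
    before=$(image_md5 "$src")
    mv -- "$src" "$dst"
    after=$(image_md5 "$dst")
    if [ "$before" != "$after" ]; then
        echo "hash mismatch after rename: $before != $after" >&2
        return 1
    fi
    printf '%s  %s\n' "$after" "$dst"
}
```

Usage: `rename_img_to_dmg /cases/1234/evidence.IMG` prints the hash and the new path, which can go straight into the case notes next to the acquisition hash; `images_match a.IMG b.DMG` gives a quick yes/no for two acquisitions of the same device.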

SABnzbd and Gentoo

  • Posted on January 11, 2011 at 01:15

Apparently the portage tree doesn’t contain SABnzbd. Too bad! I really needed a binary newsgroup downloader, and I did have some experience running it on my local machine, a MacPro. Wonderful app! Or tool, or server, or whatever…

But there I was, left alone, helpless and disillusioned…
What to do now?

Well, basically…… This!
(keep in mind, I’m using a PPC64)

Installing
Edit /etc/portage/package.keywords, and add:
# SABnzbd
dev-python/* **
app-arch/par2cmdline *

And now run (not specifically in this order):

# emerge dev-python/pysqlite
# emerge dev-python/cheetah
# emerge dev-python/pyopenssl
# emerge sqlite
# emerge par2cmdline
# emerge unrar

Download the SABnzbd-sources:

# wget http://sourceforge.net/projects/sabnzbdplus/files/sabnzbdplus/sabnzbd-0.5.6/SABnzbd-0.5.6-src.tar.gz

Unpack the downloaded SABnzbd archive into an appropriate directory,
cd into the newly made directory,
Edit /.sabnzbd/sabnzbd.ini, and change the host value ‘localhost’ to 0.0.0.0,
Now run SABnzbd.py and you can configure the rest of SABnzbd using your browser. (Ahhhhh….)

# ./SABnzbd.py

Security
Although this post isn’t about security, be aware that in this particular example SABnzbd is now running as root. And that ain’t necessary at all!

It is possible, and advised by me ;-), to create a sabnzbd user and run SABnzbd under that newly created sabnzbd account.
Naturally, you have to do some chowning of the SABnzbd directory. (Also of the .-directories, which are ignored by default by chown!)

Fun stuff
Furthermore, a tip for extra fun and carefree usage:
Create a SABnzbd-writeable directory /var/log/sabnzbd,
In the sabnzbd.ini in the ./sabnzbd dir: change the logdir (logs) to /var/log/sabnzbd

You are maybe asking yourself: “What’s the fun of that?”
Well, just take a look at xtail.pl, and you’ll find out!
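To tie the Security section and the log-dir tip together, here is an added example script (not from the original post and not SABnzbd's own code) that creates a dedicated account, chowns the install directory including its dot-directories, rewrites the `host` and `log_dir` entries in sabnzbd.ini and starts SABnzbd as that user. The account name, the install path /opt/sabnzbd, the `useradd` long options and the `log_dir` key name are assumptions; the post itself only says "logdir (logs)". The ini helpers are kept generic so they can be checked on a constructed file.

```shell
#!/bin/sh
# Added example, not from the original post: run SABnzbd under its own
# unprivileged account instead of root, fix ownership of the install directory
# (dot-directories included) and set the sabnzbd.ini values the post edits by
# hand. Paths, the account name and the "log_dir" key are assumptions, not the
# project's own defaults; override them via the environment.
SABNZBD_USER=${SABNZBD_USER:-sabnzbd}
SABNZBD_DIR=${SABNZBD_DIR:-/opt/sabnzbd}
SABNZBD_LOG_DIR=${SABNZBD_LOG_DIR:-/var/log/sabnzbd}

# Create a system account with no login shell (needs root; idempotent).
create_sabnzbd_user() {
    id "$SABNZBD_USER" >/dev/null 2>&1 && return 0
    useradd --system --home-dir "$SABNZBD_DIR" --shell /sbin/nologin "$SABNZBD_USER"
}

# Give USER ownership of DIR and everything below it. Recursing from the
# directory itself (rather than "chown user DIR/*") also covers .sabnzbd and
# other dot entries that a shell glob would skip.
fix_ownership() {
    chown -R "$2" "$1"
}

# Print every path below DIR that is NOT owned by USER; empty output means
# the chown is complete. Handy as a check after fix_ownership.
files_not_owned_by() {
    find "$1" ! -user "$2"
}

# Set "KEY = VALUE" in an .ini file, replacing the existing line in place
# (written via a temp file so it works with both GNU and BSD sed).
set_ini_value() {
    file=$1; key=$2; value=$3
    sed "s|^\([[:space:]]*$key[[:space:]]*=\).*|\1 $value|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Print the current value of KEY from an .ini file.
get_ini_value() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# Create the log directory the post suggests and point sabnzbd.ini at it.
setup_logging() {
    mkdir -p "$SABNZBD_LOG_DIR"
    chown "$SABNZBD_USER" "$SABNZBD_LOG_DIR"
    set_ini_value "$SABNZBD_DIR/.sabnzbd/sabnzbd.ini" log_dir "$SABNZBD_LOG_DIR"
}

# Start SABnzbd as the unprivileged user. Binding to 0.0.0.0 (as in the post)
# exposes the web UI on every interface; pass a LAN address instead if that
# is all you need.
start_sabnzbd() {
    bind_host=${1:-0.0.0.0}
    set_ini_value "$SABNZBD_DIR/.sabnzbd/sabnzbd.ini" host "$bind_host"
    su -s /bin/sh -c "cd '$SABNZBD_DIR' && ./SABnzbd.py" "$SABNZBD_USER"
}
```

Run as root once after unpacking the sources: `create_sabnzbd_user; fix_ownership "$SABNZBD_DIR" "$SABNZBD_USER"; setup_logging; start_sabnzbd 192.168.1.10`. `files_not_owned_by "$SABNZBD_DIR" "$SABNZBD_USER"` should print nothing afterwards; anything it lists is a path the daemon would not be able to write as the new user.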