Wednesday, December 15, 2010

Sleuthkit 3.2.0 on Ubuntu 10.10

Some time ago I wrote a short "how-to" on installing the Sleuthkit on Ubuntu. Recently I tried to install the latest Sleuthkit 3.2.0 on Ubuntu 10.10 (32-bit) and ran into a problem when compiling it. It took me some time to figure out how to get it working.

Step 1:

sudo apt-get install libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev uuid-dev libssl-dev

Step 2:

Download and extract afflib 3.6.4.
In a terminal, go to the extracted directory and run the usual
sudo make install

Step 3:

Download Sleuthkit 3.2.0 and extract it. Next I had to apply a quick fix by adding an LDFLAGS link option to file located inside the extracted sleuthkit-3.2.0 directory. Adding the following line, LDFLAGS="$LDFLAGS -lsqlite3 -lpthread -ldl", seems to fix the problem.

I then navigated to the sleuthkit-3.2.0 directory in a terminal and ran

sudo make install


Tuesday, December 7, 2010

iSCSI initiator on Win 7

F-Response (and Helix3 Pro) can both be handy for imaging over iSCSI. The Win 7 iSCSI initiator looks slightly different from the Win XP one.

Typing iscsicpl and hitting Enter brings up the initiator.

In the Discovery tab, press Discover Portal. This should open another window, Discover Target Portal. Enter the IP address and port (if not default) and click the Advanced button.

In the Advanced Settings window, mark Enable CHAP log on and enter the username and password as per the F-Response target configuration.

The target(s) should appear in the Discovery tab.

In the Targets tab there should be the drive with status indicated as Inactive.
Click the Connect button.

Another window will open and there will be an option to add this disk to favorite targets. It is up to you if you'd like to do that or not. Click the Advanced button.

The same procedure here: enable CHAP log on and enter the username and password.

The drive should be connected now.