Cygwin

nsbuck
(@nsbuck)
Posts: 91
Trusted Member
Topic starter
 

I am trying to compile Sleuthkit and I keep getting the following message when running the ‘Make’ command -

***No targets specified and no makefile found. Stop.

I am using Cygwin with Windows 8 64 bit & I’ve tried a number of options, such as installing – autoconf, automake, libtool, flex & bison

My aim is to fix or assign exfat partition to a Windows 7.5 file structure from a chip off extraction (phone was too badly damaged) so that I can use OS Forensics.

I can recover lost partitions with X-ways but can do anything else (ie. Export folder structure).
Help or a nod in the right direction (if I have deviated) would be much appreciated.

Regards,

NSB

 
Posted : 27/08/2015 3:03 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

My aim is to fix or assign exfat partition to a Windows 7.5 file structure from a chip off extraction (phone was too badly damaged) so that I can use OS Forensics.

What do you mean "assign"?
An exFAT partition has a "normal" 0x07 "protective ID" in the MBR.

You have just the volume/filesystem?
I.e. *something* whose first sector is the filesystem bootsector (or PBR or VBR)?
You can use IMDISK (or the corresponding OSforensics tool OFSmount)
http://www.ltr-data.se/opencode.html/
http://www.osforensics.com/tools/mount-disk-images.html
to mount the volume.
IMDISK has also the possibility to create a "new image" with a MBR added to it (though it has to be seen how it behaves in your case), but writing a partition table by hand is not that much of a problem, you only need the values in the bootsector
http://ntfs.com/exfat-boot-sector.htm
PartitionOffset and VolumeLength, and write them as LBA values (there is no need on modern NT systems for the CHS part) in a partition table entry.
Since you don't want to change anything in the image, you will need to create a file (that will become the "header" of the full image) the exact size in sectors of the PartitionOffset value.

Or what (EXACTLY) do you have as a result of the extraction (what are the contents of the first sector of the *whatever* you have)?
(you are talking of "recovering lost partitions in X-ways" and of course there won't be any if all you have is a volume)

jaclaz

 
Posted : 27/08/2015 3:25 pm
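The hand-written partition table described in the post above, as an added example that is not part of the original thread and not jaclaz's code. It assumes the standard exFAT boot sector layout (PartitionOffset at byte 64, VolumeLength at byte 72, BytesPerSectorShift at byte 108); the function names and the sample boot sector values are constructed for illustration.

```python
import struct
import sys

def read_exfat_geometry(vbr: bytes):
    """Return (PartitionOffset, VolumeLength, bytes per sector) from an exFAT boot sector."""
    if len(vbr) < 512 or vbr[3:11] != b"EXFAT   " or vbr[510:512] != b"\x55\xaa":
        raise ValueError("first sector is not an exFAT boot sector")
    partition_offset, volume_length = struct.unpack_from("<QQ", vbr, 64)
    return partition_offset, volume_length, 1 << vbr[108]  # 108 = BytesPerSectorShift

def build_header(vbr: bytes) -> bytes:
    """Build the 'header' file: sector 0 is an MBR, total size is PartitionOffset sectors."""
    offset, length, bps = read_exfat_geometry(vbr)
    if offset == 0:
        raise ValueError("PartitionOffset is 0 (not recorded); the offset must be chosen by hand")
    if offset > 0xFFFFFFFF or length > 0xFFFFFFFF:
        raise ValueError("values do not fit the 32-bit LBA fields of an MBR entry")
    # Entry layout: status, CHS start, type, CHS end, LBA start, sector count.
    # CHS fields are left zero, type is 0x07, both as stated in the post.
    entry = struct.pack("<B3sB3sII", 0x00, bytes(3), 0x07, bytes(3), offset, length)
    header = bytearray(offset * bps)
    header[446:462] = entry           # first of the four partition table slots
    header[510:512] = b"\x55\xaa"     # MBR signature
    return bytes(header)

def sample_vbr() -> bytes:
    """Constructed exFAT boot sector: offset 2048, length 100000 sectors, 512-byte sectors."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x76\x90"
    vbr[3:11] = b"EXFAT   "
    struct.pack_into("<QQ", vbr, 64, 2048, 100000)
    vbr[108] = 9
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)

if __name__ == "__main__":
    if len(sys.argv) == 3:            # usage: script.py volume.dd header.bin
        with open(sys.argv[1], "rb") as img:   # the volume image is only read
            hdr = build_header(img.read(512))
        with open(sys.argv[2], "wb") as out:
            out.write(hdr)
    else:
        hdr = build_header(sample_vbr())
    print("header size:", len(hdr), "bytes")
```

The header file is then placed in front of a copy of the volume image (for example `cat header.bin volume.dd > disk.dd`), so the original image stays unchanged.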
(@athulin)
Posts: 1156
Noble Member
 

I am trying to compile Sleuthkit and I keep getting the following message when running the ‘Make’ command -

***No targets specified and no makefile found. Stop.

You better believe it. If your current working directory does not contain a makefile (and you didn't specify a makefile of a different name), that's the message you get.

One reason for that could be that you haven't run 'configure', or that it failed (for example, the Java compiler may have failed, or not be present, or something else may be missing from your system).

The config.log is usually worth examining. Look for 'fatal error' or just 'error'.

 
Posted : 27/08/2015 9:52 pm
nsbuck
(@nsbuck)
Posts: 91
Trusted Member
Topic starter
 

You can use IMDISK (or the corresponding OSforensics tool OFSmount)

Thanks for your advice - unfortunately the computer wants to format the virtual drive, but useful tools when I get the file structure sorted - Thanks.

 
Posted : 28/08/2015 1:51 pm
nsbuck
(@nsbuck)
Posts: 91
Trusted Member
Topic starter
 

One reason for that could be that you haven't run 'configure', or that it failed (for example, the Java compiler may have failed, or not be present, or something else may be missing from your system).

The config.log is usually worth examining. Look for 'fatal error' or just 'error'.

Thanks for the tip. I have tried to configure and everything seems to work but nothing happens with the make command. As this is out of my comfort zone, I'm not sure if what I am doing is correct!! I guess I know what I'll be up to this weekend :-)

Can't find the config.log file - can you give me a hint where to locate it?

 
Posted : 28/08/2015 2:02 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Help or a nod in the right direction (if I have deviated) would be much appreciated.

Consider this as a nod in the (hopefully) right direction

Most probably you are falling for the XYZ issue 😯
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/put-down-the-chocolate-covered-banana.html

You are somehow convinced that once you will be able to compile the Sleuthkit it will magically fix any issue you are having, but while this might well be correct, it is unlikely, at least not until you will have diagnosed what the actual issue is.

Why can't you use the pre-compiled versions?
http://www.sleuthkit.org/autopsy/download.php
http://www.sleuthkit.org/sleuthkit/download.php

jaclaz

 
Posted : 28/08/2015 2:13 pm
nsbuck
(@nsbuck)
Posts: 91
Trusted Member
Topic starter
 

Consider this as a nod in the (hopefully) right direction

Most probably you are falling for the XYZ issue 😯
http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/put-down-the-chocolate-covered-banana.html

LOL - My goal is -

I have chip off data from a Windows 7 phone and the partitions should be Exfat with one FAT16, however the main partition is unknown. I have in the past fixed this but can't remember how I did it (& I can't locate my notes, yet & using a new computer!!).

My goal is to apply ExFat to this user partition and open the file in OS forensics so that I can work on the ESEDB file, phone & internet containers.

I can remember using scripting language similar to command prompts in Windows.

 
Posted : 28/08/2015 6:17 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

LOL - My goal is -

I have chip off data from a Windows 7 phone and the partitions should be Exfat with one FAT16, however the main partition is unknown. I have in the past fixed this but can't remember how I did it (& I can't locate my notes, yet & using a new computer!!).

My goal is to apply ExFat to this user partition and open the file in OS forensics so that I can work on the ESEDB file, phone & internet containers.

I can remember using scripting language similar to command prompts in Windows.

No. (in the sense that there is no such thing as a "main" partition and you do not "apply" ExFat to anything), most probably there is a misunderstanding in terminology.

What you have is either
1. a "whole device" image (and as such its first sector is a MBR and contains a partition table)
2. an image of a partition or volume (and as such its first sector is a bootsector or PBR or VBR)
3. *something else*

Then this image is either
a. readable "as is" (with common tools)
b. needing some repairs/changes

The expected result of a "proper" chip-off would be a 1.a, i.e. a normal, plain "hard disk" dd-like image.

From what you report it is case b. but nothing you posted till now allows to understand whether it is 1, 2 or 3.

It is rather simple to fix 1.b or 2.b (though the methods/tools for 1 vs. 2 are different), but a "direct chip off" is likely to have produced a 3, the EXACT, detailed way (and tools/methods involved) you created the image and the actual source (specific brand/model device) does matter.

jaclaz

 
Posted : 28/08/2015 6:45 pm
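The 1 / 2 / 3 distinction from the post above can be checked from the first sector alone. This is an added example, not part of the original thread: the function name, the returned wording and the sample sectors are constructed, and it relies only on the standard MBR layout (four 16-byte entries from byte 446) and the usual filesystem name fields in exFAT, NTFS and FAT boot sectors.

```python
import struct

def classify_first_sector(sec: bytes):
    """Return (case, detail): 1 = whole-device image, 2 = volume image, 3 = something else."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xaa":
        return 3, "no 55 AA signature at offset 510"
    # Look for a boot sector first: a VBR also ends in 55 AA, so the
    # signature alone does not tell an MBR from a volume boot sector.
    if sec[3:11] == b"EXFAT   ":
        return 2, "exFAT boot sector"
    if sec[3:11] == b"NTFS    ":
        return 2, "NTFS boot sector"
    # FAT type strings are informational, but good enough for triage.
    if sec[54:59] in (b"FAT12", b"FAT16") or sec[82:87] == b"FAT32":
        return 2, "FAT boot sector"
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sec, 446 + 16 * i)
        if status not in (0x00, 0x80):
            return 3, "55 AA present but partition entry %d has an invalid status byte" % i
        if ptype != 0 and count != 0:
            entries.append("type 0x%02X at LBA %d, %d sectors" % (ptype, lba, count))
    if entries:
        return 1, "MBR: " + "; ".join(entries)
    return 3, "55 AA present but partition table is empty"

def constructed_samples():
    """Constructed first sectors for the three cases (not taken from any real device)."""
    mbr = bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x00, 0x07, 2048, 100000)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(512)
    vbr[3:11] = b"EXFAT   "
    vbr[510:512] = b"\x55\xaa"
    return {"device": bytes(mbr), "volume": bytes(vbr), "other": bytes(512)}

if __name__ == "__main__":
    for name, sector in constructed_samples().items():
        print(name, classify_first_sector(sector))
```

On a real image, pass the first 512 bytes read from the file; case 3 is the one where the acquisition method and the exact device model need to be examined, as the post says.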
nsbuck
(@nsbuck)
Posts: 91
Trusted Member
Topic starter
 

I can see the store.vol file in autopsy but it is not in an interpretable manner. I've tried windows utilities tool to try and fix the file so that I can view it in OS forensics ESEDB viewer.

Has anyone had any success with opening a Windows 7 store.vol file?

So far I used testdisk to export the folder structure, autopsy has recovered internet files from the logical folder structure (for some reason, it does open from a dd dump using testdisk).

I'm currently working through the application list for social media files,

 
Posted : 03/09/2015 5:41 pm
(@athulin)
Posts: 1156
Noble Member
 

Cant find the config.log file - can you give me a hint where to locate it?

Default placement is in the same directory where you normally run configure.

 
Posted : 03/09/2015 6:33 pm