SystemIndex gthr logs
MissMari
(@missmari)
New Member

I have some .gthr log files that I need to read that are SystemIndex.gthr files from the Windows Indexing System in Windows Vista. According to the research I have done, there is a utility called gthrlog.vbs that Microsoft shipped with their OS as an 'unsupported' utility. It may have been in Windows 2000 and/or Windows Server 2003 and/or SharePoint Portal Server.

I installed a VMware session of Windows Server 2003 and could not find the file gthrlog.vbs.

Has anybody used this utility, or know where I can find it, or another way to view these files? You can open them in a text editor as they appear to be plain text, however, I believe some of the columns contain date and time fields that need to be converted.

For more information on the .gthr files

http://support.microsoft.com/kb/289653

Thanks!

Posted : 26/01/2011 3:31 am
jaclaz
(@jaclaz)
Community Legend

It seems like that .vbs is part of
SharePoint Portal Server 2001 CD-ROM
http://support.microsoft.com/kb/318468/en-us
I presume it is also on the 2003 and later versions
http://www.gridview.org/kb/Sharepoint_Portal_2001/This-article-contains-the-complete-text-of-the-ToolsHowTo-txt-file-that-is-located-in-the-Support-Tools-folder-of-the-Mi.aspx
But it should be on "SharePoint Portal Server 2003", NOT on "Windows Server 2003",
and most probably on Exchange Server
http://support.microsoft.com/kb/270058/en-us

But there is a New gthrlog.vbs utility, smartly named Ngthrlog.vbs
http://support.microsoft.com/kb/839857/en-us

Which you can ask MS support for.

jaclaz

Posted : 26/01/2011 1:53 pm
MissMari
(@missmari)
New Member

Thanks for the information. I did find research indicating the utility to be available on Exchange Server 2003

http://books.google.com/books?id=FT6B7_69D7IC&lpg=PA165&ots=_jNb1XApsy&dq=open%20.gthr%20file%20server%202003&pg=PA165#v=onepage&q&f=false

It seems I installed the Standard Edition of Server 2003 which does not include Exchange Server 2003.

Back to VMWare to install Small Business Server 2003 which includes Exchange….

Posted : 26/01/2011 9:31 pm
MissMari
(@missmari)
New Member

I was able to find the gthrlog.vbs in Exchange Server 2003, however, I don't think it was able to properly parse the SystemIndex.gthr file.

I am not too surprised by this as the documentation says the utility is used to read index files created by Exchange, or in the case of Ngthrlog.vbs, Microsoft Office SharePoint Portal Server. I was *hoping* that since they were both Microsoft created files and contained the same extension, this gthrlog.vbs utility would help….

These SystemIndex.gthr files when opened with a text editor contain paths to files that appear to have been indexed by Windows. The other fields I am interested in contain sets of numbers, which I am hoping might be file sizes or perhaps dates. Here is an example of an entry:

6ddfb305 1c81a80 c\Users\Public\filename.ext 80000005 0 0 1 4294967378 4580

Has anyone pulled any data from these files (other than the filename and paths)?

Posted : 27/01/2011 12:26 am
jaclaz
(@jaclaz)
Community Legend

Has anyone pulled any data from these files (other than the filename and paths)?

YES.
http://homepages.tesco.net/J.deBoynePollard/FGA/questions-with-yes-or-no-answers.html
twisted

Check this
http://forensicsfromthesausagefactory.blogspot.com/2010/07/gatherer-transaction-log-files-windows.html
wink

jaclaz

Posted : 28/01/2011 1:06 am
MissMari
(@missmari)
New Member

Has anyone pulled any data from these files (other than the filename and paths)?

YES.
http://homepages.tesco.net/J.deBoynePollard/FGA/questions-with-yes-or-no-answers.html
twisted

jaclaz

You guys make it very intimidating for anyone to post a question. Being new in this field and not having very many people to discuss issues with and worrying about getting berated does not make for a good place for open exchange…

PS- Thanks for the second link as that was very helpful

Posted : 28/01/2011 2:34 am
forensicakb
(@forensicakb)
Active Member

I fail to see how you were berated. You asked "Has anybody used this utility, or know where I can find it," both of which can be answered with yes or no. You then followed that up by asking "Has anyone pulled any data from these files (other than the filename and paths?)" which is also a yes or no question.

Jaclaz is a very helpful member, and offers FAR more help than most ppl do. With 5 posts it's hard to say that it's intimidating or that you're being berated.

A lot of times posters put things like "google that" or other things because the answer is very easy to find and they feel the OP didn't really look, but wanted an easy way out. Also, people phrase questions in certain manners so as to get the OP to examine how they asked their question. If your question is "has anyone ever used Encase before", you are going to get a ton of Yes answers, but if you say "has anyone used Encase PDE before, and what were your experiences with it as compared to other tools you use", then you open it up to getting an answer about Encase and you will probably get answers about other software the examiners use and what they think about it.

You have to have a bit thicker skin than to let something like yes no cause you to think you're being berated.

I can tell you the alternative is to go to another site (which I'm a member of and I love) where you register with your name and agency so that every question you ask is tracked with you and your peers very quickly get a grasp on your level of competency or lack thereof, AND you will at some point probably have posts by you made public in a depo, testimony, or talk of the town.

Sometimes replies are unpleasant; I don't really believe this is one of those times and if it is, I don't believe there were any problems meant by it.

Has anyone pulled any data from these files (other than the filename and paths)?

YES.
http://homepages.tesco.net/J.deBoynePollard/FGA/questions-with-yes-or-no-answers.html
twisted

jaclaz

You guys make it very intimidating for anyone to post a question. Being new in this field and not having very many people to discuss issues with and worrying about getting berated does not make for a good place for open exchange…

PS- Thanks for the second link as that was very helpful

Posted : 28/01/2011 10:56 am
Jamie
(@jamie)
Community Legend

C'mon guys/gals, let's move on from this type of thing can we?

@jaclaz - you know this is an ongoing issue in these forums and I don't really see that the first link is warranted in this context in any case. Sometimes less is more -)

@MissMari - forensicakb is right, jaclaz is indeed a very helpful member and I'm certain there's no malice intended here.

Let's get back to the (technical) issues…

Jamie

Posted : 28/01/2011 2:40 pm
jaclaz
(@jaclaz)
Community Legend

Sure D , it was only a (friendly, rest assured - that's what emoticons are for, to try and better convey the tone with which something is "said") way to hint that sometimes one should think a bit more about the way he/she asks a question, as the answer may be affected by the question asked.

It's a small - completely innocent - joke. )

The "bad" answer would have been just the "Yes" without the link to the page.

Here are two more references that I often use:
http://homepages.tesco.net/J.deBoynePollard/FGA/problem-report-standard-litany.html
http://homepages.tesco.net/J.deBoynePollard/FGA/put-down-the-chocolate-covered-banana.html

If you stay around technical boards a bit of time, you will see how recurring such issues happen.

BTW, I am still a "one and only" guy… wink

jaclaz

Posted : 28/01/2011 11:54 pm
Worcesterdee
(@worcesterdee)
New Member

MissMari,

I looked at gatherer-transaction-log-files as part of my MSc a few years ago, as did John Douglas of QCC Forensics.

There was a post on the forensics from the sausage factory blog on the logs Gatherer Log Files

You will also see that the artefacts were first identified by Barrie Stewart in his dissertation Barrie Stewart Dissertation

You will see in the post that there is an EnScript to parse the Log Files, although the meanings of the various Windows File Times haven't been definitively identified, although I managed to ascertain the provenance of a few of them.

Jim

Posted : 02/02/2011 5:06 pm
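The thread leaves two things open: MissMari's question of whether the numeric columns in an entry such as `6ddfb305 1c81a80 c\Users\Public\filename.ext 80000005 0 0 1 4294967378 4580` are sizes or dates, and Worcesterdee's note that the Windows File Times in these logs have not been definitively identified. The script below is an added example, not code from the thread, from the EnScript mentioned above, or from any Microsoft tool. It tests one hypothesis only, labelled as such in the code: that two adjacent 32-bit hex fields might be the low and high halves of a Windows FILETIME. Converting both orderings and checking whether the result lands in a plausible date window for the evidence is the usual way an examiner supports or rejects such a reading before trusting it. The sample line is constructed to match the shape of the quoted entry (a colon added after the drive letter); the six-trailing-fields layout, the path-may-contain-spaces handling and the date window are assumptions.

```python
"""Sanity-check candidate FILETIME fields in a SystemIndex.gthr log line.

Added example: not code from the thread or from any Microsoft utility, and the
thread does not establish what the columns mean. The single hypothesis tested
here is that a pair of adjacent 32-bit hex fields could be the low and high
halves of a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
"""
from datetime import datetime, timedelta, timezone

# Constructed sample line, shaped like the entry quoted in the thread.
# The path and numbers are illustrative, not evidence from a real system.
SAMPLE_LINE = (
    "6ddfb305 1c81a80 c:\\Users\\Public\\filename.ext "
    "80000005 0 0 1 4294967378 4580"
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LEADING_FIELDS = 2   # assumption taken from the sample's layout
TRAILING_FIELDS = 6  # assumption taken from the sample's layout


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime.

    Returns None when the value is negative or beyond datetime's range; an
    out-of-range result is the usual sign that the candidate is not a FILETIME.
    """
    if ft < 0:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None


def parse_gthr_line(line):
    """Split one line into leading hex tokens, the path, and trailing numeric tokens.

    Assumes the sample's shape: LEADING_FIELDS hex tokens, then a path (which may
    contain spaces, so everything between the leading and trailing groups is
    rejoined), then TRAILING_FIELDS numeric tokens.
    """
    tokens = line.split()
    if len(tokens) < LEADING_FIELDS + 1 + TRAILING_FIELDS:
        raise ValueError("line has fewer fields than the assumed layout")
    return {
        "leading": tokens[:LEADING_FIELDS],
        "path": " ".join(tokens[LEADING_FIELDS:-TRAILING_FIELDS]),
        "trailing": tokens[-TRAILING_FIELDS:],
    }


def candidate_filetimes(hex_tokens, earliest=1995, latest=2030):
    """Try each adjacent pair of hex tokens as (low, high) and (high, low) halves.

    Returns a list of (order, datetime_or_None, plausible) tuples so the examiner
    can see which reading, if any, falls inside the window expected for the case.
    The window itself is an analyst-chosen assumption, not a property of the log.
    """
    values = [int(t, 16) & 0xFFFFFFFF for t in hex_tokens]
    results = []
    for i in range(len(values) - 1):
        a, b = values[i], values[i + 1]
        for order, lo, hi in (("low,high", a, b), ("high,low", b, a)):
            dt = filetime_to_datetime((hi << 32) | lo)
            plausible = dt is not None and earliest <= dt.year <= latest
            results.append((order, dt, plausible))
    return results


def analyse_line(line):
    """Parse a line and attach the FILETIME candidates for its leading hex fields."""
    fields = parse_gthr_line(line)
    fields["filetime_candidates"] = candidate_filetimes(fields["leading"])
    return fields


if __name__ == "__main__":
    result = analyse_line(SAMPLE_LINE)
    print("path:", result["path"])
    print("trailing numeric fields:", result["trailing"])
    for order, dt, plausible in result["filetime_candidates"]:
        print(f"{order:9s} -> {dt}  plausible={plausible}")
```

For the constructed sample the low,high reading of the first two fields converts to a date in late October 2007 (a Vista-era value), while the high,low reading overflows and is rejected. That is consistent with the FILETIME hypothesis for that pair but does not prove it; confirming a column's meaning still requires correlating against known file system timestamps from the same image, which is the kind of work Worcesterdee describes.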