Re: [sleuthkit-users] What's the difference between foremost and manual extraction using dd and sle
From: Michael H. <lin...@gm...> - 2006-06-13 21:11:18
Have you used icat to carve the file using the inode, which if I read correctly is 22? Do the hashes match then?

On 6/13/06, Jelle S. <fo...@em...> wrote:
>
> Hi list,
>
> I'm running some tests on an image with foremost and dd and I bumped upon
> this which I can't really explain:
>
> #istat floppy1.001 22
>
> Directory Entry: 22
> Allocated
> File Attributes: File, Archive
> Size: 51712
> Name: REPORT~1.DOC
>
> Directory Entry Times:
> Written: Thu Apr 27 17:56:34 2006
> Accessed: Wed May 24 00:00:00 2006
> Created: Wed May 24 09:21:08 2006
>
> Sectors:
> 33 34 35 36 37 38 39 40
> 41 42 43 44 45 46 47 48
> 49 50 51 52 53 54 55 56
> 57 58 59 60 61 62 63 64
> 65 66 67 68 69 70 71 72
> 73 74 75 76 77 78 79 80
> 81 82 83 84 85 86 87 88
> 89 90 91 92 93 94 95 96
> 97 98 99 100 101 102 103 104
> 105 106 107 108 109 110 111 112
> 113 114 115 116 117 118 119 120
> 121 122 123 124 125 126 127 128
> 129 130 131 132 133
>
> Given this information we do 133-33+1= 101 and use this for the count
> parameter.
>
> #dd if=../../floppy1.001 of=./test_recovery-1.doc skip=33 count=101
> #md5sum test_recovery-1.doc
> 9a1715b9b66de7839d8010496d027c05 test_recovery-1.doc
>
> When using foremost to carve through this image a .doc file is found.
> The foremost audit.txt file contains this information:
>
> Foremost version 1.2 by Jesse Kornblum, Kris Kendall, and Nick Mikus
> Audit File
>
> Foremost started at Thu Jun 1 20:07:09 2006
> Invocation: /usr/local/bin/foremost -t all -i floppy1.001
> Output directory: /home/jelle/forensics/output
> Configuration file: /usr/local/etc/foremost.conf
>
> ------------------------------------------------------------------
> File: floppy1.001
> Start: Thu Jun 1 20:07:09 2006
> Length: 1 MB (1474560 bytes)
>
> Num Name (bs=512) Size File Offset Comment
>
> 0: 33.doc 51 KB 16896
> 1: 190.doc 80 KB 97280
> 2: 253.png 15 KB 129607 (800 x 600)
> 3: 285.png 13 KB 146153 (800 x 600)
> Finish: Thu Jun 1 20:07:09 2006
>
> 4 FILES EXTRACTED
> ole:= 2
> png:= 2
>
> ------------------------------------------------------------------
>
> Foremost finished at Thu Jun 1 20:07:09 2006
>
> When I check the MD5 sum of file 33.doc I get:
> aa7f9b9be2ca9be17a668eb00e2ea209 00000033.doc
>
> This means the 2 files we're talking about aren't the same.
> While I'm pretty sure they should be the same!
> Even better:
>
> dd if=../../floppy1.001 of=./test_recovery-2.doc skip=33 count=103
> When I check the MD5 sum of the file test_recovery-2.doc I get:
> aa7f9b9be2ca9be17a668eb00e2ea209 est_recovery-2.doc
>
> Which is the same hash as the file foremost has recovered!
>
> Now my question is:
>
> Why do I need to count 103 sectors? Shouldn't I, based upon the output of
> the istat command, only count 101 sectors?
> quid?
>
> Thanks in advance,
>
> Jelle S.

--
Ave caesar! Morituri te salutamus
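An added example, not code from the thread or from The Sleuth Kit, of the check this exchange is about: turn an istat sector list into dd skip/count (refusing a fragmented run, where skip/count would be wrong), then hash the exact 101-sector dd carve, an over-long 103-sector carve like the one in the question, and an icat-style extraction cut at the logical size. The image, the file body and the istat text are all constructed here; only the numbers (entry 22, 51712 bytes, sectors 33..133, 1474560-byte floppy) come from the thread.

```python
import hashlib
import re
SECTOR = 512  # dd's default block size and the unit of istat's sector numbers

# Constructed stand-in for the istat output quoted in the thread (directory entry 22):
# logical size 51712 bytes, allocated in sectors 33..133.
ISTAT_OUTPUT = ("Directory Entry: 22\nAllocated\nSize: 51712\nName: REPORT~1.DOC\n"
                "Sectors:\n" + " ".join(str(s) for s in range(33, 134)) + "\n")
def md5(data):
    return hashlib.md5(data).hexdigest()

def parse_istat(text):
    """Return (logical size, sector list) from istat's text output."""
    size = int(re.search(r"^Size:\s*(\d+)", text, re.M).group(1))
    sectors = [int(s) for s in text.split("Sectors:", 1)[1].split()]
    return size, sectors

def dd_params(sectors):
    """skip/count for dd (last - first + 1); valid only for a contiguous run."""
    first = sectors[0]
    if sectors != list(range(first, first + len(sectors))):
        raise ValueError("fragmented run: dd skip/count would carve the wrong bytes")
    return first, len(sectors)

def carve_dd(image, skip, count):
    """Mimic `dd if=image skip=<skip> count=<count>` with 512-byte blocks."""
    return image[skip * SECTOR:(skip + count) * SECTOR]

def carve_logical(image, sectors, size):
    """Mimic icat: concatenate the allocated sectors, then cut at the logical size."""
    return b"".join(image[s * SECTOR:(s + 1) * SECTOR] for s in sectors)[:size]

def build_image():
    """Constructed floppy image: 51712-byte body at sector 33, junk in sectors 134-135."""
    image = bytearray(1474560)
    image[33 * SECTOR:33 * SECTOR + 51712] = bytes((i * 7) % 256 for i in range(51712))
    image[134 * SECTOR:136 * SECTOR] = b"\xab" * (2 * SECTOR)
    return bytes(image)

def compare_carves(image, istat_text, extra_sectors=2):
    """Hash the exact dd carve, an over-long carve (the thread's 103-sector case),
    the icat-style extraction, and the over-long carve cut to the logical size."""
    size, sectors = parse_istat(istat_text)
    skip, count = dd_params(sectors)
    exact = carve_dd(image, skip, count)
    longer = carve_dd(image, skip, count + extra_sectors)
    return {"skip": skip, "count": count, "size_sectors": -(-size // SECTOR),
            "dd_exact": md5(exact), "dd_longer": md5(longer),
            "icat_like": md5(carve_logical(image, sectors, size)),
            "longer_truncated": md5(longer[:size])}
```

When the over-long carve truncated to the logical size hashes the same as the icat-style extraction, the two carves differ only in trailing bytes past the file's logical end.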