Re: [sleuthkit-users] Question about sorter: speed
From: Simson G. <si...@ac...> - 2008-06-25 15:13:14
Much of my research at the Naval Postgraduate School is on building a large-scale automated computer forensic system. One of the first parts of this is "fiwalk," a program that uses the SleuthKit programmer's interface and builds a large XML, ASCII, or ARFF file that includes metadata for all of the files, deleted files, and orphan files. There is a plug-in system for metadata extractors. The goal is to have an automated forensic reporting system. I've had a bunch of students building parts of this. I'll post more details if people are interested.

On Jun 25, 2008, at 8:01 AM, Mark Stam wrote:

> I (as LE) think sorter has a lot of possibilities and I hope it's possible to make it faster.
> Thanks Simson for your reply.
>
> Mark
>
> 2008/6/25 Simson Garfinkel <si...@ac...>:
> Hi, Brian. I wasn't aware that this was on the list.
>
> I could rewrite sorter in C pretty easily. Alternatively, we could move to a new XML-based architecture (possibly using something like fiwalk). What do you think?
>
> On Jun 25, 2008, at 5:22 AM, Brian Carrier wrote:
>
> Hi Mark,
>
> The best way to speed up sorter is if it were to be rewritten in something besides Perl. sorter is a script that runs various command line tools. Each command line tool has a certain amount of overhead every time it is run. If sorter were written as a C/C++ program, then the overhead would happen only once (instead of thousands of times). I'll add that to the list of projects that people could undertake.
>
> brian
>
> On Jun 25, 2008, at 3:29 AM, Mark Stam wrote:
>
> The last couple of days I'm working with sorter.
> I think the concept is great, but I feel sorter is very, very slow (it lasts for days and days before sorter is ready finding all relevant data).
> Is it possible to make sorter faster?
>
> My command:
>
> $ ./sorter -o 63 -d c:/temp/sorted -C /usr/local/share/tsk/sorter/images.sort -U -s /dev/sda
>
> (I use Cygwin)
>
> Mark
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org