Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Simson G. <si...@ac...> - 2009-11-22 18:35:35
On Nov 21, 2009, at 11:00 AM, Al Grant wrote:

> Sure I would love it thanks Simson.
>
> I still however want to do it the manual way a few times first, else there
> is no learning :-)

Al,

I would politely disagree with this statement. I do not think that there is much value in everyone's learning the low-level details of SleuthKit, just as there is no reason to learn the low-level details of assembly language or RTL (resistor transistor logic). Forensics is so complicated that people must specialize --- there is simply too much to learn.

We need higher-level tools for creating forensic tools, so that it is easier to automate tasks and pass along each other's knowledge. Guidance Software's scripting language (escript) is a good first step. Unfortunately, the language is quite inefficient, poorly documented outside of the company's manuals (which are not freely available), and the only implementation is inside EnCase.

The main problem with EnCase is that, as a GUI application, it is hard to use in a forensics pipeline. Because it only runs from a Windows GUI, you can't use EnCase on a cluster, even if you have thousands of disk images that you want to analyze in parallel.

Simson