[sleuthkit-users] Splitting keywords across cluster boundaries?
From: Brent D. <bre...@te...> - 2002-07-23 21:41:40
Hello, (primarily Brian since no one else is signed up yet probably)

I'm thinking about the fundamental way I'm going about doing a keyword search. I'm using autopsy/task to do the searches (well - the same commands). I'm getting the strings output of the entire image with decimal offsets (strings -a -t d <image>). This is on a large image with most of the image being free space. It's FAT. I'm using the resulting strings file to do searches against for keywords.

My question being: What if a keyword fell across a cluster boundary? Example: I'm searching for "Forensics Investigator" and it just so happens that "Forensics" is on a different cluster than "Investigator" - the current method would not catch this.

First - should I even worry about this?

Second - I could make my search strings redundant (Have a "Forensics Investigator" and an "Investigator" or "Investigat" or something).

Third - the surefire method - mount the image read-only, recurse through, and strings each file - recover deleted files and strings each of them as well.

Thoughts?

Brent Deterding
GSEC, GCFW, GCIA, GCIH, RHCE
Security Engineer
TechGuard Security
E-Mail: bre...@te...
Phone: (636) 519-4848
"NOTE: EMAIL IS NOT NECESSARILY SECURE"

NOTICE: This communication may contain privileged or other confidential information. If you are not the intended recipient or believe that you may have received this communication in error, please reply to the sender indicating that fact and delete the copy you have received. In addition, you should not print, copy, retransmit, disseminate or otherwise use the information."
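The cluster-boundary case raised in this message, as an added example that is not part of the original post: a constructed image with an assumed 512-byte cluster size holds one file in clusters 2 and 5, and is searched by a linear scan, by following the file's cluster chain, and by pairing cluster tails with cluster heads when no chain is known. The function names, the image layout and the `min_part` threshold are assumptions made for the illustration.

```python
CLUSTER = 512  # assumed cluster size of the constructed image
KEYWORD = b"Forensics Investigator"

def build_image():
    """Constructed 8-cluster image: one file stored in clusters 2 then 5,
    with "Forensics" ending cluster 2 and " Investigator" starting cluster 5."""
    data = b"A" * (CLUSTER - 9) + KEYWORD + b"B" * 100
    data = data.ljust(2 * CLUSTER, b"\x00")
    image = bytearray(8 * CLUSTER)
    image[2 * CLUSTER:3 * CLUSTER] = data[:CLUSTER]
    image[5 * CLUSTER:6 * CLUSTER] = data[CLUSTER:]
    return bytes(image), [2, 5]

def raw_search(image, keyword):
    """Linear scan in on-disk order, like searching `strings -a -t d` output."""
    hits, pos = [], image.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = image.find(keyword, pos + 1)
    return hits

def chain_search(image, chain, keyword):
    """Search the file reassembled in chain order; return the image offset
    at which each hit begins."""
    blob = b"".join(image[c * CLUSTER:(c + 1) * CLUSTER] for c in chain)
    hits = []
    for pos in raw_search(blob, keyword):
        idx, off = divmod(pos, CLUSTER)
        hits.append(chain[idx] * CLUSTER + off)
    return hits

def boundary_candidates(image, keyword, min_part=3):
    """No chain available (e.g. free space): report (tail_cluster,
    head_cluster, split) where one cluster ends with keyword[:split] and
    another begins with keyword[split:]. Parts shorter than min_part are
    skipped because they match too much unrelated data."""
    clusters = [image[i:i + CLUSTER] for i in range(0, len(image), CLUSTER)]
    pairs = []
    for k in range(min_part, len(keyword) - min_part + 1):
        tails = [c for c, b in enumerate(clusters) if b.endswith(keyword[:k])]
        heads = [c for c, b in enumerate(clusters) if b.startswith(keyword[k:])]
        pairs += [(t, h, k) for t in tails for h in heads if t != h]
    return pairs

if __name__ == "__main__":
    image, chain = build_image()
    print("raw scan:        ", raw_search(image, KEYWORD))
    print("chain order:     ", chain_search(image, chain, KEYWORD))
    print("boundary pairing:", boundary_candidates(image, KEYWORD))
```

Each pair returned by `boundary_candidates` is only a candidate: nothing in the image proves the two clusters belonged to the same file, so every hit still needs manual review.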