Re: [sleuthkit-users] Question regarding keyword search
From: Brian C. <bca...@at...> - 2003-03-11 05:28:36

> I'm searching a drive for a keyword "Linda".
>
> It returns 143 hits, all listed like this::
>
> 438592 (Hex - Ascii)
> offset 419 bytes

The 438592 is the data unit address that contains the keyword. You can also view this via the 'Data Unit' interface. The 419 means that the string is 419 bytes into the data unit.

> However, some of these show data and some do not.
> Example I could have another hit that has a size of 419 bytes
> and when I click on the Ascii link, all I get is:
>
> Error identifying block size (dcat -s output)
>
> How can I see what's there?

That is strange. Can you edit the 'autopsyfunc.pm' file and add the following:

    print "$dcat_out\n";

after line 8148:

    print "Error identifying block size (dcat -s output)\n";

So, you should have:

    print "Error identifying block size (dcat -s output)\n";
    print "$dcat_out\n";
    exit(1);

Restart Autopsy and try the search again.

What are you searching? Is it a live device or a dead image? What file system type? Is it just the unallocated space or all of the partition? Did you make a strings file?

What happens when you enter the address from the Data Unit mode? Is the message in the top half, the bottom half, or both halves of the right-side of the screen? Does the link always generate the error, or just sometimes? Does it happen for both Ascii and Hex mode?

thanks,
brian