RE: [sleuthkit-users] Question regarding keyword search
From: Eagle I. S. <in...@ea...> - 2003-03-11 14:53:29
Brian,

Sorry for not giving more details. I am searching a dead image, FAT32, WIN95, 6 Gigs, single partition. It's a wrongful death case and I'm searching for conversations between a daughter and her deceased father, about his doctor, named "Linda".

>> Is it just the unallocated space or all of the partition?

As far as I can tell, I'm searching the entire partition. The page is titled "Keyword search on images/hdb1" - which is the name of the image. I left the defaults with regard to Strings file etc. However, when I unchecked the MD5 options, in an effort to speed searching, I got the same error in the LHS frame: "Error identifying block size (dcat -s output)", and of course no results.

No, I repeated the search for Linda, and got a different result but still a blank ascii data page. The message was:

ASCII Contents of Sector 1205162 (512 bytes) in images/hdb1

and that was all that was displayed. I clicked on the Hex tab and it displayed the data in that sector. When I clicked on the Ascii tab after that the ASCII characters were displayed. Could this be a browser problem? I'm using Konqueror 3.03 (using KDE 3.03).

Another anomaly, I've found that clicking the Ascii link several times eventually (sometimes 2, sometimes 4 clicks) brings up the data.

I have not edited the files you referred to as of yet.

Regards,
Niall.

-----Original Message-----
From: Brian Carrier [mailto:bca...@at...]
Sent: Tuesday, March 11, 2003 12:27 AM
To: Eagle Investigative Services
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Question regarding keyword search

> I'm searching a drive for a keyword "Linda".
>
> It returns 143 hits, all listed like this:
>
> 438592 (Hex - Ascii)
> offset 419 bytes

The 438592 is the data unit address that contains the keyword. You can also view this via the 'Data Unit' interface. The 419 means that the string is 419 bytes into the data unit.

> However, some of these show data and some do not.
> Example I could have another hit that has a size of 419 bytes
> and when I click on the Ascii link, all I get is:
>
> Error identifying block size (dcat -s output)
>
> How can I see what's there?

That is strange. Can you edit the 'autopsyfunc.pm' file and add the following:

print "$dcat_out\n";

after line 8148:

print "Error identifying block size (dcat -s output)\n";

So, you should have:

print "Error identifying block size (dcat -s output)\n";
print "$dcat_out\n";
exit(1);

Restart Autopsy and try the search again.

What are you searching? Is it a live device or a dead image? What file system type? Is it just the unallocated space or all of the partition? Did you make a strings file? What happens when you enter the address from the Data Unit mode? Is the message in the top half, the bottom half, or both halves of the right side of the screen? Does the link always generate the error, or just sometimes? Does it happen for both Ascii and Hex mode?

thanks,
brian
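As an added illustration of the hit format Brian describes above (a data unit address plus the string's offset into that unit), and not code from Autopsy or from either poster: the mapping from the byte offsets in a `strings -t d` listing to data units. The strings listing is constructed, the 512-byte unit size matches the "Sector ... (512 bytes)" message in the thread and is passed explicitly, and the offset reported is that of the string's start, as Brian's wording states.

```python
"""Map keyword hits in a `strings -t d` listing to data-unit addresses.

Added example for this thread, not Autopsy's own code. The data unit is the
string's byte offset divided by the block size (the value `dcat -s` reports);
the remainder is the offset of the string within that unit. An unusable block
size is the failure mode behind the "Error identifying block size" message.
"""
import re

# Constructed sample of `strings -t d` output: decimal byte offset, then text.
SAMPLE_STRINGS = """\
224559523 Linda, did Dad get the results?
617043044 Dr. Linda said to come back Tuesday
    20000 Unrelated text
"""

STRINGS_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")


def parse_strings_file(text):
    """Yield (byte_offset, string) pairs from `strings -t d` output."""
    for line in text.splitlines():
        m = STRINGS_LINE.match(line)
        if m:
            yield int(m.group(1)), m.group(2)


def locate_hits(text, keyword, block_size):
    """Return [(data_unit, offset_in_unit, string)] for strings containing keyword.

    Raises ValueError when block_size cannot be used, mirroring the condition
    that produces Autopsy's "Error identifying block size (dcat -s output)".
    """
    if not isinstance(block_size, int) or block_size <= 0:
        raise ValueError("cannot identify block size")
    hits = []
    for byte_off, s in parse_strings_file(text):
        if keyword in s:
            # Integer division selects the unit; the remainder is how far
            # into that unit the string begins.
            hits.append((byte_off // block_size, byte_off % block_size, s))
    return hits


def format_hit(unit, offset):
    """Render a hit the way the thread shows it: '438592 (Hex - Ascii) offset 419 bytes'."""
    return f"{unit} (Hex - Ascii) offset {offset} bytes"


if __name__ == "__main__":
    for unit, off, s in locate_hits(SAMPLE_STRINGS, "Linda", 512):
        print(format_hit(unit, off), "->", s)
```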