RE: [sleuthkit-users] Question regarding keyword search

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Brian,

Sorry for not giving more details.

I am searching a dead image, FAT32, WIN95, 6 Gigs. single partition.

It's a wrongful death case and I'm searching for conversations between
a daughter and her deceased father, about his doctor, named "Linda".

>> Is it just the unallocated space or all of the
>>partition?

As far as I can tell, I'm searching the entire partition. The page is
titled "Keyword search on images/hdb1 - which is the name of the
image.

I left the defaults with regard to Strings file etc. However, when I
unchecked
the MD5 options, in an effort to speed searching, I got the same error in
the
LHS frame : "Error identifying block size (dcat -s output)", and of course
no results.

No, I repeated the search for Linda, and got a different result but still
a blank ascii data page. The message was :

ASII Contents of Sector 1205162 (512 bytes) in images/hdb1

and that was all that was displayed.

I clicked on the Hex tab and it displayed the data in that sector.

When I clicked on the Ascii tab after that the ASCII characters were
displayed.

Could this be a browser problem? I'm using Konqueror 3.03 (using KDE 3.03)

Another anomaly, I've found that clicking the Ascii link several times
eventually (sometimes
2, sometimes 4 clicks) brings up the data.

I have not edited the files you referred to as of yet.

Regards,

Niall.

-----Original Message-----
From: Brian Carrier [mailto:bca...@at...]
Sent: Tuesday, March 11, 2003 12:27 AM
To: Eagle Investigative Services
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Question regarding keyword search

> I'm searching a drive for a keyword "Linda".
>
> It returns 143 hits, all listed like this::
>
>   438592 (Hex - Ascii)
>     offset 419 bytes

The 438592 is the data unit address that contains the keyword.  You can
also view this via the 'Data Unit' interface.  The 419 means that the
string is 419 bytes into the data unit.

> However, some of these show data and some do not.
> Example I could have another hit that has a size of 419 bytes
> and when I click on the Ascii link, all I get is:
>
> Error identifying block size (dcat -s output)
>
> How can I see what's there?

That is strange.  Can you edit the 'autopsyfunc.pm' file and add the
following:

		print "$dcat_out\n";

after line 8148:
		print "Error identifying block size (dcat -s output)\n";

So, you should have:

		print "Error identifying block size (dcat -s output)\n";
		print "$dcat_out\n";
		exit(1);

Restart Autopsy and try the search again.

What are you searching?  Is it a live device or a dead image?  What
file system type?  Is it just the unallocated space or all of the
partition?  Did you make a strings file?

What happens when you enter the address from the Data Unit mode?  Is
the message in the top half, the bottom half, or both halves of the
right-side of the screen?  Does the link always generate the error, or
just sometimes?  Does it happen for both Ascii and Hex mode?

thanks,
brian