Re: [sleuthkit-users] Refining keyword searches
From: Brian C. <bca...@at...> - 2003-03-17 04:16:11
On Sat, Mar 15, 2003 at 09:51:58PM -0000, Silent Partner wrote:
> Quoting: "Brian Carrier"
> > Your best bet would be to mount the image in loopback and run a grep
> > script. I have no clue exactly what it would be though. It would look
> > something like this for one keyword:
>
> Task/Autopsy have information regarding hidden / deleted files. When it works
> with images, does it undelete such files into the image so that they are
> available for manual searching if the image is mounted in loopback?

No! That would be very bad since it would modify the image and any
integrity checks would fail. TASK isn't an automated file recovery tool
yet. It gives you all the information about where stuff is on the disk,
but in general it requires manual recovery.

brian
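
Added example, not part of the original message and not TASK/Autopsy code: a keyword search over the raw image file itself, opened read-only, with the image hashed before and after so the integrity check discussed above still holds. The function names and the chunk size are assumptions made for this illustration.

```python
import hashlib
import sys

CHUNK = 1 << 20  # read size in bytes (assumption; any positive value works)

def sha256_file(path, chunk=CHUNK):
    """Hash the image in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:  # "rb": read-only, the image is never written
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def search_image(path, keyword, chunk=CHUNK):
    """Return every byte offset of `keyword` (bytes) in the raw image.

    Every sector is scanned, allocated or not, so content of deleted files
    that is still on disk is matched as long as it is stored contiguously.
    """
    if not keyword:
        raise ValueError("keyword must not be empty")
    keep = len(keyword) - 1        # bytes carried over to catch boundary hits
    hits, tail, base = [], b"", 0  # base = image offset of buf[0]
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            buf = tail + block
            i = buf.find(keyword)
            while i != -1:
                hits.append(base + i)
                i = buf.find(keyword, i + 1)
            tail = buf[-keep:] if keep else b""
            base += len(buf) - len(tail)
    return hits

def verified_search(path, keyword, chunk=CHUNK):
    """Search, and fail loudly if the image hash differs afterwards."""
    before = sha256_file(path, chunk)
    hits = search_image(path, keyword, chunk)
    if sha256_file(path, chunk) != before:
        raise RuntimeError("image hash changed during the search")
    return before, hits

if __name__ == "__main__":
    # usage: script.py IMAGE KEYWORD
    digest, offsets = verified_search(sys.argv[1], sys.argv[2].encode())
    print("sha256", digest)
    for off in offsets:
        print(off)
```

The offsets returned are positions in the image, not file names; mapping a hit back to a file or to unallocated space is still the manual step the reply describes.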