Re: [sleuthkit-users] Refining keyword searches
From: Silent P. <sp...@si...> - 2003-03-27 23:22:21
Quoting: "Brian Carrier" Sent: Monday, March 17,

> On Sat, Mar 15, 2003 at 09:51:58PM -0000, Silent Partner wrote:
> > Quoting: "Brian Carrier"
> > > Your best bet would be to mount the image in loopback and run a grep
> > > script. I have no clue exactly what it would be though. It would look
> > > something like this for one keyword:
> >
> > Task/Autopsy have information regarding hidden / deleted files. When it works
> > with images, does it undelete such files into the image so that they are
> > available for manual searching if the image is mounted in loopback?
>
> No! That would be very bad since it would modify the image and any
> integrity checks would fail. TASK isn't an automated file recovery
> tool yet. It gives you all the information about where stuff is on the
> disk, but in general it requires manual recovery.
>
> brian

Am revisiting this point..... more in light of your recent postings to the list saying that a new version of the tools is being cooked at present..... and apologies for not just trying this out myself, have had to wipe my linux partitions...

Is it correct to say that in terms of a forensic analysis involving Task / Autopsy:

(1) It performs limited searches on files, hidden or unhidden
(2) Hyperlink to view the not-hidden files
(3) No support to show the contents of the hidden files found in a basic search if discovered.
(4) Suggest mounting a partition in loopback for extensive searches, but outside Autopsy, but have no access to the hidden files that the Task/Autopsy tools find in their basic searches.

Also, in forensic analysis, a master image is obtained, checksummed and stored. You work from a copy of this. In this instance, shouldn't it be the case that Task/Autopsy undeletes hidden files into the image and re-checksums? Or automatically creates a duplicate image of this nature in the locker? As long as the master is available to have the same process performed on it and can match the new checksummed image, then it's fine.

I agree that it is inherently "bad" to tamper with an image. But.... I also think it's inherently bad for a forensic "evidence" gathering tool not to cater for hidden files. Don't crooks delete files with "interesting" info?? Any plans to extend the searching capabilities in the Autopsy interface? The timeline stuff is great, but so much of the evidence gathering process hinges on searching for info, and trying to discover evidence of info that was once on the disk that is intentionally concealed.

Sid.
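The "grep over the image" approach Brian suggests, as an added example that is not part of this thread or of TASK/Autopsy: it hashes the working copy, scans the raw image bytes read-only (so content in unallocated space is covered without undeleting anything into the image), keeps an overlap between chunks so a keyword straddling a chunk boundary is still found, and hashes again to show the integrity check still holds. The sample image bytes, keywords and chunk size are constructed for the demonstration.

```python
import hashlib
import io
from typing import BinaryIO


def sha256_of(stream: BinaryIO, chunk_size: int = 1 << 20) -> str:
    """Hash the whole image so the working copy can be matched against the master."""
    h = hashlib.sha256()
    stream.seek(0)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def keyword_offsets(stream: BinaryIO, keywords: list[bytes],
                    chunk_size: int = 4096) -> dict[bytes, list[int]]:
    """Return absolute byte offsets of every keyword hit in the raw image.

    The image is only ever read. The last len(longest)-1 bytes of each chunk are
    carried into the next one, so a hit that straddles a chunk boundary is found
    exactly once: hits starting inside the carried tail are deferred to the next
    round, where the same bytes are seen again at a lower index.
    """
    hits: dict[bytes, list[int]] = {k: [] for k in keywords}
    overlap = max(len(k) for k in keywords) - 1
    stream.seek(0)
    tail, base = b"", 0          # base: image offset of tail[0]
    while True:
        data = stream.read(chunk_size)
        buf = tail + data
        # at EOF report everything; otherwise defer hits that start in the tail
        limit = len(buf) if not data else len(buf) - overlap
        for k in keywords:
            i = buf.find(k)
            while i != -1 and i < limit:
                hits[k].append(base + i)
                i = buf.find(k, i + 1)
        if not data:
            return hits
        tail = buf[len(buf) - overlap:]
        base += len(buf) - len(tail)


def search_image(image: bytes, keywords: list[bytes], chunk_size: int = 4096):
    """Hash, scan, hash again: returns (integrity_held, hits) for the working copy."""
    stream = io.BytesIO(image)           # a real run would open(path, "rb")
    before = sha256_of(stream)
    hits = keyword_offsets(stream, keywords, chunk_size)
    return before == sha256_of(stream), hits


# Constructed 25-byte "image": "passwd" at offset 5 crosses the 8-byte chunk
# boundary; "deleted" at offset 14 stands in for text left in unallocated space.
IMAGE = b"\x00" * 5 + b"passwd" + b"\x00" * 3 + b"deleted" + b"\x00" * 4
KEYWORDS = [b"passwd", b"deleted"]
```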