Re: [sleuthkit-users] Refining keyword searches
From: Brian C. <ca...@ce...> - 2003-03-28 17:12:23
On Thu, Mar 27, 2003 at 11:23:05PM -0000, Silent Partner wrote:
> Am revisiting this point..... more in light of your recent postings to the list
> saying that a new version of the tools is being cooked at present..... and
> apologies for not just trying this out myself, have had to wipe my Linux
> partitions...
>
> Is it correct to say that in terms of a forensic analysis involving Task /
> Autopsy:
> (1) It performs limited searches on files, hidden or unhidden
> (2) Hyperlink to view the not-hidden files
> (3) No support to show the contents of the hidden files found in a basic search
> if discovered.
> (4) Suggest mounting a partition in loopback for extensive searches, but outside
> autopsy, but have no access to the hidden files that the Task/Autopsy tools
> find in their basic searches.

How are you defining limited? Sure you can do more on the command line with
grep and find, but I think the Autopsy options are fairly standard with other
forensic tools.

How are you defining hidden? Do you mean deleted? Autopsy and The Sleuth Kit
currently make no attempts at "guessing" which data belongs to which files.
They only follow pointers and values that are clearly defined. So, if a search
hits a block that does not have a metadata structure that points to it, then
you will not get any additional data. If all of the pointers exist for a
deleted file, then its contents will be shown.

> Also, in forensic analysis, a master image is obtained, checksummed and stored.
> You work from a copy of this. In this instance, shouldn't it be the case that
> task/autopsy undeletes hidden files into the image and re-checksums? Or
> automatically creates a duplicate image of this nature in the locker? As long as
> the master is available to have the same process performed on it and can match
> the new checksummed image, then it's fine.
>
> I agree that it is inherently "bad" to tamper with an image. But.... I also
> think it's inherently bad for a forensic "evidence" gathering tool not to cater
> for hidden files. Don't crooks delete files with "interesting" info??

The future plan to integrate more advanced file recovery involves making a
separate file that describes the relationships between data units and files.
Then you can always say that the data was found from the original image.
Otherwise, you have to show that when you rewrote the image you did not
overwrite evidence or add evidence etc.

> Any plans to extend the searching capabilities in the Autopsy interface?

What else are you looking for? I need to make a second searching option to
search by file instead of image so that keywords across fragmented data units
are found.

brian
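The two points in Brian's reply above (a hit in a block that no metadata structure points to yields nothing further, and a search by file rather than by image is needed to find keywords that cross fragmented data units) can be shown on a toy image. The following is an added example written for this page; it is not Sleuth Kit or Autopsy code. It assumes a constructed 8-block image with 16-byte data units, a `metadata` dict standing in for each file's block-pointer list, and one file whose blocks are non-contiguous. The `block_map` function is the kind of data-unit-to-file relationship record the reply describes: it lets a raw-image hit be traced to its owning file without rewriting the image.

```python
import re

BLOCK_SIZE = 16  # assumed data unit size for the toy image


def build_image():
    """Return (image_bytes, metadata). Everything here is constructed sample data."""
    blocks = [b"\x00" * BLOCK_SIZE for _ in range(8)]

    # notes.txt is fragmented: 31 bytes stored in blocks 1 and 5, so the
    # keyword "evidence" straddles the boundary between the two fragments.
    notes = b"drop box is evidence, locker 7\n"
    blocks[1] = notes[:BLOCK_SIZE]
    blocks[5] = notes[BLOCK_SIZE:].ljust(BLOCK_SIZE, b"\x00")

    readme = b"nothing here\n"
    blocks[2] = readme.ljust(BLOCK_SIZE, b"\x00")

    # Block 3 holds leftover content of a deleted file whose metadata is gone:
    # no pointer references it, so a tool that only follows pointers can
    # report the block but not attribute it to a file.
    blocks[3] = b"old evidence log"

    metadata = {
        # assumed stand-in for inode/MFT block lists: ordered data units + size
        "notes.txt": {"blocks": [1, 5], "size": len(notes)},
        "readme.txt": {"blocks": [2], "size": len(readme)},
    }
    return b"".join(blocks), metadata


def search_image(image, keyword):
    """Search the raw image byte stream (the 'by image' search).
    Returns [(block, offset_in_block)] for each hit; a term split across
    non-adjacent blocks is invisible to this search."""
    return [(m.start() // BLOCK_SIZE, m.start() % BLOCK_SIZE)
            for m in re.finditer(re.escape(keyword), image)]


def file_content(image, meta):
    """Reassemble a file by following its block pointers, truncated to its size."""
    data = b"".join(image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] for b in meta["blocks"])
    return data[:meta["size"]]


def search_files(image, metadata, keyword):
    """Search each allocated file's reassembled content (the 'by file' search),
    so keywords spanning fragmented data units are found.
    Returns [(file name, offset_in_file)]."""
    hits = []
    for name, meta in metadata.items():
        for m in re.finditer(re.escape(keyword), file_content(image, meta)):
            hits.append((name, m.start()))
    return hits


def block_map(metadata):
    """Sidecar record: data unit -> (file name, index of that unit within the file).
    Built only from defined pointers; unallocated blocks are simply absent."""
    return {b: (name, i)
            for name, meta in metadata.items()
            for i, b in enumerate(meta["blocks"])}


def attribute_hit(block, offset_in_block, metadata):
    """Trace a raw-image hit to (file, offset_in_file), or None when no
    metadata structure points to that block."""
    owner = block_map(metadata).get(block)
    if owner is None:
        return None
    name, idx = owner
    return name, idx * BLOCK_SIZE + offset_in_block


if __name__ == "__main__":
    image, metadata = build_image()
    print("by image:", search_image(image, b"evidence"))          # only the unallocated block 3
    print("by file :", search_files(image, metadata, b"evidence"))  # notes.txt, across the fragment
    for blk, off in search_image(image, b"evidence"):
        print(f"block {blk} owner: {attribute_hit(blk, off, metadata)}")  # None: no pointer to it
```

The image-level search finds only the copy in block 3, which no file claims, while the file-level search finds the copy in notes.txt that the raw search cannot see because its two halves sit in blocks 1 and 5. Neither path modifies the image; the block map is the separate relationship record, so every hit is still reported against the original image's offsets.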