Re: [sleuthkit-users] search question
From: Brian C. <ca...@sl...> - 2003-04-11 19:52:08
That was a bug that I just fixed. The 'False Hit' code was added to the latest release. Autopsy reports how many hits it found in the search and then prints them out. In some cases, it used to claim 100 hits, but only show 99 entries. So, I added code to report the 1 false hit so that people could account for it. But, the logic had a slight bug that printed even when the word was found and there was a previous hit in the same data unit.

The fix is to move the '}' on line 4905 to before the '$found++' statement on line 4904 in base/autopsyfunc.pm/base. Re-run make and you should be set. So, it should be:

        $prev = $b;
    }
    $found++;
    print "- offset $o bytes<BR>\n";
    $idx++;

As a note about what causes false hits: the strings file has the ASCII strings and the byte offset. If you search for a numerical value, then 'grep' could find the "string" in the numerical offset field. So, that would count as a false hit.

thanks,
brian

"Buckman, Cathy" <Buc...@dc...> said:

> I downloaded the latest version of the autopsy and sleuthkit, and am running
> it on Solaris 8. I created a search on the dd image file, and it returned
> the following:
>
> 4053 (Hex-Ascii)
> offset 16 bytes
> False Hit Offset 232 bytes
>
> What does 'False Hit' mean and why is it showing up under the search
> results? Other than the false hit message, the search seems to be working
> fine.
>
> Thanks.
> Cathy
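The false-hit mechanism Brian describes above, shown as an added example that is not Autopsy's or The Sleuth Kit's own code. It assumes the strings file has the layout produced by `strings -t d` (a decimal byte offset, one space, then the string); the sample file contents, offsets and the function names `naive_grep` and `search` are all constructed for the illustration. A plain grep over such a file matches the offset column as readily as the string column, so a numeric search term like 4053 can "hit" a line whose text never contains it; the classifier below separates those cases and, for true hits, computes the absolute byte offset of the match inside the string.

```python
"""Constructed example (not Autopsy's code): why grep over a strings file
produces false hits for numeric search terms, and how to tell them apart.

Assumed file format: `strings -t d` style, i.e. decimal offset, one space,
then the extracted string.
"""
import re

# Constructed sample strings file; every offset and string here is invented.
SAMPLE_STRINGS_FILE = """\
     16 config=4053
    232 Buckman, Cathy
   4053 Solaris 8
  14053 login: 4053
"""

# offset column, single separating space, rest of line is the string
LINE_RE = re.compile(r"^\s*(\d+) (.*)$")


def parse_strings_file(text):
    """Yield (raw_line, byte_offset, string) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than mis-parse them
        yield line, int(m.group(1)), m.group(2)


def naive_grep(text, term):
    """What `grep term strings_file` sees: every line containing the term,
    regardless of whether the match is in the offset column or the string."""
    return [line for line in text.splitlines() if term in line]


def search(text, term):
    """Classify each grep-style hit.

    A true hit carries the absolute byte offset of the term inside the
    string (column offset + index within the string).  A false hit is a
    line grep matched only because the term appears in the numeric offset
    column; it carries that offset so the analyst can account for it.
    """
    results = []
    for line, offset, s in parse_strings_file(text):
        if term not in line:
            continue  # grep would not have reported this line at all
        idx = s.find(term)
        if idx >= 0:
            results.append({"offset": offset + idx, "false_hit": False, "string": s})
        else:
            results.append({"offset": offset, "false_hit": True, "string": s})
    return results


def summarize(results):
    """Return (hits_reported, entries_printed, false_hits): the mismatch
    between the first two is exactly what the 'False Hit' line explains."""
    false_hits = sum(1 for r in results if r["false_hit"])
    return len(results), len(results) - false_hits, false_hits


if __name__ == "__main__":
    for hit in search(SAMPLE_STRINGS_FILE, "4053"):
        label = "False Hit Offset" if hit["false_hit"] else "offset"
        print(f"{label} {hit['offset']} bytes  ({hit['string']!r})")
    print(summarize(search(SAMPLE_STRINGS_FILE, "4053")))
```

Running it on the constructed file shows three grep matches for 4053, of which the line at offset 4053 is a false hit: the term occurs only in the offset column. A search for a non-numeric term such as Cathy cannot collide with the offset column and yields only true hits.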