[sleuthkit-users] Future of indexing in Autopsy and Sleuthkit
Brought to you by:
carrier
From: Paul B. <ba...@fo...> - 2003-05-21 08:22:44
|
=20 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, As some people may already know, I am in the process of adding an = Indexed Search feature to Autopsy and Sleuthkit, which are Open Source = filesystem forensic tools. I have some issues that concern these additions and I would like to get = community members' opinions on some of these. So anyone who is using = Autopsy/Sleuthkit or just wants to give his/her opinion: Feel free to = give your opinion and let me know if I should or should not implement = these features/issues. Issue 1: I think it is advisable to limit the indexed character range to only = alphanumeric characters instead of the current limitation of all = printable ASCII characters. The consequences are the following: - POSITIVE: The size of the used index files is smaller (Now it's the = size of the strings file of an image) Which is quite huge if you have = just copied a 80 Gb partition. - NEGATIVE: Indexed Searching on other characters will not be possible = anymore. - POSITIVE: It will be easier to search for substrings of words, which = is not yet possible at the moment. (It is possible in both versions, but = will take a huge extra space if used on the original charachter range) - POSITIVE: Searching will be even quicker. Issue 2: Human readability of the files. A speedup in the indexed searching = process and a redeuction of the size of the used files can be = accomplished by changing the format of the index files. The consequence = is that these cannot be read by a human anymore (No more text-format = file). The consequences are the following: - POSITIVE: Speed of searches is increased - POSITIVE: Size of used files is reduces - NEGATIVE: Files cannot be checked anymore with the human eye. For the moment this are the issues. Maybe more will come.. - -- Paul Bakker Fox-IT Experts in IT Security! Haagweg 137=20 2281 AG RIJSWIJK=20 T 070 336 9999=20 F 070 336 9990=20 I www.fox-it.com=20 E ba...@fo... 57A6 C5EA 55E4 CC1C A967 B13C F8C0 C0FB 8135 E225 Disclaimer: This email may contain confidential information. If this = message is not addressed to you, you may not retain or use the = information in it for any purpose. If you have received it in error, = please notify the sender and delete this message. We try to screen out = viruses but take no responsibility if this email contains a virus. -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.1 iQA/AwUBPss3KvjAwPuBNeIlEQKRXwCg7CS05qSRSxlLxW6Z30wwnj0SQzUAmwbv s4OvNJhBlhByW5cZcx9tyuUq =3D//+o -----END PGP SIGNATURE----- |