Re: [sleuthkit-users] Difference in Keyword Searching between Unallocated and "Original"
From: Brian C. <ca...@sl...> - 2003-07-03 03:48:42
On 02 Jul 2003 19:55 PDT you wrote:
> Hi all,
>
> I have a question about searching in Autopsy. What is the difference
> between the "Unallocated" searching and the "Original" searching
> specifically. That is, does the "Original" search only allocated space
> (logical files) or does it search the entire drive, including allocated
> and unallocated space? I assume that the "Unallocated" search does not
> search logical files, but what about deleted files?

The unallocated search uses all of the unallocated blocks in the image. The 'dls' tool goes through the allocation bitmap and extracts out the unallocated blocks and saves them to a file. The unallocated search is a grep of that. So, deleted content that has not been overwritten will be in there.

> Part of the reason that I am confused by this is that I have done some
> testing and found that the "original" searches would find text in the
> boot sector of a floppy disk where the "unallocated" search would not.

Yes, the boot sector is considered allocated space so it would not be found in the "unallocated" search. I was recently playing with another forensic tool though and it considered the super blocks and boot sectors to be unallocated because they were not part of files.

brian
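The following is an added illustration of the distinction Brian describes; it is not code from the thread, from Autopsy or from The Sleuth Kit. It models what 'dls' does (walk the allocation bitmap, concatenate the blocks marked free) on a constructed image whose layout is invented for the example: a boot sector in block 0, a one-block allocation bitmap in block 1, and six data blocks after that. Running the same keyword against the whole image (the "original" search) and against the modelled dls output (the "unallocated" search) shows why the boot-sector hit and the allocated-file hit appear only in the former, while deleted-but-not-overwritten content appears in both.

```python
"""
Toy model of "original" vs. "unallocated" keyword searching.

Added example, not code from The Sleuth Kit or Autopsy. The on-disk layout
(boot sector in block 0, allocation bitmap in block 1, data blocks from
block 2) is an assumption made to keep the example short; real filesystems
differ in where their metadata lives, which is the point about the boot
sector and superblock in the post above.
"""

BLOCK_SIZE = 512
BITMAP_BLOCK = 1        # assumption: the allocation bitmap occupies block 1
FIRST_DATA_BLOCK = 2    # assumption: data blocks start at absolute block 2
N_DATA_BLOCKS = 6


def _block(payload: bytes) -> bytes:
    """Pad (or truncate) a payload to exactly one block."""
    return payload[:BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")


def build_image() -> bytes:
    """Construct a small fake volume image (constructed sample data)."""
    boot = _block(b"BOOTSECTOR volume label FLOPPY")
    # Data blocks 0..5 (absolute blocks 2..7). Allocated: 0, 1, 4. Free: 2, 3, 5.
    data = [
        _block(b"allocated file A: payroll.xls"),           # d0 allocated
        _block(b"allocated file B: readme.txt"),            # d1 allocated
        _block(b"remnant of deleted file: secret plan"),    # d2 free (deleted, not overwritten)
        _block(b""),                                        # d3 free, never used
        _block(b"allocated file C: notes"),                 # d4 allocated
        _block(b"old log line: login failed for root"),     # d5 free (deleted, not overwritten)
    ]
    allocated = {0, 1, 4}
    bits = 0
    for i in allocated:
        bits |= 1 << i          # bit i set => data block i is allocated
    bitmap = _block(bytes([bits]))
    return boot + bitmap + b"".join(data)


def block_is_allocated(bitmap: bytes, index: int) -> bool:
    """Read bit `index` of the allocation bitmap (LSB-first within each byte)."""
    return (bitmap[index // 8] >> (index % 8)) & 1 == 1


def dls(image: bytes) -> bytes:
    """Model of dls: walk the bitmap and concatenate every data block it marks
    as free. The boot sector and the bitmap itself are never part of the output,
    because they are not data blocks the bitmap tracks."""
    bitmap = image[BITMAP_BLOCK * BLOCK_SIZE:(BITMAP_BLOCK + 1) * BLOCK_SIZE]
    out = []
    for i in range(N_DATA_BLOCKS):
        if not block_is_allocated(bitmap, i):
            start = (FIRST_DATA_BLOCK + i) * BLOCK_SIZE
            out.append(image[start:start + BLOCK_SIZE])
    return b"".join(out)


def keyword_search(data: bytes, keyword: bytes) -> list:
    """grep-like search: byte offsets of every occurrence of keyword in data."""
    hits, pos = [], data.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = data.find(keyword, pos + 1)
    return hits


def compare_searches(keyword: bytes) -> dict:
    """Run one keyword against the whole image ("original") and against the
    dls output ("unallocated"); report whether each search finds it."""
    image = build_image()
    return {
        "original": bool(keyword_search(image, keyword)),
        "unallocated": bool(keyword_search(dls(image), keyword)),
    }


if __name__ == "__main__":
    for kw in (b"BOOTSECTOR", b"payroll", b"secret plan", b"login failed"):
        print(kw.decode(), compare_searches(kw))
```

One caveat worth keeping in mind when grepping dls-style output: the extracted blocks are concatenated, so two free blocks that are far apart on disk sit next to each other in the output file, and a keyword hit that straddles a block boundary there may not exist on the original image at all. Confirm such hits against the block offsets in the image itself.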