Re: [sleuthkit-users] Difference in Keyword Searching between Unallocated and "Original"
From: Chuck W. <chu...@ne...> - 2003-07-03 14:23:23
Thanks for the response, Brian. You have pretty much confirmed what I suspected from my testing. Ideally, it would be nice to include the boot sector, FAT, directory entries, and probably even slack space in "unallocated", since you don't see it with normal mounting of the filesystem. Then you could mount the filesystem and, doing standard searching with strings and grep, get all the "allocated" space; then, looking at the .dls file, you could get all the "unallocated" space and not miss anything or search anything twice. I don't know how easy that would be to implement, though, and I really don't know how useful it would be, because now you can just search the "original" and see everything, right?

Thanks and have a great holiday.

Chuck

>> I have a question about searching in Autopsy. What is the difference
>> between the "Unallocated" searching and the "Original" searching
>> specifically? That is, does the "Original" search only allocated space
>> (logical files) or does it search the entire drive, including allocated
>> and unallocated space? I assume that the "Unallocated" search does not
>> search logical files, but what about deleted files?
>
> The unallocated search uses all of the unallocated blocks in the
> image. The 'dls' tool goes through the allocation bitmap and extracts
> out the unallocated blocks and saves them to a file. The unallocated
> search is a grep of that. So, deleted content that has not been
> overwritten will be in there.
>
>> Part of the reason that I am confused by this is that I have done some
>> testing and found that the "original" searches would find text in the
>> boot sector of a floppy disk where the "unallocated" search would not.
>
> Yes, the boot sector is considered allocated space so it would not
> be found in the "unallocated" search. I was recently playing with
> another forensic tool though and it considered the super blocks
> and boot sectors to be unallocated because they were not part of
> files.
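As an added illustration of the behaviour Brian describes (the unallocated search greps only the blocks the allocation structures mark free), here is a small Python script that is not Sleuth Kit code and not part of this thread. It constructs a FAT12 floppy-style image in memory, performs a dls-style extraction by walking the FAT and concatenating every free cluster, and runs a byte-offset keyword search over both the whole image ("original") and the extracted free clusters ("unallocated"). The image geometry, the file NOTES.TXT and the marker strings BOOTTEXT, SLACK-RESIDUE and DELETED-SECRET are all constructed for the demonstration; the FAT12 handling is deliberately minimal (no long file names, no bad-cluster marks). In later Sleuth Kit releases dls was renamed blkls, but the extraction idea is the same.

```python
import struct

BPS = 512  # bytes per sector for the constructed floppy-style image


def fat12_get(fat, n):
    """Read the 12-bit FAT entry for cluster n (FAT12 packs 1.5 bytes/entry)."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    return (word >> 4) if n & 1 else (word & 0x0FFF)


def fat12_set(fat, n, value):
    """Write the 12-bit FAT entry for cluster n without touching its neighbour."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    if n & 1:
        word = (word & 0x000F) | ((value & 0xFFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0xFFF)
    struct.pack_into("<H", fat, off, word)


def parse_bpb(img):
    """Pull the geometry we need out of the BIOS Parameter Block in sector 0."""
    bps = struct.unpack_from("<H", img, 11)[0]
    spc = img[13]
    reserved = struct.unpack_from("<H", img, 14)[0]
    nfats = img[16]
    root_entries = struct.unpack_from("<H", img, 17)[0]
    total = struct.unpack_from("<H", img, 19)[0]
    spf = struct.unpack_from("<H", img, 22)[0]
    root_sectors = (root_entries * 32 + bps - 1) // bps
    first_data = reserved + nfats * spf + root_sectors
    return dict(bps=bps, spc=spc, reserved=reserved, spf=spf,
                first_data=first_data, nclusters=(total - first_data) // spc)


def extract_unallocated(img):
    """dls-style extraction: walk the FAT and concatenate every free cluster.
    Boot sector, FATs, root directory and the slack of allocated clusters are
    all outside this output, so a keyword living there is only hit by a search
    of the original image."""
    g = parse_bpb(img)
    fat = img[g["reserved"] * g["bps"]:(g["reserved"] + g["spf"]) * g["bps"]]
    csize = g["spc"] * g["bps"]
    out = bytearray()
    for n in range(2, 2 + g["nclusters"]):
        if fat12_get(fat, n) == 0:  # 0 marks a free cluster
            start = (g["first_data"] + (n - 2) * g["spc"]) * g["bps"]
            out += img[start:start + csize]
    return bytes(out)


def search(data, keyword):
    """Return every byte offset at which keyword occurs (a minimal grep -b)."""
    hits, i = [], data.find(keyword)
    while i != -1:
        hits.append(i)
        i = data.find(keyword, i + 1)
    return hits


def put(buf, off, blob):
    buf[off:off + len(blob)] = blob  # same-length slice assignment keeps size


def build_image():
    """Constructed 16-sector FAT12 image (not a real disk): one live file in
    clusters 2-3, deleted content left in cluster 4, residue in file slack."""
    total = 16
    img = bytearray(total * BPS)
    put(img, 0, b"\xEB\x3C\x90MSWIN4.1")
    # bps, sec/cluster, reserved, FAT copies, root entries, total, media, sec/FAT
    struct.pack_into("<HBHBHHBH", img, 11, BPS, 1, 1, 2, 16, total, 0xF0, 1)
    put(img, 0x40, b"BOOTTEXT")          # marker in the boot code area
    put(img, 510, b"\x55\xAA")
    fat = bytearray(BPS)
    fat12_set(fat, 0, 0xFF0)
    fat12_set(fat, 1, 0xFFF)
    fat12_set(fat, 2, 3)                 # NOTES.TXT chain: 2 -> 3 -> EOF
    fat12_set(fat, 3, 0xFFF)
    put(img, 1 * BPS, fat)               # FAT #1 (sector 1)
    put(img, 2 * BPS, fat)               # FAT #2 (sector 2)
    entry = bytearray(32)
    put(entry, 0, b"NOTES   TXT")
    entry[11] = 0x20                     # archive attribute: a plain file
    struct.pack_into("<HI", entry, 26, 2, BPS + 10)  # first cluster, size
    put(img, 3 * BPS, entry)             # root directory is sector 3
    first_data = 4                       # 1 reserved + 2 FATs + 1 root dir
    cl = lambda n: (first_data + n - 2) * BPS
    put(img, cl(2), b"ALLOCATED-CONTENT")
    put(img, cl(3), b"ALLOC-TAIL")                 # file ends 10 bytes in
    put(img, cl(3) + 100, b"SLACK-RESIDUE")        # past EOF, allocated cluster
    put(img, cl(4), b"DELETED-SECRET")             # free cluster: unallocated
    return bytes(img)


if __name__ == "__main__":
    img = build_image()
    unalloc = extract_unallocated(img)
    for kw in (b"BOOTTEXT", b"SLACK-RESIDUE", b"DELETED-SECRET"):
        print(kw.decode(), "original:", search(img, kw),
              "unallocated:", search(unalloc, kw))
```

Running it shows the asymmetry from the thread: BOOTTEXT (boot sector) and SLACK-RESIDUE (file slack inside an allocated cluster) are found only in the original image, while DELETED-SECRET is found in both, landing at offset 0 of the extracted unallocated data because cluster 4 is the first free cluster. To take Chuck's suggestion literally, one would add the reserved sectors, the FAT copies, the root directory sectors and each live file's tail bytes past its recorded size to the extraction, at which point the output overlaps what a mounted-filesystem grep already covers.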