Re: [sleuthkit-users] Feature request
From: Brian C. <ca...@sl...> - 2003-08-20 14:05:50
On 19 Aug 2003 23:52 PDT you wrote:
> It'd be really nice if the sorter would allow you to choose
> only deleted files when searching for images.
>
> It'd also be very useful since many times, as an investigator
> I'm only interested in deleted files.
>
> Is there a way to modify sorter on the fly to accomplish this?

I guess I could add that. I don't know how useful it would be though because The Sleuth Kit doesn't automatically do file recovery. For a FAT deleted file, it will find the first sector (which should work for running 'file' on it), but I'm not sure about other file systems and such. Even if it found the header with FAT, the full file will only be recovered if it is done by hand.

I was actually considering making an option to take the deleted files out of 'sorter' because I have found they clutter the whole thing up more than they help. I was just running it on a Linux system and it had hundreds of deleted file entries and almost none of them were correct.

In what scenarios do you think it will be useful?

brian