RE: [sleuthkit-users] Feature request
From: Eagle I. S. Inc. <in...@ea...> - 2003-08-20 15:31:49
Brian,

>>I don't know how useful it would be though
>>because The Sleuth Kit doesn't automatically do file recovery.

Think about:

1. Many times we (investigators) get called by attorneys and clients to look at their computers, or the computers belonging to their clients. In the civil litigation world, the money is doled out slowly and carefully. Telling someone that it will take 10 hours to get all deleted images, at $150 per hour, is not appetizing. Especially since you have to issue the caveat that we may or may not find what they want. Being able to print off pages of preview thumbnails of deleted messages would allow an investigator to simply import his partition image, run sorter with the Deleted Only flag, and let the software run. Then print off the pages of graphic file previews and take those to the client. Total investigator hands-on time invested? Probably 2 hours, or $300, tops. Sorter does the work. If the preview thumbnails show some derogatory content, then the customer is much more comfortable spending more money to retrieve or restore those graphic files with timelines etc.

2. SMART has an option to only list deleted files (all files, not just graphic image files), and then export the graphic files if you like.

3. Encase (as it has been described to me) offers exactly what I describe in scenario 1.

Also, having a list of deleted files in text format, by name, would be useful....something like

DELETED: c\Documents And Settings\Microsoft Word\Iloveyour***.doc
DELETED: c\Roxio\Music Files\SongIBurnedForMyLover.mp3

Just an idea....

>>I was actually considering making an option to take the deleted files
>>out of 'sorter' because I have found they clutter the whole thing
>>up more than they help.

Well, I just ran it on an NTFS image. I checked some of the files that the preview showed as deleted (maybe 5 or 6 files) and they were, in fact, deleted files. I figured since they were marked as deleted in the browser, it wouldn't be a big deal to separate them in sorter (I am not a coder, just an assumer). I'll go back and see if I can find any that are marked deleted that are not correct.

For the preview, I *think* it would be safe enough to have something that would show files that APPEARED to be deleted, and then have further analysis to prove if in fact they were deleted. Maybe two separate output folders?

I see the option as a "whet your appetite" option for clients, and others.

Niall.
Eagle Investigative Services, Inc.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Brian Carrier
Sent: Wednesday, August 20, 2003 9:58 AM
To: in...@ea...; sle...@li...
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Feature request

On 19 Aug 2003 23:52 PDT you wrote:
> It'd be really nice if the sorter would allow you to choose
> only deleted files when searching for images.
>
> It'd also be very useful since many times, as an investigator
> I'm only interested in deleted files.
>
> Is there a way to modify sorter on the fly to accomplish this?

I guess I could add that. I don't know how useful it would be though because The Sleuth Kit doesn't automatically do file recovery. For a FAT deleted file, it will find the first sector (which should work for running 'file' on it), but I'm not sure about other file systems and such. Even if it found the header with FAT, the full file will only be recovered if it is done by hand.

I was actually considering making an option to take the deleted files out of 'sorter' because I have found they clutter the whole thing up more than they help. I was just running it on a Linux system and it had hundreds of deleted file entries and almost none of them were correct.

In what scenarios do you think it will be useful?

brian
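As an added example (not from this thread and not part of The Sleuth Kit), a small Python script that produces the plain-text "DELETED:" listing Niall sketches by driving fls -rdp and icat -r, and flags entries whose metadata has been reallocated, which is the false-positive case Brian describes. It assumes fls, icat and file(1) are on PATH, a raw partition image, and the fls line format noted in the comment; the sample fls output is constructed.

```python
"""Approximate the thread's 'deleted only' listing with TSK's fls and icat.
Assumes (not from the thread) fls, icat and file(1) on PATH and a raw
partition image; SAMPLE_FLS below is constructed, not captured."""
import re
import subprocess
# fls -rdp prints "<type> [*] <meta-addr>[(realloc)]:<tab><full path>" per entry;
# '*' marks a deleted entry, '(realloc)' one whose metadata has been reused.
FLS_LINE = re.compile(
    r"^(?P<ftype>[-?a-z]/[-?a-z])\s+(?P<deleted>\*\s+)?"
    r"(?P<meta>[^:(\s]+)(?P<realloc>\(realloc\))?:\s*(?P<path>.*)$"
)

SAMPLE_FLS = "\n".join([
    "r/r 64-128-2:\tDocuments and Settings/user/My Documents/report.doc",
    "r/r * 70-128-1:\tDocuments and Settings/user/My Documents/Iloveyou.doc",
    "r/r * 71-128-1(realloc):\tRoxio/Music Files/song.mp3",
    "d/d * 72-144-1:\tTemp",
])

def parse_fls(output):
    """Return [(meta_addr, path, reallocated)] for deleted entries only."""
    entries = []
    for line in output.splitlines():
        m = FLS_LINE.match(line)
        if m and m.group("deleted"):  # allocated entries are dropped here
            entries.append((m.group("meta"), m.group("path"), bool(m.group("realloc"))))
    return entries

def deleted_report(entries, classify):
    """Format 'DELETED: path [type]' lines; classify(meta_addr) -> str.
    Reallocated entries are flagged because their content now belongs to a
    live file, which is the false-positive case Brian describes."""
    lines = []
    for meta, path, realloc in entries:
        note = " (metadata reallocated, content unreliable)" if realloc else ""
        lines.append(f"DELETED: {path} [{classify(meta)}]{note}")
    return lines

def tsk_classify(image):
    """Classifier that pipes 'icat -r' (recover deleted) output through file(1)."""
    def classify(meta):
        data = subprocess.run(["icat", "-r", image, meta], capture_output=True).stdout
        out = subprocess.run(["file", "-b", "-"], input=data, capture_output=True)
        return out.stdout.decode(errors="replace").strip()
    return classify

if __name__ == "__main__":
    import sys
    fls = subprocess.run(["fls", "-rdp", sys.argv[1]], capture_output=True, text=True, check=True)
    print("\n".join(deleted_report(parse_fls(fls.stdout), tsk_classify(sys.argv[1]))))
```

Run it as `python3 deleted_list.py image.dd`; as Brian notes, `icat -r` only reliably reassembles the file on FAT, so treat the type column as a preview to confirm by hand.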