RE: [sleuthkit-users] Feature request
From: Brian C. <ca...@sl...> - 2003-08-20 21:35:55
Niall,

I understand the "big picture" use for the functionality, but there needs to be more than just a flag for 'sorter'. The Sleuth Kit doesn't really do automatic file recovery right now. TSK only processes what the file system says. For example, a deleted FAT file has the starting cluster, but the rest of the FAT entries are likely wiped. Therefore, all TSK will do is recover that first cluster. You can manually extract the remaining X clusters that make up the file, but it is a manual process that 'sorter' will not do for you.

Furthermore, if the cluster that the deleted file name points to has been reallocated and belongs to a new file, TSK does not check for that and will report the type of the new cluster. So, you may get very wrong results for deleted files with TSK. The automated process can occur in the future, but it hasn't yet.

The main goal for 'sorter' is to provide the equivalent to the thumbnail view of EnCase and also do it for more than just images.

thanks,
brian

On 20 Aug 2003 08:33 PDT you wrote:
> Brian,
>
> >>I don't know how useful it would be though
> >>because The Sleuth Kit doesn't automatically do file recovery.
>
> Think about:
>
> 1. Many times we (investigators) get called by attorneys and
> clients to look at their computers, or the computers belonging
> to their clients. In the civil litigation world, the money
> is doled out slowly and carefully. Telling someone that it
> will take 10 hours to get all deleted images, at $150 per hour
> is not appetizing. Especially since you have to issue the caveat
> that we may or may not find what they want.
>
> Being able to print off pages of preview thumbnails of deleted
> messages would allow an investigator to simply import his partition image,
> run sorter with the Deleted Only flag, and let the software run.
>
> Then print off the pages of graphic file previews and take those
> to the client.
>
> Total investigator hands-on time invested? Probably 2 hours, or
> $300, tops. Sorter does the work.
>
> If the preview thumbnails show some derogatory content, then the
> customer is much more comfortable spending more money to retrieve
> or restore those graphic files with timelines etc.
>
> 2. SMART has an option to only list deleted files (all files, not
> just graphic image files), and then export the graphic files if you like.
>
> 3. Encase (as it has been described to me) offers exactly what I describe
> in scenario 1.
>
> Also, having a list of deleted files in text format, by name, would
> be useful....something like
>
> DELETED: c\Documents And Settings\Microsoft Word\Iloveyour***.doc
> DELETED: c\Roxio\Music Files\SongIBurnedForMyLover.mp3
>
> Just an idea....
>
> >>I was actually considering making an option to take the deleted files
> >>out of 'sorter' because I have found they clutter the whole thing
> >>up more than they help.
>
> Well, I just ran it on an NTFS image. I checked some of the files that the
> preview showed as deleted (maybe 5 or 6 files) and they were, in fact,
> deleted files.
>
> I figured since they were marked as deleted in the browser, it wouldn't
> be a big deal to separate them in sorter (I am not a coder, just an assumer).
>
> I'll go back and see if I can find any that are marked deleted that are not
> correct.
>
> For the preview, I *think* it would be safe enough to have something that
> would show files that APPEARED to be deleted, and then have further analysis
> to prove if in fact they were deleted.
>
> Maybe two separate output folders?
>
> I see the option as a "whet your appetite" option for clients, and others.
>
> Niall.
> Eagle Investigative Services, Inc.
>
> -----Original Message-----
> From: sle...@li...
> [mailto:sle...@li...] On Behalf Of Brian Carrier
> Sent: Wednesday, August 20, 2003 9:58 AM
> To: in...@ea...; sle...@li...
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] Feature request
>
> On 19 Aug 2003 23:52 PDT you wrote:
> > It'd be really nice if the sorter would allow you to choose
> > only deleted files when searching for images.
> >
> > It'd also be very useful since many times, as an investigator
> > I'm only interested in deleted files.
> >
> > Is there a way to modify sorter on the fly to accomplish this?
>
> I guess I could add that. I don't know how useful it would be though
> because The Sleuth Kit doesn't automatically do file recovery. For
> a FAT deleted file, it will find the first sector (which should work for
> running 'file' on it), but I'm not sure about other file systems and
> such. Even if it found the header with FAT, the full file will only
> be recovered if it is done by hand.
>
> I was actually considering making an option to take the deleted files
> out of 'sorter' because I have found they clutter the whole thing
> up more than they help. I was just running it on a Linux system
> and it had hundreds of deleted file entries and almost none of them
> were correct.
>
> In what scenarios do you think it will be useful?
>
> brian
>
> -------------------------------------------------------
> This SF.net email is sponsored by Dice.com.
> Did you know that Dice has over 25,000 tech jobs available today? From
> careers in IT to Engineering to Tech Sales, Dice has tech jobs from the
> best hiring companies. http://www.dice.com/index.epl?rel_code=104
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
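The FAT behaviour Brian describes above (the directory entry keeps the start cluster, the FAT chain is zeroed on delete, and that start cluster may since have been handed to a new file) as an added example that is not part of this thread and is not code from The Sleuth Kit. It simulates a tiny FAT12 volume in Python with made-up file names and contents; the helper names (Fat12Sim, parse_dir, naive_recover, contiguous_recover, sniff, assess_deleted) are this example's own, not TSK tools, and the "naive" recovery stands in for the 2003-era behaviour of trusting the start cluster and following no chain.

```python
"""Constructed FAT12 simulation (example code, not part of The Sleuth Kit).

Reproduces two effects of deleting a file on FAT:
  1. the driver zeroes the file's FAT chain, so only the start cluster named
     in the directory entry can be located automatically;
  2. if that start cluster has been reallocated, reading it yields the new
     file's bytes and 'file'-style type detection reports the wrong type.
All file names and contents below are made up."""
import struct

CLUSTER_SIZE = 512
FREE, EOC = 0x000, 0xFFF                      # FAT12 free marker / end of chain
DIR_ENTRY = struct.Struct("<11sB10sHHHI")     # name, attr, reserved, time, date, start, size


def clusters_for(size):
    return max(1, -(-size // CLUSTER_SIZE))


class Fat12Sim:
    """Just enough FAT12 to reproduce the on-disk effects of write and delete."""

    def __init__(self, clusters=16):
        self.fat = [FREE] * clusters
        self.fat[0] = self.fat[1] = 0xFF8     # reserved entries
        self.data = {}                        # cluster number -> bytes
        self.entries = []                     # [raw 8.3 name, start, size, deleted]

    def write(self, name, content):
        need = clusters_for(len(content))
        free = [c for c in range(2, len(self.fat)) if self.fat[c] == FREE][:need]
        assert len(free) == need, "volume full"
        for i, c in enumerate(free):
            self.fat[c] = free[i + 1] if i + 1 < need else EOC
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c] = chunk.ljust(CLUSTER_SIZE, b"\0")
        self.entries.append([name, free[0], len(content), False])

    def delete(self, name):
        for e in self.entries:
            if e[0] == name and not e[3]:
                c = e[1]
                while c not in (FREE, EOC):   # chain is freed; cluster data is left alone
                    nxt = self.fat[c]
                    self.fat[c] = FREE
                    c = nxt
                e[3] = True
                return
        raise KeyError(name)

    def root_dir(self):
        out = b""
        for name, start, size, deleted in self.entries:
            raw = name.encode("ascii").ljust(11)
            if deleted:
                raw = b"\xE5" + raw[1:]       # deletion overwrites name[0] only
            out += DIR_ENTRY.pack(raw, 0x20, b"\0" * 10, 0, 0, start, size)
        return out


def parse_dir(blob):
    """Yield directory entries the way a directory lister sees them."""
    for off in range(0, len(blob), DIR_ENTRY.size):
        raw, _attr, _res, _t, _d, start, size = DIR_ENTRY.unpack_from(blob, off)
        if raw[0] == 0:
            break                             # end of directory
        deleted = raw[0] == 0xE5
        shown = (b"?" + raw[1:]) if deleted else raw   # first character is lost
        name = shown[:8].rstrip().decode() + "." + shown[8:].rstrip().decode()
        yield {"name": name, "deleted": deleted, "start": start, "size": size}


def sniff(blob):
    """Tiny stand-in for running 'file' on recovered bytes."""
    if blob.startswith(b"\xFF\xD8\xFF"):
        return "jpeg"
    body = blob.rstrip(b"\0")
    if body and all(32 <= b < 127 or b in b"\r\n\t" for b in body):
        return "text"
    return "data"


def naive_recover(entry, fs):
    """Trust the start cluster and follow no chain (the behaviour in the thread)."""
    return fs.data.get(entry["start"], b"")


def contiguous_recover(entry, fs):
    """Manual recovery: assume the file was contiguous and take N clusters,
    but only if every one of them is still unallocated in the FAT."""
    n = clusters_for(entry["size"])
    run = range(entry["start"], entry["start"] + n)
    if any(c >= len(fs.fat) or fs.fat[c] != FREE for c in run):
        return None                           # some cluster now belongs to a live file
    return b"".join(fs.data.get(c, b"\0" * CLUSTER_SIZE) for c in run)[:entry["size"]]


def assess_deleted(fs):
    report = {}
    for e in parse_dir(fs.root_dir()):
        if not e["deleted"]:
            continue
        report[e["name"]] = {
            "start_reallocated": fs.fat[e["start"]] != FREE,
            "clusters_needed": clusters_for(e["size"]),
            "naive_type": sniff(naive_recover(e, fs)),
            "contiguous_ok": contiguous_recover(e, fs) is not None,
        }
    return report


def scenario():
    fs = Fat12Sim()
    pic1 = b"\xFF\xD8\xFF\xE0" + b"\x10" * (2 * CLUSTER_SIZE + 60)   # 3 clusters
    pic2 = b"\xFF\xD8\xFF\xE0" + b"\x10" * (CLUSTER_SIZE + 60)       # 2 clusters
    fs.write("PIC1    JPG", pic1)                                     # clusters 2,3,4
    fs.write("PIC2    JPG", pic2)                                     # clusters 5,6
    fs.delete("PIC1    JPG")
    fs.delete("PIC2    JPG")
    fs.write("NOTES   TXT", b"meeting notes, nothing to see here")    # reuses cluster 2
    return assess_deleted(fs)


if __name__ == "__main__":
    for name, r in scenario().items():
        print(name, r)
```

In the scenario, ?IC1.JPG's start cluster was reused by NOTES.TXT, so the naive read is typed as text and a contiguous recovery is refused; ?IC2.JPG's clusters are still free, so the naive read is correctly typed as a JPEG but covers only one of the two clusters, and the manual contiguous recovery returns the whole file. On a real image the equivalent manual checks are fls -d to list only deleted entries and blkstat on the start cluster to see whether it is allocated before trusting what 'file' says about it.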