Re: [sleuthkit-users] Autopsy Case Management Gripes
From: Brian C. <ca...@sl...> - 2005-01-18 16:06:01
On Jan 18, 2005, at 6:53 AM, John Edwards wrote:

> Even as a completely new user to Autopsy I found the
> case management side simple enough to understand and
> use.
>
> What I found a little tricky was the actual imaging
> process itself. What would have been useful would
> have been a utility that provided a 'suggested' dd
> command line for imaging a disk. In other words, take
> the simple but very common situation of an
> investigator just hanging a copy of the drive to be
> investigated onto his system - in Autopsy you could
> browse or pick the physical drive or partition and
> Autopsy would suggest a suitable command line for
> making an image of it and provide a suitable mount
> command line for it.

Fortunately, there are starting to be more interfaces to 'dd' to make the
process easier. There are AIR and GRAB:

AIR: http://air-imager.sourceforge.net/
GRAB: http://www.e-fense.com/helix/index.html

I haven't actually used either, but I know of people that have.

> One other suggestion (not to do with case management)
> that would have saved me loads of time recently is
> having an extra button on the key word search results
> screen in Autopsy. The extra button would begin a
> batch process that would look up the filename (and
> extension) of every hit and put the filename next to
> each hit. This would save loads of time because if
> you are most interested in, say, Word Docs you could in
> the first instance only look at those hits that are
> Word documents.

That is actually a fairly easy update. I can add that to the todo list.

> One other thing, a facility whereby you could do a
> second (and perhaps a third, fourth ..) keyword search
> but only just the results of an initial keyword search
> would be useful. It would get round those situations
> where you want to find files that have word1 AND word2
> and possibly word3 in them (which I don't know whether
> it is possible to set up as a regular expression).

That can't be easily done until logical file searching is added.

> PS, I am not griping :), I think it is a great
> programme.

No problem. I like knowing what people want. I'm not really an interface
programmer, so I need all of the help that I can get.

brian
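The first suggestion in the thread (have the tool propose a dd command line for the suspect drive and a mount command line for the resulting image) is easy to sketch in shell, and the sketch is a good place to show the two checks an examiner wants around it: hashing the source and the image, and accounting for the fact that conv=noerror,sync pads the last block, so the image file can be longer than the device and its whole-file hash will not match the device hash. The script below is an added example written for this page; it is not code from the original thread, from Autopsy or from The Sleuth Kit. /dev/sdb and /mnt/evidence are hypothetical stand-ins for the suspect drive and the mount point, and the command lines it prints are one reasonable choice, not the only one.

```shell
#!/bin/sh
# Added example (not part of the original thread or of Autopsy/TSK).
# Assumed names: /dev/sdb = suspect drive, /mnt/evidence = mount point.

# Portable SHA-256 of stdin (GNU coreutils sha256sum or Perl shasum).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# suggest_dd SRC DEST -> the dd command line to image SRC into DEST.
# conv=noerror,sync keeps reading past bad sectors and zero-fills them
# instead of aborting; bs=4k is a sane block size for modern media.
suggest_dd() {
    printf 'dd if=%s of=%s bs=4k conv=noerror,sync\n' "$1" "$2"
}

# suggest_mount IMG MNT -> a read-only loop mount of the image; ro keeps
# the filesystem from being modified (journal replay, atime updates),
# noexec/nodev keep anything inside the image from being run or used as
# a device node on the examiner's box.
suggest_mount() {
    printf 'mount -o ro,loop,noexec,nodev,noatime %s %s\n' "$1" "$2"
}

# image_and_verify SRC DEST -> image SRC into DEST, hash both ends,
# write DEST.sha256 (for a later "sha256sum -c") and DEST.log.
# Returns 0 only if the image reproduces the source byte for byte.
image_and_verify() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=4k conv=noerror,sync 2>/dev/null || return 1

    # Size of the source: blockdev for a real device, wc for a file.
    # (wc would read the whole device; blockdev asks the kernel.)
    if [ -b "$src" ] && command -v blockdev >/dev/null 2>&1; then
        size=$(blockdev --getsize64 "$src")
    else
        size=$(wc -c < "$src" | tr -d ' ')
    fi

    h_src=$(_sha256 < "$src")
    # conv=sync pads the final partial block with zeros, so compare the
    # source hash against the first SIZE bytes of the image, not the
    # whole file; the whole-file hash is still recorded for custody.
    h_dst=$(head -c "$size" "$dst" | _sha256)
    h_img=$(_sha256 < "$dst")

    printf '%s  %s\n' "$h_img" "$dst" > "$dst.sha256"
    {
        printf 'source=%s size=%s sha256=%s\n' "$src" "$size" "$h_src"
        printf 'image=%s sha256=%s\n' "$dst" "$h_img"
        printf 'first %s bytes of image sha256=%s\n' "$size" "$h_dst"
    } > "$dst.log"

    [ "$h_src" = "$h_dst" ]
}

# Usage (as root, against the real drive):
#   suggest_dd /dev/sdb case1.dd
#   image_and_verify /dev/sdb case1.dd && suggest_mount case1.dd /mnt/evidence
```

The mount command is only printed, never run: mounting needs root and should be a deliberate step after the hashes in the .log file have been checked. If the image hash and the device hash must be identical for a custody procedure, image with bs=512 (the sector size) instead, since a whole disk is always a multiple of 512 bytes and conv=sync then adds no padding.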