[sleuthkit-users] Opening Application Files

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi everyone,

I am new to the forensic world using TSK and other tools, and any help is
GREATLY appreciated!  I know I have a lot of questions, so any help is
received with gladness: 

Foremost (I know this is not a foremost forum, so hopefully some of you can
help me.)

I have recovered several different file types from fat32 unallocated disk
space (dls file) using foremost.  I have some questions:  

1)  Why does foremost make many of the file sizes the max file size as
specified in the foremost.conf file?  In other words, is their a way to
compress them down.  For example, I retrieved about 1000 .doc files (MS
Office), but because of the max file size, the total disk space is showing
as 2 gigs, which cannot be the case.  

2)  Of the .doc files retrieved, half will not open in MS Word.  Why is
that?  I understand that other office application data files have the same
file headers.  Is this because I do not have the right application to open
them, or because the files are corrupted?  If corrupted, is there any way to
recover it, or view the content, outside of viewing the strings with a hex
editor?

3)  None of the database files recovered with foremost open in the
application associated with them, whereas half of word/excel files open.
Why is that?  Are db files just more difficult to recover?

Sorter

4)  When I run the sorter, I have the same file types in the 'data' and
'documents' directories (for instance, there will be .doc files in both
directories).  In addition, many common file types are labeled as unknown
(for instance, a .pst file - MS Outlook). Is this because I do not have the
NIST NSRL database installed?

5)  Does the sorter pull files from unallocated as well as allocated disk
space?

Other Questions

6)  If data files are recovered, is the only way to view their content
through the application that is associated with them?  For example, must a
Microsoft Money data file be viewed with the MS Money application in order
to see the content?  I know when a hex editor is used, it is impossible to
see what is in the file.  I have had success with getting text from a file
with a hex editor, however, with database apps I have no such luck.  Is
there some kind of tool that allows me to see the tables of a db, or do I
need to open it in the application that is associated with it?

7)  How could I view the content of .dat files?  Is their a specific tool,
or do I view the strings with a hex editor?

Again, any help is mucho appreciated!  Thanks.

Brian