[sleuthkit-users] Opening Application Files
From: Brian S. <Br...@Pe...> - 2005-04-20 22:55:20
Hi everyone,

I am new to the forensic world using TSK and other tools, and any help is GREATLY appreciated! I know I have a lot of questions, so any help is received with gladness:

Foremost (I know this is not a foremost forum, so hopefully some of you can help me.)

I have recovered several different file types from fat32 unallocated disk space (dls file) using foremost. I have some questions:

1) Why does foremost make many of the file sizes the max file size as specified in the foremost.conf file? In other words, is there a way to compress them down? For example, I retrieved about 1000 .doc files (MS Office), but because of the max file size, the total disk space is showing as 2 gigs, which cannot be the case.

2) Of the .doc files retrieved, half will not open in MS Word. Why is that? I understand that other office application data files have the same file headers. Is this because I do not have the right application to open them, or because the files are corrupted? If corrupted, is there any way to recover it, or view the content, outside of viewing the strings with a hex editor?

3) None of the database files recovered with foremost open in the application associated with them, whereas half of word/excel files open. Why is that? Are db files just more difficult to recover?

Sorter

4) When I run the sorter, I have the same file types in the 'data' and 'documents' directories (for instance, there will be .doc files in both directories). In addition, many common file types are labeled as unknown (for instance, a .pst file - MS Outlook). Is this because I do not have the NIST NSRL database installed?

5) Does the sorter pull files from unallocated as well as allocated disk space?

Other Questions

6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor; however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

7) How could I view the content of .dat files? Is there a specific tool, or do I view the strings with a hex editor?

Again, any help is mucho appreciated! Thanks.

Brian
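Added example for question 1, not part of the original post or of foremost/TSK: a carver that reaches its configured maximum size without finding a footer leaves the carve padded, but an OLE2/CFB file (.doc, .xls) records its own sector allocation in the FAT, so the real length can be computed from the header and the padding cut off; carves with no valid CFB header can be flagged at the same time. The function names (cfb_true_size, triage_carve, build_sample) are assumptions, the input is a constructed sample, and the helper assumes the header sits at offset 0 and does not follow the extended DIFAT chain used by very large files.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature
FREESECT = 0xFFFFFFFF                             # FAT entry for an unused sector

def cfb_true_size(data):
    """Length the CFB file should have according to its FAT, or None if
    the bytes do not start with a usable CFB header."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        return None
    sector_shift = struct.unpack_from("<H", data, 30)[0]   # 9 -> 512, 12 -> 4096
    if sector_shift not in (9, 12):
        return None
    sector_size = 1 << sector_shift
    n_fat = struct.unpack_from("<I", data, 44)[0]          # number of FAT sectors
    difat = struct.unpack_from("<109I", data, 76)          # header DIFAT: FAT sector ids
    fat_sectors = [s for s in difat[:n_fat] if s != FREESECT]  # extended DIFAT ignored
    per_sector = sector_size // 4
    highest_used = -1
    for i, fs in enumerate(fat_sectors):
        off = (fs + 1) * sector_size                       # sector n starts at (n+1)*size
        chunk = data[off:off + sector_size]
        if len(chunk) < sector_size:
            return None                                    # FAT itself is missing
        for j, val in enumerate(struct.unpack("<%dI" % per_sector, chunk)):
            if val != FREESECT:                            # chain, FATSECT, DIFSECT: all in use
                highest_used = max(highest_used, i * per_sector + j)
    if highest_used < 0:
        return None
    return (highest_used + 2) * sector_size                # header + sectors 0..highest

def triage_carve(data):
    """Classify a carved .doc/.xls candidate as (verdict, expected_size)."""
    size = cfb_true_size(data)
    if size is None:
        return ("no valid CFB header", None)
    if size > len(data):
        return ("truncated", size)
    return ("padded" if size < len(data) else "exact", size)

def build_sample(max_size=8192):
    """Constructed sample: a minimal 512-byte-sector CFB (one FAT sector, one
    directory sector) zero-padded the way a max-size carve would be."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 30, 9)                  # 512-byte sectors
    struct.pack_into("<I", header, 44, 1)                  # one FAT sector
    struct.pack_into("<I", header, 48, 1)                  # directory starts at sector 1
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *([FREESECT] * 126))
    body = bytes(header) + fat + bytes(512)                # header, FAT, directory
    return body + bytes(max_size - len(body))

if __name__ == "__main__":
    print(triage_carve(build_sample()))                     # ('padded', 1536)
```

Trimming a padded carve to the returned size gives a file whose length matches its FAT; a result of "no valid CFB header" is the signal to look at the carve in a hex editor rather than in Word.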