Re: [sleuthkit-users] Opening Application Files
From: Brian C. <ca...@sl...> - 2005-04-21 14:01:16
On Apr 20, 2005, at 5:54 PM, Brian Starr wrote:

> Hi everyone,
>
> I am new to the forensic world using TSK and other tools, and any help is GREATLY appreciated! I know I have a lot of questions, so any help is received with gladness:
>
> Foremost (I know this is not a foremost forum, so hopefully some of you can help me.)
>
> I have recovered several different file types from fat32 unallocated disk space (dls file) using foremost. I have some questions:
>
> 1) Why does foremost make many of the file sizes the max file size as specified in the foremost.conf file? In other words, is there a way to compress them down? For example, I retrieved about 1000 .doc files (MS Office), but because of the max file size, the total disk space is showing as 2 gigs, which cannot be the case.

If it doesn't find the footer value (or if the application type doesn't have a footer value), it goes until the maximum length.

> 2) Of the .doc files retrieved, half will not open in MS Word. Why is that? I understand that other office application data files have the same file headers. Is this because I do not have the right application to open them, or because the files are corrupted? If corrupted, is there any way to recover it, or view the content, outside of viewing the strings with a hex editor?

foremost only looks for a basic signature value, which could be 2 or 4 bytes long. Random data is bound to eventually have the same value in that location so you will get false positives.

> 3) None of the database files recovered with foremost open in the application associated with them, whereas half of word/excel files open. Why is that? Are db files just more difficult to recover?

Could just be a more common signature value or because database files tend to be larger and more fragmented so you are not recovering the full file. foremost recovers only files that are not fragmented.

> Sorter
>
> 4) When I run the sorter, I have the same file types in the 'data' and 'documents' directories (for instance, there will be .doc files in both directories).

What is the file type reported for those in the data directory? 'file' puts things in 'data' if it doesn't know the type.

> In addition, many common file types are labeled as unknown (for instance, a .pst file - MS Outlook). Is this because I do not have the NIST NSRL database installed?

It has nothing to do with NSRL. I thought pst was in the rules though. If you send me the unknown file I can add more rules to the next release (this goes for anyone who finds lots of stuff in unknown. I haven't updated the rules in a while).

> 5) Does the sorter pull files from unallocated as well as allocated disk space?

It pulls stuff from unallocated space IF there is a metadata structure (i.e. inode / MFT entry etc.) that points to the data. It does not do carving like foremost does.

> Other Questions
>
> 6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor; however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

If you want more than just strings, you will need an app that understands the structure of the application file (just like you need a tool that can understand the structure of a specific file system to view a file system image file).

> 7) How could I view the content of .dat files? Is there a specific tool, or do I view the strings with a hex editor?

'.dat' is a generic extension. You really need to base it on what 'file' (or similar) tool tells you about the file type.

brian
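As an added illustration of the carving behaviour discussed in this message (not code from the thread or from foremost itself): a toy header/footer carver in Python. It shows the three cases Brian describes, a hit whose footer is found, a hit whose footer is never found so the carve runs to the maximum length, and a rule with no footer at all, plus a stray signature in non-file data producing a full max-size false positive. The rules, the tiny max sizes and the "unallocated space" bytes are constructed for the demo; the JPEG (FF D8 FF / FF D9) and OLE2 (D0 CF 11 E0) signature bytes are the real ones, but foremost's configuration format and scanning logic are not reproduced.

```python
"""Toy header/footer carver (constructed example, not foremost's code).

A rule is (name, header, footer, max_size). footer may be None, as for
OLE2 (.doc/.xls) files, which have no trailer marker.
"""

# Hypothetical rules in the spirit of a foremost.conf entry; max sizes kept tiny.
RULES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 200),
    ("doc", b"\xd0\xcf\x11\xe0", None, 64),
]


def carve(data, rules):
    """Return [(name, offset, length, reason)] for every header hit in data.

    reason is "footer" when the trailer is found inside the max_size window,
    "max_size" when the rule has a footer but none was found, and
    "no_footer_in_rule" when the rule defines no footer. In the last two
    cases the carved length is always max_size (or whatever is left of the
    image), which is why carver output can balloon to max_size * hits.
    """
    found = []
    for name, header, footer, max_size in rules:
        pos = data.find(header)
        while pos != -1:
            window_end = min(len(data), pos + max_size)
            if footer is None:
                end, reason = window_end, "no_footer_in_rule"
            else:
                fpos = data.find(footer, pos + len(header), window_end)
                if fpos != -1:
                    end, reason = fpos + len(footer), "footer"
                else:
                    end, reason = window_end, "max_size"
            found.append((name, pos, end - pos, reason))
            pos = data.find(header, pos + 1)  # keep scanning; hits may overlap
    return found


def expected_random_hits(image_bytes, signature_len):
    """Expected chance matches of a signature_len-byte signature in
    image_bytes of uniformly random data (one candidate per byte offset)."""
    return image_bytes / 256 ** signature_len


# Constructed "unallocated space". Filler is printable ASCII, which cannot
# contain any of the signature bytes, so every hit below is placed on purpose.
FILLER = bytes(range(0x20, 0x7F))


def pad(n):
    return (FILLER * (n // len(FILLER) + 1))[:n]


def build_sample_image():
    jpeg_complete = b"\xff\xd8\xff" + b"JPEGBODY" * 4 + b"\xff\xd9"  # header + footer intact (37 bytes)
    jpeg_truncated = b"\xff\xd8\xff" + b"TRUNCATED" * 3               # footer never written (30 bytes)
    doc = b"\xd0\xcf\x11\xe0" + b"DOC" * 10                           # OLE2 header, no trailer (34 bytes)
    stray_signature = b"\xff\xd8\xff"                                 # signature bytes inside non-JPEG data
    return (pad(40) + jpeg_complete + pad(40) + jpeg_truncated + pad(250)
            + doc + pad(20) + stray_signature + pad(230))


def carve_sample():
    return carve(build_sample_image(), RULES)


def total_carved_bytes(results):
    return sum(length for _, _, length, _ in results)


if __name__ == "__main__":
    hits = carve_sample()
    for hit in hits:
        print(hit)
    print("real content bytes:", 37 + 30 + 34, "carved bytes:", total_carved_bytes(hits))
    print("chance hits, 1 GiB random image, 2-byte signature:", expected_random_hits(2**30, 2))
    print("chance hits, 1 GiB random image, 4-byte signature:", expected_random_hits(2**30, 4))
```

Running it carves 501 bytes out of 101 bytes of real content: the truncated JPEG and the stray signature each yield a 200-byte "file", and the OLE2 hit yields 64 bytes because its rule has no footer to stop at. The `expected_random_hits` helper is the back-of-envelope version of the false-positive point: a 2-byte signature is expected to match by chance thousands of times in a gigabyte of random data, a 4-byte one well under once, which is one reason to check carved files with `file` (or the application) rather than trusting the extension the carver assigned.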