Re: [sleuthkit-users] Opening Application Files

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Apr 20, 2005, at 5:54 PM, Brian Starr wrote:

> Hi everyone,
> =A0
> I am new to the forensic world using TSK and other tools, and any help=20=

> is GREATLY appreciated!=A0 I know I have a lot of=A0questions, so =
any=A0help=20
> is=A0received with gladness:=A0
> =A0
> =A0
> Foremost (I know this is not a foremost forum, so hopefully=A0some of=20=

> you can help me.)
> =A0
> I have recovered several different file types from fat32 unallocated=20=

> disk space (dls file) using foremost.=A0 I have=A0some questions:=A0
> =A0
> 1)=A0 Why does foremost make many of the file sizes the max file size =
as=20
> specified in the foremost.conf file?=A0 In other words, is their a way=20=

> to compress them down.=A0 For example, I retrieved about 1000 .doc =
files=20
> (MS Office), but because of the max file size, the total disk space is=20=

> showing as 2 gigs, which cannot be the case.=A0

If it doesn't find the footer value (or if the application type doesn't=20=

have a footer value), it goes until the maximum length.

> =A02)=A0 Of the .doc files retrieved, half will not open in MS Word.=A0 =
Why=20
> is that?=A0 I understand that other office application data files have=20=

> the same file headers.=A0 Is this because I do not have the right=20
> application to open them, or because the files are corrupted?=A0 If=20
> corrupted, is there any way to recover it, or view the content,=20
> outside of viewing the strings with a hex editor?

foremost only looks for a basic signature value, which could be 2 or 4=20=

bytes long.  Random data is bound to eventually have the same value in=20=

that location so you will get false positives.

> =A03)=A0 None of the database files recovered with foremost open in =
the=20
> application associated with them, whereas half of word/excel files=20
> open.=A0 Why is that?=A0 Are db files just more difficult to recover?

Could just be a more common signature value or because database files=20
tend to be larger and more fragmented so you are not recovering the=20
full file.  foremost recovers only files that are not fragmented.

> =A0Sorter
> =A0
> 4)=A0 When I run the sorter, I have the same file types in the 'data'=20=

> and 'documents' directories (for instance, there will be .doc files in=20=

> both directories).=A0

What is the file type reported for those in the data directory?  'file'=20=

puts things in 'data' if it doesn't know the type.

> In addition, many common file types are labeled as unknown (for=20
> instance, a .pst file - MS Outlook). Is this because I do not have the=20=

> NIST NSRL database installed?

It has nothing to do with NSRL.  I thought pst was in the rules though.=20=

  If you send me the unknown file I can add more rules to the next=20
release (this goes for anyone who finds lots of stuff in unknown.  I=20
haven't updated the rules in a while).

> 5)=A0 Does the sorter pull files from unallocated as well as allocated=20=

> disk space?

It pulls stuff from unallocated space IF there is a metadata structure=20=

(i.e. inode / MFT entry etc.) that points to the data.  It does not do=20=

carving like foremost does.

> Other Questions
> =A0
> 6)=A0 If data files are recovered, is the only way to view their =
content=20
> through the application that is associated with them?=A0 For example,=20=

> must a Microsoft Money data file be viewed with the MS Money=20
> application in order to=A0see the content?=A0 I know when a hex editor =
is=20
> used, it is impossible to see what is in the file.=A0 I have had =
success=20
> with getting text from a file with a hex editor, however, with=20
> database apps I have no such luck.=A0 Is there some kind of tool that=20=

> allows me to see the tables of a db, or do I need to open it in the=20
> application that is associated with it?

If you want more than just strings, you will need an app that=20
understands the structure of the application file (just like you need a=20=

tool that can understand the structure of a specific file system to=20
view a file system image file).

> =A07)=A0 How could I view the content of .dat files?=A0 Is their a =
specific=20
> tool, or do I view the strings with a hex editor?

'.dat' is a generic extension.  You really need to base it on what=20
'file' (or similar) tool tells you about the file type.

brian