RE: [sleuthkit-users] Opening Application Files
From: Brian S. <Br...@Pe...> - 2005-04-21 15:52:17
Thanks for all of your help, Brian. I have a follow-up question (see below):

> 6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor, however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

If you want more than just strings, you will need an app that understands the structure of the application file (just like you need a tool that can understand the structure of a specific file system to view a file system image file).

Where can I find these apps? Are there any Linux-based apps that can do this? Is there one app that can understand the structure of many different application files?

Thanks,
Brian

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, April 21, 2005 7:01 AM
To: Brian Starr
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Opening Application Files

On Apr 20, 2005, at 5:54 PM, Brian Starr wrote:

> Hi everyone,
>
> I am new to the forensic world using TSK and other tools, and any help is GREATLY appreciated! I know I have a lot of questions, so any help is received with gladness:
>
> Foremost (I know this is not a foremost forum, so hopefully some of you can help me.)
>
> I have recovered several different file types from fat32 unallocated disk space (dls file) using foremost. I have some questions:
>
> 1) Why does foremost make many of the file sizes the max file size as specified in the foremost.conf file? In other words, is there a way to compress them down? For example, I retrieved about 1000 .doc files (MS Office), but because of the max file size, the total disk space is showing as 2 gigs, which cannot be the case.

If it doesn't find the footer value (or if the application type doesn't have a footer value), it goes until the maximum length.

> 2) Of the .doc files retrieved, half will not open in MS Word. Why is that? I understand that other office application data files have the same file headers. Is this because I do not have the right application to open them, or because the files are corrupted? If corrupted, is there any way to recover it, or view the content, outside of viewing the strings with a hex editor?

foremost only looks for a basic signature value, which could be 2 or 4 bytes long. Random data is bound to eventually have the same value in that location so you will get false positives.

> 3) None of the database files recovered with foremost open in the application associated with them, whereas half of word/excel files open. Why is that? Are db files just more difficult to recover?

Could just be a more common signature value or because database files tend to be larger and more fragmented so you are not recovering the full file. foremost recovers only files that are not fragmented.

> Sorter
>
> 4) When I run the sorter, I have the same file types in the 'data' and 'documents' directories (for instance, there will be .doc files in both directories).

What is the file type reported for those in the data directory? 'file' puts things in 'data' if it doesn't know the type.

> In addition, many common file types are labeled as unknown (for instance, a .pst file - MS Outlook). Is this because I do not have the NIST NSRL database installed?

It has nothing to do with NSRL. I thought pst was in the rules though. If you send me the unknown file I can add more rules to the next release (this goes for anyone who finds lots of stuff in unknown. I haven't updated the rules in a while).

> 5) Does the sorter pull files from unallocated as well as allocated disk space?

It pulls stuff from unallocated space IF there is a metadata structure (i.e. inode / MFT entry etc.) that points to the data. It does not do carving like foremost does.

> Other Questions
>
> 6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor, however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

If you want more than just strings, you will need an app that understands the structure of the application file (just like you need a tool that can understand the structure of a specific file system to view a file system image file).

> 7) How could I view the content of .dat files? Is there a specific tool, or do I view the strings with a hex editor?

'.dat' is a generic extension. You really need to base it on what 'file' (or similar) tool tells you about the file type.

brian
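The carving behaviour Brian Carrier describes in the thread (a hit runs to its footer or is cut at the max size, a short signature eventually matches random data, and only contiguous files come out whole) and sorter's reliance on file(1) with a fallback to 'data' for unknown types, shown as an added Python example. This is not part of the thread and is not code from foremost or The Sleuth Kit; the signature table, the noise generator, the image layout and the 'intact' check are all constructed stand-ins for the demonstration.

```python
"""Toy header/footer carver in the style of foremost, run over a constructed
buffer standing in for a dls (unallocated-space) image.

Added example; not code from The Sleuth Kit or foremost. The signature table,
the noise generator and the 'intact' check are constructed stand-ins.
"""
import random

# Constructed signature table: (type, header, footer or None, max_size).
# foremost.conf works from the same three ideas: header, optional footer, max size.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 64),
    ("txt", b"TXTHDR", None, 32),  # type with no footer: always cut at max_size
]

# Noise alphabet: no 0xff (so no accidental jpg header/footer) and no printable
# ASCII, which keeps every check below deterministic.
NOISE = bytes(range(0, 32)) + bytes(range(128, 255))


def carve(image, signatures=SIGNATURES):
    """Return (type, offset, size, reason) for every header hit.

    A hit extends to its footer if one lies within max_size, otherwise it is
    cut at max_size (or at the end of the image). Bytes are taken contiguously,
    so a fragmented file is carved as whatever happens to follow its header.
    """
    hits = []
    for ftype, header, footer, max_size in signatures:
        pos = image.find(header)
        while pos != -1:
            window = image[pos:pos + max_size]
            end = window.find(footer, len(header)) if footer else -1
            if end != -1:
                hits.append((ftype, pos, end + len(footer), "footer"))
            else:
                hits.append((ftype, pos, len(window), "no_footer"))
            pos = image.find(header, pos + 1)
    return hits


def classify(data, signatures=SIGNATURES):
    """Type a blob by its magic bytes, the way sorter leans on file(1): a blob
    matching no known signature lands in 'data', whatever its extension says."""
    for ftype, header, _, _ in signatures:
        if data.startswith(header):
            return ftype
    return "data"


def is_intact(ftype, data, signatures=SIGNATURES):
    """Stand-in for 'opens in its application': the body between header and
    footer must be printable ASCII (the constructed files are built that way)."""
    header, footer = next((h, f) for t, h, f, _ in signatures if t == ftype)
    body = data[len(header):]
    if footer:
        if not body.endswith(footer):
            return False
        body = body[:-len(footer)]
    return all(32 <= b < 127 for b in body)


def build_image(seed=7):
    """Constructed unallocated space: one intact jpg, one whose footer was
    overwritten, one fragmented across noise, a txt (no footer in its rule)
    and a bare header sitting in noise (the false positive the thread mentions)."""
    rng = random.Random(seed)
    noise = lambda n: bytes(rng.choice(NOISE) for _ in range(n))
    return b"".join([
        noise(20),
        b"\xff\xd8\xff" + b"A" * 10 + b"\xff\xd9",          # complete, contiguous
        noise(20),
        b"\xff\xd8\xff" + b"B" * 10,                         # footer overwritten
        noise(100),
        b"\xff\xd8\xff" + b"C" * 5, noise(30), b"C" * 5 + b"\xff\xd9",  # fragmented
        noise(20),
        b"TXTHDR" + b"hello world",                          # no footer by design
        noise(40),
        b"\xff\xd8\xff", noise(10),                          # signature in random data
    ])


def report(image):
    """Carve, then summarise what an examiner would see in the output directory."""
    rows = []
    for ftype, off, size, reason in carve(image):
        blob = image[off:off + size]
        rows.append((ftype, off, size, reason, classify(blob), is_intact(ftype, blob)))
    return rows


if __name__ == "__main__":
    for row in report(build_image()):
        print("%-4s offset=%4d size=%3d cut_by=%-9s file=%-4s intact=%s" % row)
```

Running it lists four jpg hits: one intact, one padded out to the 64-byte max because its footer is gone, one bounded by a footer but stuffed with the noise that sat between its fragments, and one that is nothing but a header found in random bytes. That is the "half of them won't open" pattern from the thread, and the txt hit shows why a rule without a footer always yields files of exactly max_size. In practice the plausibility check would be a real parser for the format (or simply trying the application), and classify would be file(1), which is what sorter calls.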