[sleuthkit-users] TSK and forensic methodologies
From: youcef b. <ybi...@ya...> - 2005-09-22 22:07:48
Hi, I need to have your feedback on your experience of using TSK following a forensic methodology. I have found some limitations, but this could be just my little exposure to the tool. I am currently using Eoghan Casey's methodology and trying to follow it using TSK. In brief, the steps of such a methodology are:

- Preparation (we can ignore it)
- Listing: fully supported in TSK via fls
- Recovery:
  o Unallocated space (supported via dls)
  o Slack space (supported via dls -s)
  o Deleted files (manually, but not fully automated)
- Filtering (manually, but not automated)
- Process identification/classification (supported via sorter)

The problem encountered is that the recovery of deleted files cannot be accomplished automatically. There is no TSK command that will recursively parse the image and dump all the deleted files. The same thing could be said for filtering: the fact that we needed to recover the content first of both allocated and unallocated files to be able to create an MD5 hash of the image media means that the filtering is exposed to the same limitation.

I know that some of you may say that sorter will accomplish both tasks: recovering deleted files, hashing them, applying the filtering and dumping their content. But the problem with sorter is its versatility. I wish I could use a switch to instruct it to do one thing at a time. The problem I am having, at least methodology-wise, is that sorter breaks the boundaries of a structured methodology (like the one I am trying to follow) by merging several steps into one action.

My question is:

- Is it possible to accomplish the above missing (in my understanding) steps using TSK (i.e. recursively recover deleted files and filtering) as separate tasks?
- What sort of methodology are you using when doing forensics using TSK/Autopsy?

My approach to the subject is purely academic, as I am trying to adopt it for educational purposes. I know that in real life some of you guys may burn all the steps and don't care about strict methodology.
Any feedback or code examples that do the trick are all welcomed.
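One way to keep "recover deleted files" and "filter by hash" as two separate steps, driven by TSK's own fls and icat rather than by sorter. This is an added example, not code from the post above or from The Sleuth Kit; it assumes the TSK 2.x-era command names and options (fls -r -p -d, icat -f), GNU md5sum, and caller-supplied image, filesystem type and output directory (the case.dd / linux-ext2 / recovered/ values in the comments are placeholders). The fls listing embedded in the script is constructed for the offline demonstration, not taken from a real image.

```shell
#!/bin/sh
# Added example, not code from the original post or from The Sleuth Kit itself.
# It splits "recover deleted files" and "filter by hash" into two separate
# steps, driven by TSK's own fls/icat output. Assumes TSK 2.x-era command names
# and options (fls -r -p -d, icat -f) and GNU md5sum; image/fstype/outdir
# values are placeholders supplied by the caller.

# Constructed sample of `fls -f <fstype> -r -p -d <image>` output used for the
# offline demonstration (not taken from a real image). '*' marks a deleted
# entry, "(realloc)" an inode that has since been reallocated, d/d a directory.
SAMPLE_FLS=$(printf 'r/r * 17:\tdocs/report.doc\nr/r * 21(realloc):\ttmp/old.txt\nd/d * 30:\ttrash\nr/r * 35:\ttrash/photo.jpg\n')

# Step 1 (listing -> recovery candidates): read fls output on stdin and emit
# "inode<TAB>path" for deleted regular files only. Directories are skipped,
# and so are reallocated inodes: their blocks now belong to a live file, so
# icat would dump the wrong content under the old name.
deleted_files() {
    awk '
        $1 == "r/r" && $2 == "*" && $3 ~ /^[0-9]+(-[0-9]+-[0-9]+)?:$/ {
            inode = substr($3, 1, length($3) - 1)     # strip trailing ":"
            path = $0
            sub(/^[^:]*:[ \t]*/, "", path)            # keep text after "type * inode:"
            printf "%s\t%s\n", inode, path
        }'
}

# Step 2 (recovery only, no hashing or filtering): dump each candidate with
# icat. Files are written by inode number, never by the recovered path, so a
# hostile name such as "../../etc/passwd" inside the image cannot escape
# outdir; the inode->path mapping goes into a manifest instead.
recover_deleted() {
    image=$1; fstype=$2; outdir=$3
    tab=$(printf '\t')
    mkdir -p "$outdir"
    fls -f "$fstype" -r -p -d "$image" | deleted_files |
    while IFS="$tab" read -r inode path; do
        icat -f "$fstype" "$image" "$inode" > "$outdir/$inode"
        printf '%s\t%s\n' "$inode" "$path" >> "$outdir/manifest.txt"
    done
}

# Step 3 (filtering only): hash everything recovered and print the files whose
# MD5 is NOT in a known-file hash list (one lowercase hex digest per line),
# i.e. the set that still needs an examiner's attention.
filter_unknown() {
    known=$1; dir=$2
    find "$dir" -type f ! -name manifest.txt -exec md5sum {} + |
    while read -r hash file; do
        grep -qi "^$hash" "$known" || printf '%s\t%s\n' "$hash" "$file"
    done
}

# Typical use (commented out because it needs a real image and TSK installed):
#   recover_deleted case.dd linux-ext2 recovered/
#   filter_unknown  known-good.md5 recovered/
```

The unallocated and slack-space steps stay with dls exactly as listed in the post; only the two steps the post calls manual are scripted here. Reallocated inodes are skipped on purpose: fls flags them because the directory entry is gone but the inode has been reused, so what icat returns is the current owner's data, not the deleted file's. Naming recovered files by inode and recording the original path in a manifest is what keeps the recovery step safe against directory-traversal names stored inside the evidence image.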