Re: [sleuthkit-users] Feature suggestion for Autopsy
From: Brian C. <ca...@sl...> - 2005-12-01 08:04:36
That improvement is part of a larger improvement of adding "logical" searches in addition to just sector-level searches. That has been on the todo list for a while. After I finish up my dissertation in the next couple of months, these types of improvements should be made.

brian

On Nov 30, 2005, at 5:27 AM, esrkq yahoo wrote:

> Hi,
>
> I recently downloaded the latest versions of tsk and autopsy and my general impression (as a non-expert user) is that it does seem to have moved on a good step since I last used it. Everything seemed to work great (I only found one bug though I admit it could be user error).
>
> The last time I used Autopsy (at the beginning of the year) there was one feature that I wished it had and when I used it again recently I again 'missed' this feature.
>
> In fact, back in January Brian posted a request for some feedback on Autopsy entitled: 'Autopsy Case Management Gripes'
>
> I posted a reply to that and one of my 'gripes' at the time was
>
> .....copy and paste begin ......
>
> One other suggestion (not to do with case management) that would have saved me loads of time recently is having an extra button on the key word search results screen in Autopsy. The extra button would begin a batch process that would look up the filename (and extension) of every hit and put the filename next to each hit. This would save loads of time because if you are most interested in say Word Docs you could in the first instance only look at those hits that are word documents. Taking it a stage further the results could be displayed in a navigable tree form with each branch representing a different file type. At the moment you have to visit every hit and manually 'click' the MFT link to get the filename and type. I know there would be a time overhead in a batch process like this but at least it would all be done non interactively (i.e. you can go for some lunch while it's all happening).
>
> ---- paste finish -------
>
> OK, maybe the navigable tree thing is a bit of a stretch but if you could sort the results by filename (and maybe also show the MD5SUM) that would be useful as the same search string is found in many instances of the same file and when browsing through the results you find yourself checking out the same text over and over. Often I find I just want to scan an individual file quickly once and if it is not relevant then ignore all other occurrences of it and move onto the next one.
>
> The few times I used Autopsy this feature would have been a real time saver. I think many users would find this feature useful (what do others think?).
>
> Back in January you suggested this feature wouldn't be a huge job to add :-) - however I realise your to do list must be huge.
>
> Anyway Brian, thank you for this useful and enjoyable programme.
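
The workflow requested in the quoted message, as an added example that is not part of the original thread and is not Autopsy or Sleuth Kit code: each sector-level hit is resolved to its owning file, then hits are grouped by file type and collapsed by MD5 so identical copies are reviewed once. The allocation map, file contents and hit offsets are constructed sample data, and `owner_of` and `group_hits` are hypothetical names.

```python
import bisect
import hashlib
from collections import defaultdict
from pathlib import PurePosixPath

SECTOR_SIZE = 512

# Constructed sample data (not from a real image): file contents by path.
FILES = {
    "/docs/report.doc": b"quarterly invoice draft",
    "/backup/report_copy.doc": b"quarterly invoice draft",  # identical copy
    "/mail/inbox.txt": b"please send the invoice",
}
# Constructed allocation map: (first_sector, last_sector, path), sorted by start.
EXTENTS = [
    (100, 103, "/docs/report.doc"),
    (200, 203, "/backup/report_copy.doc"),
    (300, 301, "/mail/inbox.txt"),
]
# Constructed sector-level keyword hits, as byte offsets into the image.
HITS = [100 * 512 + 10, 102 * 512 + 4, 200 * 512 + 10, 300 * 512 + 7, 900 * 512]

_STARTS = [e[0] for e in EXTENTS]


def owner_of(offset):
    """Return the path whose extent contains this byte offset, or None."""
    sector = offset // SECTOR_SIZE
    i = bisect.bisect_right(_STARTS, sector) - 1
    if i >= 0 and EXTENTS[i][0] <= sector <= EXTENTS[i][1]:
        return EXTENTS[i][2]
    return None  # hit lies in unallocated or slack space


def group_hits(hits):
    """Group hits by file type, then by content hash, so copies are read once."""
    tree = defaultdict(lambda: defaultdict(lambda: {"paths": set(), "offsets": []}))
    for offset in sorted(hits):
        path = owner_of(offset)
        if path is None:
            tree["(unallocated)"]["-"]["offsets"].append(offset)
            continue
        ext = PurePosixPath(path).suffix.lower() or "(none)"
        digest = hashlib.md5(FILES[path]).hexdigest()  # identifies copies, as in the post
        entry = tree[ext][digest]
        entry["paths"].add(path)
        entry["offsets"].append(offset)
    return tree
```

Hits that fall outside every extent are kept under `(unallocated)` rather than dropped, since a sector-level search also covers space that no file owns.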