[sleuthkit-users] Questions about Sleuthkit
From: Ryan P. <rpe...@mi...> - 2006-01-23 16:56:28
Greetings,

I have been using Sleuthkit for the last few months, and I have a few questions that I could not find the answers to in the manual, or in the mailing list archive. I apologize in advance if these issues have already been addressed in previous posts, but the search function on the SourceForge archive page does not seem to be functioning.

1) Is there a way to view Autopsy log files from within the Autopsy interface? I can load up the log files in the browser by going to file->open, but is there any way from within the actual interface to do it?

2) Are EnCase images supported at all? I can import EnCase images into a case, but none of the operations I attempt seem to execute correctly.

3) Can a SHA-1 hash be generated when an image is imported? When I import an image, I have the option of generating an MD5 hash, but I don't see SHA-1.

4) Is there any way to limit searches to files with certain extensions, or to those in a particular directory?

5) Should the regular expression: 'special[:space:][0-9A-Za-z]*[:space:]access' (I don't include the single quotes when I enter it in the search box) match the string "special test access"? I've tried that expression on an image that I know contains that string, but it doesn't return any matches. I've ensured that the regular expression box was checked on the search page, and I've tried using parentheses.

6) Is it possible to generate reports at a higher granularity than files? That is, can a report be generated for a host or a case that contains information about multiple files? Can notes be included in reports?

7) Is there any way to dissect and analyze the messages/attachments within an Outlook (.pst) or an Exchange (.edb) file, or can they only be searched for text?

Thank you for any answers you can provide,
-Ryan

--
Ryan Persaud
rpe...@mi...
703-983-1275
The MITRE Corporation