Re: [sleuthkit-users] Questions about Sleuthkit
From: youcef b. <ybi...@ya...> - 2006-01-23 22:56:27
These are my answers given my knowledge of the product.

> 1) Is there a way to view Autopsy log files from within the Autopsy
> interface? I can load up the log files in the browser by going to
> file->open, but is there any way from within the actual interface to do it?

No

> 2) Are EnCase images supported at all? I can import EnCase images into a
> case, but none of the operations I attempt seem to execute correctly.

No. Autopsy (TSK in fact) supports raw image format.

> 3) Can a SHA-1 hash be generated when an image is imported. When I import
> an image, I have the option of generating an MD5 hash, but I don't see
> SHA-1.

You can use sha in TSK but it is not incorporated yet in Autopsy.

> 4) Is there any way to limit searches to files with certain extensions, or
> to those in a particular directory?

Not in Autopsy, but you have all the tools in TSK to achieve this. Unfortunately there is no automated way to do it.

> 5) Should the regular expression:
> 'special[:space:][0-9A-Za-z]*[:space:]access' (I don't include the single
> quotes when I enter it in the search box) match the string "special test
> access". I've tried that expression on an image that I know contains that
> string, but it doesn't return any matches. I've ensured that the regular
> expression box was checked on the search page, and I've tried using
> parentheses.

Your search is valid for ASCII text. Make sure that your text is not in Unicode.

> 6) Is it possible to generate reports at a higher granularity than files.
> That is, can a report be generated for a host or a case that contains
> information about multiple files? Can notes be included in reports?

Autopsy is still weak on the reporting side. It doesn't generate a decent report, but it does log all the investigator actions, which could be included in the report.

> 7) Is there any way to dissect and analyze the messages/attachments within
> an Outlook (.pst) or an Exchange (.edb) file, or can they only be searched
> for text?

TSK and Autopsy are file system analysis tools. Here you are touching on the application analysis layer and you need to look for other specialised tools that achieve it. Open source tools that I know of which can process pst files are readpst from the debian project. There is a good article in the forensicfocus which explains the usage of this tool and other ones related to email analysis.

Regards
Youcef
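Question 5 asks why a keyword regex finds nothing on an image known to contain the phrase. The following is an added example, not from this thread or from TSK/Autopsy, showing what a byte-level keyword search actually sees: how a bare `[:space:]` behaves when it is not nested in a second pair of brackets, and why the same phrase stored as UTF-16 slips past an ASCII-only pattern. The sample buffers are constructed.

```python
import re

# Constructed sample buffers: the phrase from question 5 embedded in filler
# bytes, once as plain ASCII and once as UTF-16LE (each ASCII byte followed
# by a NUL byte, which is how much Windows text is stored on disk).
PHRASE = "special test access"
ASCII_DATA = b"<slack>\x00\x00" + PHRASE.encode("ascii") + b"\x00<more slack>"
UTF16_DATA = b"<slack>\x00\x00" + PHRASE.encode("utf-16-le") + b"\x00<more slack>"

# The expression exactly as typed in the question. A POSIX class is only
# recognised inside an enclosing bracket expression ("[[:space:]]"); written
# bare, "[:space:]" is a set of the six characters ':', 's', 'p', 'a', 'c', 'e'.
AS_TYPED = rb"special[:space:][0-9A-Za-z]*[:space:]access"

# The intended meaning: one whitespace character on each side of the word.
# On a bytes pattern \s covers the same ASCII whitespace as [[:space:]].
INTENDED = rb"special\s[0-9A-Za-z]*\saccess"


def widen_literal(word: str) -> bytes:
    """Regex fragment matching `word` as UTF-16LE: each letter followed by a NUL."""
    return b"".join(re.escape(ch.encode("ascii")) + rb"\x00" for ch in word)


# The same intent against UTF-16LE bytes: every literal and every class
# must also absorb the NUL that follows each code unit.
INTENDED_UTF16 = (widen_literal("special")
                  + rb"\s\x00(?:[0-9A-Za-z]\x00)*\s\x00"
                  + widen_literal("access"))


def count_matches(pattern: bytes, data: bytes) -> int:
    """Hits for a byte-level regex over a raw buffer, as a grep over an image sees it."""
    return len(re.findall(pattern, data))


def keyword_hits(data: bytes) -> dict:
    """Run all three patterns over one buffer and report the hit count of each."""
    return {
        "as_typed": count_matches(AS_TYPED, data),
        "intended_ascii": count_matches(INTENDED, data),
        "intended_utf16": count_matches(INTENDED_UTF16, data),
    }


if __name__ == "__main__":
    for label, data in (("ASCII", ASCII_DATA), ("UTF-16LE", UTF16_DATA)):
        print(label, keyword_hits(data))
```

Only the pattern written for the encoding actually on disk produces a hit, so a keyword search over an image needs one variant per expected encoding.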