Re: [sleuthkit-users] Extract files not in NSRL
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Extract files not in NSRL
|
From: Brian C. <ca...@sl...> - 2013-09-17 01:52:51
|
Hi Santiago, There is nothing that currently supports that specific use case. - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path). - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want. - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want. Sorry. brian On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote: > Hi all, maybe you can help me with this: > > I have: > > a) E01 Image. > b) Indexed hash database. (NSRL) > c) hfind working well with hash database. > > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files. > > And if possible, export the files with the original path and directory strcuture they had in the image. > > I've tried with sleutkit framework, but could not make it work, > > Any ideas ? > > Many Thanks > Santiago > > ------------------------------------------------------------------------------ > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! > 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk_______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
