Re: [sleuthkit-users] Extract files not in NSRL
From: Santiago <san...@gm...> - 2013-09-17 12:09:08
How can I do this? With sorter you mean the Linux sort command?

2013/9/17 slo...@gm... <slo...@gm...>

> Why not use sorter for this purpose?
>
> On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
>
>> Thanks Brian, I see that I was not so wrong in my tests.
>>
>> This I try to do I think it's useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
>> I will continue looking for a solution.
>>
>> Take this opportunity to tell you that your tools are really great!!
>>
>> Regards
>> Santiago
>>
>> 2013/9/16 Brian Carrier <ca...@sl...>
>>
>>> Hi Santiago,
>>>
>>> There is nothing that currently supports that specific use case.
>>> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
>>> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
>>> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>>>
>>> Sorry.
>>>
>>> brian
>>>
>>> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>>>
>>> > Hi all, maybe you can help me with this:
>>> >
>>> > I have:
>>> >
>>> > a) E01 Image.
>>> > b) Indexed hash database. (NSRL)
>>> > c) hfind working well with hash database.
>>> >
>>> > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
>>> >
>>> > And if possible, export the files with the original path and directory structure they had in the image.
>>> >
>>> > I've tried with sleuthkit framework, but could not make it work,
>>> >
>>> > Any ideas ?
>>> >
>>> > Many Thanks
>>> > Santiago
>>> >
>>> > _______________________________________________
>>> > sleuthkit-users mailing list
>>> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> > http://www.sleuthkit.org
>>
>> --
>> Santiago Vallés

--
Santiago Vallés
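
Added example, not part of the thread and not Sleuth Kit code: one way to script the request above (export only files whose hash is not in the indexed database, under their original paths) around the stock `fls`, `icat` and `hfind` tools. It assumes `fls -r -p -F` prints `type inode:<TAB>path` lines and `hfind -q` prints `1` for a known hash and `0` otherwise; the function names and the sample listing are constructed for illustration.

```python
import hashlib, os, re, subprocess

# One `fls -r -p -F` line: "r/r 66-128-2:\tDocuments/report.doc"; "*" marks a deleted entry.
FLS_LINE = re.compile(r"^\S+ (\* )?(\d+(?:-\d+)*)(?:\(realloc\))?:\t(.+)$")

# Constructed sample listing (not from a real image).
SAMPLE_FLS = ["r/r 66-128-2:\tDocuments/report.doc", "r/r * 70-128-1:\tDocuments/old.tmp",
              "r/r 71-128-3:\tWindows/notepad.exe"]

def parse_fls(lines, include_deleted=False):
    """Return [(inode, path)] from fls output, skipping deleted entries by default."""
    out = []
    for line in lines:
        m = FLS_LINE.match(line.rstrip("\r\n"))
        if m and (include_deleted or not m.group(1)):
            out.append((m.group(2), m.group(3)))
    return out

def safe_dest(out_dir, img_path):
    """Map an image path below out_dir; names stored in an image are untrusted input."""
    root = os.path.realpath(out_dir)
    dest = os.path.realpath(os.path.join(root, img_path.lstrip("/")))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("path escapes export directory: %r" % img_path)
    return dest

def export_unknown(entries, read_file, is_known, out_dir):
    """Write every file whose MD5 is not known; return [(path, md5)] of exported files."""
    exported = []
    for inode, path in entries:
        data = read_file(inode)  # whole file held in memory; stream for large evidence
        md5 = hashlib.md5(data).hexdigest()
        if is_known(md5):
            continue
        dest = safe_dest(out_dir, path)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, "wb") as fh:
            fh.write(data)
        exported.append((path, md5))
    return exported

def run(image, hash_db, out_dir, fs_args=()):
    """Glue to the real tools; fs_args carries e.g. ("-o", "2048") for a partition offset."""
    tsk = lambda tool, *a: subprocess.run([tool, *fs_args, *a], check=True,
                                          capture_output=True).stdout
    listing = tsk("fls", "-r", "-p", "-F", image).decode(errors="replace").splitlines()
    known = lambda md5: subprocess.run(["hfind", "-q", hash_db, md5],
                                       capture_output=True).stdout.strip() == b"1"
    return export_unknown(parse_fls(listing), lambda i: tsk("icat", image, i),
                          known, out_dir)
```

If `hfind` fails (for example, the database has no index), the lookup reads as "not known" and the file is exported, so the output errs toward including too much rather than silently dropping files.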