Re: [sleuthkit-users] Extract files not in NSRL
From: <slo...@gm...> - 2013-09-17 12:56:55
The sorter tool is a part of sleuthkit. Find information about it here: http://wiki.sleuthkit.org/index.php?title=Sorter.

On Tue, Sep 17, 2013 at 5:08 AM, Santiago <san...@gm...> wrote:

> How can I do this ??
>
> With sorter you mean linux sort command ?
>
> 2013/9/17 slo...@gm... <slo...@gm...>
>
>> Why not use sorter for this purpose?
>>
>> On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
>>
>>> Thanks Brian, I see that I was not so wrong in my tests.
>>>
>>> This I try to do I think it's useful when a forensic investigator must return the results to someone who is not technical and need to access a small number of files.
>>> I will continue looking for a solution.
>>>
>>> Take this opportunity to tell you that your tools are really great !!
>>>
>>> Regards
>>> Santiago
>>>
>>> 2013/9/16 Brian Carrier <ca...@sl...>
>>>
>>>> Hi Santiago,
>>>>
>>>> There is nothing that currently supports that specific use case.
>>>> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
>>>> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
>>>> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>>>>
>>>> Sorry.
>>>>
>>>> brian
>>>>
>>>> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>>>>
>>>> > Hi all, maybe you can help me with this:
>>>> >
>>>> > I have:
>>>> >
>>>> > a) E01 Image.
>>>> > b) Indexed hash database. (NSRL)
>>>> > c) hfind working well with hash database.
>>>> >
>>>> > I need to extract all files from E01 image that are NOT in the hash database. So I need not known files.
>>>> >
>>>> > And if possible, export the files with the original path and directory structure they had in the image.
>>>> >
>>>> > I've tried with sleuthkit framework, but could not make it work,
>>>> >
>>>> > Any ideas ?
>>>> >
>>>> > Many Thanks
>>>> > Santiago
>>>> >
>>>> > _______________________________________________
>>>> > sleuthkit-users mailing list
>>>> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> > http://www.sleuthkit.org
>>>
>>> --
>>> Santiago Vallés
>
> --
> Santiago Vallés
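
An added example, not part of the original thread and not Sleuth Kit code: one way to get the export Santiago describes as a post-filter, hashing an already recovered directory tree and copying only the files whose MD5 is absent from the known-file set, with relative paths preserved. It assumes the files were first recovered to disk with their original paths (which the thread says tsk_recover can do) and that the known hashes are available as a CSV with an `MD5` column, as in NSRLFile.txt; the function names and sample data are constructed for illustration.

```python
import csv, hashlib, shutil, tempfile
from pathlib import Path

def load_nsrl_md5s(nsrl_csv):
    """Return the MD5 column of an NSRLFile.txt-style CSV as a set (upper-case hex)."""
    with open(nsrl_csv, newline="", encoding="utf-8", errors="replace") as fh:
        return {r["MD5"].strip().upper() for r in csv.DictReader(fh) if r.get("MD5")}

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large recovered files do not load into memory."""
    h = hashlib.md5()  # MD5 is used only as the lookup key into the known-file set
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def export_unknown(recovered_root, out_root, known_md5s):
    """Copy files whose MD5 is not in known_md5s, keeping their relative paths."""
    recovered_root, out_root = Path(recovered_root), Path(out_root)
    exported = []
    for src in sorted(recovered_root.rglob("*")):
        if src.is_symlink() or not src.is_file():
            continue  # directories and links are not evidence files to hash
        digest = md5_of(src)
        if digest in known_md5s:
            continue  # known file: leave it out of the export
        rel = src.relative_to(recovered_root)
        dst = out_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the recovered file's timestamps
        exported.append((rel.as_posix(), digest))
    return exported  # doubles as a manifest for the report

if __name__ == "__main__":
    # Constructed sample data: two "recovered" files, one of them listed as known.
    with tempfile.TemporaryDirectory() as tmp:
        rec, out = Path(tmp, "recovered"), Path(tmp, "unknown")
        for rel, data in (("Windows/notepad.exe", b"known"), ("Users/a/plan.doc", b"new")):
            Path(rec, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(rec, rel).write_bytes(data)
        nsrl = Path(tmp, "NSRLFile.txt")
        nsrl.write_text('"SHA-1","MD5","CRC32","FileName","FileSize"\n"%s","%s","0",'
                        '"notepad.exe",5\n' % ("0" * 40, hashlib.md5(b"known").hexdigest()))
        for rel, digest in export_unknown(rec, out, load_nsrl_md5s(nsrl)):
            print(digest, rel)
```

Keep the output directory outside the recovered tree so exported copies are not picked up and hashed again on the same walk.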