Re: [sleuthkit-users] Extract files not in NSRL
From: Brian C. <ca...@sl...> - 2013-09-17 13:14:51
Yes, another tool in TSK that almost meets the requirements, but not quite. Like the framework and Autopsy, sorter knows about hashes and NSRL, but doesn't have an output mode to save the non-NSRL files to their original path.

I made an issue (https://github.com/sleuthkit/autopsy/issues/284) for this feature to be added to Autopsy. This could be a great module for the ongoing Autopsy Module Development Contest as part of OSDFCon... :) (http://www.basistechweek.com/osdf.html#contest).

On Sep 17, 2013, at 1:47 AM, slo...@gm... wrote:

> Why not use sorter for this purpose?
>
>
> On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
> Thanks Brian, I see that I was not so wrong in my tests.
>
> What I am trying to do is, I think, useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
> I will continue looking for a solution.
>
> I take this opportunity to tell you that your tools are really great!!
>
>
> Regards
> Santiago
>
>
> 2013/9/16 Brian Carrier <ca...@sl...>
> Hi Santiago,
>
> There is nothing that currently supports that specific use case.
> - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
> - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
> - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
>
> Sorry.
>
> brian
>
> On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>
> > Hi all, maybe you can help me with this:
> >
> > I have:
> >
> > a) E01 Image.
> > b) Indexed hash database. (NSRL)
> > c) hfind working well with hash database.
> >
> > I need to extract all files from the E01 image that are NOT in the hash database. So I need the files that are not known.
> >
> > And if possible, export the files with the original path and directory structure they had in the image.
> >
> > I've tried with the sleuthkit framework, but could not make it work.
> >
> > Any ideas?
> >
> > Many Thanks
> > Santiago
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
>
> --
> Santiago Vallés