Re: [sleuthkit-users] Extract files not in NSRL
From: <slo...@gm...> - 2013-09-17 18:41:53
Yes, I realized that, but I read the original email as "if possible" extract the files to full paths, and sorter was the closest and easiest solution to the problem.

Santiago, this is not a fast solution, but you could do something like this if you want the non-matching files to be exported with full paths:

    partition="-o63 WinXP.E01"
    fls -r $partition | egrep -o "[0-9-]*" | grep 128 | \
    while read inode
    do
        md5=$(icat $partition $inode | md5sum | cut -d ' ' -f1)
        hit=$(hfind -q minimal/NSRLFile.txt $md5)
        if [ $hit -eq 0 ]
        then
            fname=$(ffind $partition $inode)
            mkdir -pv "export${fname%/*}"
            echo exporting "$fname..."
            icat $partition $inode > "export${fname}"
        fi
    done

On Tue, Sep 17, 2013 at 6:14 AM, Brian Carrier <ca...@sl...> wrote:
> Yes, another tool in TSK that almost meets the requirements, but not quite. Like the framework and Autopsy, sorter knows about hashes and NSRL, but doesn't have an output mode to save the non-NSRL files to their original path.
>
> I made an issue (https://github.com/sleuthkit/autopsy/issues/284) for this feature to be added to Autopsy. This could be a great module for the ongoing Autopsy Module Development Contest as part of OSDFCon... :) (http://www.basistechweek.com/osdf.html#contest).
>
> On Sep 17, 2013, at 1:47 AM, slo...@gm... wrote:
>
> > Why not use sorter for this purpose?
> >
> > On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
> > > Thanks Brian, I see that I was not so wrong in my tests.
> > >
> > > What I am trying to do is, I think, useful when a forensic investigator must return the results to someone who is not technical and needs to access a small number of files.
> > > I will continue looking for a solution.
> > >
> > > I'll take this opportunity to tell you that your tools are really great!!
> > >
> > > Regards
> > > Santiago
> > >
> > > 2013/9/16 Brian Carrier <ca...@sl...>
> > > > Hi Santiago,
> > > >
> > > > There is nothing that currently supports that specific use case.
> > > >
> > > > - tsk_recover would be the easiest to expand to this situation, but it currently doesn't know anything about hashes / NSRL (but it does know about saving files to original path).
> > > > - framework knows about hashes and NSRL, but doesn't have a reporting module that does exactly what you want.
> > > > - Autopsy also knows about hashes and NSRL, but also doesn't have an export / reporting module that does exactly what you want.
> > > >
> > > > Sorry.
> > > >
> > > > brian
> > > >
> > > > On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
> > > >
> > > > > Hi all, maybe you can help me with this:
> > > > >
> > > > > I have:
> > > > >
> > > > > a) E01 Image.
> > > > > b) Indexed hash database. (NSRL)
> > > > > c) hfind working well with hash database.
> > > > >
> > > > > I need to extract all files from E01 image that are NOT in the hash database. So I need the not-known files.
> > > > >
> > > > > And if possible, export the files with the original path and directory structure they had in the image.
> > > > >
> > > > > I've tried with sleuthkit framework, but could not make it work.
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Many Thanks
> > > > > Santiago
> > > > >
> > > > > _______________________________________________
> > > > > sleuthkit-users mailing list
> > > > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > > > > http://www.sleuthkit.org
> > >
> > > --
> > > Santiago Vallés
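The loop in the top message is the thread's only working recipe, and it does a per-file ffind round trip to recover the path. As an added example (not code from The Sleuth Kit, Autopsy, or anyone in the thread), here is the same idea in Python: it parses `fls -r -p` output, which already prints the full path, skips directories and unallocated (deleted) entries, asks `hfind -q` about each MD5, and refuses to write any name that would escape the export directory, since file names read out of an evidence image are untrusted input. The tool invocations in `run_export()` assume fls, icat and hfind are on PATH and an index built with `hfind -i`; the listing, file contents and "known" hash set in `demo()` are constructed so the selection logic runs offline.

```python
#!/usr/bin/env python3
"""Export files from a TSK-readable image that are NOT in an NSRL index,
recreating their original directory layout under an export root.

Added example for this thread, not TSK's own code. run_export() drives the
real tools (assumed on PATH); everything else is pure and exercised by demo().
"""
import hashlib
import re
import subprocess
from pathlib import Path, PurePosixPath

# One line of `fls -r -p`: "<type> [* ]<addr>:<tab><path>", for example
#   r/r 128-128-1:<TAB>Windows/notepad.exe
#   r/r * 64-128-2:<TAB>Documents/deleted.txt      (unallocated entry)
# The NTFS address form "inode-attrtype-id" is optional so other file systems parse too.
FLS_LINE = re.compile(
    r"^(?P<kind>[a-z-]/[a-z-])\s+(?P<deleted>\*\s+)?(?P<addr>\d+(?:-\d+-\d+)?):\s+(?P<path>.*)$"
)


def parse_fls_line(line):
    """Return {'kind','deleted','addr','path'} for an fls line, or None if it does not parse."""
    m = FLS_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return {"kind": m.group("kind"), "deleted": m.group("deleted") is not None,
            "addr": m.group("addr"), "path": m.group("path")}


def export_path(root, image_path):
    """Map a path from the image onto a path under `root`.

    A ".." component or an absolute path must never escape the export tree,
    so such names are rejected rather than silently rewritten.
    """
    parts = [p for p in PurePosixPath(image_path).parts if p not in ("/", "")]
    if not parts or any(p == ".." for p in parts):
        raise ValueError(f"refusing unsafe path from image: {image_path!r}")
    return Path(root).joinpath(*parts)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def select_unknown(fls_lines, content_of, is_known):
    """Yield (entry, bytes) for allocated regular files whose MD5 is not known.

    content_of(addr) returns the file bytes; is_known(md5) answers the hash lookup.
    Directories and deleted entries are skipped, as in the shell loop above.
    """
    for line in fls_lines:
        entry = parse_fls_line(line)
        if entry is None or entry["deleted"] or entry["kind"] != "r/r":
            continue
        data = content_of(entry["addr"])
        if not is_known(md5_hex(data)):
            yield entry, data


def plan_export(fls_lines, content_of, is_known, root):
    """Return ([(dest_path, bytes), ...], [rejected image paths]) without writing."""
    planned, rejected = [], []
    for entry, data in select_unknown(fls_lines, content_of, is_known):
        try:
            planned.append((export_path(root, entry["path"]), data))
        except ValueError:
            rejected.append(entry["path"])
    return planned, rejected


def run_export(image_args, nsrl_index, root):
    """Real run, e.g. run_export(["-o", "63", "WinXP.E01"], "minimal/NSRLFile.txt", "export")."""
    listing = subprocess.run(["fls", "-r", "-p", *image_args],
                             capture_output=True, text=True, check=True).stdout

    def content_of(addr):
        return subprocess.run(["icat", *image_args, addr], capture_output=True, check=True).stdout

    def is_known(md5):  # hfind -q prints "1" if the hash is in the index, "0" if not
        out = subprocess.run(["hfind", "-q", nsrl_index, md5], capture_output=True, text=True).stdout
        return out.strip() == "1"

    planned, rejected = plan_export(listing.splitlines(), content_of, is_known, root)
    for dest, data in planned:
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return [str(d) for d, _ in planned], rejected


# Constructed sample: a listing, fake contents, and a fake "NSRL" set holding
# the hashes of the two files we want treated as known.
SAMPLE_FLS = ["d/d 11-144-4:\t$Extend", "r/r 4-128-1:\t$AttrDef",
              "r/r 128-128-1:\tWindows/notepad.exe", "r/r * 64-128-2:\tDocuments/deleted.txt",
              "r/r 65-128-1:\tDocuments/notes.txt", "r/r 66-128-1:\t../escape.txt"]
SAMPLE_CONTENT = {"4-128-1": b"attrdef bytes", "128-128-1": b"notepad bytes",
                  "65-128-1": b"the investigator's notes", "66-128-1": b"would escape the tree"}
SAMPLE_KNOWN = {md5_hex(SAMPLE_CONTENT["4-128-1"]), md5_hex(SAMPLE_CONTENT["128-128-1"])}


def demo(root="export"):
    """Run the selection on the constructed sample; returns (relative export paths, rejected)."""
    planned, rejected = plan_export(SAMPLE_FLS, SAMPLE_CONTENT.__getitem__,
                                    SAMPLE_KNOWN.__contains__, root)
    return [dest.relative_to(root).as_posix() for dest, _ in planned], rejected


if __name__ == "__main__":
    print(demo())
```

The per-file `hfind -q` call keeps the same semantics as the shell loop (a "0" answer means unknown, so the file is exported); separating `plan_export()` from the writes makes it easy to review what would be exported, and which names were rejected, before anything touches disk.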