Re: [sleuthkit-users] Extract files not in NSRL
From: Santiago <san...@gm...> - 2013-09-17 19:13:21
Thank you both !!
I will try this.
2013/9/17 slo...@gm... <slo...@gm...>
> Yes, I realized that, but I read the original email as "if possible"
> extract the files to full paths, and sorter was the closest and easiest
> solution to the problem.
>
> Santiago, this is not a fast solution, but you could do something like
> this if you want the non-matching files to be exported with full paths:
>
> $ partition="-o63 WinXP.E01"
>
> $ fls -r $partition | egrep -o "[0-9-]*" | grep 128 | \
> > while read inode
> > do
> > md5=$(icat $partition $inode | md5sum | cut -d ' ' -f1)
> > hit=$(hfind -q minimal/NSRLFile.txt $md5)
> > if [ $hit -eq 0 ]
> > then
> > fname=$(ffind $partition $inode)
> > mkdir -pv "export${fname%/*}"
> > echo exporting "$fname..."
> > icat $partition $inode > "export${fname}"
> > fi
> > done
>
>
>
>
> On Tue, Sep 17, 2013 at 6:14 AM, Brian Carrier <ca...@sl...> wrote:
>
>> Yes, another tool in TSK that almost meets the requirements, but not
>> quite. Like the framework and Autopsy, sorter knows about hashes and NSRL,
>> but doesn't have an output mode to save the non-NSRL files to their
>> original path.
>>
>> I made an issue (https://github.com/sleuthkit/autopsy/issues/284) for
>> this feature to be added to Autopsy. This could be a great module for the
>> ongoing Autopsy Module Development Contest as part of OSDFCon... :) (
>> http://www.basistechweek.com/osdf.html#contest).
>>
>> On Sep 17, 2013, at 1:47 AM, slo...@gm... wrote:
>>
>> > Why not use sorter for this purpose?
>> >
>> >
>> > On Mon, Sep 16, 2013 at 7:44 PM, Santiago <san...@gm...> wrote:
>> > Thanks Brian, I see that I was not so wrong in my tests.
>> >
>> > What I'm trying to do is, I think, useful when a forensic investigator must
>> > return the results to someone who is not technical and needs to access a
>> > small number of files.
>> > I will continue looking for a solution.
>> >
>> > Take this opportunity to tell you that your tools are really great !!
>> >
>> >
>> > Regards
>> > Santiago
>> >
>> >
>> > 2013/9/16 Brian Carrier <ca...@sl...>
>> > Hi Santiago,
>> >
>> > There is nothing that currently supports that specific use case.
>> > - tsk_recover would be the easiest to expand to this situation, but it
>> > currently doesn't know anything about hashes / NSRL (but it does know about
>> > saving files to original path).
>> > - framework knows about hashes and NSRL, but doesn't have a reporting
>> > module that does exactly what you want.
>> > - Autopsy also knows about hashes and NSRL, but also doesn't have an
>> > export / reporting module that does exactly what you want.
>> >
>> > Sorry.
>> >
>> > brian
>> >
>> > On Sep 16, 2013, at 9:41 PM, Santiago <san...@gm...> wrote:
>> >
>> > > Hi all, maybe you can help me with this:
>> > >
>> > > I have:
>> > >
>> > > a) E01 Image.
>> > > b) Indexed hash database. (NSRL)
>> > > c) hfind working well with hash database.
>> > >
>> > > I need to extract all files from E01 image that are NOT in the hash
>> > > database. So I need not known files.
>> > >
>> > > And if possible, export the files with the original path and
>> > > directory structure they had in the image.
>> > >
>> > > I've tried with sleuthkit framework, but could not make it work.
>> > >
>> > > Any ideas ?
>> > >
>> > > Many Thanks
>> > > Santiago
>> > >
>> > >
>> > > ------------------------------------------------------------------------------
>> > > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
>> > > 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
>> > > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
>> > > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
>> > > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
>> > > _______________________________________________
>> > > sleuthkit-users mailing list
>> > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> > > http://www.sleuthkit.org
>> >
>> >
>> >
>> >
>> > --
>> > Santiago Vallés
>> >
>> >
>> >
>> >
>> >
>>
>>
>
--
Santiago Vallés
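Added example, not code from anyone in this thread: the same "export everything that is not in NSRL" loop as the shell pipeline quoted above, written in Python around the output of `fls -r -p` (which already prints full paths, so `ffind` is not needed) and with two things the one-liner skips. Destination paths are checked before anything is written, because file names come from the evidence, and a crafted image can carry `..` components that would make `icat ... > "export${fname}"` land outside the export directory; and deleted entries (`*`, `(realloc)`) are skipped unless asked for, so a recovered name cannot overwrite the live file at the same path. `fake_icat` and `fake_hfind_q` are constructed stand-ins for `icat` and `hfind -q` (which prints 1 when the hash is in the index and 0 when it is not, hence the `[ $hit -eq 0 ]` test above); `SAMPLE_FLS` and `SAMPLE_BODIES` are constructed data, so the block runs offline. In a real run the two callables would wrap `subprocess` calls to the TSK binaries.

```python
"""Plan the export of files that are NOT in an NSRL hash set, keeping paths.

Added example, not from the thread. `fake_icat` / `fake_hfind_q` are
constructed stand-ins for `icat` and `hfind -q`; SAMPLE_* is constructed data.
"""
import hashlib
import posixpath
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# One line of `fls -r -p` output looks like
#   r/r 128-128-1:<TAB>WINDOWS/system32/kernel32.dll
#   r/r * 2060-128-1(realloc):<TAB>Documents and Settings/user/draft.doc
# dir-entry type / metadata type, '*' when deleted, TSK address
# inode[-attrtype-attrid], optional "(realloc)", ':', a tab, then the path
# relative to the file system root.
FLS_RE = re.compile(
    r"^(?P<dtype>[-a-z])/(?P<itype>[-a-z])\s+(?P<deleted>\*\s+)?"
    r"(?P<inode>\d+(?:-(?P<attrtype>\d+)-\d+)?)(?:\(realloc\))?:\t(?P<path>.*)$"
)


@dataclass
class FlsEntry:
    inode: str      # full TSK address, exactly as icat and ffind expect it
    path: str       # path inside the image, relative to the root directory
    deleted: bool
    is_file: bool   # metadata type 'r' (regular file), not a directory


@dataclass
class ExportItem:
    inode: str
    path: str
    dest: str       # where the body will be written, under the export root


def parse_fls_line(line: str) -> Optional[FlsEntry]:
    m = FLS_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # On NTFS only attribute type 128 ($DATA) holds file content; the thread's
    # `grep 128` selects the same entries. FAT/ext addresses have no suffix.
    if m.group("attrtype") not in (None, "128"):
        return None
    return FlsEntry(inode=m.group("inode"), path=m.group("path"),
                    deleted=m.group("deleted") is not None,
                    is_file=m.group("itype") == "r")


def hfind_quick_hit(output: str) -> bool:
    """Interpret `hfind -q` output: '1' = hash is in the index, '0' = not."""
    out = output.strip()
    if out not in ("0", "1"):
        raise ValueError(f"unexpected hfind -q output: {output!r}")
    return out == "1"


def export_destination(export_root: str, image_path: str) -> str:
    """Map a path from the image to a path under export_root.

    Names come from the evidence, not from the analyst, so '..' components
    are refused rather than written outside the export root.
    """
    parts = [p for p in image_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"refusing path from image: {image_path!r}")
    return posixpath.join(export_root, *parts)


def plan_export(fls_lines: Iterable[str], icat: Callable[[str], bytes],
                hfind_q: Callable[[str], str], export_root: str,
                include_deleted: bool = False) -> Tuple[List[ExportItem], List[str]]:
    """Return (items to export, TSK addresses refused for unsafe paths)."""
    plan, refused = [], []
    for line in fls_lines:
        e = parse_fls_line(line)
        if e is None or not e.is_file or (e.deleted and not include_deleted):
            continue
        md5 = hashlib.md5(icat(e.inode)).hexdigest()
        if hfind_quick_hit(hfind_q(md5)):
            continue                        # in NSRL: known file, not exported
        try:
            plan.append(ExportItem(e.inode, e.path,
                                   export_destination(export_root, e.path)))
        except ValueError:
            refused.append(e.inode)
    return plan, refused


# --- constructed sample data, not taken from any real image ----------------
SAMPLE_FLS = [
    "d/d 5-144-5:\t$Extend",
    "r/r 128-128-1:\tWINDOWS/system32/kernel32.dll",
    "r/r 2051-128-3:\tDocuments and Settings/user/notes.txt",
    "r/r * 2060-128-1(realloc):\tDocuments and Settings/user/draft.doc",
    "r/r 2070-128-1:\t../../etc/passwd",
]
SAMPLE_BODIES = {
    "128-128-1": b"MZ constructed stand-in for a known DLL",
    "2051-128-3": b"meeting notes\n",
    "2060-128-1": b"old draft\n",
    "2070-128-1": b"root:x:0:0:root:/root:/bin/sh\n",
}
KNOWN_MD5 = {hashlib.md5(SAMPLE_BODIES["128-128-1"]).hexdigest()}  # stand-in NSRL


def fake_icat(inode: str) -> bytes:
    return SAMPLE_BODIES[inode]


def fake_hfind_q(md5: str) -> str:
    return "1\n" if md5 in KNOWN_MD5 else "0\n"


if __name__ == "__main__":
    items, refused = plan_export(SAMPLE_FLS, fake_icat, fake_hfind_q, "export")
    for it in items:
        print(f"icat <image> {it.inode} > {it.dest}")
    print("refused (unsafe path):", refused)
```

With the sample data only `notes.txt` is planned for export: the DLL hashes into the stand-in index, the deleted draft is skipped by default, and the entry named `../../etc/passwd` is reported as refused instead of being written.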