Re: [sleuthkit-users] Autopsy: Can't search in unallocated space of a partition
From: Dennis <in...@ba...> - 2013-11-19 20:26:28
Simson, thanks for the reply.

Regarding 1): I know that the string is in the unallocated space of the partition due to an EnCase analysis of the image, and I have double-checked this with the method outlined in my initial email using fuse, strings and grep.

Regarding 2): I already had a look at bulk_extractor, but I thought that Autopsy should have found the string as well; that was the reason for starting this thread, to investigate.

Some thoughts - better to say wild guesses - that I have:
- character encoding problem (ANSI vs UTF-8 vs UTF-16 with its different endianness)
- not fully indexing the unallocated space

Kind regards
Dennis

On Sunday, 17.11.2013, 06:54 -0500, Simson Garfinkel wrote:
> Dennis —
>
> 1. Perhaps the string is not in unallocated space.
>
> 2. For your application below, bulk_extractor with ‘-f’ might give better results. I realize that your goal is to test Autopsy, but I’m not really sure why you want to do that. bulk_extractor with identify_filenames.py will tell you which files the strings came from.
>
> Simson
>
>
> On Nov 17, 2013, at 5:43 AM, Dennis <in...@ba...> wrote:
>
> > Hi,
> >
> > the image was created with FTK Imager (3.1). I did not activate
> > compression for the E01 image.
> >
> > Kind regards
> > Dennis
> >
> > On Thursday, 14.11.2013, 10:00 +0800, Notyor Buizines wrote:
> >> what command did you use for taking image of hard disk?
> >>
> >> On Thu, Nov 7, 2013 at 4:36 AM, Dennis <in...@ba...> wrote:
> >> Dear all,
> >>
> >> I am currently giving autopsy a test ride on one of my test images.
> >> I use this test image in some of my forensic classes but I ran into
> >> a problem.
> >>
> >> My Setup
> >> Windows 8 64 Bit
> >> Autopsy V 3.0.6
> >>
> >> Image Details:
> >> 320 GB EWF Image
> >>
> >> Case Setup / Activated Ingest Modules
> >> Recent Activities
> >> Hash Lookup
> >> EXIF Image Parser
> >> Keyword Search
> >>
> >> And of course the checkbox for "process unallocated space" was
> >> activated.
> >>
> >> My Scenario
> >> I know that an HTML fragment is available in the unallocated space
> >> of one partition. This HTML fragment contains the string "secret
> >> secret". Therefore, I just ran a search for the string secret but
> >> the search did not yield any results in the unallocated space.
> >>
> >> I double checked that the string was inside the unallocated space by
> >> mounting the image via fuse (DFF) and running the command
> >> strings -f -t d * | grep secret
> >> inside the NTFS unallocated folder. This resulted in roughly 20 - 30
> >> hits.
> >>
> >> Question
> >> Is this a known bug? Is the search in the unallocated space not yet
> >> supported? How can I investigate what is going wrong?
> >>
> >> Kind regards
> >> Dennis
> >>
> >> _______________________________________________
> >> sleuthkit-users mailing list
> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> >> http://www.sleuthkit.org
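The following is an added example, not code from this thread, from Autopsy, The Sleuth Kit or bulk_extractor, to make the character-encoding guess above concrete. The `strings ... | grep` check from the original post only sees runs of printable ASCII bytes, so a copy of the keyword stored as UTF-16 (every other byte NUL) can never show up there, and a keyword indexer that only decodes one encoding has the same blind spot. The script builds a constructed "unallocated space" buffer with the same HTML fragment embedded as ASCII, UTF-16LE and UTF-16BE, mimics the `strings -t d | grep` check, and then runs an encoding-aware search that finds all three. All function names (`build_sample_blob`, `grep_ascii_strings`, `multi_encoding_search`, `utf16_pattern`) and the sample data are assumptions of this example; for the characters in "secret secret", ANSI (Windows-1252) and ASCII are the same bytes, so the UTF-8 search also covers that case.

```python
"""Keyword search over a raw byte buffer in several encodings.

Added example for the sleuthkit-users thread above; not code from Autopsy,
The Sleuth Kit or bulk_extractor. The "unallocated space" below is a
constructed sample, not data carved from a real image.
"""
import re
from typing import List, Tuple

Hit = Tuple[int, str]  # (decimal byte offset, encoding label)


def build_sample_blob() -> bytes:
    """Constructed stand-in for unallocated space: NUL filler with the same HTML
    fragment embedded once as ASCII, once as UTF-16LE and once as UTF-16BE."""
    fragment = "<p>secret secret</p>"
    filler = b"\x00" * 64
    return (filler + fragment.encode("ascii")
            + filler + fragment.encode("utf-16-le")   # no BOM, like most on-disk text
            + filler + fragment.encode("utf-16-be")
            + filler)


def ascii_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Roughly what `strings -t d` prints by default: runs of at least min_len
    printable ASCII bytes, each with its decimal offset."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]


def grep_ascii_strings(blob: bytes, keyword: str) -> List[int]:
    """The `strings ... | grep keyword` check from the thread: offsets of the
    ASCII strings that contain the keyword. UTF-16 text never forms such a
    run, because every other byte is NUL, so those copies are invisible here."""
    return [off for off, s in ascii_strings(blob) if keyword in s]


def utf16_pattern(keyword: str) -> bytes:
    """For an ASCII-only keyword c1..cn, UTF-16LE is c1 00 c2 00 ... cn 00 and
    UTF-16BE is 00 c1 00 c2 ... 00 cn. Both contain the core c1 00 c2 00 ... 00 cn,
    so one search for the core finds either byte order without double counting."""
    return b"\x00".join(ch.encode("ascii") for ch in keyword)


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """All (possibly overlapping) offsets of needle in blob."""
    hits, idx = [], blob.find(needle)
    while idx >= 0:
        hits.append(idx)
        idx = blob.find(needle, idx + 1)
    return hits


def multi_encoding_search(blob: bytes, keyword: str) -> List[Hit]:
    """Encoding-aware search: UTF-8/ASCII plus UTF-16 in either byte order."""
    hits: List[Hit] = [(off, "utf-8") for off in find_all(blob, keyword.encode("utf-8"))]
    if keyword.isascii():
        hits += [(off, "utf-16") for off in find_all(blob, utf16_pattern(keyword))]
    else:
        # Non-ASCII keywords share no byte-order-independent core; search each order.
        for enc in ("utf-16-le", "utf-16-be"):
            hits += [(off, enc) for off in find_all(blob, keyword.encode(enc))]
    return sorted(hits)


if __name__ == "__main__":
    sample = build_sample_blob()
    print("strings | grep :", grep_ascii_strings(sample, "secret secret"))
    print("multi-encoding :", multi_encoding_search(sample, "secret secret"))
```

Run as a script, the ASCII-only check reports a single hit (the ASCII copy at offset 64, the start of the `<p>` string, which is how `strings -t d` reports offsets), while the encoding-aware search reports the keyword itself at offsets 67, 154 and 259. Against a real carved unallocated-space file, replace `build_sample_blob()` with the file's bytes; the same difference between the two searches is what Dennis's guess about ANSI/UTF-8/UTF-16 would produce.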