Re: [sleuthkit-users] Autopsy: Can't search in unallocated space of a partition
From: Brian C. <ca...@sl...> - 2013-11-21 17:41:30
Hi Dennis,

Sorry for the late reply on this. I'm finally getting back to all of the e-mails that occurred during OSDFCon and the prep time before it.

It should have found the strings and I just verified it on a test image. A couple of things to mention here:

- Autopsy does case insensitive, exact matches. Meaning that if you search for "forensic", then it will not find "forensics". It will find "FORENSIC" though. We are going to change the behavior in the future to make these substring matches easier. Currently, you need to make a regular expression search and do something like ".*forensic.*". The ".*" are wild cards before and after the word. Not sure if that is related to what you are seeing or not.

- One thing to help debug is if the text was properly extracted. If you know where the string is in unallocated space, then you can look at the virtual unallocated file that Autopsy/TSK created for that region of unallocated space. The virtual files are located in the "$Unalloc" folder for each file system and have names of the following syntax:

  Unalloc_InternalID_StartByteOffset_EndByteOffset

  If you know the byte offset of the string relative to the start of the disk, then find the Unalloc file that it is located in and view its contents. The "Strings" tab shows the output of running strings on the content and the "Text" tab shows you what is in the SOLR keyword index.

If none of these helped, let me know and we can proceed with more steps.

thanks,
brian

On Nov 6, 2013, at 3:36 PM, Dennis <in...@ba...> wrote:

> Dear all,
>
> I am currently giving autopsy a test ride on one of my test images. I
> use this test image in some of my forensic classes but I ran into a
> problem.
>
> My Setup
> Windows 8 64 Bit
> Autopsy V 3.0.6
>
> Image Details:
> 320 GB EWF Image
>
> Case Setup / Activated Ingest Modules
> Recent Activities
> Hash Lookup
> EXIF Image Parser
> Keyword Search
>
> And of course the checkbox for "process unallocated space" was
> activated.
>
> My Scenario
> I know that a HTML fragment is available in the unallocated space of one
> partition. This HTML fragment contains the string "secret secret".
> Therefore, I just ran a search for the string secret but the search did
> not yield any results in the unallocated space.
>
> I double checked that the string was inside the unallocated space by
> mounting the image via fuse (DFF) and running the command
>
>     strings -f -t d * | grep secret
>
> inside the NTFS unallocated folder. This resulted in roughly 20 - 30
> hits.
>
> Question
> Is this a known bug? Is the search in the unallocated space not yet
> supported? How can I investigate what is going wrong?
>
> Kind regards
> Dennis
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
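The debugging step Brian describes (take a known disk byte offset, find the $Unalloc virtual file that covers it, then look at that file's Strings/Text tabs) is easy to get wrong by hand on a 320 GB image with many unallocated regions. The script below is an added example, not code from the Autopsy or Sleuth Kit projects: it parses the Unalloc_InternalID_StartByteOffset_EndByteOffset naming scheme from the reply, maps an absolute offset to the covering virtual file plus the offset inside it, and also converts a `strings -f -t d` hit (filename, decimal offset, text) back into an absolute disk offset so the two views can be reconciled. The file names and the strings output line are constructed sample data; the assumptions that the offsets in the name are absolute image offsets and that EndByteOffset is exclusive are the example's, not the list's.

```python
import re
from typing import List, Optional, Tuple

# Naming scheme quoted from the reply: Unalloc_InternalID_StartByteOffset_EndByteOffset.
UNALLOC_RE = re.compile(r"^Unalloc_(?P<id>\d+)_(?P<start>\d+)_(?P<end>\d+)$")

# Output shape of `strings -f -t d`: "<file>: <decimal offset> <text>".
STRINGS_HIT_RE = re.compile(r"^(?P<name>[^:]+):\s*(?P<off>\d+)\s(?P<text>.*)$")

# Constructed sample listing of a $Unalloc folder (hypothetical, not a real case).
SAMPLE_UNALLOC_NAMES: List[str] = [
    "Unalloc_4_1048576_2097152",
    "Unalloc_4_5242880_9437184",
    "Unalloc_4_20971520_21495808",
]


def parse_unalloc_name(name: str) -> Optional[Tuple[int, int, int]]:
    """Return (internal_id, start, end) for a $Unalloc virtual file name, or None."""
    m = UNALLOC_RE.match(name)
    if m is None:
        return None
    return int(m["id"]), int(m["start"]), int(m["end"])


def find_unalloc_for_offset(names: List[str], disk_offset: int) -> Optional[Tuple[str, int]]:
    """Map an absolute byte offset to (virtual file name, offset within that file).

    Assumption (not stated on the list): start/end are absolute image offsets and
    end is exclusive. Returns None when the offset is in allocated space, i.e. not
    covered by any Unalloc file, which is itself a useful diagnostic.
    """
    for name in names:
        parsed = parse_unalloc_name(name)
        if parsed is None:  # ignore unrelated entries in the folder
            continue
        _, start, end = parsed
        if start <= disk_offset < end:
            return name, disk_offset - start
    return None


def disk_offset_from_strings_hit(line: str) -> Optional[Tuple[int, str]]:
    """Turn one `strings -f -t d` line run over a $Unalloc file into (absolute offset, text).

    The decimal offset printed by strings is relative to the file it scanned, so the
    file's StartByteOffset from its name is added back.
    """
    m = STRINGS_HIT_RE.match(line)
    if m is None:
        return None
    parsed = parse_unalloc_name(m["name"].strip())
    if parsed is None:
        return None
    _, start, _ = parsed
    return start + int(m["off"]), m["text"]


if __name__ == "__main__":
    # Constructed hit: the string sits 4096 bytes into the second unallocated region.
    hit = disk_offset_from_strings_hit("Unalloc_4_5242880_9437184: 4096 secret secret")
    print(hit)  # (5246976, 'secret secret')
    print(find_unalloc_for_offset(SAMPLE_UNALLOC_NAMES, 5247000))  # ('Unalloc_4_5242880_9437184', 4120)
    print(find_unalloc_for_offset(SAMPLE_UNALLOC_NAMES, 3000000))  # None: allocated space
```

If `find_unalloc_for_offset` returns None for an offset you know holds the string, the region was not carved into a virtual file at all, which points at the "process unallocated space" step rather than at the keyword index; if it returns a file, open that file in Autopsy and compare its Strings and Text tabs as Brian suggests.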