Re: [sleuthkit-users] Deleted files
From: HADER C. <in...@ha...> - 2014-03-11 13:25:49
Barry,

thanks for the answer. The source device has been formatted using quick format (only the directory entries are deleted). The images can be carved by commercial tools and scalpel / foremost. You are right, the files can only be found by using header info. So I miss carving capabilities in Autopsy. File carving would be a nice and useful add-on for Autopsy/Sleuthkit.

Regards
Joachim

HADER Consulting
Dipl. Ing. (FH) Joachim A. Hader
Authorized expert on IT-Forensics, IT-Systems and Applications
Data protection and privacy official
Moststraße 7 | 91799 Langenaltheim | Tel: +49 151 53872750
Email: in...@ha... | WWW: http://www.hader-consulting.de
Confidentiality, neutrality and objectivity are my highest principles
Member of the Gesellschaft für Datenschutz und Datensicherheit e.V.
Member of the Verband Europäischer Gutachter und Sachverständiger e.V.

On 11.03.2014 13:58, Grundy Barry J TIGTA wrote:
> Are the files simply deleted, or are they images in unallocated without associated directory entries? Are the 'commercial tools' carving the files out? I'm not an Autopsy user, so I'm not sure if Autopsy either will, or has a module to, carve out files based on signature. I expect that's what's happening here. You'll need to find the files based on signature, not file system artifacts.
>
> Does anyone know if 'carving' has been added to Autopsy? In the meantime you can augment your work with scalpel/Photorec/foremost, etc. Or for small test images you can have a really good time with sigfind and dd...
>
> /*******************************************
> Barry J. Grundy
> Assistant Special Agent in Charge
> Digital Forensic Support Group
> Electronic Crimes and Intelligence Division
> Treasury Inspector General for Tax Administration
> (301) 210-8741 (w)
> (202) 527-5778 (c)
> Bar...@ti...
> ********************************************\
>
>> -----Original Message-----
>> From: HADER Consulting [mailto:in...@ha...]
>> Sent: Tuesday, March 11, 2014 3:48 AM
>> To: sle...@li...
>> Subject: [sleuthkit-users] Deleted files
>>
>> Hi there,
>>
>> I'm running Autopsy 3.09 on a Win8 system. I have got a test image for comparing commercial and open source forensic tools. The test image is called rhinohunt, perhaps somebody knows it. On this image there are some pictures which are deleted. With Autopsy I am not able to find these files. With foremost and commercial tools (e.g. XWAYS) the files will be found. What went wrong with Autopsy?
>>
>> Regards
>> Joachim
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
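The header-signature carving that the thread turns on (what foremost, scalpel and a sigfind-plus-dd session do, and what the poster missed in Autopsy at the time), as an added example that is not from the original thread and not code from The Sleuth Kit, Autopsy, foremost or scalpel. After a quick format the directory entries are gone but the picture data is still in the now-unallocated blocks, so the carver scans raw bytes for known headers, then reads forward to the matching footer or to a size cap. The signature table, the `carve`/`write_carved`/`build_test_image` names and the constructed sample "image" are this example's own assumptions; the `sector_aligned` flag imitates sigfind's default of only looking at sector boundaries.

```python
"""Minimal signature-based file carver in the spirit of foremost / scalpel / sigfind (example code)."""
import os
import re
import sys
from dataclasses import dataclass

SECTOR = 512  # sigfind's default search granularity

# Signature table constructed for this example (foremost and scalpel ship far
# larger ones in their config files).  Each entry: header pattern, footer
# pattern (None when a format has no reliable trailer) and a size cap, which
# is what bounds the carve when no footer is ever found.
SIGNATURES = {
    "jpg": (re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), re.compile(rb"\xff\xd9"), 10 * 1024 * 1024),
    "png": (re.compile(rb"\x89PNG\r\n\x1a\n"), re.compile(rb"IEND\xaeB`\x82"), 10 * 1024 * 1024),
    "gif": (re.compile(rb"GIF8[79]a"), re.compile(rb"\x00\x3b"), 5 * 1024 * 1024),
}


@dataclass
class Carved:
    kind: str
    offset: int      # byte offset of the header in the image
    length: int      # bytes carved (to the footer, or to the size cap)
    complete: bool   # True when the footer was found inside the cap


def carve(image: bytes, signatures=SIGNATURES, sector_aligned: bool = False):
    """Return every header hit as a Carved record, sorted by offset.

    sector_aligned=True mimics sigfind's default of only reporting hits on
    sector boundaries: faster and fewer false positives, but it misses files
    whose first bytes sit mid-sector (e.g. inside another file's slack).
    """
    hits = []
    for kind, (header, footer, max_len) in signatures.items():
        for m in header.finditer(image):
            start = m.start()
            if sector_aligned and start % SECTOR:
                continue
            end_cap = min(start + max_len, len(image))
            # Search for the footer only after the header and inside the cap.
            f = footer.search(image, m.end(), end_cap) if footer else None
            if f:
                hits.append(Carved(kind, start, f.end() - start, True))
            else:
                # No trailer: carve up to the cap, as foremost does, and flag it.
                hits.append(Carved(kind, start, end_cap - start, False))
    hits.sort(key=lambda c: c.offset)
    return hits


def write_carved(image: bytes, hits, outdir: str):
    """Write each hit to <outdir>/<offset>.<kind>; returns the paths written."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for h in hits:
        path = os.path.join(outdir, f"{h.offset:012d}.{h.kind}")
        with open(path, "wb") as fh:
            fh.write(image[h.offset:h.offset + h.length])
        paths.append(path)
    return paths


def build_test_image() -> bytes:
    """Constructed sample 'disk image' (not a real one): ASCII filler, which can
    never match the signatures above, around three files.  The last JPEG has no
    EOI marker, as happens when the tail of a file was overwritten."""
    def filler(n):
        return (b"0123456789abcdef" * (n // 16 + 1))[:n]
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 20 + b"\xff\xd9"   # 30 bytes
    png_ok = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"       # 32 bytes
    jpeg_cut = b"\xff\xd8\xff\xe1" + b"Exif" + b"\x00" * 10                # 18 bytes, no EOI
    return b"".join([
        filler(512),                       # sector 0: nothing to find
        jpeg_ok,                           # offset 512, sector aligned
        filler(512 - len(jpeg_ok)),
        png_ok,                            # offset 1024, sector aligned
        filler(512 - len(png_ok) + 100),
        jpeg_cut,                          # offset 1636, NOT sector aligned
        filler(300),
    ])


if __name__ == "__main__":
    # usage: python carve.py [image] [outdir]; reads the whole image into memory,
    # which is fine for small test images like the one discussed in the thread.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_test_image()
    found = carve(data)
    for h in found:
        print(f"{h.kind} @ {h.offset} len={h.length} {'complete' if h.complete else 'TRUNCATED'}")
    if len(sys.argv) > 2:
        write_carved(data, found, sys.argv[2])
```

Two caveats a practitioner will hit on a real image: a JPEG with an EXIF thumbnail contains a second SOI/EOI pair, so the first `\xff\xd9` ends the carve early and the thumbnail is also reported as a file of its own (the real tools carry extra rules for this); and without a footer the carve runs to the size cap, so the output needs validating, for instance by opening it with an image library, before it is treated as recovered evidence.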