Re: [sleuthkit-users] Deleted files
From: Grundy B. J T. <Bar...@ti...> - 2014-03-11 13:33:39
Are the files simply deleted, or are they images in unallocated without associated directory entries? Are the 'commercial tools' carving the files out?

I'm not an Autopsy user, so I'm not sure if Autopsy either will, or has a module to, carve out files based on signature. I expect that's what's happening here. You'll need to find the files based on signature, not file system artifacts.

Does anyone know if 'carving' has been added to Autopsy? In the meantime you can augment your work with scalpel/Photorec/foremost, etc. Or for small test images you can have a really good time with sigfind and dd...

/*******************************************
Barry J. Grundy
Assistant Special Agent in Charge
Digital Forensic Support Group
Electronic Crimes and Intelligence Division
Treasury Inspector General for Tax Administration
(301) 210-8741 (w)
(202) 527-5778 (c)
Bar...@ti...
********************************************\

> -----Original Message-----
> From: HADER Consulting [mailto:in...@ha...]
> Sent: Tuesday, March 11, 2014 3:48 AM
> To: sle...@li...
> Subject: [sleuthkit-users] Deleted files
>
> Hi there,
> I'm running Autopsy 3.09 on a Win8-System.
> I have got a test image for comparing commercial and open source forensic
> tools. The test image is called rhinohunt, perhaps somebody knows it. On this
> image there are some pictures which are deleted.
> With Autopsy I am not able to find these files. With foremost and commercial
> tools (e.g. XWAYS) the files will be found.
> What went wrong with Autopsy?
> Regards
> Joachim
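
Added example, not part of the original thread and not code from Autopsy, The Sleuth Kit or foremost: signature-based carving as the reply describes it, locating JPEG data by header and footer bytes at sector boundaries instead of through directory entries, then expressing each hit as the `dd` extraction the reply alludes to. The function names, the 512-byte sector size, the `IMAGE` placeholder and the sample image are assumptions constructed for illustration.

```python
SECTOR = 512               # assumed sector size
SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker plus first byte of next marker
EOI = b"\xff\xd9"          # JPEG end-of-image marker

def carve_jpegs(image, max_size=10 * 1024 * 1024, sector=SECTOR):
    """Return (offset, length) for each sector-aligned header with a footer in range."""
    hits, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            return hits
        if start % sector:                 # file content starts on a sector boundary;
            pos = start + 1                # unaligned matches are treated as noise
            continue
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:                      # header without footer: overwritten or truncated
            pos = start + sector
            continue
        # Caveat: the first EOI may belong to an embedded thumbnail, and fragmented
        # files are not reassembled; this finds contiguous runs only.
        length = end + len(EOI) - start
        hits.append((start, length))
        pos = start + length

def dd_command(offset, length, sector=SECTOR):
    """Express one hit as a dd invocation (IMAGE is a placeholder file name)."""
    count = -(-length // sector)           # round up to whole sectors
    return (f"dd if=IMAGE of=carved_{offset}.jpg bs={sector} "
            f"skip={offset // sector} count={count}")

def build_sample_image():
    """Constructed test data: 16 blank sectors, two fake JPEG bodies, one orphan header."""
    img = bytearray(16 * SECTOR)
    jpg_a = SOI + b"\xe0" + b"A" * 700 + EOI   # 706 bytes, spans two sectors
    jpg_b = SOI + b"\xe1" + b"B" * 100 + EOI   # 106 bytes
    img[2 * SECTOR:2 * SECTOR + len(jpg_a)] = jpg_a
    img[8 * SECTOR:8 * SECTOR + len(jpg_b)] = jpg_b
    img[12 * SECTOR:12 * SECTOR + len(SOI)] = SOI  # header only, no footer follows
    return bytes(img)

if __name__ == "__main__":
    for off, length in carve_jpegs(build_sample_image()):
        print(off, length, dd_command(off, length))
```

Extracting whole sectors with `dd` leaves slack bytes after the footer, so hash the carved file only after trimming it to the reported length.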