Re: [sleuthkit-users] Deleted files
From: HADER C. <in...@ha...> - 2014-03-11 14:47:32
Jason, thank you for your reply. I am convinced that adding carving to Autopsy is a very good improvement.

Best regards
Joachim

On 11.03.2014 15:29, Jason Letourneau wrote:
> We're working on adding carving via Scalpel. We've had some hiccups trying to add it in as a library vs its more traditional use as a stand alone tool. If you are inclined, you can see the progress in the "develop" branch on Github (certainly experimental at this stage). We're hoping to get a release out in a couple of months that will have carving added to Autopsy.
>
> Jason
>
> On Tue, Mar 11, 2014 at 9:25 AM, HADER Consulting <in...@ha...> wrote:
>> Barry, thanks for the answer. The source device has been formatted using quick format (only the directory entries are deleted). The images can be carved by commercial tools and scalpel / foremost. You are right, the files can only be found by using header info. So I miss carving capabilities in Autopsy. File carving would be a nice and useful add-on for Autopsy/Sleuthkit.
>>
>> Regards
>> Joachim
>>
>> HADER Consulting
>> Dipl. Ing. (FH) Joachim A. Hader
>> Authorized expert on IT-Forensics, IT-Systems and Applications
>> Data protection and privacy official
>>
>> Moststraße 7 | 91799 Langenaltheim | Tel: +49 151 53872750
>> Email: in...@ha... | WWW: http://www.hader-consulting.de
>>
>> Confidentiality, neutrality and objectivity are my highest principles.
>> Member of the Gesellschaft für Datenschutz und Datensicherheit e.V.
>> Member of the Verband Europäischer Gutachter und Sachverständiger e.V.
>>
>> On 11.03.2014 13:58, Grundy Barry J TIGTA wrote:
>>> Are the files simply deleted, or are they images in unallocated without associated directory entries? Are the 'commercial tools' carving the files out? I'm not an Autopsy user, so I'm not sure if Autopsy either will, or has a module to, carve out files based on signature. I expect that's what's happening here. You'll need to find the files based on signature, not file system artifacts.
>>>
>>> Does anyone know if 'carving' has been added to Autopsy? In the meantime you can augment your work with scalpel/Photorec/foremost, etc. Or for small test images you can have a really good time with sigfind and dd...
>>>
>>> /*******************************************
>>> Barry J. Grundy
>>> Assistant Special Agent in Charge
>>> Digital Forensic Support Group
>>> Electronic Crimes and Intelligence Division
>>> Treasury Inspector General for Tax Administration
>>> (301) 210-8741 (w)
>>> (202) 527-5778 (c)
>>> Bar...@ti...
>>> ********************************************\
>>>
>>>> -----Original Message-----
>>>> From: HADER Consulting [mailto:in...@ha...]
>>>> Sent: Tuesday, March 11, 2014 3:48 AM
>>>> To: sle...@li...
>>>> Subject: [sleuthkit-users] Deleted files
>>>>
>>>> Hi there, I'm running Autopsy 3.09 on a Win8 system. I have got a test image for comparing commercial and open source forensic tools. The test image is called rhinohunt, perhaps somebody knows it. On this image there are some pictures which are deleted. With Autopsy I am not able to find these files. With foremost and commercial tools (e.g. XWAYS) the files will be found. What went wrong with Autopsy?
>>>>
>>>> Regards
>>>> Joachim
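The point Barry makes in the thread above, that after a quick format the pictures can only be found by signature and not through file system artifacts, is illustrated by the following added example. It is not part of the original thread and is not code from The Sleuth Kit, Autopsy, scalpel or foremost; it is a minimal header/footer carver of the kind those tools implement. The signature table, the 2 MiB size cap and the sample "volume" are assumptions constructed for the example.

```python
"""Signature-based (header/footer) file carving over a raw image.

Added example for this thread; not code from The Sleuth Kit, Autopsy,
scalpel or foremost. It shows why a quick-formatted device still yields
pictures: the directory entries are gone, but the file contents in
unallocated space still begin with a recognisable header.
"""
import hashlib
from dataclasses import dataclass

# Signature table: kind -> (header, footer, maximum carve size).
# Header/footer bytes are the standard JPEG and PNG magic values; the size
# cap is an assumption chosen for this example (real carvers make it
# configurable per file type).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2 * 1024 * 1024),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int
    length: int
    complete: bool   # False when no footer was found before the size cap
    sha256: str      # hash of the carved bytes, for later de-duplication


def carve(image: bytes, signatures=SIGNATURES):
    """Return every header-to-footer span found in `image`, sorted by offset.

    Only the raw bytes are examined: no directory entries and no allocation
    map, which is exactly what makes this work after a quick format.
    """
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_len)
            foot = image.find(footer, pos + len(header), window_end)
            if foot != -1:
                end, complete = foot + len(footer), True
            else:
                # No footer inside the window (or the media ends first):
                # keep what is there but flag it as truncated.
                end, complete = window_end, False
            data = image[pos:end]
            found.append(CarvedFile(kind, pos, len(data), complete,
                                    hashlib.sha256(data).hexdigest()))
            # Resume after this object so one picture is not reported twice.
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f.offset)


def build_sample_image() -> bytes:
    """Constructed stand-in for a quick-formatted volume: filler bytes with
    two whole pictures and one truncated one, and no file-system metadata."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"png-chunks-" * 3 + b"IEND\xaeB`\x82"
    cut = b"\xff\xd8\xff\xe1" + b"truncated-jpeg-"   # ends with the media
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + png + b"\x00" * 64 + cut


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        status = "complete" if f.complete else "TRUNCATED"
        print(f"{f.kind} offset={f.offset:<5} length={f.length:<4} "
              f"{status} sha256={f.sha256[:16]}...")
```

Two practical caveats that scalpel and foremost handle and this toy does not: a JPEG with an EXIF thumbnail contains a second FFD8/FFD9 pair, so a naive footer search stops at the thumbnail and loses the main picture; and a footer search with no size cap can run to the end of the media when a file is fragmented. The `complete` flag and the per-file hash are there so that truncated and duplicate hits can be triaged rather than silently counted as recovered pictures.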