Re: [sleuthkit-users] Deleted files
From: Jason L. <jle...@ba...> - 2014-03-11 15:23:35
We're working on adding carving via Scalpel. We've had some hiccups trying to add it in as a library vs. its more traditional use as a stand-alone tool. If you are inclined, you can see the progress in the "develop" branch on GitHub (certainly experimental at this stage). We're hoping to get a release out in a couple of months that will have carving added to Autopsy.

Jason

On Tue, Mar 11, 2014 at 9:25 AM, HADER Consulting <in...@ha...> wrote:
> Barry,
> thanks for the answer.
> The source device has been formatted by using quick format (only the
> directory entries are deleted). The images can be carved by commercial
> tools and scalpel / foremost.
> You are right, the files can only be found by using header info. So I
> miss carving capabilities in autopsy. File carving would be a nice and
> useful add-on for autopsy/sleuthkit.
> Regards
> Joachim
>
> HADER Consulting
> Dipl. Ing. (FH) Joachim A. Hader
> Authorized expert on IT-Forensics, IT-Systems and Applications
> Data protection and privacy official
>
> Moststraße 7 | 91799 Langenaltheim | Tel: +49 151 53872750
> Email: in...@ha... | WWW: http://www.hader-consulting.de
>
> Confidentiality, neutrality and objectivity are my highest principles
> Member of the Gesellschaft für Datenschutz und Datensicherheit e.V.
> Member of the Verband Europäischer Gutachter und Sachverständiger e.V.
>
> On 11.03.2014 13:58, Grundy Barry J TIGTA wrote:
> > Are the files simply deleted, or are they images in unallocated
> > without associated directory entries? Are the 'commercial tools'
> > carving the files out? I'm not an Autopsy user, so I'm not sure
> > if Autopsy either will, or has a module to, carve out files based
> > on signature. I expect that's what's happening here. You'll need
> > to find the files based on signature not file system artifacts.
> >
> > Does anyone know if 'carving' has been added to Autopsy? In the
> > meantime you can augment your work with scalpel/PhotoRec/foremost,
> > etc. Or for small test images you can have a really good time
> > with sigfind and dd...
> >
> > /*******************************************
> > Barry J. Grundy
> > Assistant Special Agent in Charge, Digital Forensic Support Group
> > Electronic Crimes and Intelligence Division
> > Treasury Inspector General for Tax Administration
> > (301) 210-8741 (w) (202) 527-5778 (c)
> > Bar...@ti...
> > ********************************************\
> >
> >> -----Original Message-----
> >> From: HADER Consulting [mailto:in...@ha...]
> >> Sent: Tuesday, March 11, 2014 3:48 AM
> >> To: sle...@li...
> >> Subject: [sleuthkit-users] Deleted files
> >>
> >> Hi there, I'm running Autopsy 3.09 on a Win8-System. I have got a
> >> test image for comparing commercial and open source forensic
> >> tools. The test image is called rhinohunt, perhaps somebody knows
> >> it. On this image there are some pictures which are deleted. With
> >> Autopsy I am not able to find these files. With foremost and
> >> commercial tools (e.g. XWAYS) the files will be found. What went
> >> wrong with Autopsy?
> >> Regards
> >> Joachim
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
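Barry's point, that after a quick format the pictures have to be found by signature rather than by file-system artifacts, is what a carver does in miniature. The following is an added example (not code from Autopsy, Scalpel, foremost or anyone on the list): a header/footer carver for JPEG data run over a constructed image buffer; the MAX_JPEG cap is an assumption standing in for the per-type size limit a carver's configuration would normally supply.

```python
"""Minimal header/footer carver for JPEG data in a raw disk image."""
from typing import List, Tuple

JPEG_SOI = b"\xff\xd8\xff"  # Start Of Image: the header bytes a carver keys on
JPEG_EOI = b"\xff\xd9"      # End Of Image: the footer marker
MAX_JPEG = 10 * 1024 * 1024  # assumption: per-type size cap a carver config supplies


def carve_jpeg(image: bytes, max_size: int = MAX_JPEG) -> List[Tuple[int, int]]:
    """Return (offset, length) for every JPEG located by signature alone.

    The file system is never consulted, which is why this still works after a
    quick format: directory entries are gone, the data clusters are not. A
    header with no footer before the cap or the next header is carved up to
    that point, so a truncated picture is reported rather than dropped.
    Caveat: an embedded EXIF thumbnail carries its own SOI/EOI, so this naive
    footer match can cut such a file short; real carvers add rules for that.
    """
    hits: List[Tuple[int, int]] = []
    pos = image.find(JPEG_SOI)
    while pos != -1:
        window_end = min(len(image), pos + max_size)
        eoi = image.find(JPEG_EOI, pos + len(JPEG_SOI), window_end)
        next_soi = image.find(JPEG_SOI, pos + len(JPEG_SOI), window_end)
        if eoi != -1 and (next_soi == -1 or eoi < next_soi):
            length = eoi + len(JPEG_EOI) - pos  # complete header..footer
        else:
            stop = next_soi if next_soi != -1 else window_end
            length = stop - pos                 # truncated or capped
        hits.append((pos, length))
        pos = image.find(JPEG_SOI, pos + length)
    return hits


def is_complete(image: bytes, hit: Tuple[int, int]) -> bool:
    """True when the carved slice ends with the JPEG footer."""
    off, length = hit
    return image[off:off + length].endswith(JPEG_EOI)


def build_sample_image() -> bytes:
    """Constructed test image: zero filler around two whole JPEGs and one
    whose tail was overwritten (no footer). Not real picture data."""
    filler = b"\x00" * 64
    jpeg_a = JPEG_SOI + b"\xe0" + b"A" * 20 + JPEG_EOI  # 26 bytes at offset 64
    jpeg_b = JPEG_SOI + b"\xe1" + b"B" * 30 + JPEG_EOI  # 36 bytes at offset 154
    truncated = JPEG_SOI + b"\xe0" + b"C" * 10          # 14 bytes at offset 254
    return filler + jpeg_a + filler + jpeg_b + filler + truncated + filler
```

Running carve_jpeg over the sample reports the two whole pictures and the truncated one, which is_complete flags because its slice does not end in the footer.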