Re: [sleuthkit-users] Feature Placement
From: Andre L. <la...@xe...> - 2015-04-17 22:45:04
Hi,

for me such embedded files are part of the document itself. What I meant was that it would be perfect if, in the list where Doc or Docx files are listed, every file with embedded files had a + sign and I could see there what is embedded. I do not want to lose the link between mother and child objects. If I got a folder with all embedded images, maybe with a link to the mother document, I would lose the information of the rest of the document, and mostly pictures are only important together with the rest of the information in a document. If I now find, among hundreds of pictures, some that I want more information about, I will get massive false positives: the picture is maybe hot, but the text in the document itself is a joke that someone has sent as an attachment in a doc to the whole department. Without knowing the rest of the information from such a document, a picture is only a picture; it says all and says nothing.

For my cases I miss in Autopsy a document tree like this: documents sorted by type, ideally with a second tab holding a timeline of those documents, and if I select a day or hour, the visible files in the tree are those that match my time slot selection.

Doc Folder
    file.doc
        + embedded files
        + metadata
DocX Folder
    file.docx
        + embedded files
        + metadata
and so on

And for that file tree a search function with the enhancement to save searches, make an index over whole files (text), and search word lists with searchable result lists that can be exported to the case report.

But life is not perfect ;-) Maybe you can pick something from my wishes for such a feature.

best
Andre

> ---------- Original Message ----------
> From: Derrick Karpo dk...@gm...
> Sent: 17 April 2015 16:06:21 CEST
> To: Brian Carrier ca...@sl...; sleuthkit-users sle...@li...
> Subject: Re: [sleuthkit-users] Feature Placement
>
> Would it work to just have a single "Extract embedded data in files"
> module which would deep traverse files and look for embedded child
> objects such as pictures in docs/pdfs, pictures from thumbnails,
> cookies and blobs from browser sqlite databases, etc? It's a bit of a
> catch all module for all things embedded (not just graphics) so that
> you don't end up with an ever growing list of modules.
>
> I think the keyword module should be kept separate. For me, even
> though searching for ASCII/Unicode text uses the same library, the use
> case is very different. I only search for keywords in specific cases
> and often would just want to run the 'deep traverse' without running
> keywords.
>
> Derrick
>
>
> On Thu, Apr 16, 2015 at 9:46 PM, Hoyt Harness <hoy...@gm...> wrote:
>> Maybe it's a matter of renaming the keyword module and modifying the
>> hover tip so they're more inclusive once the embedded image feature is
>> added. That would solve it, I think, as well as maximize performance,
>> reduce the development task, and aid in ingest brevity.
>>
>> Hoyt
>>
>> On Thu, Apr 16, 2015 at 8:57 AM, Brian Carrier <ca...@sl...> wrote:
>>> Question for the Autopsy users on the list. We’re about to add a feature to extract pictures from inside of Word/PowerPoint/Excel docs and add them in as derived files that will be hashed, searched, etc.
>>>
>>> The question is where we put the module.
>>>
>>> Technically, it is using the same library that we use in Keyword Search to extract text from these file types, so it would be fastest and least code for us to add it as a by-product of that module. Though, it is not very intuitive that the Keyword Search module would be doing that (from a user experience perspective).
>>>
>>> A second option is to make a module just for that. In addition to a slight performance hit, my other concern with this is that the list of ingest modules is starting to get long. I don’t want Autopsy to have a list of 20 items to select from each time (when most of them will always be enabled). There are of course longer-term ways to group modules by category, but that doesn’t solve the problem of where do we check this in next week.
>>>
>>> A third option is to make a module that is graphic image focused and merge the EXIF module into it. So, this new module would extract images from Word and EXIF extract and have a name that is graphics-based.
>>>
>>> Any strong thoughts? Should performance trump a little confusion about who is actually going to be extracting the images?
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
>>> Develop your own process in accordance with the BPMN 2 standard
>>> Learn Process modeling best practices with Bonita BPM through live exercises
>>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
>>> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
>>
>> --
>> Hoyt
>> -----------------
>> There are 11 kinds of people - those who think binary jokes are funny,
>> those who don't, ...and those who don't know binary.

Best regards,
Andre Lauzon
la...@xe...
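
The derived-file idea discussed in this thread, as an added example that is not part of the original messages and is not Autopsy's code: it pulls embedded media out of an OOXML container, hashes each item, and keeps the link back to the parent document. The record fields, the size cap and the sample file are assumptions made for illustration.

```python
import hashlib
import io
import zipfile

# OOXML containers keep embedded media under these prefixes
# (Word, PowerPoint and Excel respectively).
MEDIA_PREFIXES = ("word/media/", "ppt/media/", "xl/media/")
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap on the declared member size


def extract_embedded(parent_name, parent_bytes):
    """Return one record per embedded media file, each linked to its parent."""
    parent_sha256 = hashlib.sha256(parent_bytes).hexdigest()
    derived = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(parent_bytes))
    except zipfile.BadZipFile:
        return derived  # legacy .doc (OLE2) or corrupt file: not handled here
    with archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.startswith(MEDIA_PREFIXES):
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                continue  # skip oversized members instead of inflating them
            data = archive.read(info)
            derived.append({
                "parent": parent_name,              # parent/child link is kept
                "parent_sha256": parent_sha256,
                "path_in_parent": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return derived


def build_sample_docx():
    """Constructed sample: a minimal .docx-shaped ZIP with one fake image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document>joke text</w:document>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for rec in extract_embedded("file.docx", build_sample_docx()):
        print(rec["parent"], "->", rec["path_in_parent"], rec["sha256"])
```

Because every record carries the parent's name and hash, a hit on an embedded picture can always be traced back to the document text it came from.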