Re: [sleuthkit-users] how do I get the file location without a scan?
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] how do I get the file location without a scan?
|
From: Simson G. <si...@ac...> - 2015-09-19 17:42:56
|
Hi Brad. Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images? Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides? Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type? Simson > On Sep 19, 2015, at 1:15 PM, brads <br...@ny...> wrote: > > I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis <http://wiki.sleuthkit.org/index.php?title=FS_Analysis> but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png <http://i.imgur.com/kYuEatn.png> > I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png <http://i.imgur.com/alQCRfM.png> but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do. > How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust? > > Brad > ------------------------------------------------------------------------------ > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
