Re: [sleuthkit-users] how do I get the file location without a scan?
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] how do I get the file location without a scan?
|
From: brads <br...@ny...> - 2015-09-19 18:34:53
|
Yes, the string in question is the filename. The data in question fell victim to Cryptowall 3.0 >From what I read and can tell, Cryptowall 3.0 first deletes the file and then makes a copy of the file and encrypts that. Extundelete fails to undelete the original file. Photorec recovers the original file but blows out the file name with is not acceptable for the 4000 files in question. All corrupted files are .docx and .pdf formats. My thought is to create a python script that searches the string, then calculates the offset and then use dd to carve out the file and name that file to the proper name. The image is 189GB and is mounted ro from and EXT4 file system Thank you sincerely for any guidance you can provide. Brad From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel Sent: Saturday, September 19, 2015 1:43 PM To: brads <br...@ny...> Cc: sle...@li... Subject: Re: [sleuthkit-users] how do I get the file location without a scan? Hi Brad. Is the string in the file name, in the file contents, or in unallocated space? How big are your disk images? Are you trying to probe for the existence of the string, do you need to learn its block number, or are you trying to learn the actual file in which the string resides? Do you know anything else about the files? Such as their file type? Do you need to analyze every file, or just files of a particular type? Simson On Sep 19, 2015, at 1:15 PM, brads <br...@ny... <mailto:br...@ny...> > wrote: I followed the instruction from http://wiki.sleuthkit.org/index.php?title=FS_Analysis but following the process, I am unable to find a given string http://i.imgur.com/kYuEatn.png I know the string is there because I can locate it using the string command http://i.imgur.com/alQCRfM.png but, this is not an acceptable solution because the scan takes 3 hrs against the image, I have 400 to do. How do I get blkfs to work correctly or an alternative to getting a string location at the disk layer like string but more robust? Brad ---------------------------------------------------------------------------- -- _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org |
