Re: [sleuthkit-users] Autopsy Question - ZIP files that can't be opened
From: Brian C. <ca...@sl...> - 2015-09-29 02:44:24
Flagging the file so that it is in the tree for easy follow-on analysis seems to be a common theme with the suggestions. We could do a few things:

1) Make a new artifact, such as “TSK_FILE_CANNOT_OPEN”, that could have a description that says why.
2) Use the generic “TSK_INTERESTING_FILES” artifact with a set name that is why it could not be opened. — For those who have not used the Interesting Files module yet, it exists to flag files that meet certain criteria, and there is a special section in the tree for them.

They are both equivalent. Any strong opinions?

This is also making me think about adding “task management” to Autopsy to help people track what needs to be done, because it occurred to me that we could also make “tasks” to help you track which of the unsupported files you have looked at yet or not. We could do this either with specially named tags (that can be deleted or moved to different “priorities”) or a new data type. Is this task tracking of interest?

> On Sep 24, 2015, at 4:14 PM, Derrick Karpo <dk...@gm...> wrote:
>
> I don't mind the log message with an additional pop up in the lower
> right. That works for me. I don't recall, but are those problematic
> files marked somehow so that we can manually examine them after
> without digging through the log to identify them?
>
> Derrick
>
>
> On Thu, Sep 24, 2015 at 1:57 PM, Simson Garfinkel <si...@ac...> wrote:
>> I think that there should be a general "alert" framework where any scanner can post processing alerts, and have them show up in the results like other results.
>>
>>> On Sep 24, 2015, at 3:50 PM, Brian Carrier <ca...@sl...> wrote:
>>>
>>> Autopsy will sometimes encounter allocated ZIP files that cannot be opened by 7Zip (or other tools). We’re currently creating a log message, but no one probably sees it though. Would you rather that we pop up an error message in the lower right? I’d suggest this only be done for allocated files rather than deleted files (that could be corrupt).
>>>
>>> Opinions?
>>>
>>> ------------------------------------------------------------------------------
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
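The flagging flow discussed in this thread (try to open the ZIP; if that fails on an allocated file, flag it under a set name with a description that says why), as an added Python example that is not Autopsy's code. The set name, the dict standing in for an Interesting Files hit, and the three sample ZIPs are all constructed here.

```python
import io
import zipfile
import zlib
from typing import Optional, Tuple

SET_NAME = "Unopenable ZIP"  # hypothetical Interesting Files set name


def classify_zip(data: bytes) -> Tuple[bool, str]:
    """Return (opens_cleanly, reason); the reason is the text a
    flag's description would carry so an examiner sees *why*."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()  # reads every member and checks CRCs
    except zipfile.BadZipFile as exc:  # no usable central directory
        return False, f"central directory unreadable: {exc}"
    except (zlib.error, EOFError, OSError) as exc:  # member stream broken
        return False, f"member data corrupt: {exc}"
    if bad is not None:  # testzip returns the first member whose CRC failed
        return False, f"CRC mismatch in member {bad!r}"
    return True, "ok"


def flag_unopenable(name: str, data: bytes, allocated: bool) -> Optional[dict]:
    """Only allocated files are flagged, as proposed in the thread; deleted
    files are expected to be partially overwritten and are left alone."""
    if not allocated:
        return None
    ok, reason = classify_zip(data)
    if ok:
        return None
    return {"file": name, "set_name": SET_NAME, "description": reason}


# Constructed sample inputs: a clean ZIP, a truncated copy (end-of-central-
# directory record gone) and a copy whose member's deflate stream is zeroed.
def _make_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "forensic sample " * 50)
    return buf.getvalue()


GOOD_ZIP = _make_zip()
TRUNCATED_ZIP = GOOD_ZIP[: len(GOOD_ZIP) // 2]
_data_off = GOOD_ZIP.find(b"report.txt") + len(b"report.txt")  # local header end
CORRUPT_ZIP = GOOD_ZIP[:_data_off] + b"\x00" * 8 + GOOD_ZIP[_data_off + 8:]

if __name__ == "__main__":
    for label, blob in [("good", GOOD_ZIP), ("truncated", TRUNCATED_ZIP), ("corrupt", CORRUPT_ZIP)]:
        print(label, flag_unopenable(f"{label}.zip", blob, allocated=True))
```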