[sleuthkit-users] What's the difference between foremost and manual extraction using dd and sleuthk
From: Jelle S. <fo...@em...> - 2006-06-13 13:07:47
Hi list,

I'm running some tests on an image with foremost and dd and I bumped into this, which I can't really explain:

#istat floppy1.001 22

Directory Entry: 22
Allocated
File Attributes: File, Archive
Size: 51712
Name: REPORT~1.DOC

Directory Entry Times:
Written: Thu Apr 27 17:56:34 2006
Accessed: Wed May 24 00:00:00 2006
Created: Wed May 24 09:21:08 2006

Sectors:
33 34 35 36 37 38 39 40
41 42 43 44 45 46 47 48
49 50 51 52 53 54 55 56
57 58 59 60 61 62 63 64
65 66 67 68 69 70 71 72
73 74 75 76 77 78 79 80
81 82 83 84 85 86 87 88
89 90 91 92 93 94 95 96
97 98 99 100 101 102 103 104
105 106 107 108 109 110 111 112
113 114 115 116 117 118 119 120
121 122 123 124 125 126 127 128
129 130 131 132 133

Given this information we do 133-33+1 = 101 and use this for the count parameter.

#dd if=../../floppy1.001 of=./test_recovery-1.doc skip=33 count=101
#md5sum test_recovery-1.doc
9a1715b9b66de7839d8010496d027c05 test_recovery-1.doc

When using foremost to carve through this image a .doc file is found.
The foremost audit.txt file contains this information:

Foremost version 1.2 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Thu Jun 1 20:07:09 2006
Invocation: /usr/local/bin/foremost -t all -i floppy1.001
Output directory: /home/jelle/forensics/output
Configuration file: /usr/local/etc/foremost.conf
------------------------------------------------------------------
File: floppy1.001
Start: Thu Jun 1 20:07:09 2006
Length: 1 MB (1474560 bytes)

Num  Name (bs=512)  Size   File Offset  Comment

0:   33.doc         51 KB  16896
1:   190.doc        80 KB  97280
2:   253.png        15 KB  129607       (800 x 600)
3:   285.png        13 KB  146153       (800 x 600)
Finish: Thu Jun 1 20:07:09 2006

4 FILES EXTRACTED
ole:= 2
png:= 2
------------------------------------------------------------------

Foremost finished at Thu Jun 1 20:07:09 2006

When I check the MD5 sum of file 33.doc I get:
aa7f9b9be2ca9be17a668eb00e2ea209 00000033.doc

This means the 2 files we're talking about aren't the same.
While I'm pretty sure they should be the same! Even better:

dd if=../../floppy1.001 of=./test_recovery-2.doc skip=33 count=103
When I check the MD5 sum of the file test_recovery-2.doc I get:
aa7f9b9be2ca9be17a668eb00e2ea209 test_recovery-2.doc

Which is the same hash as the file foremost has recovered!

Now my question is:

Why do I need to count 103 sectors? Shouldn't I, based upon the output of the istat command, only count 101 sectors?
quid?

Thanks in advance,

Jelle S.
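The sector arithmetic from the post, as an added example that is not part of the thread or of The Sleuth Kit or foremost: it parses istat-style output, derives the dd skip/count for a contiguous run (refusing fragmented files, where a single dd call is wrong), trims to the logical size, and checks whether a carved region of a different length contains the metadata-based extraction as a prefix. The image and istat text are constructed here; the function and variable names are the example's own.

```python
import hashlib

SECTOR = 512  # bs=512, as in the post's dd and foremost output

# Constructed istat-style output mirroring the post (101 sectors, 33..133); not real tool output.
_rows = [range(33 + i * 8, min(33 + i * 8 + 8, 134)) for i in range(13)]
ISTAT_OUTPUT = ("Directory Entry: 22\nAllocated\nSize: 51712\nName: REPORT~1.DOC\n\nSectors:\n"
                + "\n".join(" ".join(str(s) for s in r) for r in _rows) + "\n")

def parse_istat(text):
    """Return (logical file size, list of sector numbers) from istat output."""
    size, sectors, in_sectors = None, [], False
    for line in text.splitlines():
        if line.startswith("Size:"):
            size = int(line.split(":", 1)[1])
        elif line.startswith("Sectors:"):
            in_sectors = True
        elif in_sectors and line.strip():
            sectors.extend(int(tok) for tok in line.split())
    return size, sectors

def dd_params(sectors):
    """skip/count for one contiguous run; a fragmented file needs icat, not one dd call."""
    if sectors != list(range(sectors[0], sectors[0] + len(sectors))):
        raise ValueError("sector list is not contiguous; use icat instead of dd")
    return sectors[0], len(sectors)

def extract(image, skip, count):
    """Equivalent of: dd if=image skip=<skip> count=<count> (bs=512)."""
    return image[skip * SECTOR:(skip + count) * SECTOR]

# Constructed image: 300 sectors; file data in 33..133, unrelated data right after it.
IMAGE = bytearray(300 * SECTOR)
for s in range(33, 134):
    IMAGE[s * SECTOR:(s + 1) * SECTOR] = bytes([s & 0xFF]) * SECTOR
IMAGE[134 * SECTOR:136 * SECTOR] = b"\xAA" * (2 * SECTOR)

def compare(image, istat_text, carved_count):
    """Metadata-based extraction vs. a carved region of carved_count sectors at the same offset."""
    size, sectors = parse_istat(istat_text)
    skip, count = dd_params(sectors)
    from_meta = extract(image, skip, count)[:size]  # drop slack in the last sector, if any
    carved = extract(image, skip, carved_count)
    return {"skip": skip, "count": count,
            "meta_md5": hashlib.md5(from_meta).hexdigest(),
            "carved_md5": hashlib.md5(carved).hexdigest(),
            "same_hash": from_meta == carved,
            "carved_has_file_as_prefix": carved.startswith(from_meta),
            "extra_bytes": len(carved) - len(from_meta)}
```

Run with `compare(IMAGE, ISTAT_OUTPUT, 103)`: the hashes differ, but the carved region starts with the 101-sector file and carries 1024 extra bytes, which is the check to run before concluding the two recoveries disagree about the file itself.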