RE: [sleuthkit-developers] New Features / Changes
From: Paul B. <ba...@fo...> - 2003-08-15 07:37:42
Hi Brian and everyone else,

I want to welcome everybody as well... I'm pleased to see so many people have joined already.

Now to business... On your proposed features:

> - Redesign Autopsy so that it is easier for people to add
> functions.

This would help a lot.... It is probably closely tied to the Hooks feature I'm proposing below. You should be able to hook a function into a page. Shall I assist you with this feature?

> - Add a sector offset value to all Sleuth Kit tools so that they can be
> used on a disk image instead of just file system images

I was about to propose the same.... Though not only the offset is required, the size should also be given. (Tools that process the partition as raw data (like Indexed searching) should not read too much.)

As to the new (and future) features:

- Hooks. I would like to see the possibility to add a hook to a "file type" so it is possible to open a .gif in an external OR internal viewer. Internal viewers would be the integrated Foundstone tools and possibly ol2mbox.

- Integrate LibPST into Autopsy. The ol2mbox library (better known as libPST) is almost newly released and is much improved. LibPST now supports not only mail messages but also appointments, tasks and contacts from Microsoft Outlook PST files. This is for me a much wanted functionality for forensic research under *NIX....

- RAW partition. Ability to at least view a raw part of data. When imaging a disk that is only partitioned for 10%, I would like the possibility to use Autopsy to at least browse and search the other 90% for possible data.

- Spliced imagefiles. Ability for the tools to work with spliced imagefiles. Sometimes it is not workable to have one 80 Gb image, but you have spliced it into 10 Gb parts. I would like to see the tools be able to work with that, though I know this to be hard and perhaps a very future feature.

I would like to point out the kregedit/regedit projects (from Samba developers) which can be used to graphically show Windows registry files. I already had contact with them and they plan to move the registry functionality into a separate library, thus providing maybe an alternative to the Registry Viewing Tools (which I have not seen yet and don't know how far they are...).

As to the Autopsy interface:

I think some things should be moved around to new pages. Things like creating a DLS image of your image should not be in the keyword searching tab but in a special tab, just like maybe the generating of strings files and the creating of indexes. They clutter the keyword search interface and require unwanted behaviour if some other tab (like for instance the File Recovery tab (Foremost inclusion)) requires a DLS of your image. You have to go to Keyword Searching to make this.

-- 
Paul Bakker

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, 14 August 2003 17:37
To: sle...@so...
Subject: [sleuthkit-developers] New Features / Changes

Welcome everyone.

At this point, there are around 15 people on this list so it is time to start discussing what to develop. I would first like to say that I welcome any help, especially on the interface. I enjoy the low-level disk and file system tools and would welcome anyone that would like to offer a better, and still free, interface. My primary focus right now is on my Purdue research, so any help with this work is appreciated.

The following are the projects that I know of:
- Indexed Search (Fox-IT)
- Integrating foremost (Fox-IT)
- New Interface (openforensics.org)
- Registry Viewing Tools (not yet public)

The smaller features that I want to see done are the following:
- Redesign Autopsy so that it is easier for people to add functions.
- Add a sector offset value to all Sleuth Kit tools so that they can be used on a disk image instead of just file system images
- Add 'mmls' and offset values to Autopsy so that disk images can be imported
- Integrate the new Foundstone tools for viewing the trash bin, history file etc.
- Improve timeline tools and add some scripts to parse logs into the body file.

I think the redesign is the most important to make the Fox-IT work easier.

thanks for your interest.

brian