RE: [sleuthkit-developers] New Features / Changes
From: Brian C. <ca...@sl...> - 2003-08-15 14:36:24
On 15 Aug 2003 00:39 PDT you wrote:

> Hi Brian and everyone else,
>
> I want to welcome everybody as well...
> I'm pleased to see so many people have joined already.
>
> Now to business...
>
> On your proposed features:
>
> > - Redesign Autopsy so that it is easier for people to add
> >   functions.
>
> This would help a lot.... It is probably closely tied to the Hooks
> feature I'm proposing below. You should be able to hook a function
> into a page. Shall I assist you with this feature?

The hooks feature, which I agree would be nice, doesn't need to be tied
to the re-architecture. The hooks would probably be an installation-wide
configuration. A config file can have the regular expression to match
against 'file' and the path of the program to execute.

> > - Add a sector offset value to all Sleuth Kit tools so that they can
> >   be used on a disk image instead of just file system images
>
> I was about to propose the same.... Though not only the offset is
> required, also the size should be given. (Tools that process the
> partition as raw data (like indexed searching) should not read too
> much.)

I was actually referring to just the file system tools (even though I
said all tools). So, if your partition begins in sector 63, then you can
run the following:

    # fls -f ntfs -o 63 disk.img

> As to the new (and future) features:
>
> - Hooks. I would like to see the possibility to add a hook to a "file
>   type" so it is possible to open a .gif in an external OR internal
>   viewer. Internal viewers would be the integrated Foundstone tools
>   and possibly ol2mbox.

Yea, that should be easy to do.

> - Integrate LibPST into Autopsy. The ol2mbox library (better known
>   as libPST) is almost newly released and is much improved. LibPST
>   now supports not only mail messages but also appointments, tasks
>   and contacts from Microsoft Outlook PST files. This is for me a
>   much-wanted functionality for forensic research under *NIX....

I agree that this is needed, but am unsure how it should be integrated
into Autopsy. I do not want to make a new tab for it, because that does
not scale very well. I am almost wondering if there should be an
'Application Analysis' mode. The current tabs are all 'File System
Analysis' modes (well, besides file type sorting). What is the output of
libPST? Are there tools pre-defined, or is it just a library that you
must write the code for?

> - RAW partition. Ability to at least view a raw part of data. When
>   imaging a disk that is only partitioned for 10%, I would like the
>   possibility to use Autopsy to at least browse and search the other
>   90% for possible data.

I have had that on the TODO list since v1.00, but have never done it. I
was originally doing it for swap space, but partitions are good too.

> - Spliced image files. Ability for the tools to work with spliced
>   image files. Sometimes it is not workable to have one 80 GB image,
>   but you have spliced it into 10 GB parts. I would like to see the
>   tools be able to work with that, though I know this to be hard and
>   perhaps a very future feature.

Yea, it has not been on the top of my list.

> I would like to point out the kregedit/regedit projects (from Samba
> developers) which can be used to graphically show Windows registry
> files. I already had contact with them and they plan to move the
> registry functionality into a separate library, thus providing maybe
> an alternative to the Registry Viewing Tools (which I have not seen
> yet and don't know how far they are...)

The registry tools that I know of are being developed in the same model
as The Sleuth Kit. So, there is a regls and a regcat. They work with 2K
and XP (I think). These tools would also fall under the 'Application
Analysis' mode. Actually, I guess the hooks design would also fall under
the Application Analysis mode. Instead of opening up just the 'Cell'
window, it would open the application mode that had the HTML cell as one
of the tabs.

> As to the Autopsy interface:
>
> I think some things should be moved around to new pages. Things like
> creating a DLS image of your image should not be in the keyword
> searching tab but in a special tab, just like maybe the generating of
> strings files and the creating of indexes. They clutter the keyword
> search interface and require unwanted behaviour if some other tab
> (like, for instance, the File Recovery tab (Foremost inclusion))
> requires a DLS of your image. You have to go to Keyword Searching to
> make this.

Good point. I think the proper place for it is the 'Image Details' view
though. There is no need for another tab. A link can exist from the
needed tabs to the Image Details window to make the needed files.

My short-term goals are the sector offset for the file system tools and
incorporating disk images into Autopsy. The re-design of Autopsy is also
short-term. My initial plan is to have a file for each 'tab'. So, there
is a search file, a 'file' file, a 'meta' file, etc., and a couple of
general files. I do not have much experience with very large Perl
programs though, and have not done any research on how others have done
it, so I'm not sure of the best way to do it (which is why I've always
found better things to work on). The raw data will also be a short-term
goal for me.

brian
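Editor's note, added after the thread: the "-o 63" in Brian's fls example has to come from somewhere, and the other poster's point about also needing the partition size is what lets a tool know where to stop reading. The following is an added example, not code from The Sleuth Kit or Autopsy. It reads the DOS/MBR partition table in sector 0 of a raw disk image and, for each used primary entry, reports the start sector (the value for fls -o) and the length in sectors, and flags entries that run past the end of the image, since a corrupt or tampered table can point anywhere. The disk image is constructed inline for the demo, and the partition-type-to-filesystem hints are a placeholder, not TSK's -f names.

```python
"""Find the `-o` sector offset for Sleuth Kit file-system tools from a disk image.

Added example for this thread; it is not code from The Sleuth Kit or Autopsy.
It parses the DOS/MBR partition table in sector 0 of a raw image and reports,
per primary partition, the start sector (the value to pass to `fls -o`) and
the length in sectors (so tools that read the partition as raw data know
where to stop). The image is constructed inline for the demo.
"""
import struct

SECTOR = 512
# Partition-type hints for the demo only; TSK's own -f names are more detailed.
TYPE_HINT = {0x07: "ntfs", 0x0B: "fat32", 0x0C: "fat32", 0x82: "swap", 0x83: "ext"}


def parse_mbr(img):
    """Return [(slot, type_byte, start_sector, length_sectors), ...] for the
    used entries of the MBR in the first sector of `img` (bytes)."""
    if len(img) < SECTOR:
        raise ValueError("image is shorter than one sector")
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature at offset 510")
    parts = []
    for slot in range(4):
        entry = img[446 + 16 * slot: 446 + 16 * (slot + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) lba_length(4)
        _status, ptype, lba_start, lba_len = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or lba_len == 0:
            continue  # unused slot
        parts.append((slot, ptype, lba_start, lba_len))
    return parts


def check_bounds(parts, image_size):
    """Return the slots whose partition runs past the end of the image.
    The table is untrusted input: validate start+length against the image
    before any tool reads `length` sectors from `start`."""
    total_sectors = image_size // SECTOR
    return [slot for slot, _t, start, length in parts
            if start + length > total_sectors]


def fls_command(image_path, fstype, start_sector):
    """argv for the invocation quoted in the thread: fls -f <fs> -o <sector> <image>"""
    return ["fls", "-f", fstype, "-o", str(start_sector), image_path]


def build_demo_image(total_sectors=4096):
    """Constructed test image: an NTFS partition at sector 63, a Linux
    partition after it, and a third entry that deliberately runs past the
    end of the image."""
    img = bytearray(total_sectors * SECTOR)

    def entry(ptype, start, length):
        return struct.pack("<B3sB3sII", 0x00, b"\0\0\0", ptype, b"\0\0\0", start, length)

    table = (entry(0x07, 63, 2048) + entry(0x83, 2111, 1024)
             + entry(0x83, 4000, 1000) + bytes(16))
    img[446:510] = table
    img[510:512] = b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    img = build_demo_image()
    parts = parse_mbr(img)
    bad = set(check_bounds(parts, len(img)))
    for slot, ptype, start, length in parts:
        fs = TYPE_HINT.get(ptype, "0x%02x" % ptype)
        note = "  <-- runs past end of image, do not trust" if slot in bad else ""
        print("slot %d: type %-6s start %6d len %6d  %s%s"
              % (slot, fs, start, length,
                 " ".join(fls_command("disk.img", fs, start)), note))
```

Run it on a real image by replacing build_demo_image() with open("disk.img", "rb").read(SECTOR) for the table and os.path.getsize() for the bounds check; only sector 0 is needed for the offsets.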
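Editor's note, added after the thread: Brian's sketch of the hooks design is a config file pairing a regular expression (matched against file(1) output) with the path of a program to execute. The following added example, which is not Autopsy's code, implements that table. The config text, the file(1) output strings and the viewer paths are all constructed for the demo. The one practitioner caveat it bakes in is that the matched evidence file's name is passed as an argv element and never through a shell, so a filename carrying shell metacharacters stays a filename; it also refuses relative program names so PATH lookup cannot be redirected.

```python
"""A file-type 'hooks' table of the kind proposed in the thread.

Added example; it is not Autopsy's code. Each config line pairs a regular
expression, matched against the output of file(1), with the absolute path
of the program that should open files of that type. The config and the
file(1) output strings below are constructed for the demo; the viewer
paths are placeholders.
"""
import re
import subprocess

DEMO_CONFIG = """\
# regex matched against `file -b` output       program to run
^GIF image data                                 /usr/bin/xv
^JPEG image data                                /usr/bin/xv
^Microsoft Outlook                              /usr/local/bin/readpst
^Zip archive data                               /usr/bin/unzip
"""


def load_hooks(text):
    """Parse the config into [(compiled_regex, program), ...] in file order
    (first match wins). The program is the last whitespace-separated token,
    so the regex itself may contain spaces."""
    hooks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.rsplit(None, 1)
        if len(fields) != 2:
            raise ValueError("line %d: expected '<regex> <program>'" % lineno)
        regex, program = fields
        if not program.startswith("/"):
            # refuse relative names so PATH lookup cannot be redirected
            raise ValueError("line %d: program must be an absolute path" % lineno)
        hooks.append((re.compile(regex), program))
    return hooks


def find_hook(hooks, file_output):
    """Return the program for the first regex that matches, or None."""
    for regex, program in hooks:
        if regex.search(file_output):
            return program
    return None


def hook_argv(hooks, file_output, path):
    """Build the argv to launch the viewer. An argv list (never a shell
    command string) means a name like 'x; rm -rf ~' stays a filename."""
    program = find_hook(hooks, file_output)
    if program is None:
        return None
    return [program, path]


def run_hook(hooks, path):
    """Classify `path` with file(1) and launch the matching viewer, if any."""
    out = subprocess.run(["file", "-b", path], capture_output=True,
                         text=True, check=True).stdout
    argv = hook_argv(hooks, out.strip(), path)
    if argv is None:
        return None
    return subprocess.run(argv).returncode  # argv list, no shell=True


if __name__ == "__main__":
    hooks = load_hooks(DEMO_CONFIG)
    # constructed file(1) outputs; the real ones come from run_hook()
    for desc in ("GIF image data, version 89a, 10 x 10",
                 "ASCII text",
                 "Microsoft Outlook email folder"):
        print("%-40s -> %s" % (desc, find_hook(hooks, desc)))
```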