Re: [sleuthkit-developers] Re: IO Subsystem patch for fstools
From: Michael C. <mic...@ne...> - 2004-02-19 10:53:02
On Thu, 19 Feb 2004 09:24 pm, Paul Bakker wrote:
> Hi Michael....

Hi Paul,

> This sounds very good and cool.... (I haven't looked at your patch yet
> though...)..

Thanks...

> But I just wanted to indicate that the combination of your IO Subsystem
> patch for fstool and my searchtools (Indexed Searching) patch create a
> system that is very powerful.

Indeed, your indexing support looks very cool. I haven't played with it just yet though (gotta find some time :-)

> The only thing really missing is a subsystem that makes it possible to
> "read" file formats on the image with a specific interpreter. That would
> enable us to "read" PDF files, PST files, etc...

I'm not sure I know what you mean; the IO subsystem is done at a very low level (well, at the IO level)... The interpretation of different files on the filesystem is surely the job of a higher level application?

For example in flag (http://sourceforge.net/projects/pyflag/), we are using exgrep (which is similar, I gather, to foreman) to extract files from the image and then use magic (and NSRL) to classify those and do some post processing. The GUI is then able to use the correct facility for displaying those images (usually by setting the correct mime type and asking the browser to display it, but not necessarily).

If you want to index the contents of binary files (say zip files or gzipped files), maybe the best place to do so is by postprocessing at the higher level application?

I am also working on reimplementing exgrep to use a python file-like object created using the proposed sleuthkit io subsystem. This way we can use exgrep to extract files from any type of image. For example we can find deleted and otherwise un-recoverable images from an encase image etc.

It would be cool if higher level programs (like autopsy or flag) can operate directly on the io subsystem for other file-like operations (like running foreman, indexing, whatever).

To this end I am working on a swig interface for this io subsystem, so we could use perl or python to directly access all those images.

> If all these 3 are in place, I think sleuthkit is a product that is more
> powerful than any of the other products I use...

I concur with you. I had a bit of a play with encase and there is much room for encase to improve before it could be usable (although as I mentioned I only had encase v 3, maybe 4 is better).

Michael.