RE: [sleuthkit-developers] blindly indexing garbage...
From: Paul B. <ba...@fo...> - 2004-02-24 08:49:07
Hi t f,

> I see much fuss over indexing capabilities, but not a lot of discussion as
> to the purpose of said indexes. One might assume they are to be searched,
> but, why would one search on base64-encoded, zipped, cab'd, pdf'd, or
> otherwise "unreadable" data? I suppose it would be helpful for identifying
> certain malicious files as they lay on the drive, but I don't see too many
> other applications.

You're absolutely right... And this will happen in the "Searchtools"
implementation. But this requires "interpreters" as I said.. There has to
be a generic way to interpret the data. The best way would be if this is
integrated into Sleuthkit. If this will not happen, release 4 of the code
(the future release, not the next one) will use external interpreters to
read through data and index it.

> My point is this: Shouldn't there be some work toward preprocessing this
> data, THEN indexing the intelligible bits?? Just a suggestion. Take it for
> what it's worth.

See above... You are right, BUT! I would still want to have an index tool
show me ALL occurrences of that string I am searching for on the disk. Not
only raw (thus uninterpreted), but also fragmented versions and versions in
files that have to be interpreted (also multiple levels deep, e.g. a PDF
inside a ZIP file).... The goal of Searchtools is to be capable of
supporting all these strings and thus give the maximum information!

You can always use the command-line options (or the Autopsy-integrated HTML
page) to only index or search interpreted strings. Almost all options and
behavioural aspects of the tools can be tweaked.

> I have seen a great deal of excellent discussion here over the past few
> months. Sleuthkit is becoming a very impressive tool. I look forward to
> seeing where it goes over the next few months. Thanks to all for the great
> work!

You're welcome! ;-).. I hope this answers your questions..

Paul Bakker
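The multi-level indexing Paul describes (raw strings of every layer first, then each interpreted child, several levels deep) as an added Python sketch; it is not code from this thread, from Sleuthkit or from Searchtools. The two interpreters (ZIP, base64), the depth cap and the inflate limit are hypothetical stand-ins for the pluggable interpreters discussed above, and the evidence file is constructed in the block.

```python
import base64
import io
import re
import zipfile

MAX_DEPTH = 4            # interpreter layers to descend (e.g. PDF in ZIP in ZIP); hypothetical cap
MAX_INFLATE = 1_000_000  # skip archive members whose declared size exceeds this (zip-bomb guard)
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")   # strings(1)-style printable runs
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")  # base64 alphabet with optional padding

def extract_strings(data):
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]

def interpret(data):
    """Hypothetical interpreters: yield (kind, name, child_bytes) for each nested layer."""
    if data[:4] == b"PK\x03\x04":                 # ZIP container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size <= MAX_INFLATE:
                        yield "zip", info.filename, zf.read(info)
        except zipfile.BadZipFile:
            pass
        return
    compact = re.sub(rb"\s", b"", data)           # base64 text (heuristic: alphabet + length % 4)
    if compact and B64_RE.fullmatch(compact) and len(compact) % 4 == 0:
        yield "base64", "<decoded>", base64.b64decode(compact)

def index(data, path="disk", depth=0, max_depth=MAX_DEPTH):
    records = [(path, depth, s) for s in extract_strings(data)]  # raw layer is always indexed
    if depth < max_depth:                                        # then every interpreted child
        for kind, name, child in interpret(data):
            records += index(child, f"{path}/{kind}:{name}", depth + 1, max_depth)
    return records

def search(records, needle):
    return [r for r in records if needle in r[2]]

def build_sample():
    """Constructed evidence: base64 text inside a ZIP inside another ZIP."""
    note = base64.b64encode(b"EVIDENCE-STRING found here")
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.b64", note)
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()

for path, depth, s in search(index(build_sample()), "EVIDENCE-STRING"):
    print(depth, path, s)  # 3 disk/zip:inner.zip/zip:note.b64/base64:<decoded> EVIDENCE-STRING found here
```

A raw search of the outer image never sees the string, because it is deflated and base64-encoded; lowering `max_depth` to 2 also hides it, which is why the depth cap is a deliberate trade-off between coverage and runaway nesting.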