Hello everyone,
The work on Searchtools was halted a bit when my hard drive crashed in February, just when
I had done a major rewrite during a holiday... Because I have never gotten any feedback on the
usage of the indexed searching patches, I did not get the urge to redo all those changes again....
Then 2 weeks ago, I got an e-mail from somebody who was using the patches and requested
updated patches for the newer versions of Sleuthkit and Autopsy.... This e-mail has resulted in
this new third release.
Not all the features that I had wanted in the third release have made it due to the crash, but still
a lot of improvements have been made:
* Generalized the internal structure to support multiple index types.
* Added extra index type in addition to the already existing raw indexes: raw fragments indexes.
These indexes contain all the strings that exist within files on the image but are stored in two
non-adjacent disk fragments.
* Much improved/optimized file format, resulting in more index data stored in less disk space.
* Improved memory model and handling of the index tree resulting in more index data fitting in
the memory during the indexing.
* Reading of images now uses the fstools library (from sleuthkit) in order to not remake the
filesystem understanding knowledge.
* Better organized index files/directories
* Higher stability of the tools
* Added extra tools for validating files/printing data from the indexes
* Better integration within Autopsy
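To illustrate why the raw fragments index above matters, here is an added example (not code from the Searchtools patches or from Sleuthkit) that contrasts a plain raw string scan of an image with a fragment-aware scan that follows a file's data runs; the image, block layout and the `(offset, length)` run list are constructed sample data.

```python
import re
from typing import List, Tuple

Fragments = List[Tuple[int, int]]  # ordered (offset, length) data runs of one file

def _printable(min_len: int) -> bytes:
    return rb"[\x20-\x7e]{%d,}" % min_len

def raw_strings(image: bytes, min_len: int = 4) -> List[bytes]:
    """Strings a raw scan finds: it reads the image linearly and knows nothing
    about which blocks belong to which file, so a string split across two
    non-adjacent fragments shows up only as two shorter pieces."""
    return [m.group() for m in re.finditer(_printable(min_len), image)]

def reassemble(image: bytes, fragments: Fragments) -> bytes:
    """Rebuild a file's logical content from its data runs on the image."""
    return b"".join(image[off:off + ln] for off, ln in fragments)

def fragment_spanning_strings(image: bytes, fragments: Fragments,
                              min_len: int = 4) -> List[bytes]:
    """Strings inside the reassembled file that straddle a boundary between
    two fragments that are NOT adjacent on disk; these are exactly the hits a
    raw scan misses and a raw-fragments index has to record separately."""
    data = reassemble(image, fragments)
    gaps, logical_pos = set(), 0
    for (off_a, len_a), (off_b, _) in zip(fragments, fragments[1:]):
        logical_pos += len_a
        if off_a + len_a != off_b:          # next run does not follow on disk
            gaps.add(logical_pos)           # logical offset where the jump happens
    return [m.group() for m in re.finditer(_printable(min_len), data)
            if any(m.start() < g < m.end() for g in gaps)]

# Constructed sample image: four 16-byte blocks. The file occupies blocks 0 and 2,
# and the word "ForensicIndex" is split across that non-adjacent block pair.
BLOCK = 16
SAMPLE_IMAGE = (b"\x00" * 11 + b"Foren"            # block 0: tail of the word
                + b"\x00" * BLOCK                   # block 1: belongs to another file
                + b"sicIndex" + b"\x00" * 8         # block 2: rest of the word
                + b"\x00" * BLOCK)                  # block 3: unused
FRAGMENTED_FILE: Fragments = [(0, BLOCK), (2 * BLOCK, BLOCK)]
CONTIGUOUS_FILE: Fragments = [(0, BLOCK), (BLOCK, BLOCK)]

if __name__ == "__main__":
    print("raw scan:        ", raw_strings(SAMPLE_IMAGE))
    print("fragment-aware:  ", fragment_spanning_strings(SAMPLE_IMAGE, FRAGMENTED_FILE))
```

A search for "ForensicIndex" against the raw scan results fails, while the fragment-aware scan returns the whole string; a contiguous file produces no extra entries, which is why the fragments index can stay a small addition to the raw index.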
The patches can be downloaded from the usual place: http://www.brainspark.nl/?show=tools_sleuthkit
This link can also be found on the Download page on http://www.sleuthkit.org
The patches have been tested on both Autopsy 2.01 and 2.02 and on both Sleuthkit 1.70 and 1.71.
Other versions may or may not work.
If the patches do not work on a platform, or if you have questions or suggestions regarding these
patches, please feel free to e-mail me.
Paul Bakker