Thread: [sleuthkit-users] Photorec carver
From: Alan B. <ala...@gm...> - 2015-02-17 09:29:44
Hi all,

I was looking at the available modules written for Autopsy and I have noticed the code for the PhotoRec carver module. I have noticed that in the presentation given by Richard Cordovano in Python Autopsy that the PhotoRec carving module is compiled and installed into Autopsy (screen shot attached).

Unfortunately my knowledge of Java and NetBeans is limited to say the least so I am unable to compile the module from source to test it.

Is the PhotoRec module working?
Is the compiled version of the PhotoRec carver available to me?
Or is it possible for someone to walk me through how I can compile the module from source?

Regards

Alan

From: Brian C. <ca...@sl...> - 2015-02-17 15:50:48
Hi Alan,

It will be part of the next release (which will be either end of this week or early next week).

brian

From: Ketil F. <ke...@fr...> - 2015-02-17 19:38:01
Is it possible to get the photorec carver module to look at every byte and not just sector aligned offsets?

I have played a bit with the photorec application, but I haven't managed to find a way to make it work for cases where I'm looking for data that doesn't start at a sector. I tried setting sector size to 1 byte, but it either refused or crashed, don't remember which.

Regards, Ketil

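Added example, not part of any message in this thread and not PhotoRec or Autopsy code: a small Python sketch of the difference the question above is about, comparing a header scan that only checks the start of each 512-byte sector with one that checks every byte offset. The signatures, the sector size and the sample buffer are constructed for illustration.

```python
SECTOR = 512  # assumed sector size for this illustration
# Header signatures only; a real carver also validates structure and footers.
SIGNATURES = {"jpeg": b"\xff\xd8\xff\xe0", "png": b"\x89PNG\r\n\x1a\n"}


def scan_aligned(image: bytes, sector: int = SECTOR):
    """Look for a known header only at the first bytes of each sector."""
    hits = []
    for off in range(0, len(image), sector):
        for name, magic in SIGNATURES.items():
            if image.startswith(magic, off):
                hits.append((off, name))
    return hits


def scan_every_byte(image: bytes):
    """Look for a known header at any byte offset."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def missed_by_aligned(image: bytes):
    """Headers that exist in the data but do not start on a sector boundary."""
    aligned = set(scan_aligned(image))
    return [hit for hit in scan_every_byte(image) if hit not in aligned]


def build_sample_image() -> bytes:
    """Constructed 8-sector buffer: one aligned header, two embedded ones."""
    img = bytearray(SECTOR * 8)
    img[SECTOR * 2:SECTOR * 2 + 4] = SIGNATURES["jpeg"]   # starts a sector
    off = SECTOR * 5 + 137                                 # inside a sector
    img[off:off + 8] = SIGNATURES["png"]
    off = SECTOR * 6 + 300                                 # inside a sector
    img[off:off + 4] = SIGNATURES["jpeg"]
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("aligned scan :", scan_aligned(sample))
    print("every byte   :", scan_every_byte(sample))
    print("missed       :", missed_by_aligned(sample))
```

The byte-level scan finds the two headers embedded inside sectors, at the cost of testing every offset instead of one per sector.
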
From: Brian C. <ca...@sl...> - 2015-02-17 19:47:53
Right now, we use the default PhotoRec settings and just give a 'search' command. If there are any photorec gurus out there that want to suggest more fancy arguments, then let us know.

From: Nanni B. <dig...@gm...> - 2015-02-17 20:01:30
It could be useful to run Photorec only on the unallocated space and then a special module for deleting the duplicated files by hash comparison.
Deleted files and carved files compared and the carved files duplicated deleted...

I made this procedure in KS http://articles.forensicfocus.com/2013/04/23/ks-an-open-source-bash-script-for-indexing-data/

I hope this could be a nice advice ;)

--
Dr. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net

From: Brian C. <ca...@sl...> - 2015-02-17 22:43:46
On Feb 17, 2015, at 3:01 PM, Nanni Bassetti <dig...@gm...> wrote:

> It could be useful to run Photorec only on the unallocated space

It does.

> and then a special module for deleting the duplicated files by hash comparison.
> Deleted files and carved files compared and the carved files duplicated deleted...

Hmm, that could be interesting, but a bit challenging with the Autopsy pipelines. Files aren't hashed until they are added to the central database and scheduled for analysis. Hash calc is the first step in the pipeline.

We could do the calculation in the PhotoRec module, it's just another I/O round trip and a database query, so the question is if carving generates so many duplicate hits that it is worth this effort.

Thoughts?

From: Simson G. <si...@ac...> - 2015-02-17 22:54:45
My thoughts:

- De-duplication is so very important in modern forensic processing that you might want to make it a core function of the autopsy pipeline.

- Prior to that, it might make sense for modules to be able to perform hashing and then include the hash when they submit files for analysis. If a system is I/O bound, then computing the hash might essentially be free, especially if the hash is a lightweight hash like MD5.

- So I agree, it makes sense to do the hash calculation in the PhotoRec module and for the module to check to see if the carved object has already been processed.

Simson
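
Added example, not part of any message in this thread and not Autopsy or PhotoRec module code: a Python sketch of the de-duplication step discussed above, where each carved file is hashed while it is read and the hash is looked up in a database of already-known files before the file is submitted. The `known_files` table, the file names and the file contents are constructed assumptions; only the `recup_dir.N` output directory naming follows PhotoRec.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def md5_stream(path, chunk=1 << 20):
    """Hash a file in chunks, so the hash is computed during the one read."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_carved(carved_dir, conn):
    """Split carved files into new content and duplicates of known content."""
    new, duplicates = [], []
    for path in sorted(Path(carved_dir).rglob("*")):
        if not path.is_file():
            continue
        md5 = md5_stream(path)
        row = conn.execute(
            "SELECT name FROM known_files WHERE md5 = ?", (md5,)).fetchone()
        if row:
            duplicates.append((path.name, row[0]))   # (carved file, known file)
        else:
            new.append(path.name)
            # Record it so later carved copies of the same data are caught too.
            conn.execute("INSERT INTO known_files VALUES (?, ?)", (md5, path.name))
    return new, duplicates


def demo():
    """Constructed case: one carved file matches an already-known deleted file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE known_files (md5 TEXT PRIMARY KEY, name TEXT)")
    deleted = b"constructed content of a recovered deleted file"
    conn.execute("INSERT INTO known_files VALUES (?, ?)",
                 (hashlib.md5(deleted).hexdigest(), "/img/deleted/report.doc"))
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "recup_dir.1"
        out.mkdir()
        (out / "f0001.doc").write_bytes(deleted)
        (out / "f0002.jpg").write_bytes(b"constructed unique carved data")
        (out / "f0003.jpg").write_bytes(b"constructed unique carved data")
        return triage_carved(tmp, conn)


if __name__ == "__main__":
    print(demo())
```
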