Thread: [sleuthkit-users] Deleted files
From: HADER C. <in...@ha...> - 2014-03-11 07:48:36
Hi there,

I'm running Autopsy 3.09 on a Win8 system. I have got a test image for comparing commercial and open source forensic tools. The test image is called rhinohunt, perhaps somebody knows it. On this image there are some pictures which are deleted.

With Autopsy I am not able to find these files. With foremost and commercial tools (e.g. XWAYS) the files will be found. What went wrong with Autopsy?

Regards
Joachim
From: HADER C. <in...@ha...> - 2014-03-11 13:25:49
Barry,

thanks for the answer. The source device has been formatted by using quick format (only the directory entries are deleted). The images can be carved by commercial tools and scalpel / foremost.

You are right, the files can only be found by using header info. So I miss carving capabilities in Autopsy. File carving would be a nice and useful add-on for Autopsy/The Sleuth Kit.

Regards
Joachim

HADER Consulting
Dipl. Ing. (FH) Joachim A. Hader
Authorized expert on IT forensics, IT systems and applications
Data protection and privacy official

Moststraße 7 | 91799 Langenaltheim | Tel: +49 151 53872750
Email: in...@ha... | WWW: http://www.hader-consulting.de

Confidentiality, neutrality and objectivity are my highest principles
Member of the Gesellschaft für Datenschutz und Datensicherheit e.V.
Member of the Verband Europäischer Gutachter und Sachverständiger e.V.
From: Jason L. <jle...@ba...> - 2014-03-11 15:23:35
We're working on adding carving via Scalpel. We've had some hiccups trying to add it in as a library vs. its more traditional use as a stand-alone tool. If you are inclined, you can see the progress in the "develop" branch on GitHub (certainly experimental at this stage). We're hoping to get a release out in a couple of months that will have carving added to Autopsy.

Jason
From: HADER C. <in...@ha...> - 2014-03-11 14:47:32
Jason,

thank you for your reply. I am convinced that adding carving to Autopsy is a very good improvement.

Best regards
Joachim
From: Grundy B. J T. <Bar...@ti...> - 2014-03-11 13:33:39
Are the files simply deleted, or are they images in unallocated without associated directory entries? Are the 'commercial tools' carving the files out? I'm not an Autopsy user, so I'm not sure if Autopsy either will, or has a module to, carve out files based on signature. I expect that's what's happening here. You'll need to find the files based on signature, not file system artifacts.

Does anyone know if 'carving' has been added to Autopsy? In the meantime you can augment your work with scalpel/Photorec/foremost, etc. Or for small test images you can have a really good time with sigfind and dd...

/*******************************************
Barry J. Grundy
Assistant Special Agent in Charge
Digital Forensic Support Group
Electronic Crimes and Intelligence Division
Treasury Inspector General for Tax Administration
(301) 210-8741 (w)
(202) 527-5778 (c)
Bar...@ti...
********************************************\
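The situation discussed in this thread (a quick format wipes only the directory entries, the picture data stays on disk, and tools such as scalpel, foremost or sigfind plus dd recover it by header and footer signature rather than by file system metadata) as an added example, not code from the thread, from Autopsy, The Sleuth Kit, scalpel or foremost: a minimal header/footer carver in Python run over a constructed raw image. The signature table, the block size, the sample image layout and the foremost-style output naming are assumptions made for this example; real carvers use configurable signature files and deal with fragmentation and false positives far more carefully.

```python
"""Minimal header/footer ("signature") carver.

Added example, not part of Autopsy, The Sleuth Kit, scalpel or foremost.
It mirrors the manual 'sigfind + dd' approach from the thread: locate file
headers in a raw image, then cut from each header to the matching footer.
The signature table, the sample image and the output naming are assumptions.
"""
import os

BLOCK = 512  # sector size used for reporting block offsets (assumption)

# type -> (header, footer, maximum carve length in bytes)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    # PNG ends with the IEND chunk followed by its fixed CRC AE 42 60 82
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
}


def find_signatures(image: bytes, header: bytes) -> list[int]:
    """Byte offsets at which `header` occurs (the 'sigfind' step)."""
    offsets, pos = [], image.find(header)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(header, pos + 1)
    return offsets


def carve(image: bytes, signatures=SIGNATURES) -> list[tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header with a footer within range.

    A header without a footer inside max_size is skipped rather than carved
    to max_size, so partially overwritten files are not reported as whole.
    """
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        for start in find_signatures(image, header):
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
    found.sort(key=lambda item: item[1])  # report in on-disk order
    return found


def write_carved(found, outdir: str) -> list[str]:
    """Write each carved object as <offset>.<type> (foremost-style naming)."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, data in found:
        path = os.path.join(outdir, f"{offset:08d}.{ftype}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_sample_image() -> bytes:
    """Constructed raw image modelling a quick-formatted volume.

    The first four blocks (boot sector / directory area) are zeroed, so a
    file-system parser sees no entries; the data blocks still hold two JPEGs
    and one PNG. Payloads are filler bytes, not real image data.
    """
    def pad(blob: bytes) -> bytes:
        return blob + b"\x00" * (-len(blob) % BLOCK)

    jpeg1 = b"\xff\xd8\xff\xe0" + b"JFIF-payload-one" * 10 + b"\xff\xd9"
    png1 = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 13 + b"IHDR"
            + b"png-payload" * 8 + b"IEND\xaeB`\x82")
    jpeg2 = b"\xff\xd8\xff\xe1" + b"EXIF-payload-two" * 20 + b"\xff\xd9"
    return (b"\x00" * (4 * BLOCK)      # wiped metadata area
            + pad(jpeg1) + pad(png1)   # two files in consecutive clusters
            + b"\x00" * BLOCK          # an unused cluster
            + pad(jpeg2))


if __name__ == "__main__":
    image = build_sample_image()
    for ftype, offset, data in carve(image):
        print(f"block {offset // BLOCK:>6} (byte {offset:>8}): {ftype} {len(data)} bytes")
    print("written:", write_carved(carve(image), "carved"))
```

Run stand-alone, the script prints three hits (two JPEGs and one PNG) at their block and byte offsets and writes them into a `carved` directory. The point the thread makes is visible in `build_sample_image`: nothing in the first four blocks references the files, so a file-system walk finds nothing, while a signature scan of the same bytes finds all three. The footer search is bounded by a maximum size and a header without a footer is dropped, which keeps a half-overwritten file from being reported as intact; on a real image you would still verify each carved object (open it, check its structure, hash it) before relying on it.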