Thread: [sleuthkit-users] Opening Application Files
From: Brian S. <Br...@Pe...> - 2005-04-20 22:55:20
Hi everyone,

I am new to the forensic world using TSK and other tools, and any help is GREATLY appreciated! I know I have a lot of questions, so any help is received with gladness:

Foremost (I know this is not a foremost forum, so hopefully some of you can help me.)

I have recovered several different file types from fat32 unallocated disk space (dls file) using foremost. I have some questions:

1) Why does foremost make many of the file sizes the max file size as specified in the foremost.conf file? In other words, is there a way to compress them down? For example, I retrieved about 1000 .doc files (MS Office), but because of the max file size, the total disk space is showing as 2 gigs, which cannot be the case.

2) Of the .doc files retrieved, half will not open in MS Word. Why is that? I understand that other office application data files have the same file headers. Is this because I do not have the right application to open them, or because the files are corrupted? If corrupted, is there any way to recover it, or view the content, outside of viewing the strings with a hex editor?

3) None of the database files recovered with foremost open in the application associated with them, whereas half of word/excel files open. Why is that? Are db files just more difficult to recover?

Sorter

4) When I run the sorter, I have the same file types in the 'data' and 'documents' directories (for instance, there will be .doc files in both directories). In addition, many common file types are labeled as unknown (for instance, a .pst file - MS Outlook). Is this because I do not have the NIST NSRL database installed?

5) Does the sorter pull files from unallocated as well as allocated disk space?

Other Questions

6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor, however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

7) How could I view the content of .dat files? Is there a specific tool, or do I view the strings with a hex editor?

Again, any help is mucho appreciated! Thanks.

Brian
From: Brian C. <ca...@sl...> - 2005-04-21 14:01:16
On Apr 20, 2005, at 5:54 PM, Brian Starr wrote:

> Hi everyone,
>
> I am new to the forensic world using TSK and other tools, and any help is GREATLY appreciated! I know I have a lot of questions, so any help is received with gladness:
>
> Foremost (I know this is not a foremost forum, so hopefully some of you can help me.)
>
> I have recovered several different file types from fat32 unallocated disk space (dls file) using foremost. I have some questions:
>
> 1) Why does foremost make many of the file sizes the max file size as specified in the foremost.conf file? In other words, is there a way to compress them down? For example, I retrieved about 1000 .doc files (MS Office), but because of the max file size, the total disk space is showing as 2 gigs, which cannot be the case.

If it doesn't find the footer value (or if the application type doesn't have a footer value), it goes until the maximum length.

> 2) Of the .doc files retrieved, half will not open in MS Word. Why is that? I understand that other office application data files have the same file headers. Is this because I do not have the right application to open them, or because the files are corrupted? If corrupted, is there any way to recover it, or view the content, outside of viewing the strings with a hex editor?

foremost only looks for a basic signature value, which could be 2 or 4 bytes long. Random data is bound to eventually have the same value in that location so you will get false positives.

> 3) None of the database files recovered with foremost open in the application associated with them, whereas half of word/excel files open. Why is that? Are db files just more difficult to recover?

Could just be a more common signature value or because database files tend to be larger and more fragmented so you are not recovering the full file. foremost recovers only files that are not fragmented.

> Sorter
>
> 4) When I run the sorter, I have the same file types in the 'data' and 'documents' directories (for instance, there will be .doc files in both directories).

What is the file type reported for those in the data directory? 'file' puts things in 'data' if it doesn't know the type.

> In addition, many common file types are labeled as unknown (for instance, a .pst file - MS Outlook). Is this because I do not have the NIST NSRL database installed?

It has nothing to do with NSRL. I thought pst was in the rules though. If you send me the unknown file I can add more rules to the next release (this goes for anyone who finds lots of stuff in unknown. I haven't updated the rules in a while).

> 5) Does the sorter pull files from unallocated as well as allocated disk space?

It pulls stuff from unallocated space IF there is a metadata structure (i.e. inode / MFT entry etc.) that points to the data. It does not do carving like foremost does.

> Other Questions
>
> 6) If data files are recovered, is the only way to view their content through the application that is associated with them? For example, must a Microsoft Money data file be viewed with the MS Money application in order to see the content? I know when a hex editor is used, it is impossible to see what is in the file. I have had success with getting text from a file with a hex editor, however, with database apps I have no such luck. Is there some kind of tool that allows me to see the tables of a db, or do I need to open it in the application that is associated with it?

If you want more than just strings, you will need an app that understands the structure of the application file (just like you need a tool that can understand the structure of a specific file system to view a file system image file).

> 7) How could I view the content of .dat files? Is there a specific tool, or do I view the strings with a hex editor?

'.dat' is a generic extension. You really need to base it on what 'file' (or similar) tool tells you about the file type.

brian
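A minimal header/footer carver, added here to illustrate the three carving behaviours Brian describes (it is not foremost's code, and the "unallocated" blob is constructed for the example): a file runs from a header hit to the next footer, it runs to the configured maximum size when the type has no footer or none is found, and a short signature that happens to occur in filler is carved as a false positive.

```python
from typing import List, Optional, Tuple

# Real magic values; foremost matches on short signatures like these.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
OLE_HEADER = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound document (.doc, .xls, ...)

MAX_SIZE = 64  # tiny cap for the demo; real foremost.conf values are in the megabytes


def carve(blob: bytes, header: bytes, footer: Optional[bytes],
          max_size: int) -> List[Tuple[int, bytes, str]]:
    """Carve every header hit in blob. Each result is (offset, data, reason),
    where reason records what ended the file: 'footer', 'max_size' or 'end_of_data'."""
    results = []
    pos = blob.find(header)
    while pos != -1:
        limit = min(pos + max_size, len(blob))
        end = limit
        reason = "max_size" if pos + max_size <= len(blob) else "end_of_data"
        if footer is not None:
            f = blob.find(footer, pos + len(header), limit)
            if f != -1:  # footer inside the window: the file ends there
                end, reason = f + len(footer), "footer"
        results.append((pos, blob[pos:end], reason))
        pos = blob.find(header, pos + len(header))
    return results


def carve_image(blob: bytes, max_size: int) -> List[Tuple[str, int, int, str]]:
    """Run a jpg rule (with footer) and a doc rule (no footer) over an image."""
    rules = [("jpg", JPEG_HEADER, JPEG_FOOTER), ("doc", OLE_HEADER, None)]
    return [(name, off, len(data), why)
            for name, hdr, ftr in rules
            for off, data, why in carve(blob, hdr, ftr, max_size)]


# Constructed stand-in for a dls-style unallocated-space blob: zero filler,
# a complete 20-byte JPEG, filler, a 28-byte OLE2 document body, filler,
# three stray bytes that happen to equal the JPEG header, more filler.
UNALLOC = (
    b"\x00" * 10
    + JPEG_HEADER + b"\xe0\x00\x10JFIF" + b"A" * 8 + JPEG_FOOTER
    + b"\x00" * 10
    + OLE_HEADER + b"B" * 20
    + b"\x00" * 30
    + b"\xff\xd8\xff"
    + b"\x00" * 80
)

if __name__ == "__main__":
    for kind, off, size, why in carve_image(UNALLOC, MAX_SIZE):
        print(f"{kind} at offset {off}: {size} bytes, ended by {why}")
```

The real JPEG comes out at its true 20 bytes, while both the footerless .doc and the 3-byte false positive are carved at exactly MAX_SIZE, which is why a run of 1000 .doc hits can add up to the maximum size times 1000 on disk.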