Indexing Unallocated Space for Content Discovery

  • Stephen E. Fowler
    Message 1 of 7, Nov 9, 2004
      Does anyone have experience doing discovery by using an indexing utility on
      unallocated disk drive space? I'd be most grateful for any hints,
      stories, narration or pointers to information.

      Thanks.

      Steve Fowler



      MicroCom Digital Discovery < http://www.data-master.com > 800.469.2549

    • The Dog's Bollix
      Message 2 of 7, Nov 9, 2004
        I've used FTK in the past to do this. It does a good job of indexing it for search purposes and then creates a custom dictionary based upon the terms it indexes. It is a Windows tool; I don't know of any tools that will index unallocated in Linux.

        T

        "Stephen E. Fowler" <sfowler@...> wrote:
        Does anyone have experience doing discovery by using an indexing utility on
        unallocated disk drive space? I'd be most grateful for any hints,
        stories, narration or pointers to information.

        Thanks.

        Steve Fowler



        MicroCom Digital Discovery < http://www.data-master.com > 800.469.2549
      • M J
        Message 3 of 7, Nov 9, 2004
          I also use FTK. It utilizes dtSearch for indexing. dtSearch (dtengine.com) does have a Linux engine available but I have no idea if anyone has done anything with this.


          Martin Herlihy
          Associated Investigations
          Toms River, NJ
        • Stephen E. Fowler
          Message 4 of 7, Nov 9, 2004
            Thanks for the responses. dtSearch, along with a couple of other indexing
            apps, is what I'm doing an eval on right now -- and it's already the
            winner because of its ability to hit targets based on things like stemming,
            phonics, synonyms, and fuzzy search. Do you know if FTK extends its
            dtSearch module beyond the basic app -- in particular with respect to
            unallocated data -- especially where fragmentary strings of data encrypted
            as zip or PDF may no longer be as readily identifiable as they are when
            found in normally maintained file systems?

            I know of FTK only by frequent mention, but haven't heard what it can do
            for me beyond what dtSearch does. Feel free to illuminate! Thanks again.

            cheers
            sef

            ==================

            From: The Dog's Bollix <isxpro@...>
            At 02:26 PM 11/9/04, you wrote:

            >I've used FTK in the past to do this. It does a good job of indexing it
            >for search purposes and then creates a custom dictionary based upon the
            >terms it indexes. It is a Windows tool, I don't know of any tools that
            >will index unallocated in Linux.
            >
            >T

            ~~~~~~~~~~~
            From: M J <njinvestigators@...>
            At 04:31 PM 11/9/04, you wrote:

            >I also use FTK. It utilizes dtSearch for indexing. dtSearch (dtengine.com)
            >does have a Linux engine available but I have no idea if anyone has done
            >anything with this.
            >
            >
            >Martin Herlihy
            >Associated Investigations
            >Toms River, NJ




            MicroCom Digital Discovery < http://www.data-master.com > 800.469.2549
          • M J
            Message 5 of 7, Nov 9, 2004
              I have never worked with dtSearch as an independent program. I do like FTK as a total package though.

              As a side note, when I went to their boot camp in DC, I was talking to some of the feds in class. They use FTK. Some also use dtSearch independently because they believed that it indexed faster. This was a while ago and Access Data has updated the search engine within the past few months, so I cannot say if this still holds true.

              Martin Herlihy
              Associated Investigations
              Toms River, NJ
            • Brian Carrier
              Message 6 of 7, Nov 9, 2004
                On Nov 9, 2004, at 4:27 PM, Stephen E. Fowler wrote:

                > Does anyone have experience doing discovery by using an indexing
                > utility on
                > unallocated disk drive space? I'd be most grateful for any hints,
                > stories, narration or pointers to information.


                Paul Bakker has been developing some indexing tools to work with
                Autopsy / The Sleuth Kit. He did an article about them in the last
                Informer:

                http://www.sleuthkit.org/informer/sleuthkit-informer-16.html#search

                brian
              • Andrew Rosen
                Message 7 of 7, Nov 10, 2004
                  Hi Steve -

                  I will use text indexing on unallocated space from
                  time to time. I like to preprocess the unallocated by
                  removing any documents that are recoverable utilizing
                  headers/footers.

                  Depending on what I'm looking for and the file system
                  the unallocated space was aggregated from, I will
                  often pre-process the unallocated space in one or more
                  of a variety of ways, including squishing or deleting
                  non-ascii repeating characters (SMART can automate
                  this for you).

                  Glimpse does a pretty good job when you consider the
                  speed and index-creation options.

                  Regards -

                  Andrew Rosen

                  --- "Stephen E. Fowler" <sfowler@...>
                  wrote:

                  >
                  > Does anyone have experience doing discovery by using
                  > an indexing utility on
                  > unallocated disk drive space? I'd be most grateful
                  > for any hints,
                  > stories, narration or pointers to information.
                  >
                  > Thanks.
                  >
                  > Steve Fowler
                  >

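The preprocessing Andrew describes above (carve what is recoverable by header/footer, squish runs of non-text bytes, then index the remainder), together with Steve's interest in fuzzy matching and his concern that compressed zip/PDF fragments are not identifiable to a plain text index, can be put together in a small script. What follows is an added example written for this page; it is not code from FTK, dtSearch, SMART, Glimpse or The Sleuth Kit. The "unallocated" input is constructed inline, the carving step handles only zlib streams (recognised by their 0x78 0x9c header) as a stand-in for real zip/PDF stream carving, and plain Levenshtein distance stands in for a commercial engine's fuzzy search.

```python
"""Toy unallocated-space indexer: squish non-text runs, carve and inflate
zlib streams, build an inverted index of byte offsets, search exactly or
fuzzily. Example code for this page, not any forensic product's code."""
import re
import zlib
from collections import defaultdict

PRINTABLE = re.compile(rb"[\x20-\x7e\r\n\t]{4,}")   # printable-ASCII runs of >= 4 bytes
TOKEN = re.compile(rb"[a-z0-9]{2,}")
ZLIB_MAGIC = b"\x78\x9c"                             # zlib header at default compression level


def build_sample_blob() -> bytes:
    """Constructed 'unallocated' blob (not a real image): a deleted e-mail
    fragment, binary junk, a zlib stream standing in for zip/PDF stream
    data, then another text fragment."""
    email = (b"From: alice@example.org\r\nSubject: Q3 invoice ammendment\r\n\r\n"
             b"Please see the attached invoices.\r\n")
    junk = b"\x00" * 512 + bytes(range(256)) * 2 + b"\xff" * 300
    stream = zlib.compress(b"text inside a compressed stream is invisible to a raw index")
    note = b"... wire transfer of 40,000 to the usual account before Friday ..."
    return email + junk + stream + b"\x00" * 64 + note


def extract_text_runs(blob: bytes):
    """Squish the blob down to its printable runs, keeping each run's absolute
    offset so a hit can be mapped back to the image."""
    return [(m.start(), m.group()) for m in PRINTABLE.finditer(blob)]


def carve_zlib_streams(blob: bytes):
    """Header-based carving: attempt to inflate at every zlib magic and keep
    the streams that terminate cleanly. Returns (offset, plaintext) pairs."""
    found, pos = [], blob.find(ZLIB_MAGIC)
    while pos != -1:
        d = zlib.decompressobj()
        try:
            data = d.decompress(blob[pos:])   # trailing bytes land in d.unused_data
            if d.eof:
                found.append((pos, data))
        except zlib.error:
            pass                              # false positive on the 2-byte magic
        pos = blob.find(ZLIB_MAGIC, pos + 1)
    return found


def build_index(blob: bytes, inflate: bool = False):
    """Inverted index: term -> list of absolute byte offsets. With inflate=True
    carved zlib streams are indexed too, recorded at the stream's start offset."""
    entries = [(base, run, False) for base, run in extract_text_runs(blob)]
    if inflate:
        entries += [(off, data, True) for off, data in carve_zlib_streams(blob)]
    index = defaultdict(list)
    for base, data, inflated in entries:
        for m in TOKEN.finditer(data.lower()):
            # a word inside an inflated stream has no offset of its own in the image
            index[m.group().decode()].append(base if inflated else base + m.start())
    return dict(index)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, the simplest form of fuzzy matching."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fuzzy_lookup(index, term: str, max_dist: int = 1):
    """Indexed terms within max_dist edits of `term`, with their offsets."""
    return {t: offs for t, offs in index.items()
            if abs(len(t) - len(term)) <= max_dist and edit_distance(t, term) <= max_dist}


if __name__ == "__main__":
    blob = build_sample_blob()
    raw = build_index(blob)
    print("'invoice' at offsets:", raw.get("invoice"))
    print("fuzzy 'amendment':", fuzzy_lookup(raw, "amendment"))
    print("'compressed' in raw index:", "compressed" in raw)
    print("'compressed' after carving+inflating:", "compressed" in build_index(blob, inflate=True))
```

Run as a script it prints the byte offsets of the hits; the last two lines make the point of the thread concrete: the word inside the compressed stream is absent from the raw index and only appears after the stream is carved and inflated, which is why header/footer recovery before indexing matters for zip and PDF fragments.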