
Announcing frag_find 1.1.1

  • Simson Garfinkel
    Message 1 of 1 , Apr 12, 2009
      All,

      Based on user feedback, I am happy to announce the release of
      frag_find version 1.1.1. This program is part of the NPS Bloom Filter
      package.

      You can download it from: http://www.afflib.org/downloads/bloom-1.1.1.tar.gz

      New features:

      * Approximately 10x faster (improvements to both I/O and computation)
      * Prints status reports including estimated time of completion
      * Fixed a bug coming from errors in some STL implementations

      frag_find takes a TARGET file and a disk IMAGE and tells you where the
      sectors of the TARGET can be found on the IMAGE. The program is
      designed for use in exfiltration cases --- the idea is that someone
      may have stolen some files, put them on a hard drive, then erased the
      files and tried to overwrite the disk. Are there any sectors from the
      original files still present on the disk?

      Here is a sample run of the program, using a ZIP file that was present
      on the disk image nps-2009-ubnist1/ubnist1.gen3.raw:

      $ ./frag_find x.zip /corp/images/nps/nps-2009-ubnist1/ubnist1.gen3.raw
      Scanning for x.zip (5535 512-byte blocks) in /corp/images/nps/nps-2009-ubnist1/ubnist1.gen3.raw (4114432 blocks)
      Creating bloom filter...
      Bloom filter created.
      Computing SHA1 values of search blocks...
      All SHA1 values have been stored
      Now searching image file...
      0M out of 4M sectors processed; hits=0
      0M out of 4M sectors processed; hits=0
      0M out of 4M sectors processed; hits=0; 252.928 Kblocks/sec; done in 0:00:15
      0M out of 4M sectors processed; hits=0; 288.242 Kblocks/sec; done in 0:00:12
      0M out of 4M sectors processed; hits=0; 314.217 Kblocks/sec; done in 0:00:11
      ...
      4M out of 4M sectors processed; hits=11070; 439.015 Kblocks/sec; done in 0:00:00
      4M out of 4M sectors processed; hits=11070; 440.737 Kblocks/sec; done in 0:00:00


      Blocksize: 512
      Target file: x.zip (5535 blocks)
      Image file: /corp/images/nps/nps-2009-ubnist1/ubnist1.gen3.raw (4114432 blocks)
      Blocks of target file found in image file: 11070
      Here is where they were found:
      Target Block(s) Found at image block
      0-7 2143717-2143724 (8 blocks)
      8-15 2155469-2155476 (8 blocks)
      16-95 2159573-2159652 (80 blocks)
      96-367 2159661-2159932 (272 blocks)
      368-431 2159997-2160060 (64 blocks)
      432-615 2160069-2160252 (184 blocks)
      616-671 2160261-2160316 (56 blocks)
      672-695 2168197-2168220 (24 blocks)
      696-5455 2171557-2176316 (4760 blocks)
      5456-5463 2176333-2176340 (8 blocks)
      5464-5471 2176365-2176372 (8 blocks)
      5472-5479 2176901-2176908 (8 blocks)
      5480-5534 2191077-2191131 (55 blocks)
      Total blocks of original file found: 5535 (100%)
      Bloom filter utilization: 0.00064%
      Seen First Utilization: 0.00033%
      $


      As always, I am interested in feedback.

      Thanks!
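
The sector-matching idea described in the message above, as an added Python sketch that is not frag_find's own code: hash every 512-byte block of the target, scan the image block by block, and merge consecutive hits into runs like those in the sample report. It assumes a plain dict of SHA-1 digests in place of the Bloom filter and ignores a trailing partial block; `find_fragments`, `coverage`, `TARGET` and `IMAGE` are names and data constructed for the example.

```python
import hashlib

BLOCKSIZE = 512  # sector size shown in the sample run

def block_hashes(data, blocksize=BLOCKSIZE):
    """Yield (block_number, SHA-1 digest) for every full block of data."""
    for off in range(0, len(data) - blocksize + 1, blocksize):
        yield off // blocksize, hashlib.sha1(data[off:off + blocksize]).digest()

def find_fragments(target, image, blocksize=BLOCKSIZE):
    """Return sorted runs (target_first, target_last, image_first, image_last)."""
    index = {}  # digest -> all target blocks with that content
    for tblk, digest in block_hashes(target, blocksize):
        index.setdefault(digest, []).append(tblk)
    runs, open_runs = [], {}  # open_runs: (last target blk, last image blk) -> run
    for iblk, digest in block_hashes(image, blocksize):
        for tblk in index.get(digest, ()):
            # Extend a run only if the previous target block sat in the previous image block.
            run = open_runs.pop((tblk - 1, iblk - 1), None)
            if run is None:
                run = [tblk, tblk, iblk, iblk]
                runs.append(run)
            else:
                run[1], run[3] = tblk, iblk
            open_runs[(tblk, iblk)] = run
    return sorted(tuple(r) for r in runs)

def coverage(runs):
    """Number of distinct target blocks recovered from the image."""
    return len({t for t0, t1, _, _ in runs for t in range(t0, t1 + 1)})

# Constructed sample data: a 6-block target, and an image holding target
# blocks 0-1 at image blocks 3-4 and 2-4 at 8-10; target block 5 was overwritten.
def blk(n):
    return (b"T%03d" % n) * (BLOCKSIZE // 4)

FILLER = b"\x00" * BLOCKSIZE
TARGET = b"".join(blk(n) for n in range(6))
IMAGE = (FILLER * 3 + blk(0) + blk(1) + FILLER * 3
         + blk(2) + blk(3) + blk(4) + FILLER)

if __name__ == "__main__":
    found = find_fragments(TARGET, IMAGE)
    for t0, t1, i0, i1 in found:
        print(f"{t0}-{t1}\t{i0}-{i1}\t({t1 - t0 + 1} blocks)")
    print(f"Total blocks of original file found: {coverage(found)} of 6")
```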