Re: [linux_forensics] best carver to pull an apple mail out of an image?

  • Greg Freemyer
    Message 1 of 5 , Apr 12, 2013
      Okay,

      Dumb question time. What interface? I only know about the CLI command.

      Greg

      On Fri, Apr 12, 2013 at 8:57 AM, Simson Garfinkel <simsong@...> wrote:

      > Greg,
      >
      > I'm glad that you were able to do well with bulk_extractor. You might want
      > to look at the User Interface. It would allow you to search for the email
      > address, click on it, and see it in context. This is especially important
      > in the case of email addresses recovered from compressed data. Those will
      > not appear properly with the approach that you describe below.
      >
      >
      > On Apr 11, 2013, at 9:44 PM, Greg Freemyer <greg.freemyer@...>
      > wrote:
      >
      >
      >
      > All,
      >
      > In my case, bulk_extractor found about 90,000 rfc822 related fragments
      > (or full emails). I then did a simple grep through those to find the
      > specific email I was trying to find.
      >
      > I don't know how others are working with that output, but since I only
      > had one email I cared about at all, I just used dd to grab a big
      > section around my offset of interest and then used vi to manually
      > carve out the legit rfc822 email I was looking for.
      >
      > dd if=/image/ewf1 of=$offset bs=1 count=102400 skip=$(($offset - 500))
      >
      > Greg
      >
      > On Thu, Apr 11, 2013 at 12:29 AM, Greg Freemyer <greg.freemyer@...>
      > wrote:
      > > I've got a case where I need to find one specific email.
      > >
      > > It was sent via Apple Mail on a Mac about 6 months ago. It was
      > > deleted a couple months later.
      > >
      > > I'm wondering what the best carver for that situation is? I have the
      > > to address and in theory it should not be very common on the image.
      > >
      > > I'm thinking bulk_extractor with a keyword list should definitely be
      > > something I try, but what else.
      > >
      > > Greg
      >
      >
      >
      >


      [Non-text portions of this message have been removed]
    • Simson Garfinkel
      Message 2 of 5 , Apr 12, 2013
        The BEViewer
        https://github.com/simsong/bulk_extractor/wiki/BEViewer

        On Apr 12, 2013, at 1:06 PM, Greg Freemyer <greg.freemyer@...> wrote:

        > Okay,
        >
        > Dumb question time. What interface? I only know about the CLI command.
        >
        > Greg
        >
        > On Fri, Apr 12, 2013 at 8:57 AM, Simson Garfinkel <simsong@...> wrote:
        > Greg,
        >
        > I'm glad that you were able to do well with bulk_extractor. You might want to look at the User Interface. It would allow you to search for the email address, click on it, and see it in context. This is especially important in the case of email addresses recovered from compressed data. Those will not appear properly with the approach that you describe below.
        >
        >
        > On Apr 11, 2013, at 9:44 PM, Greg Freemyer <greg.freemyer@...> wrote:
        >
        >>
        >> All,
        >>
        >> In my case, bulk_extractor found about 90,000 rfc822 related fragments
        >> (or full emails). I then did a simple grep through those to find the
        >> specific email I was trying to find.
        >>
        >> I don't know how others are working with that output, but since I only
        >> had one email I cared about at all, I just used dd to grab a big
        >> section around my offset of interest and then used vi to manually
        >> carve out the legit rfc822 email I was looking for.
        >>
        >> dd if=/image/ewf1 of=$offset bs=1 count=102400 skip=$(($offset - 500))
        >>
        >> Greg
        >>
        >> On Thu, Apr 11, 2013 at 12:29 AM, Greg Freemyer <greg.freemyer@...> wrote:
        >> > I've got a case where I need to find one specific email.
        >> >
        >> > It was sent via Apple Mail on a Mac about 6 months ago. It was
        >> > deleted a couple months later.
        >> >
        >> > I'm wondering what the best carver for that situation is? I have the
        >> > to address and in theory it should not be very common on the image.
        >> >
        >> > I'm thinking bulk_extractor with a keyword list should definitely be
        >> > something I try, but what else.
        >> >
        >> > Greg
        >>
        >
        >


