[Nottingham] Forensics problem

Paul Tew binarybod at gmail.com
Thu Sep 16 21:15:31 UTC 2010 

Luke,

Thanks for the suggestion but...

foremost, scalpel and the surprisingly more sophisticated photorec (from
the testdisk suite) are my stock-in-trade. I use these tools or
something equivalent on just about every case I examine. Unfortunately
they only work when they have data to examine and I can't get at the
unallocated area of the partition on it's own. (well actually I think I
can thanks to Mat's suggestion)

I could use these tools on the whole partition but there are 150GB of
allocated files already on disk. I don't want to have to filter out
those I know about to leave me with those I don't.

You might think that using an MD5 or SHA1 hash set against the files I
have recovered and comparing this to the files I carve using the tools
you mention would be a good idea. Surprisingly however, the carvers tend
to make lots of assumptions about the files they are carving and they
are not bit-perfect in a lot of cases. In my experience around 20% are
imperfectly carved which would leave me with a whole load of unnecessary
work that would have the potential to slow me down.

As it happens I may have enough evidence without carving the unallocated
space. Once this has been to court I'll tell you all about it ;)

Thanks to everyone who has devoted time and energy to my little
conundrum.

Paul


On Thu, 2010-09-16 at 21:34 +0100, Luke Crowe wrote:
> Have you tried Foremost or Scalpel, which carves on headers and footers
> Luke
> 
> -----Original Message-----
> From: nottingham-bounces at mailman.lug.org.uk
> [mailto:nottingham-bounces at mailman.lug.org.uk] On Behalf Of Paul Tew
> Sent: 14 September 2010 14:56
> To: Notts GNU/Linux Users Group
> Subject: [Nottingham] Forensics problem
> 
> Hi,
> Some of you folks are aware that I'm a forensic examiner with Notts
> Police... well I suppose you all know now ;)
> 
> I have a bit of a problem with some evidence I'm examining and could do with
> some suggestions...
> 
> I recently took possession of a Buffalo LinkStation which serves files to an
> attached network via samba. The issue I have is that these files are stored
> on an XFS partition. None of my usual forensic tools can parse XFS. To
> recover the files I've had to mount the image file (for the uninitiated, an
> image file is a copy of all the data from the hard drive or, as in this case
> a RAID). I've mounted the XFS partition without any problem and recovered
> the files, all well and good so far.
> 
> My problem is that I need to look at those parts of the drive that DON'T
> form regular files so that I can search for deleted and unallocated files
> and carve them out. Ideally I would like to extract all the data from
> sectors that aren't allocated to files. I would normally use something like
> 'blkls' from the sleuthkit (TSK), but unfortunately TSK can't parse XFS
> partitions.
> 
> My question is this:
> Does anyone have any suggestions as to how to stream the areas of a
> partition that don't consist of regular files?
> 
> Paul
> 
> _______________________________________________
> Nottingham mailing list
> Nottingham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/nottingham
> 
> 
> _______________________________________________
> Nottingham mailing list
> Nottingham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/nottingham

More information about the Nottingham mailing list