Forensic Focus - Computer Forensics, Computer Forensic Training, Digital Forensics
How to search extensions with PTK?
Israel
Newbie


Joined: Jan 03, 2006
Posts: 8
Location: US

Posted: Wed Dec 17, 2008 9:59 pm    Post subject: How to search extensions with PTK?

Title says it all. I'm using the PTK (Sleuthkit Front-End) in Linux. I understood there was a way to search in it by file extension (e.g. .txt, .php, .jpg, .exe). I already have PTK working; does anyone know how to do that?
Rampage
Senior Member


Joined: Oct 17, 2008
Posts: 207
Location: Italy

Posted: Thu Dec 18, 2008 5:07 am    Post subject: Re: How to search extensions with PTK?

I dunno if you can do this using PTK, but honestly I don't think it's the proper way to search for evidence either.

If you are going to search for particular file types, I suggest you go through a carving method,
which will allow you to filter by filetype, and prevents you from dealing with files renamed to prevent identification.
Not to mention that carving will help you to search for deleted data too.

For such a task, I suggest you try plainsight. I've used it for some testing; the carving engine is based on foremost, and it works really well.
bgrundy
Member


Joined: Apr 11, 2006
Posts: 68
Location: Maryland

Posted: Thu Dec 18, 2008 6:54 pm    Post subject: Re: How to search extensions with PTK?

Rampage wrote:

If you are going to search for particular file types, I suggest you go through a carving method.

I'm not sure this is the best idea for looking for file types. Carving is great for obtaining data from unallocated data or data not otherwise organized via a filesystem. There's little reason to use carving on a full filesystem (allocated and unallocated) just to recover files of a particular type.

In this case, I'd suggest using a file signature search tool on the *live* files. Sleuthkit's "sorter" tool comes to mind (and it recovers deleted files and sorts them as well). Then rip out the unallocated (with dls) and *then* carve that.

I know your OP was a question about PTK, but I've not used it much (though I've done some testing with it).

For what it's worth, I'd give SFDumper a shot.

sfdumper.sourceforge.net/
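
The gap between an extension search and a file signature search, which this thread turns on, shown as an added example (not code from any poster, and not a description of how PTK, sorter or SFDumper work internally). The signature table and sample files are constructed, `header_type`, `scan` and `build_sample` are hypothetical names, and it only looks at allocated files under a directory, not deleted or unallocated data.

```python
import tempfile
from pathlib import Path

# Constructed signature table: leading magic bytes -> extensions usual for that format.
SIGNATURES = [
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ((b"GIF87a", b"GIF89a"), {".gif"}),
    (b"MZ", {".exe", ".dll"}),
]

def header_type(path):
    """Extensions expected for this file's header; empty set if the header is unknown."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return next((exts for magic, exts in SIGNATURES if head.startswith(magic)), set())

def scan(root, wanted):
    """Compare an extension search with a signature search for several wanted types."""
    wanted = {w.lower() for w in wanted}
    by_ext, by_sig = set(), set()
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in wanted:
            by_ext.add(rel)
        if header_type(path) & wanted:
            by_sig.add(rel)
    return {
        "by_extension": sorted(by_ext),
        "by_signature": sorted(by_sig),
        "renamed": sorted(by_sig - by_ext),      # wanted content under another extension
        "mislabelled": sorted(by_ext - by_sig),  # wanted extension on other content
    }

def build_sample(root):
    """Write a few constructed files (headers only, not real images or programs)."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "logo.gif": b"GIF89a" + b"\x00" * 16,
        "report.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 16,  # JPEG header, renamed to .txt
        "tool.jpg": b"MZ\x90\x00" + b"\x00" * 16,          # executable header, named .jpg
        "notes.txt": b"plain text\n",
    }
    for name, data in samples.items():
        Path(root, name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp, [".jpg", ".gif"]))
```

On the sample tree the extension search misses `report.txt` and wrongly returns `tool.jpg`, while the signature search gets both right for jpg and gif in one pass.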
Israel
Newbie


Joined: Jan 03, 2006
Posts: 8
Location: US

Posted: Fri Dec 19, 2008 3:10 am    Post subject: Re: How to search extensions with PTK?

I remember reading on the forums here sometime back that PTK could do this. But I can't remember for the life of me what I searched to get to that thread.

SFDumper looks good! Is it possible to look for multiple file types at the same time on here? Like jpg and gif?

Sorry to ask so many questions, but neither of these programs had man pages...

EDIT: Never mind, this thing is fast enough that it doesn't matter. I just wasn't doing it right the first time. Thank you for your help!
All times are GMT - 6 Hours

All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2010 Forensic Focus