How to search extensions with PTK?

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
How to search extensions with PTK?

Post Posted: Thu Dec 18, 2008 2:59 am

Title says it all. I'm using the PTK (Sleuthkit Front-End) in Linux. I understood there was a way to search in it by file extension (e.g. .txt, .php, .jpg, .exe). I already have PTK working; does anyone know how to do that?

Israel
Member

Re: How to search extensions with PTK?

Post Posted: Thu Dec 18, 2008 10:07 am

I dunno if you can do this using PTK, but honestly I don't think it's the proper way to search for evidence either.

If you are going to search for particular file types I suggest you go with a carving method,
which will allow you to filter by file type, and prevents you from dealing with files renamed to prevent identification.
Not to mention that carving will help you to search for deleted data too.

For such a task, I suggest you try plainsight. I've used it for some testing; the carving engine is based on foremost, and it works really well.

Rampage
Senior Member

Re: How to search extensions with PTK?

Post Posted: Thu Dec 18, 2008 11:54 pm

Rampage wrote:

"if you are going to search for particular file types i suggest you to go through a carving method."

I'm not sure this is the best idea for looking for file types. Carving is great for obtaining data from unallocated data or data not otherwise organized via a filesystem. There's little reason to use carving on a full filesystem (allocated and unallocated) just to recover files of a particular type.

In this case, I'd suggest using a file signature search tool on the *live* files. Sleuthkit's "sorter" tool comes to mind (and it recovers deleted files and sorts them as well). Then rip out the unallocated (with dls) and *then* carve that.

I know your OP was a question about PTK, but I've not used it much (though I've done some testing with it).

For what it's worth, I'd give SFDumper a shot.

sfdumper.sourceforge.net/  

bgrundy
Senior Member
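As an added example (not code from the thread, PTK or Sleuthkit), this is the kind of signature-versus-extension check that a sorter-style pass over the *live* (allocated) files performs: each file is typed by its leading bytes, compared with its name, and anything renamed to hide its type is reported. The signature table and the sample file contents are constructed for illustration.

```python
# Added example, not code from the thread, PTK or Sleuthkit: a signature-vs-
# extension check over *live* files, the kind of sorting bgrundy points at.
import os
# Magic bytes at offset 0 for a few common types (constructed subset).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
}
# Extensions that legitimately carry another type's signature.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "jar": "zip", "dll": "exe"}

def detect_type(data):
    """Return the type whose magic bytes start `data`, or None if unrecognised."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def check_file(name, data):
    """Verdict for one file: match, mismatch, unknown (no known magic) or noext."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = ALIASES.get(ext, ext)
    kind = detect_type(data)
    if kind is None:
        return "unknown"
    if not ext:
        return "noext"
    return "match" if ext == kind else "mismatch"

def scan(files):
    """Map name -> (detected type, verdict) for every file that is not a clean match."""
    report = {}
    for name, data in files.items():
        verdict = check_file(name, data)
        if verdict != "match":
            report[name] = (detect_type(data), verdict)
    return report

# Constructed sample contents, standing in for files exported with fls/icat.
SAMPLE_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",        # honest JPEG
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF",        # JPEG renamed to .txt
    "report.docx": b"PK\x03\x04\x14\x00",                # Office file is a zip container
    "setup.jpg": b"MZ\x90\x00\x03\x00",                  # executable hidden as an image
    "README": b"plain text, no extension and no magic",  # no signature known
}
```

Running `scan(SAMPLE_FILES)` flags `notes.txt` and `setup.jpg` as mismatches and `README` as unknown, while the renamed-but-legitimate `report.docx` passes; the unallocated space still needs a separate carving pass, as the post above says.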

Re: How to search extensions with PTK?

Post Posted: Fri Dec 19, 2008 8:10 am

I remember reading on the forums here sometime back that PTK could do this. But I can't remember for the life of me what I searched to get to that thread.

SFDumper looks good! Is it possible to look for multiple file types at the same time on here? Like jpg and gif?

Sorry to ask so many questions, but neither of these programs had man pages...

EDIT: Never mind, this thing is fast enough that it doesn't matter. I just wasn't doing it right the first time. Thank you for your help!

Israel
Member