
Forensic software flatfile reports?

(@mortificating)
Posts: 4
New Member
Topic starter
 

Good morning!

Background
I have worked as a computer forensic (LE) for 10 years and am now employed as an analyst (also LE).
My main cases are white collar crimes and tax frauds. I work in one of the larger countries in Europe.
My prime headache is reports from forensic software. Our nearest computer forensic is a 3 hour drive away (4 h with train).
The main workload for our forensics is to "serve the information on a silver platter" and not so much digging for malware and other information.

Case description
In one case we had 15 computers with roughly 2500 invoices and documents each. All of them more or less relevant to the case. This is not an uncommon case. The main focus is to follow the money and the "paper trail". When I get a report from a seized device it is usually produced from one of the bigger forensic software. It is either in html or pdf format with clickable links. There is also no easy way to do a keyword or reg-ex search in the attached files.

Question/ wish
I would like to receive a flat file report (pdf?) that contains metadata (ie path, md5, filename) followed by the actual document that is deemed relevant to the case.

Compare with UFED reader or XAMN spotlight. An easy GUI which lets me search and bookmark documents/spreadsheets which are then included in the report without the annoying clickable links or attached files. Is there such a forensic software?

Is there another method that lets me easily sift through a large amount of information and without much fuss produce a readable report?

Please let me know if I have missed something or been unclear and I will try to explain further.

Best regards and have a good weekend
// Mort

PS. I have been a member of Forensic focus for a number of years. Because of old age, very selective memory and small kids my credentials for FF somehow disappeared. Hence the new account. DS

 
Posted : 12/01/2019 9:06 am
(@athulin)
Posts: 1156
Noble Member
 

Our nearest computer forensic is a 3 hour drive away (4 h with train).

Sounds like somewhat of a challenge.

I would like to receive a flat file report (pdf?) that contains metadata (ie path, md5, filename) followed by the actual document that is deemed relevant to the case.

What format are those documents in to begin with? Some kind of internal format for 'insert invoicing program name here', and that need to be given a printed form? Or print-ready invoices ready to send off to a mass mailer every month, but without any internal structure so that hits for 'NameX' may be for the addressee, the street he lives on, or the city he lives in?

When you say flat file … do you mean that the format is of no consequence? That is, you're not going to grep it or work on it as a single unit, but only use some reading program? (I mean, creating an index text file with the information you ask + an internal file name, adding that to a zip file, followed by each document, under the new name would create a flat zip file, but it might not be useful.) And creating a HTML structure on the same lines would not be a flat file, but a directory hierarchy, but it may perhaps be more useful. (unless you wget --warc-file it, and it becomes a web.warc.gz file)

Compare with UFED reader or XAMN spotlight. An easy GUI which lets me search and bookmark documents/spreadsheets which are then included in the report without the annoying clickable links or attached files. Is there such a forensic software?

You mentioned PDF just then. Is that format suitable as input format to you, and for the final report that you deliver?

If it is, it seems that some kind of software that just walks over the input data you get, creating the metadata you mention and (probably) each invoice on a page of its own into PDF, and then merge everything.

Is there another method that lets me easily sift through a large amount of information and without much fuss produce a readable report?

So what is 'sift'? Ignoring input reports that may not be relevant? Getting the input reports into a particular order? Or … ?

 
Posted : 12/01/2019 2:27 pm
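The "index text file + zip" idea from the post above, sketched as an added example that is not part of the original thread and not code from any tool named in it. The names `build_bundle`, `verify_bundle`, `index.tsv` and the `docNNNNN` naming scheme are assumptions made for illustration.

```python
import csv, hashlib, io, tempfile, zipfile
from pathlib import Path

FIELDS = ["internal_name", "path", "filename", "md5"]

def md5_of(path, chunk=1 << 20):
    """Hash in chunks so large evidence files are not read into memory at once."""
    h = hashlib.md5()  # MD5 because that is the metadata field asked for in the thread
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_bundle(src_dir, out_zip):
    """Write index.tsv first, then every document under a neutral internal name.
    out_zip must live outside src_dir, or a stale bundle would be picked up."""
    src = Path(src_dir)
    files = sorted(p for p in src.rglob("*") if p.is_file())
    rows = [{"internal_name": f"doc{n:05d}{p.suffix.lower()}",
             "path": p.relative_to(src).as_posix(),  # original path, kept as metadata
             "filename": p.name,
             "md5": md5_of(p)} for n, p in enumerate(files, 1)]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter="\t", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("index.tsv", buf.getvalue())
        for row in rows:
            z.write(src / row["path"], arcname=row["internal_name"])
    return rows

def verify_bundle(zip_path):
    """Re-hash each member against the index; return internal names that mismatch."""
    with zipfile.ZipFile(zip_path) as z:
        text = z.read("index.tsv").decode("utf-8")
        index = csv.DictReader(io.StringIO(text), delimiter="\t")
        return [r["internal_name"] for r in index
                if hashlib.md5(z.read(r["internal_name"])).hexdigest() != r["md5"]]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample input
        src = Path(tmp) / "export"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2018-001.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (src / "ledger.xlsx").write_bytes(b"constructed sample")
        for row in build_bundle(src, Path(tmp) / "bundle.zip"):
            print("\t".join(row[k] for k in FIELDS))
        print("mismatches:", verify_bundle(Path(tmp) / "bundle.zip"))
```

The tab-separated index can be grepped or opened in a spreadsheet, and `verify_bundle` lets the recipient confirm that the documents still match the recorded hashes after transfer.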
(@mortificating)
Posts: 4
New Member
Topic starter
 

Hello!
Thank you for the reply. English is not my native language so I appreciate the questions.

I would like to receive a flat file report (pdf?) that contains metadata (ie path, md5, filename) followed by the actual document that is deemed relevant to the case.

What format are those documents in to begin with? Some kind of internal format for 'insert invoicing program name here', and that need to be given a printed form? Or print-ready invoices ready to send off to a mass mailer every month, but without any internal structure so that hits for 'NameX' may be for the addressee, the street he lives on, or the city he lives in?

Reply
The documents are generally a mix of Excel spreadsheets, Word documents, PDF documents and sometimes OpenOffice documents (*odt) pop up. We have other means to take care of databases from accounting software.

---

When you say flat file … do you mean that the format is of no consequence? That is, you're not going to grep it or work on it as a single unit, but only use some reading program? (I mean, creating an index text file with the information you ask + an internal file name, adding that to a zip file, followed by each document, under the new name would create a flat zip file, but it might not be useful.) And creating a HTML structure on the same lines would not be a flat file, but a directory hierarchy, but it may perhaps be more useful. (unless you wget --warc-file it, and it becomes a web.warc.gz file)

Reply
I guess "flat file" was not the right word. What I would like to have is one file (docx, pdf or something else easily printable) with all information. Keywords and searches are good and I use them a lot. But when it comes to it, a manual inspection of the information is often needed. Faulty OCR recognition, strange scanning formats to name a few.

---

Compare with UFED reader or XAMN spotlight. An easy GUI which lets me search and bookmark documents/spreadsheets which are then included in the report without the annoying clickable links or attached files. Is there such a forensic software?

You mentioned PDF just then. Is that format suitable as input format to you, and for the final report that you deliver?

Reply
PDF or docx is a suitable format. I import the report in an investigation system together with other reports and documents (DNA, surveillance photos, crime scene investigations to name a few). It is then compiled to a preliminary investigation report and sent to the prosecutor's office.

---

If it is, it seems that some kind of software that just walks over the input data you get, creating the metadata you mention and (probably) each invoice on a page of its own into PDF, and then merge everything.

Reply
Yes. It is exactly what I was thinking about.

---

Is there another method that lets me easily sift through a large amount of information and without much fuss produce a readable report?

So what is 'sift'? Ignoring input reports that may not be relevant? Getting the input reports into a particular order? Or … ?

Reply
When I read your reply I noticed that I was very "muddy" in my question. There are a lot of bright people out there and my ideas are far away from the best or brightest. My thought was to be open for other ideas and methods that I have missed or did not think of. Very often there is already a solution hiding in plain sight. Very often a little help where to start looking is all that is needed.

 
Posted : 15/01/2019 8:47 am
Thomas
(@thomas)
Posts: 59
Trusted Member
 

Maybe this is what you are looking for? https://www.krksoft.com/

Directory Lister allows you to list & print folder contents, that is to create and then save, print or send via e-mail a list of files from selected folders on hard disks, cd-roms, dvd-roms, floppies, USB storages and network shares. Listing can be in HTML, text, Microsoft Excel, CSV format or stored directly into a database. Directory Lister can also be integrated into the context menu of Windows Explorer so you don't even need to open the application to generate listings.

When you print a file list, you can include standard file information like file name, extension, type, owner and attributes as well as executable file information (EXE, DLL, OCX) like file version, description, company. Also multimedia properties (MP3, AVI, WAV, JPG, GIF, BMP) like track, title, artist, album, genre, video format, bits per pixel, frames per second, audio format, bits per channel can be listed.

Another set of columns you can print is for Microsoft Office and Open Office files (DOC, XLS, PPT) so you can see document title, author, keywords etc. without opening these files one after another. For each file and folder it is also possible to obtain its CRC32, MD5, SHA-1, SHA-256, SHA-512 and Whirlpool hash number so you can verify the file has not been modified.

Extensive number of options allows you to completely customize the visual look of the output. You can set sorting for files and folders so they are always displayed as you want. You can define column order so the most important columns are immediately visible. International display format options allow you to adjust the output for your local needs. Listing can contain links to actual files and directories so you are able to put the listing on a web page with clickable contents.

 
Posted : 23/03/2019 7:44 pm
(@xandstorm)
Posts: 56
Trusted Member
 

Looks like you would be better off with a "portable case" kind of dataset like the ones that can be exported from AXIOM. Portable cases also allow for regex searches.

Saludos,
Lex

 
Posted : 23/03/2019 8:03 pm
pr3cur50r
(@pr3cur50r)
Posts: 28
Eminent Member
 

Sounds like you might be better working with an e-discovery platform such as Nuix.

 
Posted : 24/03/2019 11:31 pm
marky.mark
(@marky-mark)
Posts: 22
Eminent Member
 

Looks like you would be better off with a "portable case" kind of dataset like the ones that can be exported from AXIOM. Portable cases also allow for regex searches.

Saludos,
Lex

I second that.

I think you can split your need in two different parts. First of all you maybe need some form of "portable case" that can help you to see the data with some kind of search engine and index. For this need, you could use dtsearch engine. It is going to index many standard file formats and you will be able to make portable productions that contain your data.

Your second need would be for a good reporting tool. For that you can use the one built into your favorite forensic/eDiscovery tool. eDiscovery tools are often better in this case than pure forensic tools. If you want something customizable, you can export a loadfile from your forensic tool with the information that you need and make a personalized Excel spreadsheet.

I hope this can help you.

M.

 
Posted : 25/03/2019 2:06 pm