Search multiple .e0...
 
Notifications
Clear all

Search multiple .e01 images for specific file.

Page 2 / 2
watcher
(@watcher)
Active Member
Posted by: @azrael
Posted by: @azrael

Get a Linux box, mount them as drives (see here) and use the find command.

Quick, effective and free...

Sorry - didn't read the final response in this chain before answering.

Iterating over a list is a fairly common programming task and I'm sure that you can find a good example of iterating over files in any language you see fit. There will be slight complications if there are multiple partitions per image - as per the second part of the link that I sent first - however, you could still address this in a script. If you create mount directories in line with the image &/or partition names, you'll easily be able to identify which image the file has been found in.

After that, I wouldn't bother creating an index - you know the file name, so once all the images are mounted you can do:

find /search_mount_directory/ -name "mysuspectfile.txt" 

Linux will do the rest - it would print results listing the directory that it has been found in, and, if you've named them correctly this will show you which image &/or partition it is from.

 

 

Running updatedb to generate an index:

  • Eliminates the need to write a script
  • Fast multiple searches
  • Case free searches
  • Wild card searches

Using locate.

A perfect I know the one thing I want right down to exact name and case without error is rare enough that an index is almost always the way to go.

I thought I made a mistake once, but I was wrong.

ReplyQuote
Posted : 12/07/2021 4:14 pm
zemaria523
(@zemaria523)
New Member

You could use iped and do a fast process in ALL e01.

https://github.com/sepinf-inc/IPED

ReplyQuote
Posted : 28/08/2021 3:17 pm
Gsibat
(@gsibat)
New Member

@flyingdingy it is incorrect to say that you need to process your case first in EnCase before you can search.  How you search is very much dependent on what you are searching and what you are search for.  In EnCase, you can perform a RAW search, which is to search the data as it sits in clusters.  This requires no processing.  You can select and index your data, for this you do process the case.  Regardless of which option you choose, it can be done on single or multiple evidence or on single or multiple files.

ReplyQuote
Posted : 16/09/2021 9:34 am
Page 2 / 2
Share: