Search multiple .e01 images for specific file.

18 Posts
11 Users
0 Likes
4,138 Views
(@flyingdingy)
Posts: 3
New Member
Topic starter
 

I've got multiple .e01 images in a case (bunch of usb sticks, hdd, sdcard, ++), and we are looking for a specific file that we know the filename to.

Is it possible to search for the file in multiple .e01 acquisitions/images at once without having to open one at a time?

 
Posted : 22/04/2021 10:36 am
Thomas
(@thomas)
Posts: 59
Trusted Member
 

As far as I know you can mount multiple images in FTK Imager. But you still have to mount them separately, and the number of images is limited to the available drive letters. However, this gives you the opportunity to search through all of them at once.

Maybe it's better to write a simple script that mounts an image, reads (and indexes and, if possible, makes a hash of each file) and searches for the specific file(s). When completed, the script goes to the next .e01 image, etc.

 

 
Posted : 23/04/2021 6:49 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

I suspect, based on your question, that you are using freely available tools?

If so, maybe try autopsy which will allow you to create a case and add multiple images to it.

If you are using commercial tools, many of them allow you to add multiple image files to a single case; X-Ways, Blacklight, FTK etc.

 
Posted : 24/04/2021 6:10 am
(@flyingdingy)
Posts: 3
New Member
Topic starter
 

Thanks for the reply, guys!

I do have access to some commercial tools, Magnet Axiom, FTK, blacklight, autopsy, encase, and so forth.

The problem with all of them is that they need to process before any search can be done; I have yet to find any good way to only process the file tree.

It might be, like Thomas said, that the best method would be to create a script using ewfmount or similar, but I must admit that I am not sure how I would go about making that script auto-mount the next .e01 in a different folder and index all the files.

Let's say I am in the root folder of the case, and each piece of evidence is listed in its own directory. So the path is /casenumber/evidencenr/image/***.e01

What I am trying to do is to index/search all the .e01 in the subfolders of /casenumber/ to find these specified filenames. (no hashes)

 
Posted : 26/04/2021 11:36 am
azrael
(@azrael)
Posts: 656
Honorable Member
 

Get a Linux box, mount them as drives (see here) and use the find command.

Quick, effective and free...

 
Posted : 26/04/2021 12:31 pm
azrael
(@azrael)
Posts: 656
Honorable Member
 
Posted by: @azrael

Get a Linux box, mount them as drives (see here) and use the find command.

Quick, effective and free...

Sorry - didn't read the final response in this chain before answering.

Iterating over a list is a fairly common programming task and I'm sure that you can find a good example of iterating over files in any language you see fit. There will be slight complications if there are multiple partitions per image - as per the second part of the link that I sent first - however, you could still address this in a script. If you create mount directories in line with the image &/or partition names, you'll easily be able to identify which image the file has been found in.

After that, I wouldn't bother creating an index - you know the file name, so once all the images are mounted you can do:

find /search_mount_directory/ -name "mysuspectfile.txt" 

Linux will do the rest - it will print results listing the directory each file has been found in, and, if you've named them correctly, this will show you which image &/or partition it is from.

Posted : 26/04/2021 12:43 pm
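A script of the kind Thomas and azrael describe, added here as an example (it is not code from the thread): it walks /casenumber/<evidencenr>/image/*.e01, exposes each image read-only with ewfmount, maps any partitions with losetup -P, mounts them under a directory named after the evidence number and image, and then runs a single find over the whole mount tree. The mount-point layout, the MOUNT_ROOT and CASE_ROOT variables and the mount_dir_for helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: mount every E01 under a case read-only, one
# directory per evidence item and image, then search all of them with find.
# Assumes libewf's ewfmount, util-linux losetup (-P partition scan), and root.
set -u
MOUNT_ROOT="${MOUNT_ROOT:-/mnt/case}"   # assumed base directory for mount points

# Derive a readable, unique mount directory from the image path, e.g.
# /casenumber/ev01/image/disk.e01 -> $MOUNT_ROOT/ev01_disk
mount_dir_for() {
    img="$1"
    base=$(basename "$img" .e01)
    base=$(basename "$base" .E01)
    ev=$(basename "$(dirname "$(dirname "$img")")")
    printf '%s/%s_%s\n' "$MOUNT_ROOT" "$ev" "$base"
}

# Case-insensitive file-name search over all mounted trees; each hit is printed
# with its evidence/image directory, so it is attributable to one image.
find_in_mounts() {
    root="$1"; name="$2"
    find "$root" -type f -iname "$name" 2>/dev/null
}

# Expose one image as a raw device (ewfmount), scan it for partitions (losetup -P)
# and mount each partition read-only; a disk with no partition table is mounted whole.
mount_image() {
    img="$1"
    dir=$(mount_dir_for "$img")
    mkdir -p "$dir/ewf"
    ewfmount "$img" "$dir/ewf" || return 1
    loop=$(losetup -fP --show -r "$dir/ewf/ewf1") || return 1
    parts=$(ls "$loop"p* 2>/dev/null || echo "$loop")
    n=0
    for p in $parts; do
        n=$((n + 1)); mkdir -p "$dir/p$n"
        # noload stops ext journals being replayed; fall back to plain ro elsewhere
        mount -o ro,noexec,noload "$p" "$dir/p$n" 2>/dev/null \
            || mount -o ro,noexec "$p" "$dir/p$n" \
            || echo "skipping $p (unsupported filesystem)" >&2
    done
}

# Runs only when CASE_ROOT is set, e.g.:
#   sudo CASE_ROOT=/casenumber sh e01find.sh "mysuspectfile.txt"
if [ -n "${CASE_ROOT:-}" ]; then
    find "$CASE_ROOT" -type f -iname '*.e01' | while read -r img; do
        mount_image "$img"
    done
    find_in_mounts "$MOUNT_ROOT" "${1:-mysuspectfile.txt}"
fi
```

Because the mount directories carry the evidence number and image name, every path that find prints tells you which acquisition the hit came from without any indexing.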
(@hommy0)
Posts: 98
Trusted Member
 

Hi,

 

EnCase does not need to be processed before a search can be conducted.  With all the evidence files loaded in Entries view, you can blue check select those files of interest and use the RAW Search option that will become enabled.  The Raw Search also provides the option of GREP.

As mentioned blue check a single file, a folder, multiple folders or the complete evidence file to perform the Raw Search.

The Raw Search will have limited success with compressed document types such as DOCX and PDF (hence why processing is suggested).

Alternatively the following EnScript provides the option to select the files of interest from your evidence, the option is then to do a Raw Search as before or a Transcript Search.

The Transcript Search will allow for searching of content in compressed document types such as DOCX and PDF.

https://security.opentext.com/appDetails/Keyword-Search-with-Range-Bookmarking

Processing is there to be used (and with the release of 21.2 I see OCR has been added).

However, this is not always practicable, hence the above options, Raw Search or using the EnScript, which mean a real-time search of your selected files of interest - no pre-processing required.

 

However, if you want to use the index and process, you can create a Logical Evidence File of your selection, or create a Result Set. Both of these can contain a much smaller sub-set of data from your E01s, and they can both be processed - and thus indexed.

 

Hope that helps a little.

 

Regards

 
Posted : 30/04/2021 9:08 am
(@jerryw)
Posts: 56
Trusted Member
 

"The problem with all of them is that it needs to process before any search can be done, I have yet to find any good way to only process the file tree."

Are you only trying to find the file, then? If so, can you not just add all the E01 files into EnCase and sort all by filename? That would also identify link files to the target file.

If you are trying to find whether there are any traces of that file, such as within system files then you will need to do some indexing/processing.

 
Posted : 30/04/2021 3:34 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

OSForensics can search multiple E01s for files, by file name, without any pre-processing.

(Use the "File Name Search" module)

 
Posted : 02/05/2021 9:50 am
(@hommy0)
Posts: 98
Trusted Member
 
Posted by: @flyingdingy

 

What I am trying to do is to index/search all the .e01 in the subfolders of /casenumber/ to find these specified filenames. (no hashes)

Forgot to mention, EnCase has default conditions that allow searching for filenames - or virtually any metadata that you can see on the table.

You can find them in the lower 4th pane.

Again, no pre-processing is required to use a condition, and you can run them against multiple E01s.

 
Posted : 02/05/2021 5:25 pm
Page 1 / 2