
C4P help required..

11 Posts
5 Users
0 Reactions
1,475 Views
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

I have a case where I am checking the levels of IIOC to SAP levels; the prosecution have given me the C4P and C4M databases and EnCase evidence files.

Due to me not having the images in question, I am having to extract the data out again from the images and then compare hashes. I have done this on all the evidence files apart from one, which has been causing me headaches as it's giving me errors whilst running C4P on one of the case files, as there is so much data to be extracted. I'm going to have to find another way to extract the data, so any guidance on that would be good. I may have to use the file paths and get most things that way (although this leaves unallocated clusters and .part torrent files etc.).

Do you guys have an easy way around the above?

Also, does anyone have any guidance on how I could compare the hashes that I've got already? I was using Access and comparing the two databases, but it's been so long since I've played with Access that I need a little guidance.

Thanks for any help.


   
neddy
(@neddy)
Estimable Member
Joined: 21 years ago
Posts: 182
 

If by 'evidence files' you mean the E01 forensic images and not the EnCase case files, I am sure you have enough data to use the C4P application to import the graded bookmarks back into an EnCase case file and confirm the gradings in EnCase using gallery view.

There are EnScripts available that will use a C4P application created report as the basis for importing bookmarks in EnCase.

The prosecution should have provided you with a C4P exported report created from their grading and you can import this into EnCase in order to examine the accuracy of their grading process.

As for adding your own Hash Sets to C4P, I think it is a simple matter of importing them from a CSV file format.

What version of C4P are you using if at all?
I hope this helps and if not I know the more experienced members will reply soon!


   
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

Thanks Neddy…

Yes it was the E01's I was talking about…

The prosecution only provided the C4P databases, and their case files that hold their gradings. The gradings were done by a third party afterwards, although a lot of this is undocumented so we're currently unsure exactly what process was taken.

Not having much luck with C4P; it seems to error about a day and a half through processing on the large case…

I'm going to have to pull the data back using the file paths (should get most of it)… just going to miss anything that's in unallocated or .torrent files etc.

I'm using C4P 3.5.5, as this is what the prosecution's expert used, so we want to ensure that the results we get match… (not happening at the moment sadly).

Thanks, hopefully should get this sorted this week.


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

Fuzed, I'm not sure you understood my reply to this (on the EnCase board), judging by what you are saying.
You shouldn't need to run anything that requires much processing, provided you have a couple of things.

What needs to be cleared up is:
What type of C4P output you have: is it a set of XML files and folders containing the pictures (the XML files should be named C4P Index.xml and Case Report.xml off the top of my head),
or
is it a set of HTML reports with the pictures in, and the pictures in subfolders.

If you have the XML files, you can just load that into C4P Review, export the bookmarks using that, and use the C4P import script in EnCase to get the exact locations all bookmarked (provided the other side hasn't mounted files - if they have - you might need to find out what and how they mounted the items - file mounter and what types - via the C4P script - logical evidence files etc.).

If you don't have the source XML documents it's basically a pain; going by file path and file offset is probably the only way to find the exact start (rather than blanket sector).


   
(@jdcoulthard)
Trusted Member
Joined: 16 years ago
Posts: 98
 

If I remember correctly, you should be able to export a hash set of the bookmarked images from C4P then import that into EnCase. It should then be relatively straightforward to identify live images that have been bookmarked.

If they have bookmarked images from unallocated you are probably going to have to either run through the C4P process again, or alternatively ask them to provide you with the C4P data that was used to create the reports.


   
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

Thanks JDCoulthard…

I don't actually have either of these
"a set of xml files and folders containing the pictures (the xml files should be named C4P Index.xml and Case Report.xml off the top of my head).
or
It is a set of HTML reports with the pictures in, and the pictures in subfolders."

Only the C4P databases have been supplied, which is basically giving me that extra headache…


   
(@ssenyl)
Eminent Member
Joined: 17 years ago
Posts: 25
 

fuzed,

I've PM'd you…


   
(@jdcoulthard)
Trusted Member
Joined: 16 years ago
Posts: 98
 

Fuzed

When you say C4P databases have been supplied, do you mean the Access database file (C4P.mdb)?

If so you could open this in Access and query for the graded images. You should then be able to export the file details to create your own hash set.


   
ReplyQuote
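The hash-set comparison discussed in this thread, as an added example that is not part of any poster's reply and is not C4P or EnCase code: once each side's graded files are exported to CSV, it reports hashes present in only one set and hashes graded differently. The column names `md5` and `grade` and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def load_hashset(csv_text, hash_col="md5", grade_col="grade"):
    """Return ({md5: grade}, problems). Column names are assumptions."""
    grades, problems = {}, []
    # Line 1 is the header, so data rows start at line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        digest = (row.get(hash_col) or "").strip().lower()  # normalise case
        grade = (row.get(grade_col) or "").strip()
        if not MD5_RE.match(digest):
            problems.append((n, "bad hash", digest))
        elif digest in grades and grades[digest] != grade:
            problems.append((n, "conflicting grade", digest))
        else:
            grades[digest] = grade
    return grades, problems

def compare(theirs, ours):
    """Differences between two {md5: grade} mappings."""
    shared = theirs.keys() & ours.keys()
    return {
        "only_theirs": sorted(theirs.keys() - ours.keys()),
        "only_ours": sorted(ours.keys() - theirs.keys()),
        "grade_mismatch": sorted(
            (h, theirs[h], ours[h]) for h in shared if theirs[h] != ours[h]
        ),
    }

# Constructed sample exports, not real case values.
PROSECUTION_CSV = """md5,grade
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,1
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,4
cccccccccccccccccccccccccccccccc,2
"""
DEFENCE_CSV = """md5,grade
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,1
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,3
dddddddddddddddddddddddddddddddd,5
not-a-hash,1
"""

if __name__ == "__main__":
    theirs, _ = load_hashset(PROSECUTION_CSV)
    ours, problems = load_hashset(DEFENCE_CSV)
    print(compare(theirs, ours), problems)
```

Entries listed under `only_theirs` are the ones to chase by file path and offset, since they may come from unallocated space or mounted files that a path-based extraction misses.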
(@fuzed)
Trusted Member
Joined: 16 years ago
Posts: 93
Topic starter  

JD - yep that's exactly it… C4P.mdb (well I have around 7 of the damn things to go through and extract data from).

That was pretty much going to have to be the next exercise to get this data sorted out…


   
(@jdcoulthard)
Trusted Member
Joined: 16 years ago
Posts: 98
 

Fuzed

I would try to contact whoever did the job and ask them if they can provide hash sets for you.

If they have access to the complete C4P cases, it should be a quick job for whoever to create these for you.

It is usually in everyone's interest as it saves time and money for everyone, so it's worth a try.


   