Forums
Main Category
General (Technical,...
Finding/Viewing/Car...
 
Notifications
Clear all

Finding/Viewing/Carving $I30 files

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by csericks 13 years ago
9 Posts
5 Users
0 Reactions
2,322 Views
RSS
 csericks
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
Topic starter 20/08/2012 8:20 am  

I wonder what tools, other than FTK, might be best (interpret as "easy-to-use" or "automatically parsed and displayed or saved") to use for finding/viewing/carving $I30 files.

Suggestions? (We accept Mastercard, Visa, and Sarcasm at Register 2. wink )

Thank you, in advance, for your thoughtful recommendations.


   
Quote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
21/08/2012 12:34 am  

Top of my head, in no particular order -
The Sleuth Kit
WinHex
EnCase
INDXParse by Willi Balenthin


   
ReplyQuote
 tg92
(@tg92)
Active Member
Joined: 15 years ago
Posts: 13
21/08/2012 1:24 am  

Hi,

I use "wisp" from TZWORKS, easy and efficient (thanks to them)

TZWORKS

Thierry


   
ReplyQuote
 csericks
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
Topic starter 21/08/2012 6:56 am  

Top of my head, in no particular order -
The Sleuth Kit
WinHex
EnCase
INDXParse by Willi Balenthin

Thank you for the suggestions, so far. I respect your knowledge and opinions.

I'm not sure I understand why EnCase and WinHex appear on the list. Manually carving the files (which falls short of the criteria of "easy-to-use" or "automatically parsed and displayed or saved") is the only option available in EnCase or WinHex to get the $I30 files. Is there an EnScript or some feature I'm missing in EnCase or WinHex? Would you be so kind as to expound on this?

I like the way FTK automatically parses/indexes and displays the $I30s, which expedites review and exporting. My interest lies in identifying another tool that performs in a similar manner.

I'll take a look at TZWORKS; they have very useful products.


   
ReplyQuote
jhup
 jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
21/08/2012 8:28 am  

"Easy to use" is a relative term.


   
ReplyQuote
 jonstewart
(@jonstewart)
Eminent Member
Joined: 16 years ago
Posts: 47
21/08/2012 5:46 pm  

There's an "Index Buffer Reader" EnScript floating around. I thought it even shipped with EnCase under the Examples/ folder…

Jon


   
ReplyQuote
 kazamiya
(@kazamiya)
New Member
Joined: 17 years ago
Posts: 2
21/08/2012 6:44 pm  

Hi,

My utility fte supports parsing of INDX record($I30).

fte 1.8
http//www.kazamiya.net/en/fte

Currently fte supports parsing of general INDX record and slack area within INDX record, but doesn't support from unallocated area. You need to carve INDX record using blkls+scalpel or similar process if you want to examine deleted INDX record from unallocated area.


   
ReplyQuote
 csericks
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
Topic starter 26/08/2012 6:51 am  

There's an "Index Buffer Reader" EnScript floating around. I thought it even shipped with EnCase under the Examples/ folder…

Jon

Jon,

Thanks for the suggestion. You are correct–it is part of EnCase. I successfully used it.

kazamiya,

Thank you for your suggestion.


   
ReplyQuote
 csericks
(@csericks)
Trusted Member
Joined: 18 years ago
Posts: 99
Topic starter 26/08/2012 6:51 am  

There's an "Index Buffer Reader" EnScript floating around. I thought it even shipped with EnCase under the Examples/ folder…

Jon

Jon,

Thanks for the suggestion. You are correct–it is part of EnCase. I successfully used it.

kazamiya,

Thank you for your suggestion.


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: