Good Morning
I'm after some advice. I have a Linux file system that is not being read in EnCase 6 or 7 but is being read with XWays 18.4. I conducted a search with C4All Xtension (for the first time) but only got (approx) 20,000 images back. This seemed low to me so I conducted the same search over the un-parsed file system in EnCase 6 and got (approx) 50,000 images back.
Prior to running the Xtension (v.3.6.4.m) I conducted a particularly thorough file system search, verified file sigs, computed hashes, extracted metadata, parsed compound files, extracted email attachments and did the picture analysis and processing.
Have I missed a step somewhere to account for the disparity?
It's not ideal to grade the carved images from the unparsed file system as there is no context to any of it but I don't want to only see half the images.
Thanks
–Sheona
There is a dedicated forum for the C4All X-Tension - htp//c4all.ca
That said I imagine that you have followed the guide for C4All and done carving for picture files at sector boundaries only? If so changing this to "Complete Byte Level" will likely produce the results you are looking for.
Although reading your post, have you don't mention running any file signature header search - is this correct? If so your issue is you haven't actually carved for any files!
That's an oversight on my part trying to get all the information in - I HAD already run file header search prior to running the Xtension but I will take a look at the forum & try the search over byte level.
Thank you
–Sheona
Also uncover embedded data appears to be missing from your list, was this also done or not?
Thanks for helping out here minime -)
and sorry i did not see this thread or i would have offered some help.
There may be a disparity with number of images and i will give you a few reasons.
as minime2k9 mentioned there is the byte level as well as the embedded data options. When carving at a sector level you are encountering files written where a file system would put them. when you use the embedded option it will carve files that inside other like thumbnails, but it will also carve any files types you select at the byte level.
The encase enscript carves at the byte level and makes no reference to a thumbnail being a part of a parent jpeg. It also potentially carves thousands of mjpeg files from a video, as well as the main video. I have seen where 5 videos created 3 million plus pictures from a DVR, that were in fact 5 movies, and not individual pictures.
Each Jpeg can lead to you having upto 4 pictures as the jpeg standard allows for 3 other files to be contained. (most times it is 1 or 2 thumbnails.)
This quickly can lead to what you have seen with many more files. More isnt always better.
You can carve at the byte level and then categorize all the thumbnails of the same picture upto 3 times needlessly. or you can carve at the sector level and categorize the files, and the children are exported as thumbnails to be used in C4All.
In the latest version (3.6.5.j) there is an option make note of files that have differing thumbnails. It will put those files in a report table 'Verify' so you can quickly see any pictures that had different thumbnails based on the hash of the file.
Also with this feature if you chose to run the C4All X-tension and not include the irrelevant files (which you should, based on hash or size) and if a child (thumbnail is found to be a notable file, the parent will be retrieved and added to the C4All XML as notable and the file will have to be looked at by the categorizer to see if parent was miscategorized.
If you want to try this function and / or need help send me a PM or email.
Derek
