Title says it all. I'm using the PTK (Sleuthkit front-end) in Linux. I understood there was a way to search in it by file extension (e.g. .txt, .php, .jpg, .exe). I already have PTK working; does anyone know how to do that?
I don't know if you can do this using PTK, but honestly I don't think it's the proper way to search for evidence either.
If you are going to search for particular file types, I suggest you go through a carving method,
which will allow you to filter by file type and prevents you from dealing with files renamed to prevent identification.
Not to mention that carving will help you search for deleted data too.
For such a task, I suggest you try PlainSight. I've used it for some testing; the carving engine is based on Foremost, and it works really well.
If you are going to search for particular file types, I suggest you go through a carving method.
I'm not sure this is the best idea for looking for file types. Carving is great for obtaining data from unallocated space or data not otherwise organized via a filesystem. There's little reason to use carving on a full filesystem (allocated and unallocated) just to recover files of a particular type.
In this case, I'd suggest using a file signature search tool on the *live* files. Sleuthkit's "sorter" tool comes to mind (and it recovers deleted files and sorts them as well). Then rip out the unallocated space (with dls) and *then* carve that.
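To make the distinction in the reply above concrete, here is an added example (my own code, not from the thread, PTK, sorter or Foremost): a signature-based search over "live" files, which finds a JPEG even when it has been renamed to .txt, next to a minimal header/footer carve over a raw byte blob standing in for the unallocated space you would get out of dls. Both take a set of wanted types, so jpg and gif can be searched in one pass. The signature table, footer table, sample files and the "unallocated" blob are all constructed for the example; a real tool carries a far larger table and handles fragmentation, which this does not.

```python
# Added example: signature search on live files plus a toy carver over a raw
# blob. Not the code of PTK, sorter, dls or Foremost; all data is constructed.
import re

# Magic-byte signatures keyed by the type they identify (assumed short table).
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "exe": [b"MZ"],
}

# Footers used when carving. Where a type has no reliable trailer (PE) the
# carver falls back to a fixed maximum length instead.
FOOTERS = {"jpg": b"\xff\xd9", "gif": b";"}
MAX_CARVE = 64 * 1024


def identify(data: bytes):
    """Return the type whose signature matches the start of data, or None."""
    for ftype, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return ftype
    return None


def scan_files(files: dict, wanted: set) -> list:
    """Signature search over 'live' files: (name, detected_type) for every
    file whose content matches a wanted type, whatever its extension says."""
    hits = []
    for name, content in files.items():
        ftype = identify(content)
        if ftype in wanted:
            hits.append((name, ftype))
    return hits


def carve(blob: bytes, wanted: set) -> list:
    """Header/footer carve over a raw byte blob with no filesystem metadata.
    Returns (offset, type, bytes) for every wanted header found, sorted by
    offset. Contiguous data only; fragmented files are not reassembled."""
    found = []
    for ftype in wanted:
        for magic in SIGNATURES[ftype]:
            for m in re.finditer(re.escape(magic), blob):
                start = m.start()
                footer = FOOTERS.get(ftype)
                end = blob.find(footer, start + len(magic)) if footer else -1
                end = start + MAX_CARVE if end < 0 else end + len(footer)
                found.append((start, ftype, blob[start:end]))
    return sorted(found)


# Constructed minimal JPEG and GIF bodies: header, padding, footer.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 8 + b";"

# Constructed "live files": notes.txt is really a JPEG that was renamed.
LIVE_FILES = {
    "readme.txt": b"just some text\n",
    "notes.txt": JPEG,
    "logo.gif": GIF,
    "tool.exe": b"MZ" + b"\x90" * 32,
}

# Constructed "unallocated space": a GIF and a JPEG between runs of junk.
UNALLOC = b"\x00" * 40 + GIF + b"\xaa" * 21 + JPEG + b"\x00" * 30


if __name__ == "__main__":
    # Extension search would miss notes.txt; signature search does not.
    print(scan_files(LIVE_FILES, {"jpg", "gif"}))
    for off, ftype, data in carve(UNALLOC, {"jpg", "gif"}):
        print(f"offset {off}: {ftype} ({len(data)} bytes)")
```

The two functions answer different questions, which is the reply's point: scan_files walks what the filesystem still knows about and ignores the name, carve walks bytes that no longer belong to any file. Running carve over the whole image would only re-find everything scan_files already reported, plus every embedded thumbnail and icon inside allocated files.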
I know your OP was a question about PTK, but I've not used it much (though I've done some testing with it).
For what it's worth, I'd give SFDumper a shot.
http://sfdumper.sourceforge.net/
I remember reading on the forums here sometime back that PTK could do this. But I can't remember for the life of me what I searched to get to that thread.
SFDumper looks good! Is it possible to look for multiple file types at the same time in it? Like jpg and gif?
Sorry to ask so many questions, but neither of these programs had man pages...
EDIT: Never mind, this thing is fast enough that it doesn't matter. I just wasn't doing it right the first time. Thank you for your help!