
Imaging with exclusions?

(@tricah2), Active Member, Joined: 15 years ago, Posts: 17, Topic starter

Hello,

Thanks for letting me into your forum and world.

What is your preferred method to image something where you are told ahead of time that certain words cannot appear in the image you are to leave with.

e.g. If someone says anything with the words "blah blah blah" you cannot have access to, but, you can have full access to the image, Unalloc, free sp, etc. After you get the image all instances of those words (I'd imagine this would include any emails also or documents) and files containing those words must not be taken out.

Any suggestions on what you would do?
I saw a post on here about FTK saying you can exclude certain things, but that is only from a search; you would need to exclude those from the image, so after exclusion a reimage or something like that. Not really sure how to go about it.

(Can't delete this post for some reason to start a new one which is worded differently.) Let's say the imaging went fine, now we have a nice DD, .E01, etc. image; now how to exclude the terms is the question.

Appreciate the help.

Edited to better explain.


   
binarybod (@binarybod), Reputable Member, Joined: 17 years ago, Posts: 272

I can't, for the life of me, work out why you would want to acquire an image with exclusions like this.

I'm a police officer used to acquiring evidence and the thought of someone giving me a list of terms that needed to be excluded seems perverse. What if the list included the term 'It was me that committed the crime'? I'd be excluding relevant evidence, surely?

That issue aside, the implication in your question is that you want to copy files and exclude those that contain the specified term(s). This, to my mind, is not an image; an image includes all of the data on the device regardless of the partitions and filesystems. It is my forensic software or the built-in drivers that reconstruct the logical layout of this data when I load it in or mount the image later on. In this context, filtering out data at the sector or cluster level is a bit of a nonsense because you could be removing structures that define the logical layout of the filesystem. For example, removing the sector that contained a directory entry for a file named 'Huckleberry.doc' might mean the loss of other logical data, which means you can't reconstruct the filesystem.

If it is files that you want to copy then a simple grep-like search through the contents will identify those with the undesirable term. The problem with this approach is that you might miss deleted files or files in unallocated space.

OK, now to put aside all the negativity and look at a way forward. In the UK the police are not allowed to view items subject to legal privilege. This includes discussions between legal counsel and their client. I've had a few cases where we have been investigating lawyers for unlawful activity and the computers are suspected of holding evidence. As well as evidence, though, they also contain masses of material subject to legal privilege. The way this is overcome is to employ the services of an independent lawyer who can oversee the acquisition process, which is encrypted, and the lawyer provides a password. Subsequent analysis is done under the supervision of the independent lawyer or by an independent analyst.

Paul


   
(@tricah2), Active Member, Joined: 15 years ago, Posts: 17, Topic starter

There are several reasons, the main being privilege.

Nothing nefarious here, just looking for a way to image the entire drive and exclude instances of certain words or phrases which fall under privilege.

So there may be 2M total items and only 4k that need to be excluded, so I figure there has to be a relatively simple way to exclude specific terms and still get all the other data as well as the unal and free.

I tried to use weird words as opposed to John Smith Esq. or attorney, because john smith was too common. So I figured with a weird word it would make more sense, sorry for that.


   
Earn (@earn), Estimable Member, Joined: 20 years ago, Posts: 146

There are several reasons, the main being privilege.

Nothing nefarious here, just looking for a way to image the entire drive and exclude instances of certain words or phrases which fall under privilege.

So there may be 2M total items and only 4k that need to be excluded, so I figure there has to be a relatively simple way to exclude specific terms and still get all the other data as well as the unal and free.

I tried to use weird words as opposed to John Smith Esq. or attorney, because john smith was too common. So I figured with a weird word it would make more sense, sorry for that.

You should create the image and worry about the exclusions after.


   
(@mscotgrove), Prominent Member, Joined: 17 years ago, Posts: 940

Don't you just need a search and replace to find 'John Smith' and replace it with a string (same length) of XXXXXXX? This can work on a raw disk image.

The danger always is you will hit the string as some control element of the disk, though this chance gets less with longer strings.

You also have the problem if the string is found within compressed files or compressed NTFS, or if the string is over a sector boundary of a fragmented file.


   
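The same-length overwrite described in the post above, with the sector-boundary problem handled, as an added example that is not part of the thread and not code from any poster or forensic tool. It assumes a raw, uncompressed image, matches each term as exact bytes in both its UTF-8 and UTF-16LE forms, and works only on a verified working copy (the source image is never written). The file is read in windows with an overlap of one byte less than the longest pattern, so a term that straddles a window or sector boundary is still found; a 512-byte window is used in the demo to force that case. The hit list and the hash of the redacted copy are returned so they can go into the redaction log. The caveats in the post still apply: hits inside compressed files or NTFS-compressed data are not seen, and a hit that lands in a filesystem control structure will damage that structure.

```python
"""Same-length redaction of keyword hits in a raw (dd-style) image.

Added example for this thread; not code from any poster or forensic tool.
Assumes a raw, uncompressed image, terms matched as exact bytes (UTF-8 and
UTF-16LE forms), and a verified working copy as the only thing written to.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 4 * 1024 * 1024   # default read window, 4 MiB
SECTOR = 512              # used by the constructed sample image only


def byte_forms(term):
    """Byte patterns to search: UTF-8, plus the UTF-16LE form that Windows
    documents, registry data and many mail stores use."""
    return [term.encode("utf-8"), term.encode("utf-16-le")]


def find_hits(path, patterns, chunk=CHUNK):
    """Return sorted (offset, pattern) pairs for every occurrence.

    The last len(longest pattern) - 1 bytes of each window are prepended to
    the next window, so a term straddling a window/sector boundary is found.
    """
    overlap = max(len(p) for p in patterns) - 1
    hits = set()                         # overlap bytes are scanned twice
    with open(path, "rb") as f:
        base, tail = 0, b""              # base: file offset of the next read
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf = tail + data
            buf_base = base - len(tail)  # file offset of buf[0]
            for p in patterns:
                i = buf.find(p)
                while i != -1:
                    hits.add((buf_base + i, p))
                    i = buf.find(p, i + 1)
            base += len(data)
            tail = buf[-overlap:] if overlap else b""
    return sorted(hits)


def redact_copy(src, dst, patterns, filler=b"X", chunk=CHUNK):
    """Copy src to dst, overwrite every hit in dst with same-length filler.

    Lengths and offsets never change, so structures around a hit stay put.
    Returns (hits, sha256 of dst) for the redaction log.
    """
    hits = find_hits(src, patterns, chunk)
    shutil.copyfile(src, dst)
    with open(dst, "r+b") as f:
        for offset, pattern in hits:
            f.seek(offset)
            f.write(filler * len(pattern))
    digest = hashlib.sha256()
    with open(dst, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return hits, digest.hexdigest()


def build_sample_image(path):
    """Constructed 4-sector image (not a real filesystem). One hit sits in
    sector 0; the other starts 5 bytes before the end of sector 1, so it
    straddles the sector 1 / sector 2 boundary."""
    img = bytearray(4 * SECTOR)
    term = b"John Smith Esq"

    def put(offset, data):
        img[offset:offset + len(data)] = data

    put(100, b"note from " + term + b" re the case")   # hit at offset 110
    put(2 * SECTOR - 5, term)                           # hit at offset 1019
    put(3 * SECTOR + 10, b"unrelated text")             # must survive intact
    with open(path, "wb") as f:
        f.write(img)


def run_demo():
    """Build the sample image in a temp dir, redact it with a 512-byte read
    window (so the second hit crosses a window boundary) and return
    (hits, redacted image bytes, sha256)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evidence-copy.dd")
    dst = os.path.join(work, "redacted.dd")
    build_sample_image(src)
    hits, sha = redact_copy(src, dst, byte_forms("John Smith Esq"), chunk=SECTOR)
    with open(dst, "rb") as f:
        return hits, f.read(), sha


if __name__ == "__main__":
    hits, redacted, sha = run_demo()
    for offset, pattern in hits:
        print(f"hit at offset {offset}: {pattern!r}")
    print("redacted image sha256:", sha)
```

Keep the returned hit list alongside the hashes of the source and redacted copies; that record is what lets an independent reviewer confirm that only the listed offsets changed.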
(@tricah2), Active Member, Joined: 15 years ago, Posts: 17, Topic starter

OK, so take the imaging out of the equation. Say the image is done. How, post imaging do you set up the exclusions so that the remainder of data can be taken and viewed but you don't take any files including those search terms?

I seem to remember in FTK you can put in keywords and then bookmark those items, and export the rest of the data, but that method produced so many crashes it wasn't a good method. Exporting 2M data items just isn't efficient.

You can't preprocess and remove items because you don't know where they reside, I'm guessing a lot reside in emails or documents, maybe other places also.

Any suggestions?

There are several reasons, the main being privilege.

Nothing nefarious here, just looking for a way to image the entire drive and exclude instances of certain words or phrases which fall under privilege.

So there may be 2M total items and only 4k that need to be excluded, so I figure there has to be a relatively simple way to exclude specific terms and still get all the other data as well as the unal and free.

I tried to use weird words as opposed to John Smith Esq. or attorney, because john smith was too common. So I figured with a weird word it would make more sense, sorry for that.

You should create the image and worry about the exclusions after.


   
Earn (@earn), Estimable Member, Joined: 20 years ago, Posts: 146

There are lots of ways this could be done. If you use EnCase you can restore (Copy Folders) only the files you want. If you know the paths of the files you want to exclude you could even use something like robocopy to get this done with a move. A Python script could also be used to move or delete the files you don't want. There are all kinds of ways of getting this done. The easiest would be to exclude the files in the tool you use for keyword searching and not restore them.


   
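The file-level approach from the post above (export everything, then move or withhold the files that hit) as an added example; it is not any poster's script and not the output of EnCase, FTK or robocopy. It assumes the files have already been exported from the forensic tool as ordinary files, that each keyword is matched as raw bytes in UTF-8 and UTF-16LE form, and that compound containers (docx/zip, PST) were unpacked beforehand, since a byte search cannot see inside them. Every file is copied into either a produce tree or an exclude tree with its relative path kept, and a CSV manifest records the decision, the SHA-256 and the matched terms per file, which is the record an independent reviewer would check.

```python
"""Split an exported file set into 'produce' and 'exclude' by keyword.

Added example for this thread, not any poster's script or tool output.
Assumes files already exported as ordinary files, keywords matched as raw
bytes (UTF-8 and UTF-16LE), and compound containers unpacked beforehand.
"""
import csv
import hashlib
import os
import shutil
import tempfile


def byte_forms(term):
    """UTF-8 and UTF-16LE byte patterns for one keyword."""
    return [term.encode("utf-8"), term.encode("utf-16-le")]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def matched_terms(path, patterns):
    """Sorted list of keywords found anywhere in the file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({term for term, pat in patterns if pat in data})


def partition_export(export_dir, produce_dir, exclude_dir, terms):
    """Copy every file under export_dir into produce_dir or exclude_dir,
    keeping its relative path; any keyword hit sends the file to exclude.
    Returns sorted manifest rows (relpath, decision, sha256, matched)."""
    patterns = [(t, b) for t in terms for b in byte_forms(t)]
    rows = []
    for root, _dirs, files in os.walk(export_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, export_dir).replace(os.sep, "/")
            hits = matched_terms(src, patterns)
            dest_root = exclude_dir if hits else produce_dir
            dst = os.path.join(dest_root, *rel.split("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)          # copy2 keeps timestamps
            rows.append((rel, "exclude" if hits else "produce",
                         sha256_file(src), ";".join(hits)))
    rows.sort()
    return rows


def write_manifest(rows, path):
    """Decision log as CSV so both trees can be verified later."""
    with open(path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["relative_path", "decision", "sha256", "matched_terms"])
        w.writerows(rows)


def list_tree(root):
    """Sorted relative paths of all files under root ('' if it is absent)."""
    out = []
    for r, _d, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(r, name), root)
            out.append(rel.replace(os.sep, "/"))
    return sorted(out)


def run_demo():
    """Build a constructed export tree in a temp dir, partition it on two
    keywords, return (manifest rows, produced paths, excluded paths)."""
    base = tempfile.mkdtemp()
    export = os.path.join(base, "export")
    sample = {                                # constructed sample files
        "mail/0001.eml": b"From: bob\nSubject: lunch\n\nSee you at noon.\n",
        "mail/0002.eml": b"From: John Smith Esq\nSubject: advice\n\nPrivileged.\n",
        "docs/notes.txt": "Call counsel tomorrow".encode("utf-16-le"),
        "docs/todo.txt": b"buy milk\n",
    }
    for rel, data in sample.items():
        path = os.path.join(export, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    produce = os.path.join(base, "produce")
    exclude = os.path.join(base, "exclude")
    rows = partition_export(export, produce, exclude, ["John Smith Esq", "counsel"])
    write_manifest(rows, os.path.join(base, "manifest.csv"))
    return rows, list_tree(produce), list_tree(exclude)


if __name__ == "__main__":
    rows, produced, excluded = run_demo()
    for row in rows:
        print(*row, sep="\t")
```

The UTF-16LE form matters in practice: the sample notes file only hits because "counsel" is searched in that encoding as well as in UTF-8. Against a real export the keyword hit list from the tool's own index should be treated as the authority where it and this byte search disagree.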
(@tricah2), Active Member, Joined: 15 years ago, Posts: 17, Topic starter

"You can't preprocess and remove items because you don't know where they reside, I'm guessing a lot reside in emails or documents, maybe other places also."

No idea where the files will reside, and guessing, they will reside all over, one here, one there, etc.

Have to be able to exclude hits in UA also but don't want to exclude all of the UA, just the ones containing the keywords.

I'm too new to know anything about Python or writing a script. I know that various software has the functionality to take a list of words, find all instances of those words and say here they are; the goal is how to get all the other 97% of the data exported without any of the keyword data being mixed in.


   
Earn (@earn), Estimable Member, Joined: 20 years ago, Posts: 146

"You can't preprocess and remove items because you don't know where they reside, I'm guessing a lot reside in emails or documents, maybe other places also."

No idea where the files will reside, and guessing, they will reside all over, one here, one there, etc.

Have to be able to exclude hits in UA also but don't want to exclude all of the UA, just the ones containing the keywords.

I'm too new to know anything about Python or writing a script. I know that various software has the functionality to take a list of words, find all instances of those words and say here they are; the goal is how to get all the other 97% of the data exported without any of the keyword data being mixed in.

Once you run your keyword search you will know exactly where the files reside. It shouldn't really matter anyway if you are only "restoring" the files you want and not any that contain the hits you don't.


   
(@tricah2), Active Member, Joined: 15 years ago, Posts: 17, Topic starter

Kovar had posted the item below, and I'm looking for some steps similar to that, but since I don't have paths I can't eliminate pre-process; even if I did have paths, there could be several hundred.

The below method is for crashes; I thought someone might be able to do a similar type 1, 2, 3, 4 for privilege items.

Thank you for all of your replies and help, I look forward to getting back with you with results after some more posts are put up.

From Kovar
Greetings,

You should be able to ignore an entire file. I had to do this when FTK crashed while processing one file on an image. There is an Access Data technical document available somewhere. (It was emailed to me.) Here's what it contains:

FTK Crashes or Hangs on Certain Files

If FTK crashes or hangs on a file you can either exclude the file by refining the evidence or by reindexing the case while ignoring the problem file that FTK is crashing or hanging on.

Please note that you will need to reprocess the case when FTK crashes or hangs on a particular file.

Follow the steps below to exclude the file from the case by selecting the Refine Evidence – Advanced option.

1. From the Add Evidence to Case screen click on Add Evidence and choose the item that you want to add to the case.
2. Click on the Refine Evidence - Advanced button and select the Refine Evidence by File Path tab.
3. Browse to the directory the problem file resides in.
4. Uncheck the directory so that the problem file will be excluded from the case.


   
Page 1 / 3