
Student Project

7 Posts
6 Users
0 Reactions
459 Views
(@knitgnosis)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

Hi. I'm currently a student at Carnegie Mellon and I am working on a project for federal law enforcement. We are looking to develop a tool that will batch scan an inventory of forensic images, pull out metadata, and dump that data into a database. Hopefully, this database will help with correlating evidence by displaying cases that may be related to the case the examiner is working on. For example, you can search the database for all Windows operating systems that contain this image file, or word document, and be able to look up that case and apply it to the current one.

I just wanted to check and see if there are any tools available that may already do this process, or at least some of the steps. I found the tool MetadataMiner Catalogue, which looks like it will be good for gathering the metadata and creating a .csv file that can be imported to a database. However, this program costs a considerable amount of money, and we have a very fixed budget to work with.

Also, are there any good places to download sample forensic images? I tried searching the forums but didn't find much. We want to make sure our program works across all kinds of forensic images such as .img, .dd, .vmdk, etc. Therefore, having some sample images to test against would be very helpful.


   
Quote
lucpel
(@lucpel)
Trusted Member
Joined: 14 years ago
Posts: 55
 

Do you mean the image details? Because exporting the metadata of all files of all cases would be endless. Personally, I use Autopsy and EnCase for this purpose, and have developed a very old-fashioned SQL DB where I add relevant things, and it sometimes helps me a lot.
You could extract your own image files for testing purposes.


   
ReplyQuote
(@knitgnosis)
New Member
Joined: 14 years ago
Posts: 2
Topic starter  

Not all metadata, just the things that would be most relevant, such as date/time, OS type, file creator. We're not really sure what metadata to extract until we talk with their investigators to see what they want. We just need to find some tool that will automate the process.

Basically, we will tell the tool: look for this type of data, scan a list of images; if it finds that data, it can report back saying which image contained what, and then dump that into a database.


   
ReplyQuote
(@chrism)
Trusted Member
Joined: 16 years ago
Posts: 97
 

You can export a list of folders and their file content using FTK Imager I believe.

There might be a way to run the DOS command 'tree' against the mounted images, but I am not sure that would export the metadata too. Good luck.


   
ReplyQuote
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

So you're at Carnegie Mellon, not FLETC, why software for Federal law enforcement and not software for the forensic community?

> Hi. I'm currently a student at Carnegie Mellon and I am working on a project for federal law enforcement. We are looking to develop a tool that will batch scan an inventory of forensic images, pull out metadata, and dump that data into a database. Hopefully, this database will help with correlating evidence by displaying cases that may be related to the case the examiner is working on. For example, you can search the database for all Windows operating systems that contain this image file, or word document, and be able to look up that case and apply it to the current one.
>
> I just wanted to check and see if there are any tools available that may already do this process, or at least some of the steps. I found the tool MetadataMiner Catalogue, which looks like it will be good for gathering the metadata and creating a .csv file that can be imported to a database. However, this program costs a considerable amount of money, and we have a very fixed budget to work with.
>
> Also, are there any good places to download sample forensic images? I tried searching the forums but didn't find much. We want to make sure our program works across all kinds of forensic images such as .img, .dd, .vmdk, etc. Therefore, having some sample images to test against would be very helpful.


   
ReplyQuote
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

Depends what you're after, but in a Win environment ListIt http://www.forensictools.com.au/listit/index.html does what I need it to do.

OK, doesn't read direct from forensic images but you can easily mount from FTK Imager and run the tool against the mounted image.

Save in csv with auto-view in Excel and convert from there?

ListIT costs circa $30 (US), FTKI is free.

HTH


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

You could do this with Python, MySQL, and Mount Image Pro. I started writing a Python program that would sequentially mount images using MIP, extract registry information using RipXP, and do some other things.

I could easily integrate analyzeMFT into it to pull most of the metadata you mention, and use the Python registry library to get the rest.

As for the images, I'd just create my own. Then you know exactly what is in them, and how they were created.

-David


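Putting the original poster's design (batch scan mounted images, record metadata, correlate cases) together with David's suggestion of Python plus a database, the following is an added example written for this thread; it is not code from any poster or from any of the tools named above. It assumes each image has already been mounted as a directory (with FTK Imager or Mount Image Pro, as the replies suggest), uses SQLite instead of MySQL so it runs offline, and its schema, the os_type heuristic and the two fake "images" it builds are all constructed for illustration.

```python
"""Index file metadata from mounted forensic images into SQLite and
correlate cases by content hash (added example, not from the thread).

Assumptions: images are already mounted as plain directories; SQLite
stands in for MySQL; the os_type guess is a crude placeholder for real
registry / os-release parsing; sample data below is constructed.
"""
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS cases (
    case_id    TEXT PRIMARY KEY,
    mount_root TEXT NOT NULL,
    os_type    TEXT
);
CREATE TABLE IF NOT EXISTS files (
    case_id   TEXT NOT NULL REFERENCES cases(case_id),
    rel_path  TEXT NOT NULL,
    size      INTEGER NOT NULL,
    mtime_utc TEXT NOT NULL,
    sha256    TEXT NOT NULL,
    PRIMARY KEY (case_id, rel_path)
);
CREATE INDEX IF NOT EXISTS idx_files_sha256 ON files(sha256);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def guess_os_type(mount_root):
    # Placeholder heuristic for the "OS type" field the poster wants;
    # a real tool would parse the SOFTWARE hive or /etc/os-release.
    if os.path.isdir(os.path.join(mount_root, "Windows", "System32")):
        return "windows"
    if os.path.isfile(os.path.join(mount_root, "etc", "os-release")):
        return "linux"
    return "unknown"


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_image(conn, case_id, mount_root):
    """Walk one mounted image and record every regular file's metadata.
    Returns the number of files indexed."""
    conn.execute("INSERT OR REPLACE INTO cases VALUES (?, ?, ?)",
                 (case_id, mount_root, guess_os_type(mount_root)))
    count = 0
    for dirpath, _dirs, names in os.walk(mount_root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, devices, sockets
            st = os.stat(full)
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            rel = os.path.relpath(full, mount_root).replace(os.sep, "/")
            conn.execute("INSERT OR REPLACE INTO files VALUES (?, ?, ?, ?, ?)",
                         (case_id, rel, st.st_size, mtime, sha256_of(full)))
            count += 1
    conn.commit()
    return count


def correlate_by_hash(conn, min_cases=2):
    """Hashes present in at least min_cases distinct cases, as a sorted
    list of (sha256, [case_id, ...]) - the cross-case lookup asked for."""
    rows = conn.execute(
        "SELECT sha256, GROUP_CONCAT(DISTINCT case_id) FROM files "
        "GROUP BY sha256 HAVING COUNT(DISTINCT case_id) >= ? ORDER BY sha256",
        (min_cases,))
    return [(h, sorted(c.split(","))) for h, c in rows]


def cases_with_file(conn, sha256):
    """Which cases hold a file with this content, under which path, on which OS."""
    return conn.execute(
        "SELECT f.case_id, f.rel_path, c.os_type FROM files f "
        "JOIN cases c USING (case_id) WHERE f.sha256 = ? ORDER BY f.case_id",
        (sha256,)).fetchall()


def build_sample_images():
    """Constructed sample data: two fake mounted images sharing one document."""
    root = tempfile.mkdtemp(prefix="fake_images_")
    layout = {
        "case-001": {"Windows/System32/cmd.exe": b"MZ fake binary",
                     "Users/alice/Documents/report.docx": b"PK shared document"},
        "case-002": {"etc/os-release": b"ID=debian\n",
                     "home/bob/report_copy.docx": b"PK shared document"},
    }
    for case_id, files in layout.items():
        for rel, data in files.items():
            p = os.path.join(root, case_id, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as fh:
                fh.write(data)
    return root, sorted(layout)


def demo():
    root, case_ids = build_sample_images()
    conn = open_db()
    for cid in case_ids:
        scan_image(conn, cid, os.path.join(root, cid))
    return conn, correlate_by_hash(conn)


if __name__ == "__main__":
    conn, hits = demo()
    for h, cases in hits:
        print(h[:16], "seen in", cases)
        for case_id, path, os_type in cases_with_file(conn, h):
            print("   ", case_id, os_type, path)
```

Hashing every file is what makes the correlation independent of filenames, which is why the shared document is found even though it lives under different names in the two images; for a real inventory, point scan_image at each mount point in turn and keep the database on disk rather than in memory.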