Hi everyone,
I am struggling with what should be a rather simple issue. I need to perform a massive keyword search across an E01 image and see what documents/files appear that have been deleted in the past.
This can be done using Paraben's P2 Commander, but it crashes ("exception thrown" error message on ALL of my machines and Paraben cannot provide any solution for it, happens on nearly all forensic images). So, I've switched to using Autopsy, but that crashes with a black or white screen sometime during the Ingestion phase.
I don't have enough business yet to justify buying anything from Guidance, so I am at a loss.
Do any of you know of any very stable forensic software – open source or affordable – that I might be able to use to get past this?
Thank you all!
X-Ways Forensics. IMO it is the fastest at doing the kinds of searches you are interested in. Even if it does crash, it knows where it left off and will continue from there.
You can't go wrong with X-Ways (and it's 1/2 the cost of EnCase and updated 10x as often with new features).
PM me if you like, I can set you up with a trial of OSForensics to try out searching on the E01 image.
A terribly slow but functional hack would work for pure ASCII search if you converted the E01 to raw/dd and searched that using grep.
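The grep-over-raw-image approach described above, written out in Python as an added example (not code from any poster) so that it also catches the UTF-16LE form of a keyword that a pure ASCII grep misses. It assumes the E01 has already been exposed as a raw image (for instance with libewf's ewfmount) and searches it in overlapping chunks; the sample image is constructed in memory so the script runs offline.

```python
import io
import re


def encodings_for(keyword: str) -> dict:
    """Byte forms a keyword takes on a Windows image: plain ASCII, and
    UTF-16LE as used by NTFS metadata and Office/registry artefacts."""
    return {"ascii": keyword.encode("ascii"),
            "utf-16le": keyword.encode("utf-16-le")}


def search_image(stream, keyword: str, chunk_size: int = 1 << 20, context: int = 16):
    """Yield (encoding, absolute_offset, context_bytes) for every hit.
    Chunks overlap by (longest pattern - 1) bytes so a keyword straddling a
    chunk boundary is still found; a hit seen twice in the overlap is dropped.
    Matching is case-insensitive (byte-wise ASCII folding also works for UTF-16LE).
    """
    pats = {n: re.compile(re.escape(p), re.IGNORECASE)
            for n, p in encodings_for(keyword).items()}
    overlap = max(len(p) for p in encodings_for(keyword).values()) - 1
    seen, pos, tail = set(), 0, b""
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf, base = tail + data, pos - len(tail)
        for name, rx in pats.items():
            for m in rx.finditer(buf):
                off = base + m.start()
                if (name, off) not in seen:
                    seen.add((name, off))
                    yield name, off, buf[max(0, m.start() - context):m.end() + context]
        pos += len(data)
        tail = buf[-overlap:] if overlap else b""


def build_sample_image() -> bytes:
    """Constructed 1 KiB 'image': an ASCII filename in slack space plus the
    same word stored as UTF-16LE, which an ASCII-only grep would miss."""
    img = bytearray(1024)
    img[100:124] = b"deleted_contract_v2.docx"
    img[700:716] = "Contract".encode("utf-16-le")
    return bytes(img)


def find_keyword(image: bytes, keyword: str, chunk_size: int = 1 << 20):
    """Return [(encoding, offset), ...] for a keyword in an in-memory image."""
    return [(enc, off) for enc, off, _ in
            search_image(io.BytesIO(image), keyword, chunk_size)]
```

On a real raw image, pass an open file object to `search_image` instead of the `BytesIO`; the offsets it reports are absolute byte offsets into the image, usable directly in a hex viewer.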
Alternatively, you can look into Nuix's ProofFinder. It is $100. "[T]otal cumulative expanded data is limited to 15GB."
dtSearch Desktop is $200. Supports not just ASCII and Unicode, but many application-specific file types, including various mailboxes.
There are a number of possible freeware solutions…
Digital Forensics Framework (DFF) - http//
Autopsy - http//
Bulk_extractor - here's a reference http//
Samuel1, I would like to second "keydet89's" suggestion idea of the Bulk_Extractor by Dr. Garfinkel. I am guessing that your need is immediate so I will only direct you to some other on-line resources that Keydet89 may not be aware of.
Dr. Garfinkel has attended and presented at the Open Source Digital Forensics Conference on his Bulk_Extractor tool for the last two (2) years, and he is also presenting at this year's conference. Here is a link to the first three years' conference website, where you will find the presentations from past years listed under the program selection of the listed year.
Here is the description of this presentation from this link:

bulk_extractor: A Stream-Based Forensics Tool

bulk_extractor is a high-performance carving and feature extraction tool. Instead of operating on individual files, bulk_extractor scans an entire disk image from beginning to end and extracts salient details that are of use in the typical digital forensics investigation. The tool demonstrates a new approach to computer forensics—stream-based forensics—which eschews file extraction and instead relies on parallelizable operations performed on bulk data. This tool has given us a high-performance platform that has allowed us to explore new forensic ideas such as memory carving, histogram analysis, and context-based stop lists. Although bulk_extractor was developed as a prototype, it has proved useful in actual police investigations, two of which we recount.
At this link you will also find the Dr.'s presentation slides. Samuel1, since you are also in the continental United States, you may want to attend this year's conference; here is a link to the new website for this year's conference.
You will notice that Dr. Brian Carrier's company (Basis Technology) is the major sponsor of this conference. I hope that this information helps in providing more useful information in order to tackle your needs.
Hwallbanger )
Samuel1, I'd love to hear more about the Autopsy crash. Can you contact me to get some logs to help debug it?