Bruce Nikkel search_sort.pdf
Card deck details
| Cards | 8 |
|---|---|
| Language | English |
| Category | Computer science |
| Level | University |
| Created / Updated | 20.06.2019 / 01.07.2020 |
| Web link | https://card2brain.ch/cards/20190620_bruce_nikkel_searchsort_pdf |
When searching, what do you search for?
Searching for what?
- something you know
- something you don't know
- search file names
- search file content
What are the challenges when performing a search?
Challenges:
- too many hits
- hidden content (steganography) is not found
- protected content (steganography) is not found
- compound files (zip, tar, attachments, embedded) are harder to search - they need to be extracted first
- proprietary file formats - hard to search because it is unknown how to search them
What sleuthkit command can be used to search?
fls
fls outputs a large file list, including deleted files, across multiple partitions/drives/PCs
What two GNU commands can be used for searching?
GNU grep
GNU find
What UNIX command can you use to extract strings from images?
UNIX strings
- strings -td image.dd (the -td option prints the decimal byte offset of each string)
- strings -td -e l image.dd (the -e l option selects 16-bit little-endian encoding, e.g. for UTF-16 strings)
- strings -td partition.dd | grep keyword
What is the sleuthkit version of the strings command and what benefits does it have?
Sleuthkit has "srch_strings", its own version of the strings command.
The offset is given in bytes, so you can calculate the block and find the inode.
You can feed metadata into an SQL database for fast searching:
- tsk_loaddb image.dd
Searching and indexing are very advanced in commercial tools.
What is a hash database and why is it useful?
In a hash database the hashes of individual files are stored. This can be used to:
- find or ignore matching file sets using hash values
- Lists of hashes of known system files are available so that those files can be excluded from searches and analysis; the NSRL is an example of a list of known "good" files.
- Own custom databases of hashes of good and bad files can be created.
Some agencies have special hash databases to find illegal materials.
What does the sleuthkit sorter do?
The sleuthkit sorter:
- creates a report of identified files (incl. deleted): sorter -d . partition.dd
- sorted extraction of files: sorter -s -d . partition.dd
- sorter only including files from a hash database (alert database): sorter -a contraband.db -d . partition.dd
- sorter excluding files in the NSRL database: sorter -n nsrl_db -d . partition.dd
It is a configurable Perl script that uses multiple TSK tools.