Scenario
You'd like to do a keyword search -- not only within user documents, but within deleted items, as well. We will need to extract unallocated space, first and foremost.
The Solution
Boot up a Linux VM (I chose Ubuntu) and install The Sleuth Kit:
- sudo apt-get install sleuthkit
If you are working with a non-raw container (E01, AFF), use xmount to "convert"* it to a dd image. Split images can be accounted for by using questions marks:
- sudo apt-get install xmount
- sudo xmount --in ewf ~/image.e?? /mnt/foo
Use mmls to find the offset of the partition for which you'd like to extract the unallocated space (using our newly created .dd image as input):
- mmls /mnt/foo/image.dd
Using the starting sector of the desired partition as the offset, run blkls and output the unallocated space to a file:
- sudo blkls -o 411648 /mnt/foo/image.dd > ~/Evidence/image.unalloc
Thanks to @chadgough for spurring this post.
-4n6k
*It's not actually a conversion; it's a representation of the original image.
References
1. The Sleuth Kit
2. xmount
0 comments:
Post a Comment