Extraction of User Created Content For Dummies

7 Posts
4 Users
0 Likes
640 Views
(@cs1337)
Posts: 83
Trusted Member
Topic starter
 

Hello Forensic Focus Team,

I'm hoping you can provide some insight to what I am looking for.

I am looking for an easier method of running an isolation and extraction of user created content from a DD or E01 image. Generally we have a set list of file extensions and we use FTK to Tag and Export while maintaining all file / folder paths and metadata.

Is anyone aware of or currently using a cheaper and easier method of isolation and extraction?

I have a few ideas of using a program called Safecopy along with a file extension filter but I wasn't sure if there was something a little better than this.

Let me know what you think.

Someone told me about encase scripts but I am trying to avoid the need to use FTK or Encase. I do have a dongle for Encase v6 and FTK v3 If necessary.

Thank you in advance for any help you can provide.

 
Posted : 30/12/2014 4:11 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

For NTFS filesystems - a first approach is anything owned by the SID of the user account of interest.

 
Posted : 30/12/2014 9:38 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I get this right, csalm1337 asked about HOW (which program/method to use), whilst pbobby answered about the WHICH (which files to save/export).

On the other hand I am completely failing at understanding the actual goal. 😯 i.e. the WHAT.

Safecopy, I believe you mean this:
http://safecopy.sourceforge.net/
which is more a "RAW" copier with direct access to disk/device for data recovery purposes.

And I am at a loss understanding which specific metadata are you willing to "keep".

Or are you meaning this safecopy?
http://www.elwinsoft.com/safecopy-free.html

Can you try to expand on the matter?

jaclaz

 
Posted : 30/12/2014 3:55 pm
(@athulin)
Posts: 1156
Noble Member
 

"I am looking for an easier method of running an isolation and extraction of user created content from a DD or E01 Image. Generally we have a set list of file extension and we use FTK to Tag and Export while maintaining all file / folder paths and metadata.

Is anyone aware or currently using a cheaper and easier method of isolation a extraction?"

Cheaper … in terms of what? Time? Effort? License costs?
Easier … again, in terms of what?
Are there other aspects that you want covered as well, such as false positive/false negative ratios? (i.e. extracting more or less than you want?)

Does your description match the full workflow, or is it just what you do now? I.e. do you want something that should work on E01/DD files, or are you looking for something that does also the imaging part.

"Someone told me about encase scripts but I am trying to avoid the need to use FTK or Encase. I do have a dongle for Encase v6 and FTK v3 If necessary."

Does that mean you don't use either tool to filter out files with known hashes before you do the extraction? If you don't do any selection (say, look only in user home directories and generally writeable areas), some kind of known file filtering might be useful (i.e. look at known hashes, look at signed files with known signatures, etc.)

 
Posted : 30/12/2014 5:02 pm
(@cs1337)
Posts: 83
Trusted Member
Topic starter
 

Hello,

Sorry let me elaborate.

In regards to Safecopy I am referring to Pinpoint Labs SafeCopy:

http://pinpointlabs.com/sc2.html

We currently use kCura Relativity Collections to perform remote forensic collections.

Once we have the forensic image we would generally perform an isolation and extraction to pull out user content. We don't want to be processing system files / program files; even though our processing tools have an updated NIST filter, it's a waste of processing power. We generally base the isolation and extraction off set file extensions agreed upon with the client.

We then ingest this data into our eDiscovery tool which will index/ocr everything so we can further date cull and keyword search it/ prepare for export into Relativity for Review.

I am looking for a tool to help me "standardize" the isolation and extraction portion with using a set list of file extensions. I was curious if people had any tools in their arsenal they could suggest.

We do have FTK and Encase expired dongles, but I wouldn't trust someone who has never used those tools to crack open a forensic image and perform an isolation and extraction.

Safecopy can work for this and has a pretty simple straightforward interface. I wanted to see if there were any other options.

Let me know if this makes a little more sense?

 
Posted : 31/12/2014 4:14 am
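The workflow cs1337 describes (walk a mounted image, keep only files whose extension is on the client-agreed list, preserve folder paths and timestamps, and record hashes so the copy can be verified) is simple enough to script without a licensed suite. The script below is an added example written for this thread; it is not Pinpoint SafeCopy, FTK or EnCase code. It assumes the DD/E01 image has already been mounted read-only at a path passed as the first argument (the mount step itself is outside the script), and the extension list and the top-level directories it skips (Windows, Program Files, $Recycle.Bin) are constructed defaults to be adjusted per engagement.

```python
"""
Extension-based isolation and extraction with path and metadata preservation.

Assumption (not from the thread): the forensic image is already mounted
read-only, e.g. via ewfmount/xmount plus a loop mount, at SOURCE_ROOT.
"""
import csv
import hashlib
import os
import shutil
import sys
from pathlib import Path

# Constructed sample of the "set list of file extensions agreed upon with the client".
DEFAULT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".pst"}
# Constructed set of top-level directories holding OS/application files rather
# than user content; pruning them is what saves the processing effort.
DEFAULT_SKIP_DIRS = {"Windows", "Program Files", "Program Files (x86)", "$Recycle.Bin"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large PSTs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def isolate_and_extract(source_root, dest_root,
                        extensions=DEFAULT_EXTENSIONS, skip_dirs=DEFAULT_SKIP_DIRS):
    """Copy every matching file under source_root to dest_root, keeping the
    relative folder path and timestamps (shutil.copy2), and return a manifest
    (list of dicts) holding the source hash and the post-copy hash."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    manifest = []
    for dirpath, dirnames, filenames in os.walk(source_root):
        rel_dir = Path(dirpath).relative_to(source_root)
        # Prune OS/application directories, but only at the top level of the volume.
        if rel_dir == Path("."):
            dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            src = Path(dirpath) / name
            # Case-insensitive extension match; symlinks are skipped so a link
            # out of the user area cannot pull in something off-list.
            if src.is_symlink() or src.suffix.lower() not in extensions:
                continue
            dst = dest_root / rel_dir / name
            dst.parent.mkdir(parents=True, exist_ok=True)
            src_hash = sha256_of(src)
            shutil.copy2(src, dst)  # copy2 also copies mtime/atime and mode bits
            st = src.stat()
            manifest.append({
                "relative_path": str(rel_dir / name),
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256_source": src_hash,
                "sha256_copy": sha256_of(dst),
            })
    return manifest


def write_manifest(manifest, csv_path):
    """Write the manifest as CSV for the eDiscovery ingest / chain-of-custody record."""
    fields = ["relative_path", "size", "mtime", "sha256_source", "sha256_copy"]
    with open(csv_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=fields)
        writer.writeheader()
        writer.writerows(manifest)


def verify(manifest) -> bool:
    """True when every copied file hashes identically to its source."""
    return all(e["sha256_source"] == e["sha256_copy"] for e in manifest)


if __name__ == "__main__":
    source, dest = sys.argv[1], sys.argv[2]
    entries = isolate_and_extract(source, dest)
    write_manifest(entries, Path(dest) / "manifest.csv")
    print(f"{len(entries)} files extracted; hashes verified: {verify(entries)}")
```

Run it as `python extract.py /mnt/image /cases/1234/extracted`. The manifest records both the source and copy hashes, so the extraction can be re-verified later without re-mounting the image, and the original mtimes survive because `copy2` copies the stat information along with the bytes; NTFS-specific attributes (owner SID, alternate data streams, MFT creation time) are not carried over by a plain file copy, which is the main thing a forensic suite's export adds on top of this.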
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am still missing (clearly) something. 😯

That Pinpoint Labs SafeCopy tool seems to me like little more than a simplified Robocopy (or *any* similar utility, like - say - STRARC) GUI version. It seems from the video that you choose a user folder and the tool copies its contents to a selected destination (good), that it is multithreaded and supposedly can resume from errors and can create/check MD5's, but I am failing to see in it any particular "feature".

You know, *like*
http://digital-forensics.sans.org/blog/2009/01/08/robocopy-a-computer-forensics-tool

jaclaz

 
Posted : 31/12/2014 8:00 pm
(@cs1337)
Posts: 83
Trusted Member
Topic starter
 

Wanted to Update this Thread.

I am going to be Demoing Pinpoint Harvester soon. It looks to do everything I will need.

I'll let you all know if there is anything else worth checking out.

 
Posted : 13/01/2015 11:43 pm