I created an index containing, emails, attachtments, pdfs, .... Then I searched the index using case related keywords. Now I am not sure whether OSF will find pdf-documents containing the keywords in unallocated areas. I am able to carve these files manually. But I am not sure whether OSF carves the pdf, decodes ist and finds the keyword within the unallocated space?
Announcement
Collapse
No announcement yet.
Search Index Behaviour
Collapse
X
-
The indexing function can index unallocated space. It does this by doing a string extraction (ASCII and Unicode) on the free clusters on the disk.
But if the free space contains, for example, remains of compressed Zip file, the contents of the Zip file will not be indexed as it will look like random binary data on the disk.
So if there are a lot of deleted files that can be carved intact, and they contain textual information (like PDFs & DOCX files) then it is best to do a carve on the disk first, undelete them all to a temp folder, then make an index of the temp folder.
-
Hi David!
Thanks for your response. One additional question comes to my mind. Searching in unallocated space leads to results named by cluster addresses (LCN). Is there any way to hash the data? Would be great. Because than I can proof no data was changed when the content of this clusters was exported to some other software like a hex-viewer.
Comment
Comment