Announcement

Collapse
No announcement yet.

Raw Disk Viewer | Hex Search

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Raw Disk Viewer | Hex Search

    Hi there,

    I am using OSF 1.2.1003. Using Hex Seaech within the Raw Disk Viewer I discovered kin dof a problem. Searching for certain Hex-String (4 Bytes) within a 160 GB image OSF does not find all files including the string.

    I have allocated files containg the Hex-String. Searching for files in unallocated space (fe deleted files) using the Hex-String which usally identifies this type of files correctly OSF did not come up with all known files.

    PS: Can I define individual search patterns for the file carving option within Deleted File Search. Is there a kind of config file?

    Any idea on this?

    Best regards
    Last edited by Forensik; Jan-11-2013, 04:13 PM.

  • #2
    Can I define individual search patterns for the file carving option within Deleted File Search. Is there a kind of config file?
    Yes, there is a OSForensics FileCarving configuration file.

    Normally it is here if you have installed on C:\ drive,
    C:\ProgramData\Passmark\OSForensics\osf_filecarve. conf

    There is some documentation of the pattern syntax in the header of the file itself.

    Comment


    • #3
      For the hex search issue I have some questions.

      How many results did if find?

      How many were you expecting, the default OSF limit is 1000 results?

      The raw disk viewer might not always be able to associate a file with a sector on the disk. So did the search results turn up the correct disk sector, even if the file name did not appear.

      What file system was this for?

      For the not found results, what type of files were they in. I assume you know that for some file types strings, or hex values might not be in clear text. For example Word .DOCX files are compressed and no strings inside a DOCX file will be searchable from the raw disk viewer.

      Comment

      Working...
      X