For the hex search issue I have some questions.
How many results did it find?
How many were you expecting? The default OSF limit is 1000 results.
The raw disk viewer might not always be able to associate a file with a sector on the disk. So did the search results turn up the correct disk sector, even if the file name did not appear?
What file system was this for?
For the not found results, what type of files were they in? I assume you know that for some file types, strings or hex values might not be in clear text. For example, Word .DOCX files are compressed and no strings inside a DOCX file will be searchable from the raw disk viewer.
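An added example (not from the thread and not PassMark code): a chunked raw search for a 4-byte pattern that reports byte offset and sector, run over a constructed 16-sector image to show the compressed-container effect described in the reply above. The marker `K9#x`, the 512-byte sector size and the image layout are assumptions; the 1000-hit default mirrors the limit mentioned in the reply.

```python
import io
import zipfile

SECTOR = 512  # assumed sector size

def hex_search(stream, pattern, chunk_size=1 << 20, limit=1000):
    """Return absolute byte offsets of pattern, scanning the stream chunk by chunk."""
    hits, base, tail = [], 0, b""
    while len(hits) < limit:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk  # carry over bytes so a hit straddling two chunks is seen
        start = 0
        while (i := buf.find(pattern, start)) != -1 and len(hits) < limit:
            hits.append(base - len(tail) + i)
            start = i + 1
        tail = buf[-(len(pattern) - 1):] if len(pattern) > 1 else b""
        base += len(chunk)
    return hits

def build_image(marker):
    """Constructed image: a plain file at sector 2, a DOCX-like ZIP at sector 8."""
    image = bytearray(16 * SECTOR)
    plain = b"A" * 510 + marker + b" plain text file"  # marker crosses a sector edge
    image[2 * SECTOR:2 * SECTOR + len(plain)] = plain
    info = zipfile.ZipInfo("word/document.xml", date_time=(2013, 1, 11, 0, 0, 0))
    info.compress_type = zipfile.ZIP_DEFLATED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"<w:t>" + marker + b" quarterly report </w:t>" * 40)
    container = buf.getvalue()
    image[8 * SECTOR:8 * SECTOR + len(container)] = container
    return bytes(image), container

def members_containing(container, pattern):
    """Search the decompressed members, which a raw sector scan cannot see."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        return [n for n in zf.namelist() if pattern in zf.read(n)]

if __name__ == "__main__":
    marker = b"K9#x"  # constructed 4-byte pattern
    image, container = build_image(marker)
    for off in hex_search(io.BytesIO(image), marker, chunk_size=SECTOR):
        print(f"raw hit at offset {off}, sector {off // SECTOR}")
    print("found only after decompression:", members_containing(container, marker))
```

The raw scan reports the plain file only; the copy inside the deflated member shows up only once the container is decompressed.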
Raw Disk Viewer | Hex Search
Can I define individual search patterns for the file carving option within Deleted File Search? Is there a kind of config file?
Normally it is here if you have installed on C:\ drive,
C:\ProgramData\Passmark\OSForensics\osf_filecarve.conf
There is some documentation of the pattern syntax in the header of the file itself.
Raw Disk Viewer | Hex Search
Hi there,
I am using OSF 1.2.1003. Using Hex Search within the Raw Disk Viewer I discovered kind of a problem. Searching for a certain Hex-String (4 Bytes) within a 160 GB image, OSF does not find all files including the string.
I have allocated files containing the Hex-String. Searching for files in unallocated space (e.g. deleted files) using the Hex-String, which usually identifies this type of file correctly, OSF did not come up with all known files.
PS: Can I define individual search patterns for the file carving option within Deleted File Search? Is there a kind of config file?
Any idea on this?
Best regards
Last edited by Forensik; 01-11-2013, 04:13 PM.