Announcement

Collapse
No announcement yet.

Searched Files export

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Searched Files export

    Dear Sirs,
    how can I export from File Name Search all of the founded files to the new location?
    I would like copy all of documents (.pdf, . doc., .odf, ) to an new folder from the suspected disk.
    The forensic copy is can copy only one folder to one folder..
    The FTK and other tools can export the searched files.

    Sorry my english.

    Thank your help!

  • #2
    You should be able to select the files you want (or use CTRL-A) to select all files.
    Then copy the files with CTRL-C
    Then go to Windows Explorer and paste the files with CTRL-V

    Note that there is potential for conflict in doing this. If you for example try and copy multiple files with the same name, from different folders all to the same folder. (i.e. you can't have multiple files all with the same name in the same folder).

    Another option is to select the files then right click to add the files to the case. If you do this, then the files are copied to the case folder. But you also get some additional meta data files. If you do this, then the files get placed into separate folders, which avoids any name collisions. Folders are typically here,
    C:\Users\<User_Name>\Documents\PassMark\OSForensic s\Cases\<Case_Name>\Files

    The additional meta data files might be of interest to you or it might not. They have hashes, dates, times, original file path, etc...

    Internally they are XML files like this,

    <?xml version="1.0" encoding="UTF-8" ?>
    <OSFCaseMetaInfo Type="File">
    <!--OSForensics Case Meta Info File-->
    <OSFVersionInfo MajorVersion="2" MinorVersion="0" Build="1001" />
    <Title></Title>
    <Notes></Notes>
    <FileName>Decorative_Scatter.ai</FileName>
    <Module>File Name Search</Module>
    <AddedToCase TimeZone="UTC" Year="2013" Month="9" Day="19" Hour="20" Minute="36" Second="40" />
    <SHA1>104DDD063A34503B3C68A93D54947A131E08CC1F</SHA1>
    <SHA256>ABE6C8FA4C6D56DE692383EC52C747129617CC95C1 7A92F4C8CB5821EBE83BF0</SHA256>
    <MD5>092A0ED01B8A880DB1D6868F8B4FAFFE</MD5>
    <OrginalPath>C:\Program Files\Adobe\Adobe Illustrator CS6 (64 Bit)\Presets\en_US\Brushes\Decorative\Decorative_S catter.ai</OrginalPath>
    <Extension>ai</Extension>
    <Size>63285</Size>
    <CreateTime dwHighDateTime="30195248" dwLowDateTime="1085390592" />
    <ModifiedTime dwHighDateTime="30195248" dwLowDateTime="1085390592" />
    </OSFCaseMetaInfo>


    If this doesn't work for some reason, then please get back to us.

    Comment


    • #3
      Hi David,
      thank you the info.
      The copy and paste is no way, when I have more files than 100.

      I was try this copy and paste and I got this message:
      "You have selected to copy more than 100 files to clipboard. Only the first 100 have been copyed."

      I was used Paraben P2Commander , before OSForensic, and on P2C I can make an simple sorting or searching and I could export all selected items to an new folder with hashing.
      I think this is an good new feature in the new version of OSForensic

      Comment


      • #4
        Hi, I was try this method, but this is dont work.
        When I added the selected files to the case, this is not copyed to the case folder.
        The OSForensic generated only an html file like this:

        Timezone: GMT +2:00
        13_2009_M szerződés magyar fordítás.doc
        Location: K:\Új mappa\Kassa\Szerződések
        Size: 35.50 KB, Created: 2009.09.08., 14:27, Modified: 2009.09.08., 14:57 Accessed: 2011.05.23., 12:38

        1fejezet.doc
        Location: K:\Deltech\Autodesk AutoCAD Mechanical v2007\Okosság\egyetemi_jegyzet
        Size: 1.74 MB, Created: 2010.01.16., 17:46, Modified: 2007.04.26., 22:15 Accessed: 2011.05.23., 12:23

        2008.1.doc
        Location: K:\Új mappa\Cégismertető
        Size: 32.34 MB, Created: 2008.02.07., 16:37, Modified: 2008.08.27., 10:53 Accessed: 2011.05.23., 12:37


        Comment


        • #5
          I forgot about the 100 file limit. It is too small by today's standard. We'll increase the limit to 10,000 in the next patch release.

          For the add to case option, I think you are selecting the wrong option from the right click menu.
          I think you picked the option, "Export list of selected items to HTML". This is not what you want.

          What you want is this option, "Add to Case - Files".
          Or you can select use CTRL-S from the keyboard after the desired files are selected. This does the same thing as "Add to Case - Files".

          Comment


          • #6
            OK, Its work.

            I made an mistake I selected the "Add to Case - List to All Items"....

            The "Add to Case - Files" option is copying to an random named folder like this:

            \OSForensic\Files\
            \0F842342EC4C304B6E3A99B0D80DF962
            \1B9603A44CD211948A4ABF12DC8C5F70


            Can you add an new export feature on the future version of OSF like this:

            Source folder name: c:\Documents And Settings\Documents\Text\
            The destination folder (after exporting) name is this: c_Documents And Settings_Documents_Text NOT an randomly generated string.
            Is this possible?

            Comment


            • #7
              The 'random' folder names aren't in fact random. They are a MD5 hash of the path. They do look random however.

              Your suggestion won't work in all cases because

              A) It would result in very long folder names, which would in turn result in a overflow of the maximum path / file name length restrictions in Windows. (the max length for a path is a complex affair in Windows, sometimes it is just 260 characters, but other times it is 32,767 characters)

              B) It doesn't deal with source folders names that contain an underscore.

              C) As a result of B) you can get name conflicts. For example with these 2 folders.
              C:\temp_files\
              C:\temp\files\

              Comment

              Working...
              X