Super Timeline Creation

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #1

    Hello,

    I would like to create a super timeline report of all files I have ingested and indexed in an OSForensics case.

    I first mounted a forensic image file of a 32GB USB thumb drive using FTK Imager.

    I then pointed OSForensics at the mounted drive of the forensic image file.

    I would like to generate a report of all of the files that OSForensics indexed for the case that includes such metadata as File Name, Date Created, Date Accessed, and Date Modified.

    The goal of the report is to be able to determine which files were created on the original evidence USB thumb drive before and after certain key dates.

    I have tried running a search for "*.*" (without the quote marks), in an attempt to return all files that are on the thumb drive, but I am not certain that this particular search is returning all files.

    Is there a better method to achieve my goal?

  • #2
    You don't need to use FTK to mount an image file. OSF can directly access it.

    While you could use the indexer and it should mostly work, you would risk missing some files, depending on the options selected in the indexer. Also it will be way slower than need be, as you will be indexing all the file's content, even when you don't care about the content.

    A better option would be to use the "Create Signature" function to get a list of all files. Then import the result to Excel and sort by date.


    • #3
      Originally posted by David (PassMark)
      David,

      Thanks for the tip!

      How can OSForensics directly access the E01 image file? In the "Create Index" option, I only see choices of indexing a drive letter such as "C" or a "Specific Folder". I do not see an option to select a specific image file. Other forensic applications do allow me to select the *.E01 file to ingest. Do I simply choose the "Specific Folder" containing the forensic image file?

      I am testing the file listing / signature creation option now by selecting the folder that holds the forensic image files.

      I definitely need to create a searchable index of the contents of the forensic image file as well.

      Please advise.


      • #4
        Originally posted by David (PassMark)
        David,

        I think I answered my own question - I first need to use the "Add Device" function in OSForensics and choose the "Image File" option. Then, when I go to create an index, the forensic image file I just added comes up as an option.


        • #5
          Add Device screenshot

          Yes, to access an E01 image, you need to add a device. See the screenshot below for details.


          • #6
            File Listing screenshot

            If you just need a file listing with dates, the "Create Signature" module is the fastest option.
            On my system it was able to list around 200,000 files in about 15 seconds.
            (Turn off hashing to make it run quicker.)

            Given it is so quick to do, I would suggest doing this file list and also creating an index of the content.


            Here is a screen shot.
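The thread ends with the suggestion to export a file listing with dates and sort it in Excel to see what was created before and after key dates. The script below is an added example of that workflow done outside OSForensics, written for this page and not taken from the thread or from PassMark: it walks a directory tree (for instance a forensic image mounted read-only), records name, size and created/modified/accessed timestamps per file, writes them as CSV, and filters the rows to a date window. The directory layout, file names and dates in the sample tree are constructed for the demo. Two caveats a practitioner would want are coded in: the image must be mounted read-only, or the walk itself will rewrite access times, and on Linux `st_ctime` is the inode change time rather than the creation time, so the creation column is only reliable on Windows, macOS and other platforms that expose `st_birthtime`.

```python
"""Minimal file timeline for a directory tree (e.g. a read-only mounted image).

Added example for this page; not OSForensics or PassMark code.  Sample data is
constructed by make_sample_tree() so the script runs offline.
"""
import csv
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

TIME_FIELDS = ("created", "modified", "accessed")


def _utc(ts: float) -> datetime:
    """Epoch seconds from os.stat() -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_timeline(root: str) -> list[dict]:
    """One row per regular file under `root` with its MAC times.

    Caveats: on Windows st_ctime is the creation time, on Linux it is the inode
    change time, so st_birthtime is preferred where the platform provides it.
    Timestamps come from the mounted file system, so a FAT volume gives
    2-second modified-time resolution and date-only access times.  Mount the
    image read-only, or this walk will overwrite access times.
    """
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable entry: skip it rather than abort the run
            created = getattr(st, "st_birthtime", None)
            if created is None:  # no birth time exposed (typical on Linux)
                created = st.st_ctime
            rows.append({
                "path": path.relative_to(root).as_posix(),
                "size": st.st_size,
                "created": _utc(created),
                "modified": _utc(st.st_mtime),
                "accessed": _utc(st.st_atime),
            })
    return rows


def filter_window(rows, start, end, field="modified"):
    """Rows whose `field` timestamp lies in [start, end), sorted by that field."""
    if field not in TIME_FIELDS:
        raise ValueError(f"field must be one of {TIME_FIELDS}")
    hits = [r for r in rows if start <= r[field] < end]
    return sorted(hits, key=lambda r: r[field])


def write_csv(rows, out_path):
    """Write the timeline as CSV with ISO-8601 UTC timestamps for a spreadsheet."""
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "size", *TIME_FIELDS])
        for r in sorted(rows, key=lambda r: r["modified"]):
            writer.writerow([r["path"], r["size"],
                             *(r[f].isoformat() for f in TIME_FIELDS)])


def make_sample_tree() -> str:
    """Constructed sample data: three files whose modified times are set to
    known dates so the window filter can be demonstrated offline."""
    root = tempfile.mkdtemp(prefix="timeline_demo_")
    stamps = {  # hypothetical paths and dates, not from any real case
        "notes/before.txt": datetime(2021, 3, 1, tzinfo=timezone.utc),
        "docs/during.pdf": datetime(2021, 6, 15, tzinfo=timezone.utc),
        "after.bin": datetime(2022, 1, 10, tzinfo=timezone.utc),
    }
    for rel, when in stamps.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * 16)
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # sets atime and mtime; creation time is not settable here
    return root


def demo(field="modified") -> list[str]:
    """Build the sample tree, export it, and return paths inside the key-date window."""
    root = make_sample_tree()
    try:
        rows = build_timeline(root)
        write_csv(rows, Path(root, "timeline.csv"))
        start = datetime(2021, 5, 1, tzinfo=timezone.utc)  # assumed key dates
        end = datetime(2021, 12, 31, tzinfo=timezone.utc)
        return [r["path"] for r in filter_window(rows, start, end, field)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # ['docs/during.pdf']
```

Against a real mounted image, call `build_timeline(r"E:\")` (or the mount point) and `write_csv` instead of `demo()`; the CSV opens in Excel and sorts on any of the three date columns. Filter on "modified" unless the platform exposes a true creation time, and keep all timestamps in UTC so NTFS (stored in UTC) and FAT (stored in local time) volumes are not compared across an unrecorded offset.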