Searchtools, Indexed searching in forensic images

Diving into the workings

This article has been published in the Sleuthkit Informer #16. Description: Forensic investigations of hard drives and images benefit greatly from the many tools that are available. Some of these tools are Open Source or Free Software, and some are commercial. Searching for keywords is probably one of the most frequently performed actions during forensic investigations, but depending on the tools used, and on the size of the hard drive or image under investigation, this can take a lot of time. [Read More]

Sleuthkit/Autopsy Searchtools patch

What is Searchtools?

Description: As my main forensic tool I like to use Autopsy/Sleuthkit. As it is missing some features in comparison to (commercial) Windows products, I’ve decided to contribute and add some new features to Autopsy and Sleuthkit. This is done in cooperation with Brian Carrier. One of the major missing features is indexed searching, which greatly speeds up searches for words during investigations. So Searchtools was introduced. This article describes its features. [Read More]

Publications

In the public eye

Presentations: A number of my historic presentations that I can make public: 1-2 Startup weekend - Revenue streams & Innovation Accounting (June 9th 2018); FOSDEM PolarSSL lightning talk (May 5th 2012); HAR2009 presentation “Life or Death Cryptology, it’s not about the encryption algorithm” (August 15th 2009). This presentation was given at HAR 2009; there’s a rumor that a video is also available. Own articles: EDP-Auditor, nr 2, 2007 - Forensic IT Investigations [Read More]

Sleuthkit/Autopsy Foremost patch

Adding Foremost to Autopsy

Description: Author: P. Vissers. Foremost is a tool which can recover data from unallocated space using user-definable headers and, optionally, footers. It runs on most Linux distributions. I thought it would be handy to integrate this into Autopsy, along with the option to edit the configuration file. Well, here is the patch. Effort has been made to respect the original format of ‘base/autopsyfunc.pm’. Foremost 0. [Read More]