Re: Static Forensic Analysis in Japanese (and other Languages)

From: Stephen (sa7oriat_private)
Date: Sun Mar 31 2002 - 12:21:56 PST


    Moshi Moshi,
    	That is quite an interesting little puzzle you have run into.
    Nonetheless, I just wanted to sound off a suggestion or two. The first
    option, which I am sure you don't want to exercise, is to learn Japanese.
    :-). Alright, that being said, I think trying to load the Japanese
    Keymap may not be completely necessary. Although it would be nice to
    be able to talk to your apps with Kanji/Hiragana, I don't think it will be
    entirely necessary. One of the suggestions I would elaborate on is using a
    *nix system (linux perhaps) to mount -o loop the drive images. But before
    that, perhaps using diff or something to find common "headers" for those .pst
    files, with hopes that there are fields or headers that don't utilize Kanji
    or Hiragana. Perhaps a hex editor will also help with this. Once such
    fields have been identified, it seems merely a matter of
    grep -a -B2 -A200 "headerthingy" /dev/wipeddisk
    and comparing the number of instances of found "headerthingy" to the
    number of messages known to be visible to windows, the difference of
    course being the files that were deleted. This is a bit oversimplified,
    of course, because "headerthingy" may not prove to be human readable. But
    nonetheless, I think the basic idea is there.
    
    On Fri, 29 Mar 2002 Doug.Barbinat_private wrote:
    
    > I've got an interesting issue that I'm tackling that I thought I'd
    > throw out to the group for discussion.  I'm going to Japan to perform
    > forensic imaging and analysis of several laptop PCs.  I'm assuming that
    > aside from power conversion and a few other idiosyncrasies, the imaging
    > piece will not be a problem.  A few more details, these machines will be
    > Windows 2000 laptops, most likely imaged using EnCase or dd.  I'll have the
    > ability to run either EnCase or FTK Forensic Suites against the images as
    > well as all of the freely available command line tools.  Linux is a
    > possibility as well.
    >
    > The interesting piece comes into the analysis portion.  Of interest will be
    > e-mail, files, and deleted space.  I was wondering if anyone had any
    > experience performing key word (or grep) searches and other types of
    > analytics in Kanji (Japanese) or another language that does not use
    > English-like characters.  I do not think you can type Japanese terms into
    > EnCase.  I'm also guessing FTK's DTSearch Indexing function will not allow
    > me to index in Kanji.  Command line tools, I imagine, will depend on the
    > interface.
    >
    > Some ideas so far . . . feel free to add:
    > - The e-mail will be in .pst files.  Therefore, I should be able to mount it
    > in a Japanese configured PC, with Outlook so that a Japanese person can read
    > through the e-mails.  FTK may also be able to parse the e-mail assuming the
    > character sets are installed on the analysis PC.
    > - I could use a Win32 port of grep on a Japanese configured PC.
    > - Ontrack PowerDesk has a halfway decent search utility I could run on a
    > Japanese PC.
    > - I could use a Japanese PC to convert the sought-after words to Hex and
    > then run those searches in EnCase.
    >
    > Any other ideas/experiences?  Thanks.
    >
    > -DB
    >
    > Douglas W. Barbin, CISSP, CFE
    >   Principal Consultant
    >    W: 925.945.8093 E-Fax: 240.331.6030 M: 415.806.4064
    >    528-C North Civic Drive
    >    Walnut Creek, CA 94596  www.guardent.com
    >    PGP: 64CB ACA8 0474 B9AF 1B24 6756 FA80 A274 55A3 4122
    > ______________________________________________________
    > G U A R D E N T
    >   Enterprise Security and Privacy Programs
    >
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
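An added example, not part of Stephen's or Doug's posts: a small Python script that takes the two ideas in this thread (convert the sought-after term to hex for a byte-level search, and count an ASCII header marker across the whole image with the grep -a approach) and runs them over a constructed sample image. The encodings listed (cp932/Shift_JIS, UTF-16LE, EUC-JP, ISO-2022-JP, UTF-8) are my assumptions about what a Japanese Windows 2000 laptop and its mail might hold; the sample image bytes are constructed inline, and the function names are mine.

```python
# Added example, not code from the thread: encode a search term in the encodings a
# Japanese Windows 2000 disk may contain, emit the hex forms for a byte-level search,
# and carve a raw image for them. Encoding list and sample image are my assumptions.

# Assumed candidate encodings: Shift_JIS (cp932) for legacy ANSI text, UTF-16LE for
# NTFS names and Unicode-aware apps, EUC-JP / ISO-2022-JP for mail, UTF-8 for the rest.
CANDIDATE_ENCODINGS = ("cp932", "utf-16-le", "euc_jp", "iso2022_jp", "utf-8")

# ISO-2022-JP brackets a kanji run with these escapes; a mid-stream occurrence of the
# term carries only the bytes between them, so the escapes are stripped before searching.
JIS_IN, JIS_OUT = b"\x1b$B", b"\x1b(B"


def keyword_patterns(keyword):
    """Map each encoding that can represent `keyword` to the byte pattern to search for."""
    patterns = {}
    for enc in CANDIDATE_ENCODINGS:
        try:
            raw = keyword.encode(enc)
        except UnicodeEncodeError:
            continue  # the term has characters this encoding cannot express
        if enc == "iso2022_jp":
            if raw.startswith(JIS_IN):
                raw = raw[len(JIS_IN):]
            if raw.endswith(JIS_OUT):
                raw = raw[:-len(JIS_OUT)]
        patterns[enc] = raw
    return patterns


def hex_terms(keyword):
    """Upper-case, space-separated hex of each pattern, for tools that take hex search terms."""
    return {enc: pat.hex(" ").upper() for enc, pat in keyword_patterns(keyword).items()}


def scan_image(image, keyword, context=12):
    """Every offset at which any encoding of `keyword` occurs in `image` (a bytes object)."""
    hits = []
    for enc, pat in keyword_patterns(keyword).items():
        pos = image.find(pat)
        while pos >= 0:
            # In a sector-aligned image, UTF-16LE text sits on even offsets; an odd-offset
            # match is usually two unrelated bytes lining up, so flag it for review.
            suspect = enc == "utf-16-le" and pos % 2 == 1
            hits.append({"offset": pos, "encoding": enc, "suspect": suspect,
                         "context": image[max(0, pos - context):pos + len(pat) + context]})
            pos = image.find(pat, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def count_by_encoding(image, keyword):
    """How many times each encoding of the term appears, ignoring flagged UTF-16LE hits."""
    counts = {}
    for hit in scan_image(image, keyword):
        if not hit["suspect"]:
            counts[hit["encoding"]] = counts.get(hit["encoding"], 0) + 1
    return counts


def count_marker(image, marker):
    """Count an ASCII header marker across the whole image (the grep -a idea); the excess
    over messages still visible in the mail client bounds how many unallocated copies exist."""
    return image.count(marker)


def build_sample_image():
    """Constructed sample image: zero filler around three fragments in different encodings."""
    term = "東京"
    sjis_mail = ("Subject: " + term + "支社 会議").encode("cp932")   # legacy mail header
    utf16_name = ("報告書_" + term + ".doc").encode("utf-16-le")     # NTFS-style file name
    eucjp_body = (term + "からのメール").encode("euc_jp")             # EUC-JP mail body
    filler = b"\x00" * 64
    return filler + sjis_mail + filler + utf16_name + filler + eucjp_body + filler


if __name__ == "__main__":
    image = build_sample_image()   # for a real image: open(path, "rb").read() or mmap it
    for enc, hx in hex_terms("東京").items():
        print(f"{enc:12} {hx}")
    for hit in scan_image(image, "東京"):
        flag = " (odd offset, review)" if hit["suspect"] else ""
        print(f"0x{hit['offset']:08x} {hit['encoding']:12} {hit['context']!r}{flag}")
    print("Subject: headers in image:", count_marker(image, b"Subject: "))
```

The hex lines that `hex_terms` prints are what would be pasted into a tool that accepts hex search terms, one per encoding, since a single term has a different byte form in each. One caveat for the .pst idea in the thread: Outlook's default "compressible encryption" on PST files substitutes bytes on disk, so raw byte matches will come from copies that live outside the PST (temporary files, swap, mail caches, unallocated space) unless the PST is decoded first.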
    
    
    



    This archive was generated by hypermail 2b30 : Sun Mar 31 2002 - 18:33:47 PST