Re: Static Forensic Analysis in Japanese (and other Languages)

From: Matt Doughty (mdoughtyat_private)
Date: Sun Mar 31 2002 - 19:51:54 PST


    Ok, I have little experience with forensics itself so this is just coming
    from the Japanese language perspective. It is definitely possible to do
    greps on the files from a *nix environment. I am on a NetBSD box right now,
    and I have the Japanese-enabled grep. So there is no reason you can't search
    through the data with the words you are looking for.  I would think the
    biggest issue you will face is what the encoding format is. There are 4
    possible encodings (JIS, SJIS, EUC, Unicode). If you were dealing with
    software that can't handle Japanese input at all you could probably use
    the equivalent escape codes in the searches.  I believe that win2k does
    most of its encoding in Unicode internally so I wouldn't give up on the
    possibility of entering the search terms into EnCase directly as I imagine
    that will be more a function of the locales and IME than EnCase itself.
    
    I know you can do the searching in a *nix environment. It might make it
    easier to install a Japanese distro (Vine, Redhat, Turbolinux) so that
    you don't have to figure out the locale settings and install Japanese-
    enabled utils. If you are an emacs user you might consider using mule.
    
    That said, you can probably use EnCase on a win2k box with proper locales
    and IME (win2k+multilingual or win2k Japanese). Either way it shouldn't
    be as much of a problem as you think.
    
    I sort of rambled here because I can't seem to focus on what is, at least
    for me, a very wide topic. If you have specific questions just ask.
    
    --Matt
    On Fri, Mar 29, 2002 at 09:28:26PM -0500, Doug.Barbinat_private wrote:
    > I've got an interesting issue that I'm tackling that I thought I'd
    > throw out to the group for discussion.  I'm going to Japan to perform
    > forensic imaging and analysis of several laptop PCs.  I'm assuming that
    > aside from power conversion and a few other idiosyncrasies, the imaging
    > piece will not be a problem.  A few more details: these machines will be
    > Windows 2000 laptops, most likely imaged using EnCase or dd.  I'll have the
    > ability to run either the EnCase or FTK forensic suites against the images as
    > well as all of the freely available command line tools.  Linux is a
    > possibility as well.
    > 
    > The interesting piece comes in the analysis portion.  Of interest will be
    > e-mail, files, and deleted space.  I was wondering if anyone had any
    > experience performing keyword (or grep) searches and other types of
    > analytics in Kanji (Japanese) or another language that does not use
    > English-like characters.  I do not think you can type Japanese terms into
    > EnCase.  I'm also guessing FTK's dtSearch indexing function will not allow
    > me to index in Kanji.  Command line tools, I imagine, will depend on the
    > interface.
    > 
    > Some ideas so far . . . feel free to add:
    > - The e-mail will be in .pst files.  Therefore, I should be able to mount it
    > in a Japanese configured PC, with Outlook so that a Japanese person can read
    > through the e-mails.  FTK may also be able to parse the e-mail assuming the
    > character sets are installed on the analysis PC.
    > - I could use a Win32 port of grep on a Japanese configured PC.
    > - Ontrack PowerDesk has a halfway decent search utility I could run on a
    > Japanese PC.
    > - I could use a Japanese PC to convert the sought-after words to hex and
    > then run those searches in EnCase.
    > 
    > Any other ideas/experiences?  Thanks.
    > 
    > -DB
    > 
    > Douglas W. Barbin, CISSP, CFE
    >   Principal Consultant
    >    W: 925.945.8093 E-Fax: 240.331.6030 M: 415.806.4064
    >    528-C North Civic Drive
    >    Walnut Creek, CA 94596  www.guardent.com 
    >    PGP: 64CB ACA8 0474 B9AF 1B24 6756 FA80 A274 55A3 4122
    > ______________________________________________________
    > G U A R D E N T  
    >   Enterprise Security and Privacy Programs
    > 
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    "Take away them collisions and the common channel and it's like Christianity 
     without Christ." -Jim Breen (speaking about "full-duplex" Ethernet)
    
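The two practical points raised in this thread are (a) the same Japanese keyword has a different byte pattern under each of the candidate encodings (Shift_JIS, EUC-JP, JIS/ISO-2022-JP, and the Unicode forms Windows 2000 uses internally), and (b) a term converted to hex can be fed to a byte-level search in EnCase, grep or dd output, which also covers unallocated space because it ignores the filesystem. The script below is an added example, not code from either poster: it takes a keyword, emits the hex pattern for each encoding, and runs all patterns over a raw image. The keyword, the encoding list and the sample "image" (a constructed byte string, not a real disk) are assumptions made for illustration.

```python
"""Generate per-encoding byte patterns for a Japanese keyword and scan a raw image.

Added example for this thread; the keyword and sample image are constructed.
"""
import re

# Encodings a Windows 2000 box or a Japanese *nix box could plausibly have used.
# cp932 is Microsoft's Shift_JIS variant, euc_jp is EUC, iso2022_jp is 7-bit JIS,
# utf-16-le is what NT stores internally (registry, NTFS names, many API strings).
ENCODINGS = ["cp932", "euc_jp", "iso2022_jp", "utf-8", "utf-16-le"]

# ISO-2022-JP wraps kanji in ESC $ B ... ESC ( B shift sequences.  A term found in
# the middle of a longer Japanese run has no escapes of its own, so we strip them
# and search for the bare 7-bit bytes.  Caveat: those bytes are all printable
# ASCII, so expect false positives and confirm JIS hits by eye or by context.
ISO2022_ESCAPES = re.compile(rb"\x1b\$[@B]|\x1b\([BJ]")


def encode_term(term: str, encoding: str) -> bytes:
    """Return the byte pattern to search for under one encoding."""
    data = term.encode(encoding)
    if encoding == "iso2022_jp":
        data = ISO2022_ESCAPES.sub(b"", data)
    return data


def hex_patterns(term: str) -> dict:
    """Map each encoding to the hex string you would paste into a hex/GREP search."""
    return {enc: encode_term(term, enc).hex() for enc in ENCODINGS}


def search_image(image: bytes, term: str) -> list:
    """Return sorted (offset, encoding) pairs for every occurrence of term in image.

    Works on raw bytes, so slack and unallocated space are searched too.
    """
    hits = []
    for enc in ENCODINGS:
        pattern = encode_term(term, enc)
        start = 0
        while True:
            idx = image.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, enc))
            start = idx + 1  # keep going past overlapping matches
    return sorted(hits)


# Assumed keyword: 機密 ("confidential").  Assumed image: a few ASCII bytes and
# nulls with the keyword embedded once each in Shift_JIS, UTF-16LE and UTF-8,
# which is the mix you would see between an old document, an NTFS/registry
# structure and a web-cache file on the same disk.
TERM = "\u6a5f\u5bc6"
SAMPLE_IMAGE = (
    b"Q1 report "                       # offset 0, 10 bytes of filler
    + encode_term(TERM, "cp932")        # offset 10
    + b"\x00" * 16                      # unallocated-looking filler
    + encode_term(TERM, "utf-16-le")    # offset 30
    + b" notes "                        # 7 bytes of filler
    + encode_term(TERM, "utf-8")        # offset 41
)


if __name__ == "__main__":
    for enc, hexpat in hex_patterns(TERM).items():
        print(f"{enc:12s} {hexpat}")
    for offset, enc in search_image(SAMPLE_IMAGE, TERM):
        print(f"hit at 0x{offset:08x} ({enc})")
```

The hex output is what you would enter into EnCase as a hex keyword (one keyword per encoding, or one combined GREP expression), and the scan loop is the equivalent of running each pattern with a binary-safe grep over the dd image. Searching every encoding rather than guessing one matters because a single Windows 2000 disk routinely holds the same word as Shift_JIS in old documents and mail, as UTF-16LE in NTFS metadata and the registry, and as UTF-8 or ISO-2022-JP in mail bodies and web content.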
    



    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 05:42:02 PST