Future of indexing in Autopsy and Sleuthkit

• Previous message: Drew Flickema: "Re: Windows XP Startup Disk"
• Next in thread: Simson L. Garfinkel: "Re: Future of indexing in Autopsy and Sleuthkit"
• Reply: Simson L. Garfinkel: "Re: Future of indexing in Autopsy and Sleuthkit"
• Reply: Matt Bergen: "Re: Future of indexing in Autopsy and Sleuthkit"
• Reply: Matthew M. Shannon: "Re: [sleuthkit-users] Future of indexing in Autopsy and Sleuthkit"
• Reply: Paul Bakker: "RE: Future of indexing in Autopsy and Sleuthkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

As some people may already know, I am in the process of adding an Indexed Search feature to Autopsy and Sleuthkit, which are Open Source filesystem forensic tools.

I have some issues that concern these additions and I would like to get community members' opinions on some of these. So anyone who is using Autopsy/Sleuthkit or just wants to give his/her opinion: Feel free to give your opinion and let me know if I should or should not implement these features/issues.

Issue 1:
I think it is advisable to limit the indexed character range to only alphanumeric characters instead of the current limitation of all printable ASCII characters. The consequences are the following:
 - POSITIVE: The size of the used index files is smaller (Now it's the size of the strings file of an image) Which is quite huge if you have just copied a 80 Gb partition.
 - NEGATIVE: Indexed Searching on other characters will not be possible anymore.
 - POSITIVE: It will be easier to search for substrings of words, which is not yet possible at the moment. (It is possible in both versions, but will take a huge extra space if used on the original charachter range)
 - POSITIVE: Searching will be even quicker.

Issue 2:
Human readability of the files. A speedup in the indexed searching process and a redeuction of the size of the used files can be accomplished by changing the format of the index files. The consequence is that these cannot be read by a human anymore (No more text-format file). The consequences are the following:
 - POSITIVE: Speed of searches is increased
 - POSITIVE: Size of used files is reduces
 - NEGATIVE: Files cannot be checked anymore with the human eye.

For the moment this are the issues. Maybe more will come..

- --
Paul Bakker

Fox-IT Experts in IT Security!
Haagweg 137 
2281 AG RIJSWIJK 
T 070 336 9999 
F 070 336 9990 
I www.fox-it.com 
E bakker@fox-it.com
57A6 C5EA 55E4 CC1C A967 B13C F8C0 C0FB 8135 E225

Disclaimer: This email may contain confidential information. If this message is not addressed to you, you may not retain or use the information in it for any purpose. If you have received it in error, please notify the sender and delete this message. We try to screen out viruses but take no responsibility if this email contains a virus.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPss3KvjAwPuBNeIlEQKRXwCg7CS05qSRSxlLxW6Z30wwnj0SQzUAmwbv
s4OvNJhBlhByW5cZcx9tyuUq
=//+o
-----END PGP SIGNATURE-----

• application/octet-stream attachment: PGPexch.htm.pgp

• Next message: Simson L. Garfinkel: "Re: Future of indexing in Autopsy and Sleuthkit"
• Previous message: Drew Flickema: "Re: Windows XP Startup Disk"
• Next in thread: Simson L. Garfinkel: "Re: Future of indexing in Autopsy and Sleuthkit"
• Reply: Simson L. Garfinkel: "Re: Future of indexing in Autopsy and Sleuthkit"
• Reply: Matt Bergen: "Re: Future of indexing in Autopsy and Sleuthkit"
• Reply: Matthew M. Shannon: "Re: [sleuthkit-users] Future of indexing in Autopsy and Sleuthkit"
• Reply: Paul Bakker: "RE: Future of indexing in Autopsy and Sleuthkit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu May 22 2003 - 05:36:24 PDT