Re: [sleuthkit-users] Future of indexing in Autopsy and Sleuthkit

From: Matthew M. Shannon (mmshannat_private)
Date: Thu May 22 2003 - 17:35:28 PDT


    Paul Bakker wrote:
    
    > 
    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1
    >
    >Hello,
    >
    >As some people may already know, I am in the process of adding an Indexed Search feature to Autopsy and Sleuthkit, which are Open Source filesystem forensic tools.
    >
    >I have some issues that concern these additions and I would like to get community members' opinions on some of these. So anyone who is using Autopsy/Sleuthkit or just wants to give his/her opinion: Feel free to give your opinion and let me know if I should or should not implement these features/issues.
    >
    >Issue 1:
    >I think it is advisable to limit the indexed character range to only alphanumeric characters instead of the current limitation of all printable ASCII characters. The consequences are the following:
    > - POSITIVE: The size of the used index files is smaller (now it's the size of the strings file of an image, which is quite huge if you have just copied an 80 Gb partition).
    > - NEGATIVE: Indexed Searching on other characters will not be possible anymore.
    > - POSITIVE: It will be easier to search for substrings of words, which is not yet possible at the moment. (It is possible in both versions, but will take a huge extra space if used on the original character range.)
    > - POSITIVE: Searching will be even quicker.
    >  
    >
    Paul, is it just me, or do I read that as alphanumeric only? I often 
    need to search for instances of email addresses, and while it is not 
    always mandatory, having access to the @ symbol sure does speed the 
    process up.
    
    >Issue 2:
    >Human readability of the files. A speedup in the indexed searching process and a reduction of the size of the used files can be accomplished by changing the format of the index files. The consequence is that these cannot be read by a human anymore (no more text-format file). The consequences are the following:
    > - POSITIVE: Speed of searches is increased
    > - POSITIVE: Size of used files is reduced.
    > - NEGATIVE: Files cannot be checked anymore with the human eye.
    >
    >For the moment these are the issues. Maybe more will come.
    >
    >  
    >
    Not an issue in my opinion; in fact, I agree with another post that 
    mentioned making the file layout open: someone here will write a tool to 
    read it.
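    The tradeoff raised above (an alphanumeric-only index cannot hit a term that contains '@'), as an added Python example that is not from this thread nor from Sleuthkit or Autopsy: it builds an inverted index over a strings-file sample under both character ranges, and sketches an intersect-then-verify workaround for an e-mail address search on the alphanumeric index. The offsets, strings and addresses are constructed for the example, and the workaround is my own sketch, not a feature of either tool.

```python
import re
from collections import defaultdict

# Constructed sample in the offset<TAB>string layout of a strings file taken
# over an image; offsets, names and addresses are invented for this example.
SAMPLE_STRINGS = (
    "1024\tContact: alice@example.org for details\n"
    "2048\tpassword=S3cret!\n"
    "4096\talice wrote the example org chart\n"
    "8192\tMail alice@example.org again\n"
)

ALNUM_TOKEN = re.compile(r"[A-Za-z0-9]+")  # Issue 1: alphanumeric-only index
PRINTABLE_TOKEN = re.compile(r"[!-~]+")    # current range: printable ASCII runs

def parse_strings(text):
    """Return {offset: string} from offset<TAB>string lines."""
    out = {}
    for line in text.splitlines():
        off, _, s = line.partition("\t")
        out[int(off)] = s
    return out

def build_index(strings, token_re):
    """Inverted index: lower-cased token -> sorted offsets of strings holding it."""
    index = defaultdict(set)
    for off, s in strings.items():
        for tok in token_re.findall(s):
            index[tok.lower()].add(off)
    return {tok: sorted(offs) for tok, offs in index.items()}

def exact_lookup(index, term):
    """Direct token hit; a term containing '@' can only hit in the printable index."""
    return index.get(term.lower(), [])

def search_with_verify(index, strings, term):
    """Workaround for punctuation terms on an alphanumeric index: intersect the
    postings of the term's alphanumeric parts (candidates), then confirm each
    candidate against the raw string so false positives are dropped.
    Returns (candidates, verified_hits)."""
    parts = [p.lower() for p in ALNUM_TOKEN.findall(term)]
    if not parts:
        return [], []
    cands = set(index.get(parts[0], []))
    for p in parts[1:]:
        cands &= set(index.get(p, []))
    hits = [off for off in sorted(cands) if term.lower() in strings[off].lower()]
    return sorted(cands), hits
```

    The candidate set shows the cost of the workaround: offset 4096 ("alice wrote the example org chart") matches every part but is only rejected by re-reading the raw string.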
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri May 23 2003 - 08:40:39 PDT