Paul Bakker wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> As some people may already know, I am in the process of adding an Indexed Search feature to Autopsy and Sleuthkit, which are Open Source filesystem forensic tools.
>
> I have some issues that concern these additions and I would like to get community members' opinions on some of these. So anyone who is using Autopsy/Sleuthkit or just wants to give his/her opinion: Feel free to give your opinion and let me know if I should or should not implement these features/issues.
>
> Issue 1:
> I think it is advisable to limit the indexed character range to only alphanumeric characters instead of the current limitation of all printable ASCII characters. The consequences are the following:
> - POSITIVE: The size of the used index files is smaller (Now it's the size of the strings file of an image) Which is quite huge if you have just copied an 80 Gb partition.
> - NEGATIVE: Indexed Searching on other characters will not be possible anymore.
> - POSITIVE: It will be easier to search for substrings of words, which is not yet possible at the moment. (It is possible in both versions, but will take a huge extra space if used on the original character range)
> - POSITIVE: Searching will be even quicker.

Paul, is it just me, or do I read that as alphanumeric only? I often need to search for instances of email addresses, and while it is not always mandatory, having access to the @ symbol sure does speed the process up.

> Issue 2:
> Human readability of the files. A speedup in the indexed searching process and a reduction of the size of the used files can be accomplished by changing the format of the index files. The consequence is that these cannot be read by a human anymore (No more text-format file). The consequences are the following:
> - POSITIVE: Speed of searches is increased
> - POSITIVE: Size of used files is reduced
> - NEGATIVE: Files cannot be checked anymore with the human eye.
>
> For the moment these are the issues. Maybe more will come..

Not an issue in my opinion, in fact I agree with another post that mentioned making the file layout open, someone here will write a tool to read it.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
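The Issue 1 trade-off and the reply's point about the @ symbol, as an added example that is not part of the original posts and is not Autopsy/Sleuthkit code. It builds a toy index over constructed bytes with both character ranges, then shows one way an alphanumeric-only index could still locate an email address by confirming candidate offsets against the raw image; all names, the sample bytes, and that confirmation step are assumptions made for illustration.

```python
import re

# Constructed bytes standing in for a disk image (not from a real case).
IMAGE = (b"\x00\x01From: alice@example.org\x00\x7f\x02"
         b"alice example org unrelated\x00"
         b"\xffmail bob.smith@example.org now\x00")

PRINTABLE = re.compile(rb"[\x21-\x7e]+")  # printable ASCII runs (space splits)
ALNUM = re.compile(rb"[A-Za-z0-9]+")      # the proposed alphanumeric-only range


def build_index(image, token_re):
    """Map each lower-cased token to the byte offsets where it starts."""
    index = {}
    for m in token_re.finditer(image):
        index.setdefault(m.group().lower(), []).append(m.start())
    return index


def vocab_bytes(index):
    """Rough size measure: total bytes of distinct indexed terms."""
    return sum(len(term) for term in index)


def search_alnum(image, index, query):
    """Locate a query holding non-indexed bytes such as '@'.

    The first alphanumeric token of the query yields candidate offsets from
    the index; each candidate is then confirmed against the raw image bytes.
    """
    q = query.lower()
    first = ALNUM.search(q)
    if first is None:
        raise ValueError("query has no indexable characters")
    hits = []
    for off in index.get(first.group(), []):
        start = off - first.start()
        if start >= 0 and image[start:start + len(q)].lower() == q:
            hits.append(start)
    return hits


if __name__ == "__main__":
    printable, alnum = build_index(IMAGE, PRINTABLE), build_index(IMAGE, ALNUM)
    print(vocab_bytes(printable), vocab_bytes(alnum))
    print(printable.get(b"alice@example.org"), alnum.get(b"alice@example.org"))
    print(search_alnum(IMAGE, alnum, b"alice@example.org"))
```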
This archive was generated by hypermail 2b30 : Fri May 23 2003 - 08:40:39 PDT