RE: [sleuthkit-users] Future of indexing in Autopsy and Sleuthkit

From: Paul Bakker (bakker@fox-it.com)
Date: Fri May 23 2003 - 01:13:13 PDT


    Hi Matthew,
    
    Thanks for your response.
    
    > Paul, is it just me, or do I read that as alphanumeric only? I often 
    > need to search for instances of email addresses, and while it is not 
    > always mandatory, having access to the @ symbol sure does speed the 
    > process up.
    I can understand your problem.... Please try to understand mine (As I see it). The problem with indexed searching is that you have to have a limited set of characters to search for. Otherwise it's not possible to generate an index file. The size of the index file grows exponentially with the size of the character set.
    
    Therefore it might be possible to add some other characters like the diacritic ASCII characters and maybe an @ (but then other people want to have other characters too). Based on this it will probably be configurable in the final version.
    
    Unicode is for me a no-no, because of the sheer size of the set of characters contained therein.
    If anyone can suggest a fix/solution I would greatly appreciate that!
    
    I'm still thinking about a better solution.
    
    You should remember though that there will always be Standard searching with regexp and all... Indexed searching is just to generate a speedup for the most commonly used search strings (Which in my opinion are the Alphanumeric and diacritic ASCII characters. PLEASE DEBATE WITH ME ON THIS!!!!!!!)
    
    > >Issue 2:
    > >Human readability of the files. A speedup in the indexed 
    > >searching process and a reduction of the size of the used 
    >
    > Not an issue in my opinion, in fact I agree with another post that 
    > mentioned making the file layout open, someone here will write a tool to 
    > read it.
    
    I will do both. I will document the file format and provide a tool to
    convert it to human readable format.
    
    --
    Paul Bakker
    
    Fox-IT Experts in IT Security!
    Haagweg 137 
    2281 AG RIJSWIJK 
    T 070 336 9999 
    F 070 336 9990 
    I www.fox-it.com 
    E bakker@fox-it.com
    57A6 C5EA 55E4 CC1C A967 B13C F8C0 C0FB 8135 E225
    
    


