autopsy is creating enormous databases
VM got full and crashed
will have to set up a clean and larger VM, and redo
analysis is also taking a lot of time
seems like it takes days to do full analysis…
it's not a real time recorder of events
it's only analyzing what it can from a single snapshot taken at a specific given time
but I can't speak as to what the software is able to do, it seems much more sophisticated than what I expected
also, I seem to have seen a 'timeline' somewhere
maybe it can reconstruct the ordering of creation/modification of the files that were still there at the moment the given snapshot was taken?
maybe it can also reconstruct the times of deletion of some files?
>Could see it being something that if built, could both save folks and also convict them.
yes, really looking forward to what this software is able to do
also, analysis does not need to be repeated
once the scan is done, one can export the results/analysis database, and share with others
of course, anyone can run the analysis and compare, to verify
kinda busy IRL too this WE, might only be able to carry this out next week
but most definitely very interesting
if we figure out good stuff from this and then share to broader community, could have a good impact
worth seeing this through
by the way, might be something, might be nothing:
when Ron shared the links to the torrents, he said the following
https://t.me/CodeMonkeyZ/1119
I was able to uncover a script that WEAKENS the EMS server on purpose.
I was also able to uncover a bunch of deleted election log files that spanned years.
It will be exciting to see what all of you sleuths will be able to find.
(emphasis mine)
->
this software is based on a package 'sleuthkit', the set of command line tools I was using at the beginning to do some analysis, and which seems to be the de facto industry standard for doing forensic data analysis
it adds a lot of tools, but it is based on '__sleuth__kit'