This example shows how to represent a forensic_path created by the Bulk Extractor tool by converting the forensic path seen on page 63 of the 2013 COSE paper:
```
946315592-GZIP-64000-GZIP-1600 [email protected]
946315592-GZIP-64000-GZIP-16095 [email protected]
```
This example uses the file mechanisms described in file to create Relationship and Trace objects that represent each offset and gzip decompression performed to extract the email addresses.
- disk_image
  - relationship6 (DataRange : 946315592) -> compressed_gzip1
    - relationship5 (Compression : GZIP) -> decompressed_gzip1
      - relationship4 (DataRange : 64000) -> compressed_gzip0
        - relationship3 (Compression : GZIP) -> decompressed_gzip0
          - relationship0 (DataRange : 1600) -> extracted_email_address0
          - relationship1 (DataRange : 16095) -> extracted_email_address1
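As an added illustration (not part of the CASE example and not Bulk Extractor's own code), the following Python parses a forensic path into the same DataRange and Compression steps listed above, then follows such a path through a small constructed nested-gzip buffer. The function names, the sample buffer and its path `512-GZIP-40-GZIP-16` are assumptions made for this example, and only the `GZIP` token is handled.

```python
import gzip
import zlib

def parse_forensic_path(path):
    """Split a forensic path into ordered (kind, value) steps."""
    steps = []
    for token in path.split("-"):
        if token.isdigit():
            steps.append(("DataRange", int(token)))   # byte offset in the current layer
        elif token == "GZIP":
            steps.append(("Compression", token))      # decompress starting at that offset
        else:
            raise ValueError(f"unsupported forensic path token: {token!r}")
    if not steps or steps[-1][0] != "DataRange":
        raise ValueError("forensic path must end in a byte offset")
    return steps

def resolve(image, path, length):
    """Follow the path through `image` and return `length` bytes at its end."""
    data = image
    for kind, value in parse_forensic_path(path):
        if kind == "DataRange":
            if value > len(data):
                raise ValueError(f"offset {value} is past the end of this layer")
            data = data[value:]
        else:
            # wbits=31 selects gzip framing; bytes after the stream are ignored
            data = zlib.decompressobj(wbits=31).decompress(data)
    return data[:length]

def build_sample():
    """Constructed input: an address inside two gzip layers inside padding."""
    inner = gzip.compress(b"x" * 16 + b"user@example.com\n")
    outer = gzip.compress(b"\0" * 40 + inner + b"trailing bytes")
    return b"\0" * 512 + outer + b"\0" * 64

if __name__ == "__main__":
    # The page's first path, as the relationship chain it describes
    for step in parse_forensic_path("946315592-GZIP-64000-GZIP-1600"):
        print(step)
    # The constructed buffer, resolved down to the embedded address
    print(resolve(build_sample(), "512-GZIP-40-GZIP-16", 16))
```

Each `("DataRange", n)` step corresponds to one DataRange relationship in the list above, and each `("Compression", "GZIP")` step to one Compression relationship.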
Using a proof-of-concept illustration system, a render of this scenario's uco-core:Relationship objects is available: