sorter is a Perl script that analyzes a file system to organize the allocated and unallocated files by file type. It runs the 'file' command on each file and organizes the files according to the rules in configuration files. It also checks each file's extension against its detected type to identify 'hidden' files. One can also provide hash databases of files that are known to be good and can be ignored, and of files that are known to be bad and should be alerted on.
sorter [-b size] [-E] [-e] [-h] [-l] [-md5] [-s] [-sha1] [-U] [-v] [-V] [-a hash_alert] [-c config] [-C config] [-d dir] [-m mnt] [-n nsrl_db] [-x hash_exclude] [-o imgoffset] [-f fstype] [-i imgtype] image [images] [dir_meta_addr]
-b size: Minimum size. Ignore files smaller than 'size'
-E: Perform category indexing only (no extension checks - was '-i')
-e: Perform extension checks only (no category index files)
-h: HTML Format
-l: List index to STDOUT (no files are ever written)
-md5: Print the MD5 value with the index output
-s: Save files to category directories
-sha1: Print the SHA-1 value with the index output
-U: Ignore the unknown category - only save categories in config files
-v: verbose debugging output
-V: print version information
-a hash_alert: hash database of hashes to alert on
-c config: specify a config file to use (in addition to default files). NOTE: This config file has priority over default files
-C config: specify the ONLY config file to use
-d dir: Save category index files in the specified directory
-f fstype: file system type (Sleuth Kit types) of image
-i imgtype: Format of image file
-o imgoffset: Offset of file system in image (in sectors)
-m mnt: The mounting point of the image
-n nsrl_db: The NIST NSRL database file (NSRLFile.txt) (hashes to ignore)
-x hash_exclude: hash database of hashes to ignore
dir_meta_addr: Address of directory to start analyzing from
image: image to analyze
    cyborg@cyborg:~$ sudo sorter -f ntfs -d /home/cyborg/DIR1 image.dd
    Analyzing "image.dd"
    Loading Allocated File Listing
    Processing 49 Allocated Files and Directories
    100%
    All files have been saved to: /home/cyborg/DIR1
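The category index, extension check and hash exclude/alert steps described at the top of this page, as an added Python example that is not sorter's own code. It assumes a small magic-byte table in place of the 'file' command and plain sets of MD5 digests in place of sorter's hash database files; RULES, SAMPLE and the function names are hypothetical.

```python
import hashlib

# Hypothetical rules standing in for sorter's configuration files:
# category -> (magic-byte prefixes, extensions expected for that type).
RULES = {
    "images": ((b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8"), {"jpg", "jpeg", "png", "gif"}),
    "exec": ((b"MZ", b"\x7fELF"), {"exe", "dll", "sys", "so", ""}),
    "archive": ((b"PK\x03\x04",), {"zip", "docx", "xlsx", "jar"}),
    "documents": ((b"%PDF-",), {"pdf"}),
}

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def categorize(data):
    """Return the category whose signature matches the content, else 'unknown'."""
    for category, (magics, _exts) in RULES.items():
        if data.startswith(magics):
            return category
    return "unknown"

def triage(files, exclude=frozenset(), alert=frozenset()):
    """files: name -> bytes; exclude/alert: sets of lowercase MD5 hex digests."""
    report = {"index": {}, "mismatch": [], "alert": [], "ignored": []}
    for name, data in sorted(files.items()):
        digest = md5_hex(data)
        if digest in alert:        # known bad (assumption: alert wins over exclude)
            report["alert"].append(name)
        elif digest in exclude:    # known good: left out of the index entirely
            report["ignored"].append(name)
            continue
        category = categorize(data)
        report["index"].setdefault(category, []).append(name)
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if category != "unknown" and ext not in RULES[category][1]:
            report["mismatch"].append((name, category))  # content disagrees with name
    return report

# Constructed sample "file system": header bytes only, not real files.
SAMPLE = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"MZ\x90\x00" + b"\x00" * 16,   # executable header, .txt name
    "report.pdf": b"%PDF-1.4\n",
    "calc.exe": b"MZ" + b"\x01" * 16,
    "readme": b"plain text\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE, exclude={md5_hex(SAMPLE["calc.exe"])}))
```

The mismatch list is the part an examiner reviews first: a file whose content says "executable" while its name says ".txt" is exactly the 'hidden' file the extension check is meant to surface.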