Sorter is a program that takes an image file as input and categorizes each file in it (allocated and deleted), optionally saving them to your hard drive for examination. This process is achieved by performing the following steps:
- Runs file command on all files, deleted and undeleted
- Sorts based on file type, looks for mismatched extensions
- Can utilize hash databases for known good or known bad files
This is very powerful because an analyst can combine this program with a list of Known Good or Known Bad files and quickly determine what needs to be examined further. Also, by optionally saving files to disk, you can quickly review thumbnails or use other tools to examine files.
Sorter is part of The Sleuth Kit.
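
The three steps listed above can be sketched in a few lines of Python. This is an added illustration, not Sorter's own code: a small magic-byte table stands in for the file command, and the category names, the choice of SHA-1, and the sample files are all constructed for the example.

```python
import hashlib
import os

# Constructed signature table: (magic bytes, category, extensions expected for it).
SIGNATURES = [
    (b"\xff\xd8\xff", "images", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "images", {".png"}),
    (b"%PDF-", "documents", {".pdf"}),
    (b"MZ", "exec", {".exe", ".dll", ".sys"}),
    (b"PK\x03\x04", "archive", {".zip", ".docx", ".xlsx", ".jar"}),
]

def identify(data):
    """Return (category, expected extensions) from the leading magic bytes."""
    for magic, category, exts in SIGNATURES:
        if data.startswith(magic):
            return category, exts
    return "unknown", set()

def sort_files(files, known_good=frozenset(), known_bad=frozenset()):
    """files: iterable of (name, allocated, data). Returns a report dict."""
    report = {"categories": {}, "mismatch": [], "alert": [], "excluded": []}
    for name, allocated, data in files:
        digest = hashlib.sha1(data).hexdigest()
        if digest in known_bad:        # known bad: flag, then keep categorizing
            report["alert"].append(name)
        elif digest in known_good:     # known good: no further review needed
            report["excluded"].append(name)
            continue
        category, exts = identify(data)
        label = name if allocated else name + " (deleted)"
        report["categories"].setdefault(category, []).append(label)
        ext = os.path.splitext(name)[1].lower()
        if exts and ext not in exts:   # content type disagrees with extension
            report["mismatch"].append(name)
    return report

# Constructed sample input: (file name, allocated?, content bytes).
SAMPLE = [
    ("holiday.jpg", True, b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("notes.txt", False, b"MZ\x90\x00" + b"\x00" * 16),   # deleted, renamed executable
    ("kernel32.dll", True, b"MZ constructed known-good system file"),
    ("report.pdf", True, b"%PDF-1.4 constructed known-bad document"),
]
KNOWN_GOOD = {hashlib.sha1(SAMPLE[2][2]).hexdigest()}
KNOWN_BAD = {hashlib.sha1(SAMPLE[3][2]).hexdigest()}

if __name__ == "__main__":
    print(sort_files(SAMPLE, KNOWN_GOOD, KNOWN_BAD))
```

The known-good file drops out of the report entirely, which is what shrinks the set an analyst still has to examine, while the deleted `notes.txt` surfaces in both the `exec` category and the mismatch list.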
