I have to find information that can be located in files on a hard drive. Are there good tools to search for specific keywords (even in the hard disk free space area ;-), detect encrypted files, detect wrong filetype, etc.?
I currently use Windirstat to see all the filetypes and open each one manually. This process is very long and not reliable.
Can someone provide a better method?
Just running commands isn't really an option, I suggest you have a look at this website: http://www.lnx4n6.be/
It is a project of the Belgian Federal Computer Crime Unit. They have a linux live disk with digital forensics tools. In the presentations you can find tutorials on how to find things. Even on hidden space that is not reported by your hard disk (e.g. replace firmware of 1 TB hard disk to report as 750 GB hard disk).
Be aware it you need to check that every file is the file it pretends to be and every file's slackspace.
For keywords what you could do, provided the disk is not encrypted:
You then cat the usbkey, pipe it to strings and grep for the keywords in keywords.txt as so:
cat usbkey.dd | strings | egrep -i -f keywords.txt If you want to know the position on the key of the file:
cat usbkey.dd | strings -tx | egrep -i -f keywords.txt The -tx in strings will give you the hexadecimal offset.
I suggest you take a look at the forensics presentation on their website, because as I said there is a lot more to it.
