We use the following methodology to accomplish our objective:
- Identify if the evidence container is a raw image or an E01 container.
- Access the image using pytsk3.
- Recurse through all directories in each partition.
- Send each file to be hashed using the appropriate hashing algorithm.
- Check if the hash matches one of those provided and if so, print to the console.