Re: [sleuthkit-users] Basic methods for imaging OS X hard drive

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Tue, Sep 30, 2008 at 08:26, Mr. David J. Hughes <da...@ma...> wrote:
> I do not understand how to enable the HFS support. Can anyone give a little
> more detail. I tried the command you listed but got an error:
>
> sed: 1: "tsk3/fs/tsk_fs_i.h": undefined label 'sk3/fs/tsk_fs_i.h

Not sure if you copied/pasted correctly, I tried the precise command I
posted against a virgin sleuthkit-3.0.0b3 tree and it worked fine.
The following should be a single line:

sed -i 's/define TSK_USE_HFS 0/define TSK_USE_HFS 1/' tsk3/fs/tsk_fs_i.h

You could also do it the 'hard' way: open up tsk3/fs/tsk_fs_i.h in an
editor of your choice, go to line 57, and change the 0 to a 1.  Either
way, if you do it properly calling 'ils -f list' should show something
like:

Supported file system types:
        ntfs (NTFS)
        fat (FAT (Auto Detection))
        ext (ExtX (Auto Detection))
        iso9660 (ISO9660 CD)
        hfs (HFS+)
        ufs (UFS (Auto Detection))
        raw (Raw Data)
        swap (Swap Space)
        fat12 (FAT12)
        fat16 (FAT16)
        fat32 (FAT32)
        ext2 (Ext2)
        ext3 (Ext3)
        ufs1 (UFS1)
        ufs2 (UFS2)

You will have also entered the unofficially-supported realm; nothing
you do with HFS+ will be guaranteed to work or be right, but as long
as you're working on copies of the original data and can back up your
findings with a tool that officially supports HFS+, you should be
okay.

RB