Re: [sleuthkit-users] Basic methods for imaging OS X hard drive
From: Mr. D. J. H. <da...@ma...> - 2008-09-30 16:29:20
I made the change to TSK_USE_HFS and enabled HFS. I have recompiled and tried to add an image of the MacBook internal drive with Autopsy. Autopsy does not seem to recognize any partitions.

Details: I am working with SleuthKit 3.0.0.b3 and Autopsy 2.2.0b2. I imaged the suspect drive with dd to get a complete copy of the drive. Suspect computer: MacBook Pro 17 inch Intel 2.16 with 120 Gb hard drive.

RB, thanks for your help and patience. I am working against a deadline and would like to get a basic timeline of deleted files. How do I use the 'ils -f list' to verify that the HFS is enabled?

On Sep 30, 2008, at 9:41 AM, RB wrote:

> On Tue, Sep 30, 2008 at 08:26, Mr. David J. Hughes <da...@ma...> wrote:
>> I do not understand how to enable the HFS support. Can anyone give a little
>> more detail? I tried the command you listed but got an error:
>>
>> sed: 1: "tsk3/fs/tsk_fs_i.h": undefined label 'sk3/fs/tsk_fs_i.h
>
> Not sure if you copied/pasted correctly, I tried the precise command I
> posted against a virgin sleuthkit-3.0.0b3 tree and it worked fine.
> The following should be a single line:
>
> sed -i 's/define TSK_USE_HFS 0/define TSK_USE_HFS 1/' tsk3/fs/tsk_fs_i.h
>
> You could also do it the 'hard' way: open up tsk3/fs/tsk_fs_i.h in an
> editor of your choice, go to line 57, and change the 0 to a 1. Either
> way, if you do it properly calling 'ils -f list' should show something
> like:
>
> Supported file system types:
>         ntfs (NTFS)
>         fat (FAT (Auto Detection))
>         ext (ExtX (Auto Detection))
>         iso9660 (ISO9660 CD)
>         hfs (HFS+)
>         ufs (UFS (Auto Detection))
>         raw (Raw Data)
>         swap (Swap Space)
>         fat12 (FAT12)
>         fat16 (FAT16)
>         fat32 (FAT32)
>         ext2 (Ext2)
>         ext3 (Ext3)
>         ufs1 (UFS1)
>         ufs2 (UFS2)
>
> You will have also entered the unofficially-supported realm; nothing
> you do with HFS+ will be guaranteed to work or be right, but as long
> as you're working on copies of the original data and can back up your
> findings with a tool that officially supports HFS+, you should be
> okay.
>
>
> RB
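
Added example (not part of the original thread): a way to flip the flag without `sed -i`, whose argument syntax differs between GNU sed and the BSD sed shipped with Mac OS X; the "undefined label" error quoted above is what BSD sed prints when `-i` is given no backup-suffix argument. The function name `enable_hfs` is an assumption made for illustration.

```shell
#!/bin/sh
# enable_hfs HEADER
# Change "define TSK_USE_HFS 0" to "define TSK_USE_HFS 1" in HEADER
# (tsk3/fs/tsk_fs_i.h in the thread) using only options that GNU and
# BSD sed share. The untouched file is kept as HEADER.orig.
# Returns 0 when the flag is enabled afterwards, non-zero otherwise.
enable_hfs() {
    hdr=$1
    [ -f "$hdr" ] || { echo "no such file: $hdr" >&2; return 2; }

    # Already enabled: leave the file alone so the call is idempotent.
    if grep -q 'define TSK_USE_HFS 1' "$hdr"; then
        return 0
    fi

    # Refuse to touch a header that lacks the define named in the thread.
    if ! grep -q 'define TSK_USE_HFS 0' "$hdr"; then
        echo "TSK_USE_HFS define not found in $hdr" >&2
        return 3
    fi

    tmp=$(mktemp "${hdr}.XXXXXX") || return 4

    # Write the edited copy to a temp file and confirm the substitution
    # took effect before the real header is modified.
    if sed 's/define TSK_USE_HFS 0/define TSK_USE_HFS 1/' "$hdr" > "$tmp" \
        && grep -q 'define TSK_USE_HFS 1' "$tmp"; then
        # cat into the original so its permissions are preserved.
        cp "$hdr" "${hdr}.orig" && cat "$tmp" > "$hdr" && rm -f "$tmp"
    else
        rm -f "$tmp"
        return 5
    fi
}

# From the top of the source tree:
#   enable_hfs tsk3/fs/tsk_fs_i.h
# then rebuild; 'ils -f list' should then include the hfs line.
```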