Re: [sleuthkit-users] Basic methods for imaging OS X hard drive
From: RB <ao...@gm...> - 2008-09-30 18:31:03
On Tue, Sep 30, 2008 at 10:29, Mr. David J. Hughes <da...@ma...> wrote:
> I made the change to TSK_USE_HFS and enabled HFS. I have recompiled and
> tried to add an image of the MacBook internal drive with Autopsy. Autopsy
> does not seem to recognize any partitions.

Autopsy is hard-coded to the filesystem types normally supported by
sleuthkit; as such, it won't support experimental filesystems. You'll have
to use the underlying binaries to perform your analysis.

> RB, thanks for your help and patience. I am working against a deadline and
> would like to get a basic timeline of deleted files. How do I use the 'ils
> -f list' to verify that the HFS is enabled?

If you had looked at the output of my 'ils -f list' command, you would have
seen 'hfs (HFS+)' right between 'iso9660' and 'ufs'. Slow down and look for
the same in yours; if you overlooked it, chances are you're going to overlook
something in your analysis as well.

Unfortunately, I don't have a native HFS+ volume to test against, and the
images I create with diskdev_cmds-332.14 under Linux either fail to show
anything in the image (x86_64) or segfault (x86). This may or may not be
indicative of the overall HFS+ support in Sleuthkit - carrier has it disabled
for a reason, be that insufficient testing or bugs.

Sleuthkit has a good doc (docs/ref_timeline.txt) on generating timelines and
analyzing them - try following it with your image. Then again, if time is of
such essence and you're neither familiar with Sleuthkit nor prepared to deal
with the ramifications of potentially buggy software (alpha support for a
filesystem), a commercial tool may be of greater utility for you.

RB
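The two things the reply asks the poster to do, as an added example that is not code from the thread or from The Sleuth Kit itself: check that 'ils -f list' really advertises 'hfs (HFS+)' before going any further, and then build the timeline with the underlying binaries (mmls to find the partition offset, fls/ils to write a body file, mactime to sort it) in the manner docs/ref_timeline.txt describes, since Autopsy will not see the experimental filesystem. The TSK 3.x-era flags, the image name, the partition description and the sample 'ils -f list' and mmls output embedded below are assumptions and constructed data, not output from the poster's MacBook image.

```shell
#!/bin/sh
# Added example, not from the original thread or from The Sleuth Kit.
# Assumptions: TSK 3.x-style flags; sample tool output below is constructed.

# Return 0 (true) when 'ils -f list' output advertises HFS+.
tsk_lists_hfs() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*hfs[[:space:]]'
}

# Print the starting sector of the first real partition in mmls output
# (skipping Meta and ----- slots) whose description matches the regex in $2.
mmls_start_sector() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        $1 ~ /^[0-9]+:$/ && $2 !~ /^(Meta|-----)$/ && $0 ~ pat { print $3 + 0; exit }'
}

# Build a mactime timeline for the HFS+ volume at sector offset $2 of image $1,
# presented under mount point $3, writing comma-separated output to $4.
# fls -r -m lists allocated and deleted names; ils -m adds unallocated inodes
# whose names are gone; mactime -b sorts the combined body file.
tsk_hfs_timeline() {
    image=$1; offset=$2; mnt=$3; out=$4
    body=$(mktemp) || return 1
    fls -r -m "$mnt" -f hfs -o "$offset" "$image" > "$body" || { rm -f "$body"; return 1; }
    ils -m -f hfs -o "$offset" "$image" >> "$body" || { rm -f "$body"; return 1; }
    mactime -b "$body" -d > "$out"
    rc=$?
    rm -f "$body"
    return $rc
}

# Constructed sample: what a build with HFS enabled prints for 'ils -f list'.
SAMPLE_ILS_LIST='Supported file system types:
    ntfs (NTFS)
    fat (FAT (Auto Detection))
    ext (Ext2/Ext3)
    iso9660 (ISO9660 CD)
    hfs (HFS+)
    ufs (UFS (Auto Detection))
    raw (Raw Data)
    swap (Swap Space)'

# Constructed sample mmls output for a GPT-partitioned Mac drive.
SAMPLE_MMLS='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----   0000000000   0000000039   0000000040   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000033   0000000032   Partition Table
04:  00      0000000040   0000409639   0000409600   EFI System Partition
05:  01      0000409640   0312319527   0311909888   Customer'

# Usage (illustrative; image name and partition description are assumptions):
#   sh tsk_hfs_timeline.sh --run
# Refuses to proceed unless this TSK build lists HFS+, then times the volume.
if [ "${1:-}" = "--run" ]; then
    tsk_lists_hfs "$(ils -f list 2>&1)" || { echo 'HFS+ not enabled in this TSK build' >&2; exit 1; }
    off=$(mmls_start_sector "$(mmls macbook.dd)" 'Customer')
    [ -n "$off" ] || { echo 'no matching partition in mmls output' >&2; exit 1; }
    tsk_hfs_timeline macbook.dd "$off" / timeline.csv && echo "timeline written to timeline.csv"
fi
```

The hfs check is a plain grep on the tool's own listing rather than trusting that the rebuild took effect; the partition lookup ignores the Meta and unallocated rows that mmls prints so that a loose description regex cannot land on the GPT header. Whether fls and ils return anything useful on an HFS+ image is exactly the open question in the thread, so the timeline function fails on the first non-zero exit instead of quietly producing an empty body file.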