[sleuthkit-users] Working with a Mac OS X HFS volume
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Working with a Mac OS X HFS volume
|
From: Mr. D. J. H. <da...@ma...> - 2008-09-29 23:50:43
|
I am trying to get a simple time line of files deleted on a Mac OS X 10.4 volume formatted as a HFS+ partition. It is my understanding that TSK does not understand HFS+ by default. Is there a simple set of step by step instructions on how to get it to understand HFS+. I have tried this: sed -i 's/define TSK_USE_HFS 0/define TSK_USE_HFS 1/'tsk3/fs/tsk_fs_i.h and get the result: sed: 1: "tsk3/fs/tsk_fs_i.h": undefined label 'sk3/ fs/tsk_fs_i.h Is there something I need to do before this command? Is the command correct? Do I need to do something after the command (recompile)? I know that these tools require a good understanding of UNIX commands but I just want to use Autopsy to generate a timeline for deleted files. Does anyone know af a step by step set of instructions for this process? |
