Re: [sleuthkit-users] Autopsy beginner question
From: Brian C. <bca...@at...> - 2003-02-14 17:45:30
On Fri, Feb 14, 2003 at 09:17:19AM -0500, Eagle Investigative Services wrote:
> When I specified the Evidence Locker I specified it as the "base"
> directory that was in the Autopsy folder. Is this correct? I wasn't
> sure where to put it.

The Evidence Locker is where all of your case data will be saved. So, no it should not be the installation folder. It will work, but it is not recommended. You could use something like /usr/local/forensics/locker.

> Also, I have dual boot machine, Linux and Win2K. My plan is to work
> with TASK/Autopsy to examine the Win2K partition.
>
> For example, I will do something in Win2K then delete it, and then
> switch to Linux to find it. Is this going to be possible?

Yes. Make a case and host in Autopsy and make a symlink from /dev/hda1 (or whichever partition it is) to the 'images' directory.

    % ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images

Autopsy must be running as root so that it has read permissions on the device.

brian