Re: [sleuthkit-users] RE: Problem adding image
From: Brian C. <bca...@at...> - 2003-03-10 02:51:52
On Sun, Mar 09, 2003 at 05:42:53PM -0500, Eagle Investigative Services wrote:
> It appears that Autopsy takes a looong time to load the image.
> 3 hours for my 20 Gig partition. Only to find that I had forgotten
> to select NTFS on the drop down and was greeted with "error - not
> an FFS system".

As sid alluded to, it took so long because it was calculating the MD5
value of the partition (although that is really long and slow!). Uncheck
the 'Calculate MD5' if you need to go faster. Also, if you choose the
wrong file system type, you can just edit the 'host.aut' file by hand and
change the 'bsdi' field to 'ntfs'.

>
> Some other newbie points:
>
> I found I could only create the symbolic link to dev/hda1 when I had
> navigated to the images directory within which I wished to create the
> symbolic link. Maybe this is something all experts
> of Unix know you should do, but I was logged in as root, so I assumed
> I had God-like powers to create links and directories at will. Not so,
> at least in my case.

Symbolic links can be tricky about where they point to. In general, it
is best to provide full paths for the source and destination. For
example:

    ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images/hda1

>
> When I did a dmesg on my drive, it came back with the following:
>
> hda1 hda2 <hda3 hda4 hda5>
>
> Can anyone explain what's between the angled brackets? Hidden
> partitions? I know there's only two partitions on the drive.

They are partitions. Use 'mount' to find out how many you are actually
using.

> Also, is there an archive of these messages anywhere? Maybe some of my
> future questions have already been discussed and I'd like not to waste
> anyone's time.

There should be on the sourceforge site.

brian
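
The symbolic link behaviour discussed in the message above, as an added example that is not part of the original thread: a relative link target is resolved from the directory holding the link, not from the directory where `ln` was run, so it can dangle, while a full path resolves from anywhere. The temporary directory layout and the `link_status` and `demo_symlinks` helpers are constructed for illustration; a plain file stands in for /dev/hda1.

```shell
#!/bin/sh
# Added illustration: constructed paths under a temp directory stand in
# for /dev/hda1 and the case "images" directory named in the message.

# link_status LINK: print "ok" if the link resolves to something that
# exists, "dangling" otherwise ([ -e ] follows symbolic links).
link_status() {
    if [ -e "$1" ]; then echo ok; else echo dangling; fi
}

demo_symlinks() {
    work=$(mktemp -d) || return 1
    images="$work/locker/case1/host1/images"
    mkdir -p "$work/dev" "$images"
    echo "fake partition" > "$work/dev/hda1"   # stand-in for the device node

    # Relative target, run from $work: ln stores the string "dev/hda1"
    # verbatim. It is later resolved relative to the directory that holds
    # the link (images/), where no dev/hda1 exists, so the link dangles.
    ( cd "$work" && ln -s dev/hda1 "$images/hda1_rel" )

    # Full path for both source and destination: resolves from anywhere.
    ln -s "$work/dev/hda1" "$images/hda1_abs"

    echo "rel=$(link_status "$images/hda1_rel") abs=$(link_status "$images/hda1_abs")"
    echo "rel_target=$(readlink "$images/hda1_rel")"
    rm -rf "$work"
}

demo_symlinks
```

Running a check like `link_status` on the link before adding the image confirms the tool will be able to open it.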