RE: [sleuthkit-users] RE: searching times was - Problem adding image
From: Eagle I. S. <in...@ea...> - 2003-03-10 04:12:50
Thanks Brian,

>> Also, if you choose the wrong file system type, you can just edit the
>> 'host.aut' file by hand and change the 'bsdi' field to 'ntfs'.

That's good to know. I'm up and running with Autopsy now. I have to re-read the docs, but when I ran a keyword search on the string " *.eml ", it was still searching after an hour and a half. Is this normal? I know that Encase uses a version of grep that takes all night to search its proprietary images. Is there a way to speed up the process in Autopsy? For example, if I was looking for a person's name that I know is contained in a deleted email, is there a way to quickly search for that, or do I need to sit it out?

Thanks again in advance for all the help.....

Niall.

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Brian Carrier
Sent: Sunday, March 09, 2003 9:51 PM
To: Eagle Investigative Services
Cc: sle...@li...
Subject: Re: [sleuthkit-users] RE: Problem adding image

On Sun, Mar 09, 2003 at 05:42:53PM -0500, Eagle Investigative Services wrote:
> It appears that Autopsy takes a looong time to load the image.
> 3 hours for my 20 Gig partition. Only to find that I had forgotten
> to select NTFS on the drop down and was greeted with "error - not
> an FFS system".

As sid alluded to, it took so long because it was calculating the MD5 value of the partition (although that is really long and slow!). Uncheck the 'Calculate MD5' if you need to go faster.

Also, if you choose the wrong file system type, you can just edit the 'host.aut' file by hand and change the 'bsdi' field to 'ntfs'.

> Some other newbie points:
>
> I found I could only create the symbolic link to dev/hda1 when I had
> navigated to the images directory within which I wished to create the
> symbolic link. Maybe this is something all experts
> of Unix know you should do, but I was logged in as root, so I assumed
> I had God-like powers to create links and directories at will. Not so, at
> least in my case.

Symbolic links can be tricky about where they point to. In general, it is best to provide full paths for the source and destination. For example:

ln -s /dev/hda1 /usr/local/forensics/locker/case1/host1/images/hda1

> When I did a dmesg on my drive, it came back with the following:
>
> hda1 hda2 <hda3 hda4 hda5>
>
> Can anyone explain what's between the angled brackets? Hidden
> partitions? I know there's only two partitions on the drive.

They are partitions. Use 'mount' to find out how many you are actually using.

> Also, is there an archive of these messages anywhere? Maybe some of my
> future questions have already been discussed and I'd like not to waste anyone's
> time.

There should be on the sourceforge site.

brian

_______________________________________________
sleuthkit-users mailing list
sle...@li...
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
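The script below is an added example written for this archive page; it is not code from the thread, from The Sleuth Kit or from Autopsy. It demonstrates the two practical points raised above: why Brian's advice to use full paths when linking a device into the images directory matters (a relative link target is resolved from the directory that holds the link, so a link created from another working directory dangles), and how a raw keyword search over image bytes reports where a string such as a sender address from a deleted message sits. All paths are a constructed temporary tree standing in for /dev/hda1 and the case directory; the search assumes GNU grep's -a/-b/-o options.

```shell
#!/bin/sh
# Added example, not code from the thread or from The Sleuth Kit/Autopsy.
# Everything below runs on a constructed temp tree; /dev/hda1 and the case
# directory are stand-ins, not real devices.

# 1. Symlink resolution. A relative link target is resolved relative to the
#    directory that holds the link, not to the directory you were in when
#    you typed `ln -s`. Creating it from the wrong cwd leaves a dangling link.
symlink_check() {
    work=$(mktemp -d)
    mkdir -p "$work/dev" "$work/case1/host1/images"
    printf 'constructed partition bytes\n' > "$work/dev/hda1"   # stand-in for /dev/hda1

    # Relative target, created from $work: it resolves to
    # $work/case1/host1/images/dev/hda1, which does not exist -> dangling.
    ( cd "$work" && ln -s dev/hda1 case1/host1/images/hda1-relative )

    # Absolute target: resolves the same way from any working directory.
    ln -s "$work/dev/hda1" "$work/case1/host1/images/hda1-absolute"

    relative=dangling; absolute=dangling
    [ -e "$work/case1/host1/images/hda1-relative" ] && relative=ok
    [ -e "$work/case1/host1/images/hda1-absolute" ] && absolute=ok
    rm -rf "$work"
    echo "relative=$relative absolute=$absolute"
}

# 2. Raw keyword search. With GNU grep, -a treats the image as text, -b
#    prints the byte offset of each match and -o prints only the matched
#    text, so each output line says where in the image the string was found.
#    LC_ALL=C keeps the offsets in bytes rather than characters.
keyword_search() {
    img=$(mktemp)
    # Constructed image: 64 bytes of filler, a fragment that looks like the
    # header of a deleted .eml, then more filler.
    {
        printf '%064d' 0
        printf 'From: alice@example.test\r\nSubject: hello\r\n'
        printf '%032d' 0
    } > "$img"
    LC_ALL=C grep -a -b -o 'alice@example.test' "$img"
    rm -f "$img"
}

# Stand-alone run:
symlink_check      # prints: relative=dangling absolute=ok
keyword_search     # prints: 70:alice@example.test
```

The byte offset printed by keyword_search (70 here: 64 bytes of filler plus the six bytes of "From: ") is the value an examiner would carry back into the image viewer to inspect the surrounding sector; on a real 20 GB partition the same single-pass grep is bounded by disk read speed, which is why a search for one string is much cheaper than indexing everything.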