Re: [sleuthkit-users] recovering large files using Autopsy
From: Brian C. <ca...@sl...> - 2003-04-30 02:46:54
Terry,

Matt's reply gives a good summary about why FAT file recovery is difficult. You may observe that other tools can recover the file though. They guess what clusters the file was using on the disk, even if they were not consecutive. Autopsy and The Sleuth Kit do not do any of the guessing. It has been on the TODO list for quite a while, but one of those things that has not been written yet. For small files, it is easy to do by hand (refer to some of the recent Honeynet Scan of the Months for examples). But, for large files it is not easy. Autopsy only knows the starting cluster of the file, the size of the file, and what clusters are allocated. So, it gave you the contents of the first cluster (8k).

brian

Terry Fernandez <Ter...@mc...> said:
> In the File Analysis component of Autopsy (v1.70), I can see the
> deleted file and the size with the metadata information. When I try to
> export it only 8KB is exported, while the file size shown is around
> 185MB. I am sure I am missing a step somewhere. Can you assist?
> The image is a FAT32 partition and the file in question is a pst file.
>
> Terry Fernandez
> Tel: 312.260.3223
> Vnet: 894.3223
>
> --
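The cluster guessing described in the reply above, as an added example that is not part of the original message and is not code from Autopsy or The Sleuth Kit. It assumes one simple heuristic (take the next unallocated clusters after the starting cluster); the function names, the 8-byte cluster size and the sample FAT and data area are all constructed for illustration.

```python
import math

FREE = 0           # FAT entry of an unallocated cluster
EOC = 0x0FFFFFFF   # FAT32 end-of-chain marker (cluster in use)
CLUSTER_SIZE = 8   # constructed: tiny clusters keep the sample readable

# Constructed FAT: entries 0 and 1 are reserved, data clusters start at 2.
# Clusters 2 and 4 belong to live files; deletion zeroed entries 3, 5 and 6.
FAT = [0x0FFFFFF8, EOC, EOC, FREE, EOC, FREE, FREE, FREE]
# Constructed data area, one 8-byte cluster per element (clusters 2..7).
DATA = b"".join([b"AAAAAAAA", b"DELETED-", b"BBBBBBBB",
                 b"FILE-CON", b"TENTS!\x00\x00", bytes(8)])
# All that survives in the deleted directory entry: first cluster and size.
START, SIZE = 3, 22


def guess_clusters(start, size, cluster_size, fat):
    """Guess the clusters of a deleted file from the three known facts:
    starting cluster, file size, and which clusters are allocated."""
    if fat[start] != FREE:
        raise ValueError("starting cluster has been reallocated")
    needed = math.ceil(size / cluster_size)
    picked = []
    for cluster in range(start, len(fat)):
        if fat[cluster] == FREE:      # skip clusters owned by live files
            picked.append(cluster)
            if len(picked) == needed:
                return picked
    raise ValueError("not enough unallocated clusters after the start")


def read_clusters(data, clusters, cluster_size, size):
    """Concatenate the given clusters and trim to the recorded file size."""
    chunks = (data[(c - 2) * cluster_size:(c - 1) * cluster_size]
              for c in clusters)
    return b"".join(chunks)[:size]


if __name__ == "__main__":
    # Without guessing, only the starting cluster can be exported.
    print(read_clusters(DATA, [START], CLUSTER_SIZE, SIZE))
    # With guessing, the allocated cluster 4 is skipped.
    guess = guess_clusters(START, SIZE, CLUSTER_SIZE, FAT)
    print(guess, read_clusters(DATA, guess, CLUSTER_SIZE, SIZE))
```

The guess is only as good as the allocation state at acquisition time: if cluster 4 had also been freed after the deletion, the same walk would select clusters 3, 4 and 5 and splice another file's data into the output, so recovered content should be validated against the file format before it is relied on.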