Re: [sleuthkit-users] Recovering unallocated using Autopsy
From: A Z <fbs...@er...> - 2003-11-09 20:40:25
Thank you for your reply. I am using FreeBSD. Foremost seems to be for Linux. I am not quite sure how to extract unallocated space using autopsy.

At this very moment I am using tct's lazarus on my unrm.output. So far it hasn't hit an *.i.txt yet (or image file) in the last 10 hours. I am using a 180gb drive to do all this, and have left my 80gb drive alone since making the dd image for autopsy and unrm for tct, just in case I need to look at the 80gb again in the future.

Are you aware if Foremost would run on FreeBSD? Would foremost work on the unallocated extraction by unrm as well? And what was the procedure to extract unallocated via autopsy?

Thanks again!

- A Z

On Sun, 9 Nov 2003, Brian Carrier wrote:

>
> On Saturday, November 8, 2003, at 05:00 PM, A Z wrote:
>
> > On the File Analysis list, it says this directory cannot be expanded
> > into.
> > I can't seem to export anything either.
> > When I tried to use sorter via file type on the entire drive image, it
> > skips all unallocated:
>
> I'm assuming that you are using a UFS or EXT?FS file system. Most file
> systems now clear out the values in the data structures when a file is
> deleted and therefore you cannot see the directory contents and sorter
> cannot examine the deleted files.
>
> > My question is what is the best method to recover all the files that had
> > existed under the CF-dl's directory ( about 4gb worth of JPGs )
>
> Your best bet would be to try 'foremost', foremost.sourceforge.net.
> Normally, you would be able to restrict the amount of disk space that
> you would have to search because you could just look at one block
> group, but because you have 4GB, that is likely bigger than just one
> block group and the images are all over the disk. So, I would extract
> the unallocated space (which can be done in Autopsy) and then run
> foremost on the resulting file (which will be in the 'output' folder in
> the evidence locker and have an extension of '.dls').
>
> brian
>
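What the carving step recommended in the quoted reply does to an extracted unallocated-space file, as an added Python example (not part of the original thread and not foremost's code): it finds JPEG headers, then walks the segment structure to the end-of-image marker so that an embedded EXIF thumbnail does not truncate the result. The function names and the sample bytes are constructed for illustration; like any header/footer carver it only recovers files whose blocks are stored contiguously.

```python
import struct

SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"

def jpeg_end(data, start):
    """Walk JPEG segments from `start`; return the offset just past EOI, or None."""
    pos = start + 2                      # skip the 2-byte SOI marker
    # Header segments: 0xFF, marker byte, 2-byte big-endian length (counts itself).
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                  # not a marker: corrupt or fragmented file
        marker = data[pos + 1]
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seglen < 2:
            return None
        pos += 2 + seglen                # jumps over APPn data, e.g. EXIF thumbnails
        if marker == 0xDA:               # SOS: entropy-coded scan data follows
            break
    else:
        return None
    # Inside scan data a literal 0xFF is stuffed as FF 00, so FF D9 is a real EOI.
    end = data.find(EOI, pos)
    return None if end == -1 else end + 2

def carve_jpegs(data, max_size=20 * 1024 * 1024):
    """Return (start, end) offsets of every structurally complete JPEG in data."""
    found, pos = [], 0
    while True:
        start = data.find(SOI, pos)
        if start == -1:
            return found
        end = jpeg_end(data, start)
        if end is not None and end - start <= max_size:
            found.append((start, end))
            pos = end
        else:
            pos = start + 1              # false hit or fragment: keep scanning

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: one JPEG with an embedded thumbnail, then a broken fragment.
_THUMB = b"\xff\xd8\xff\xdb" + b"T" * 8 + EOI
_GOOD = (b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00" + _THUMB)
         + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34" + EOI)
SAMPLE = b"\x00" * 512 + _GOOD + b"\x00" * 100 + b"\xff\xd8\xff\xe0\x00\x04ABjunk" + b"\x00" * 100

if __name__ == "__main__":
    for s, e in carve_jpegs(SAMPLE):
        print(f"JPEG at offset {s}, {e - s} bytes")
```

The functions only use `find`, indexing and slicing, so an `mmap.mmap` of a multi-gigabyte extraction file can be passed in place of a `bytes` object.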