Re: [sleuthkit-users] Recovering unallocated using Autopsy
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Recovering unallocated using Autopsy
|
From: Brian C. <ca...@sl...> - 2003-11-09 20:44:44
|
> Are you aware if Foremost would run on FreeBSD? I don't know. I haven't tried it. I know that there are a few Linux specific commands, but haven't done much at getting around those. I have been meaning to get it working on OS X. > Would foremost work on the unallocated extraction by unrm as well? Yes. 'foremost' just looks at data (like lazarus) and doesn't care about the file system type. So, it can analyze the entire file system or just the unallocated. > And what was the procedore to extract unallocated via autopsy? If you go the 'keyword search' mode or the 'details' mode of the image, then there is an option to extract the unallocated space. This uses the 'dls' tool in The Sleuth Kit, which is basically the same tool as 'unrm' in TCT. brian |
