Re: [sleuthkit-users] Recovering unallocated using Autopsy
From: A Z <fbs...@er...> - 2003-11-09 20:49:30
Thank you sir. I shall attempt to run foremost after I'm done with
lazarus .. at least that way I would know which blocks not to search.

Shall let you know if it worked :)

- A Z

On Sun, 9 Nov 2003, Brian Carrier wrote:

> > Are you aware if Foremost would run on FreeBSD?
>
> I don't know. I haven't tried it. I know that there are a few Linux
> specific commands, but haven't done much at getting around those. I
> have been meaning to get it working on OS X.
>
> > Would foremost work on the unallocated extraction by unrm as well?
>
> Yes. 'foremost' just looks at data (like lazarus) and doesn't care
> about the file system type. So, it can analyze the entire file system
> or just the unallocated.
>
> > And what was the procedure to extract unallocated via autopsy?
>
> If you go to the 'keyword search' mode or the 'details' mode of the image,
> then there is an option to extract the unallocated space. This uses
> the 'dls' tool in The Sleuth Kit, which is basically the same tool as
> 'unrm' in TCT.
>
> brian
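
Added example, not part of the thread and not foremost's own code: a minimal header/footer carver in Python, illustrating the point in the quoted reply that this kind of tool only looks at raw data and needs no file system metadata. The sample buffer is constructed and stands in for the raw output of dls/unrm; the function names, the 512-byte block size and the JPEG signatures used are assumptions of this sketch.

```python
# Minimal header/footer carver over a raw byte stream (illustration only).
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"

def carve(data, header=JPEG_HEADER, footer=JPEG_FOOTER, max_len=10 * 1024 * 1024):
    """Return a list of (offset, bytes) for each header..footer run in data."""
    found = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        # Only accept a footer within max_len of the header, so a stray
        # header does not swallow everything up to a distant footer.
        end = data.find(footer, start + len(header), start + max_len)
        if end == -1:
            pos = start + 1  # header without footer: overwritten or false hit
            continue
        end += len(footer)
        found.append((start, data[start:end]))
        pos = end
    return found

def build_sample_dump():
    """Constructed sample: four 512-byte 'unallocated blocks', no FS metadata."""
    block = 512
    jpeg1 = JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER
    jpeg2 = JPEG_HEADER + b"\xe1" + b"B" * 40 + JPEG_FOOTER
    truncated = JPEG_HEADER + b"\xe0" + b"C" * 20  # tail already overwritten
    dump = bytearray(b"\x00" * (block * 4))
    dump[block:block + len(jpeg1)] = jpeg1                   # block-aligned
    dump[block * 2 + 7:block * 2 + 7 + len(jpeg2)] = jpeg2   # unaligned
    dump[block * 3:block * 3 + len(truncated)] = truncated
    return bytes(dump), jpeg1, jpeg2

if __name__ == "__main__":
    dump, _, _ = build_sample_dump()
    for offset, blob in carve(dump):
        print(f"carved {len(blob)} bytes at offset {offset}")
```

Because the carver never consults inodes or directory entries, the same call works on a whole image or on an unallocated-only extraction; offsets in the latter are relative to the extraction, not to the original image.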