[sleuthkit-users] dcat feature request
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] dcat feature request
|
From: nighty <nig...@gm...> - 2004-03-29 15:29:05
|
Hello, I just found something, but I'm not sure, whether it's a bug. I used Autopsy (I tested it on 1.75 and 2.0) and switched to Data Analysi= s=20 Mode in order to check some unit's content. Now it appears, that if I am=20 using a raw image (without filesystem) and want to view more than one uni= t,=20 Autopsy gives me a wrong unit content. I want to give you an example of w= hat=20 Autopsy does, using dcat: dcat -a -f raw /PATH_TO_IMAGE/foo.dd 4000 512 this gives me the ascii output of the 4000th 512 byte unit. Fine! Now, when telling Autopsy to show me 2 units, Autopsy gives me the same=20 output, as if I had done a dcat -a -f raw /PATH_TO_IMAGE/foo.dd 4000 2048 So he does not show me unit 4000-4003, but the 4000th 2048 byte unit. When using a image with a filesystem, there is no problem, only with raw=20 images this occurs. Therefor I suggest, that it would be fine, to give dcat the capability to= =20 show a range of units, similar to what dls does, and of course adjust Aut= opsy=20 to this. So I could perform a dcat -a -f raw /PATH_TO_IMAGE/foo.dd 4000-4003 512 Best regards, Harald Katzer PS.: It would also be a useful feature, when the user could remove images= ,=20 hosts and cases from Autopsy |
