Re: [sleuthkit-users] Overwritten parition and filesystem and some Autopsy trouble
From: <spa...@gi...> - 2004-07-07 20:18:35
Oh dear. Unfortunately I can't use any application level techniques as the file in question is a raw 2GB MPEG TransportStream which does not carry any header or so :( The disk was built into a digital set-top box and the file is an important evidence in a case... Seems I am out of luck today... Any other idea? Hmm, after thinking about it

On the other problem: I copied the URL properly but it didn't work. Neither with IE6 nor Firefox 0.91. Anyway I finally got it working with the -C option.

Ciao,
Christof

----- Original Message -----
From: "Brian Carrier" <ca...@sl...>
To: "Christof Baumgärtner" <spa...@gi...>
Cc: <sle...@li...>
Sent: Wednesday, July 07, 2004 6:57 PM
Subject: Re: [sleuthkit-users] Overwritten parition and filesystem and some Autopsy trouble

On Jul 6, 2004, at 6:06 PM, Christof Baumgärtner wrote:

> Hello,
> I have a harddisk which has two partitions on it (one of type 0x41, one
> of type 0x83 which is Linux ext2). By accident I started a script which
> recreated the two partitions, recreated the two filesystems and
> recreated the directory structure the same way as it was before. So I
> can still mount the ext2 partition and have access to all my previous
> directories. But now they are empty :(
> I tried to search for the inodes of the missing files without success.
> How do I actually have to proceed?

If the file system data is gone (which probably occurred when you recreated the file systems), then your only bet is to use the "application-level" techniques for recovery and use a tool like foremost or another tool that looks at file headers.

> My second question concerns autopsy. I start autopsy with "./autopsy
> 9999 192.168.1.109" (192.168.1.109 is the IP address of another
> machine). I enter the long URL into a browser on the other machine but
> get HTTP 403 denied. Am I missing something?

<later>

> Anyway: I just receive "document contains no data" with this
> modification :(

If using '-C' helped, then you were probably copying the cookie value incorrectly. Are you using IE as a client? I have had bad luck with IE giving the document contains no data errors and use Mozilla. I thought I fixed most of the problems a long time ago though. I have also seen those errors from running autopsy from within some versions of Cygwin.

Check the autopsy log in the evidence locker for more information on why the original connection was being denied.

brian
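Added example, not part of the original thread or of The Sleuth Kit: an MPEG transport stream has no file header, but each of its packets begins with the sync byte 0x47, so the stream can still be located in a raw image by looking for that byte repeating at the packet stride. The function names, the 32-packet threshold and the sample image are constructed for illustration, and the standard 188-byte packet size is assumed.

```python
"""Carve MPEG transport stream data from a raw image by its packet sync pattern."""

SYNC = 0x47      # every MPEG-TS packet starts with this byte
PACKET = 188     # assumed standard packet size; some recorders use 192 or 204


def find_ts_runs(data, min_packets=32, packet=PACKET):
    """Return [(offset, packet_count)] for runs of back-to-back TS packets.

    `data` is any bytes-like object, including an mmap of a disk image.
    A lone 0x47 byte is common in arbitrary data, so a run is reported only
    when the sync byte repeats at the packet stride `min_packets` times.
    """
    runs = []
    pos, end = 0, len(data)
    while True:
        pos = data.find(b"\x47", pos)
        if pos < 0:
            break
        count, cur = 0, pos
        # Count only whole packets so a truncated tail is not included.
        while cur + packet <= end and data[cur] == SYNC:
            count += 1
            cur += packet
        if count >= min_packets:
            runs.append((pos, count))
            pos = cur            # continue after the carved run
        else:
            pos += 1             # false positive, keep scanning
    return runs


def build_sample():
    """Constructed test image: noise with stray 0x47 bytes, 40 packets, padding."""
    noise = b"\x47junk" * 100    # 500 bytes, sync byte never at a 188 stride
    packets = b"".join(
        bytes([SYNC, 0x01, 0x00, 0x10 | (k & 0x0F)]) + bytes([k]) * 184
        for k in range(40)
    )
    return noise + packets + b"\xff" * 300


if __name__ == "__main__":
    image = build_sample()
    for offset, count in find_ts_runs(image):
        print(f"TS run at byte {offset}: {count} packets, {count * PACKET} bytes")
```

If the file's blocks were not stored contiguously, the stream shows up as several runs, because the position of the sync byte relative to the block boundary changes at each gap; each run is carved separately and ordered afterwards.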