[sleuthkit-users] Fw: dd file size limitations?
From: <Fra...@ps...> - 2004-07-22 20:53:23
Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
(210) 301-6433 or (210) 887-6985

----- Forwarded by Frank Kenisky/SAT/AO/USCOURTS on 07/22/2004 03:53 PM -----

sle...@sh...
07/22/2004 03:38 PM

To Fra...@ps...
cc
Subject Re: dd file size limitations?

Hi,

I think you meant to send this to sle...@li...

I've only done that to one mailing list so far this week - must be getting better ;-)

Regards,
Ben

On Thu, 22 Jul 2004 14:17:54 -0500, Fra...@ps... said:
> I'm sort of new to using autopsy so be gentle...
>
> My goal is to undelete one ftp log file to compare against IDS logs.
>
> I have an image that was created by a third party of a Windows 2000
> server. The sysadmin is not sure if it was an NTFS or FAT32 (that's not
> real important since Autopsy can help with determining that). The thing
> is that the server is on a RAID and the dd file had to be compressed
> (gzip'ed) and broken into about 9 separate 1 gig files.
>
> The problem is hardware resources.
>
> Currently I'm running Autopsy from cygwin on a Windows 2000 desktop.
> (Got it running! - thanks to Charles Lucas for the great directions).
> I've got cygwin on the root directory which currently only has less
> than 4 gig of hd space left. I've got a "D" partition of about 12 gig
> free space and I've just installed a 40 gig hd.
>
> Here's my question(s)...
>
> Once I've configured autopsy do I have to re-run 'make' every time I
> want to restart it or every time I have to restart windows? If not, how?
>
> The second question is regarding the "ADD a New Image"...
>
> The location of the image on the Windows 2000 workstation is:
>
> h:\folder1\folder2\folder3\file.dd
>
> The evidence folder is located according to the Lucas explanation
> (/usr/local/evidence/casename)
>
> How do I make Autopsy point to this file? When I add an image it
> doesn't find the file I point to when I put in something like the
> following:
>
> /cygdrive/h/folder1/folder2/folder3/file.dd
>
> Even when I re-ran 'make' for autopsy I gave it the
> /cygdrive/h/folder1/folder2/folder3 as the evidence locker and it
> apparently ignored it 'cause when I pointed to the /usr/local/evidence
> folder it found the file just fine.
>
> Any clues?
>
> Frank Kenisky IV, CISSP, CISA, CISM
> Information Technical Security Specialist
> (210) 301-6433 or (210) 887-6985