Re: [sleuthkit-users] Fw: dd file size limitations?
From: <Fra...@ps...> - 2004-07-23 15:56:14

Ok, I got Autopsy to see the file on the other drive. Here's another one of my dumb questions... The image I have is of a Windows 2000 server which is on a RAID configuration. I think the drive is about 139 gig. I'm not sure how large the image would be... As most security forensics people who are jacks of all trades, I've been asked to try and undelete a log file that might be within the image. But I only have a 40 gig HD. I've tried to uncompress the files sent to me and it got to 32 gig and stopped due to the limit of the drive.

Can I use the portion of the image that I was able to uncompress and use it in Autopsy? I have added it as an image, and received the following...

Linking /cygdrive/h/scd/scd/scd0004.tst to /cygdrive/h/scd/SCD0001/scd0001/images/scd0004.tst
Calculating MD5 of images/scd0004.tst (this could take a while)
+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+----+
Current MD5: 1EE487013EFE27AFFA3CC964DA4CEA56

The problem is that I don't get the cute "OK" button. And when I open another browser with Autopsy it doesn't show the image. Apparently it created the MD5 hash... I think I did open a partial image once and got the "OK" button. Do I need to wait for that button? If so, how long? And the browser (FoxFire) at the bottom left corner says "done".

Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
(210) 301-6433 or (210) 887-6985


Brian Carrier <ca...@sl...>
Sent by: sle...@li...
07/22/2004 11:29 PM

To: Frank_K...@ps...
cc: sle...@li...
Subject: Re: [sleuthkit-users] Fw: dd file size limitations?

On Jul 22, 2004, at 3:53 PM, Frank_K...@ps... wrote:

> > The thing is that the server is on a RAID and the dd file had to be compressed
> > (gzip'ed) and broken into about 9 separate 1 gig files.
> >
> > The problem is hardware resources.
> >
> > Currently I'm running Autopsy from cygwin on a Windows 2000 desktop.
> > (Got it running! - thanks to Charles Lucas for the great directions).
> > I've got cygwin on the root directory which currently only has less than 4
> > gig of HD space left. I've got a "D" partition of about 12 gig free space and
> > I've just installed a 40 gig HD.
> >
> > Here's my question(s)...
> >
> > Once I've configured Autopsy, do I have to re-run 'make' every time I want
> > to restart it or every time I have to restart Windows? If not, how?

Nope. 'make' compiles the program and configures it. All you have to do to run autopsy is to run the 'autopsy' command.

> > The second question is regarding the "ADD a New Image"...
> >
> > The location of the image on the Windows 2000 workstation is:
> >
> > h:\folder1\folder2\folder3\file.dd
> >
> > The evidence folder is located according to the Lucas explanation
> > (/usr/local/evidence/casename
> >
> > How do I make Autopsy point to this file? When I add an image it doesn't
> > find the file I point to when I put in something like the following:
> >
> > /cygdrive/h/folder1/folder2/folder3/file.dd

Is it saying that it can't find the file or that it isn't a valid partition? Did you merge the 1GB slices back into one big file? Autopsy / TSK do not currently support slices. They support only a full image. Is the image of the entire disk or of each partition? Autopsy / TSK currently only support partitions. Can you see the image file by typing 'ls /cygwin/h/folder1/....'?

brian

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
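The two points Brian raises above, as an added example that is not part of the thread and not code from The Sleuth Kit or Autopsy: the gzip'ed 1 GB slices have to be merged back into one image before Autopsy sees it, and the image handed to Autopsy has to be a partition image rather than a whole disk. The script below is a POSIX shell version of that workflow; it assumes GNU coreutils (`split`, `md5sum`, `head -c`) and `gzip`, and that the slice names sort in the correct order (`image.dd.gz.aa`, `image.dd.gz.ab`, ...). The sample "image" is constructed in a temporary directory; the function names and the partition offsets are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): reassemble a dd image that was gzip'ed and
# split into slices, decompress it in one pass, verify the result against an
# expected MD5, and carve one partition out of a whole-disk image.
set -eu

# reassemble_image SLICE_GLOB OUTPUT
# Concatenate the slices in lexical order and decompress the stream in a single
# pass, so only the compressed slices plus the final image need disk space; no
# intermediate merged .gz is ever written.
reassemble_image() {
    _glob="$1"
    _out="$2"
    set -- $_glob          # expand the glob into ordered positional parameters
    [ -f "$1" ] || { echo "no slices match: $_glob" >&2; return 1; }
    cat "$@" | gzip -dc > "$_out"
}

# image_md5 FILE: print the MD5 as lowercase hex.
image_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image FILE EXPECTED_MD5: succeed only if the hashes match. The
# comparison is case-insensitive because Autopsy printed the hash in upper case.
verify_image() {
    _actual=$(image_md5 "$1")
    _expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$_actual" = "$_expected" ]
}

# extract_partition IMAGE START_SECTOR SECTOR_COUNT OUTPUT
# Copy one partition out of a whole-disk image (512-byte sectors assumed). The
# start and length come from the disk's partition table; they are inputs here.
extract_partition() {
    dd if="$1" of="$4" bs=512 skip="$2" count="$3" 2>/dev/null
}

# --- constructed demo: a small stand-in for the thread's sliced disk image ---
demo() {
    _work=$(mktemp -d)
    # 1 MiB of pseudo-random bytes plays the role of the dd image.
    head -c 1048576 /dev/urandom > "$_work/original.dd"
    _want=$(image_md5 "$_work/original.dd")
    gzip -c "$_work/original.dd" > "$_work/image.dd.gz"
    # 256 KiB slices here; the thread's sender received roughly 1 GiB slices.
    split -b 262144 "$_work/image.dd.gz" "$_work/image.dd.gz."
    reassemble_image "$_work/image.dd.gz.*" "$_work/image.dd"
    if verify_image "$_work/image.dd" "$_want"; then
        echo "image reassembled, MD5 $_want matches the original"
    else
        echo "MD5 mismatch: a slice is missing, truncated or out of order" >&2
    fi
    # Carve a hypothetical partition starting at sector 64, 1024 sectors long.
    extract_partition "$_work/image.dd" 64 1024 "$_work/part1.dd"
    echo "partition image: $(wc -c < "$_work/part1.dd" | tr -d ' ') bytes"
    rm -rf "$_work"
}
demo
```

Streaming `cat | gzip -dc` avoids needing room for both the merged `.gz` and the decompressed image, but the full decompressed image still has to fit: a decompression that stops at 32 GB of a far larger image leaves a truncated file whose MD5 will never match the sender's, which is the situation the reply above describes when it says Autopsy / TSK support only a full image.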