Re: [sleuthkit-users] Using Autopsy with a mount point rather than an image
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Using Autopsy with a mount point rather than an image
|
From: Enda C. <en...@co...> - 2004-08-09 14:08:50
|
Correct.
Linux presents devices as files in the filesystem, so you can treat any disk
/ partition as a file. So it is equally valid to point any disk tool at an
image file or a device mount point, or a partition mount point.
You can operate on disks as if they were files, try cat /dev/hda etc. You
can operate on files as if they were disks, try fdisk'ing a dd image file.
The only time you treat them differently is when you mount them, disk image
files need to be mounted on a loopback device, and it points you at this if
you don't.
HTH,
-Enda.
----- Original Message -----
From: Fra...@ps...
To: Enda Cronnolly
Sent: Monday, August 09, 2004 2:31 PM
Subject: Re: [sleuthkit-users] Using Autopsy with a mount point rather than
an image
When you say 'Point Autopsy' to the device do you mean in the 'add new
image' as in
1. Location: The full path (starting with /) to the raw file system image.
/dev/hdc
Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist
(210) 301-6433 or (210) 887-6985
"Enda Cronnolly" <en...@co...>
Sent by: sle...@li...
08/07/2004 03:02 PM To<sle...@li...>
cc
SubjectRe: [sleuthkit-users] Using Autopsy with a mount point rather than an
image
> I have a second hard drive that I want to examine that is currently too
> big to image on my forensics machine. I can mount the hard drive read-
> only to a mount point (e.g. /mnt/drive) but when I try to use the Autopsy
> gui to examine it it says that /mnt/drive is a directory and cannot use
> that location as the target.
Point autopsy at the device, eg /dev/hdc or whatever device label you use
when you mount the drive.
> Is there a way around this with Autopsy? I can use the sleuthkit tools
> against a mounted hard drive jus the same.
You don't need the drive to be mounted at all.
HTH,
-Enda.
> Thanks.
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkEVLscACgkQRBFe1uc9INqveACcC9fP0dacgifm0nVHumey1WN9i80A
> niyvbCH4lydhuB7RVjBKCv2VH55u
> =BW9B
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to get
> secure FREE email: http://www.hushmail.com/?l=2
>
> Free, ultra-private instant messaging with Hush Messenger
> http://www.hushmail.com/services-messenger?l=434
>
> Promote security and make money with the Hushmail Affiliate Program:
> http://www.hushmail.com/about-affiliate?l=427
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source Technology
> Group. Come see the changes on the new OSTG site. www.ostg.com
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
-------------------------------------------------------
This SF.Net email is sponsored by OSTG. Have you noticed the changes on
Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
one more big change to announce. We are now OSTG- Open Source Technology
Group. Come see the changes on the new OSTG site. www.ostg.com
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
|
