Re: [sleuthkit-users] Autopsy - FAT32 images problem ?
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Autopsy - FAT32 images problem ?
|
From: Brian C. <ca...@sl...> - 2004-09-13 02:09:29
|
On Sep 12, 2004, at 10:46 AM, Angus Marshall wrote: > I have a 160Gb partition formatted as FAT32 which has been imaged > using dd. > > I can mount it ro on a loop device on Linux and confirm that is it > FAT32, but > when I try to symlink the image into the case on Autopsy 2.03 it's > reporting > that the images is not FAT32. The autopsy shell window reports : > > "bin/fsstat: FAT Volume too large for analysis" > > so I guess there's a hard limit set somewhere in sleuthkit. Can this be > overcome ? Not until version 2 when I start to use the fixed size variables. This limit is because FAT directory entries do not have any form of address and therefore I assign them one based on the sector they are located in and their location in the sector. To keep in a 32-bit inode address, there can only be 2^28 sectors, which is a 128 GB file system. I had assumed that few people would be using FAT for such a large file system. In version 2, the internal inode address will be 64-bits and will be able to assign larger addresses. Sorry. If you want to do keyword searching you can import it as a raw image. brian |
