Re: [sleuthkit-users] Autopsy - FAT32 images problem ?
From: Angus M. <an...@n-...> - 2004-09-13 18:56:02
On Monday 13 September 2004 03:09, Brian Carrier wrote:
> On Sep 12, 2004, at 10:46 AM, Angus Marshall wrote:
> > I have a 160Gb partition formatted as FAT32 which has been imaged
> > using dd.
> >
> > I can mount it ro on a loop device on Linux and confirm that it is
> > FAT32, but
> > when I try to symlink the image into the case on Autopsy 2.03 it's
> > reporting
> > that the image is not FAT32. The autopsy shell window reports :
> >
> > "bin/fsstat: FAT Volume too large for analysis"
> >
> > so I guess there's a hard limit set somewhere in sleuthkit. Can this be
> > overcome ?
>
> Not until version 2 when I start to use the fixed size variables. This
> limit is because FAT directory entries do not have any form of address
> and therefore I assign them one based on the sector they are located in
> and their location in the sector. To keep in a 32-bit inode address,
> there can only be 2^28 sectors, which is a 128 GB file system. I had
> assumed that few people would be using FAT for such a large file
> system. In version 2, the internal inode address will be 64-bits and
> will be able to assign larger addresses.
>
> Sorry. If you want to do keyword searching you can import it as a raw
> image.
>
> brian

Thanks Brian - it's the first large disk I've encountered where the suspect
has used FAT32 instead of NTFS. I reckon I can handle it using the loopback
mount instead. It's only a CD-piracy case, so the evidence is likely to be
fairly obvious anyway.
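Added example, not part of the original thread and not Sleuth Kit code: a pre-import check that reads the sector size and sector count from a FAT boot sector and tests whether every directory-entry slot still fits in a 32-bit address, following the reasoning in Brian's reply. The address formula (sector * slots per sector + slot), the function names and the constructed boot sectors are assumptions for illustration.

```python
import struct

DENTRY_SIZE = 32  # a FAT directory entry occupies 32 bytes on disk

def parse_bpb(boot):
    """Return (bytes_per_sector, total_sectors) from a FAT boot sector."""
    if len(boot) < 512 or boot[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (bps,) = struct.unpack_from("<H", boot, 11)    # bytes per sector
    (tot16,) = struct.unpack_from("<H", boot, 19)  # 16-bit sector count
    (tot32,) = struct.unpack_from("<I", boot, 32)  # 32-bit sector count
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes-per-sector value: %d" % bps)
    return bps, tot16 or tot32  # FAT32 sets the 16-bit field to zero

def sector_limit(bps, addr_bits=32):
    """Most sectors addressable when each entry slot needs its own address."""
    slots = bps // DENTRY_SIZE               # 16 slots in a 512-byte sector
    slot_bits = (slots - 1).bit_length()     # 4 bits to pick one of 16
    return 1 << (addr_bits - slot_bits)      # 2^28 for 32-bit addresses

def dentry_address(sector, slot, bps):
    """Assumed scheme: address derived from the sector and slot in it."""
    slots = bps // DENTRY_SIZE
    if not 0 <= slot < slots:
        raise ValueError("slot outside sector")
    return sector * slots + slot

def check_volume(boot, addr_bits=32):
    """Report whether the volume fits the given address width."""
    bps, total = parse_bpb(boot)
    limit = sector_limit(bps, addr_bits)
    return {"bytes_per_sector": bps, "total_sectors": total,
            "sector_limit": limit, "fits": total <= limit}

def make_boot(total_sectors, bps=512):
    """Constructed sample: a boot sector with only the fields used above."""
    boot = bytearray(512)
    struct.pack_into("<H", boot, 11, bps)
    struct.pack_into("<I", boot, 32, total_sectors)
    boot[510:512] = b"\x55\xaa"
    return bytes(boot)

if __name__ == "__main__":
    big = make_boot(160 * 10**9 // 512)  # constructed 160 GB volume
    print(check_volume(big))             # 32-bit addressing: does not fit
    print(check_volume(big, addr_bits=64))
```

On a real image, pass the first 512 bytes of the partition to `check_volume` before adding it to a case.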