[sleuthkit-users] Re: sleuthkit-users digest, Vol 1 #202 - 1 msg
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Re: sleuthkit-users digest, Vol 1 #202 - 1 msg
|
From: Devi0s M. <de...@gm...> - 2004-09-17 04:03:27
|
Just FYI: The Maxtor OneTouch external drives are pre-formatted as a 250GB FAT32 partition, and include a bootable cd with software that allows you to quick-format any large disk with a FAT32. - Dev On Mon, 13 Sep 2004 20:52:11 -0700, sle...@li... <sle...@li...> wrote: > Send sleuthkit-users mailing list submissions to > sle...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > or, via email, send a message with subject or body 'help' to > sle...@li... > > You can reach the person managing the list at > sle...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of sleuthkit-users digest..." > > Today's Topics: > > 1. Re: Autopsy - FAT32 images problem ? (Angus Marshall) > > --__--__-- > > Message: 1 > From: Angus Marshall <an...@n-...> > Organization: Dis- > To: Brian Carrier <ca...@sl...> > Subject: Re: [sleuthkit-users] Autopsy - FAT32 images problem ? > Date: Mon, 13 Sep 2004 19:55:12 +0100 > Cc: "sleuthkit-users <sle...@li...>" <sle...@li...> > > On Monday 13 September 2004 03:09, Brian Carrier wrote: > > On Sep 12, 2004, at 10:46 AM, Angus Marshall wrote: > > > I have a 160Gb partition formatted as FAT32 which has been imaged > > > using dd. > > > > > > I can mount it ro on a loop device on Linux and confirm that is it > > > FAT32, but > > > when I try to symlink the image into the case on Autopsy 2.03 it's > > > reporting > > > that the images is not FAT32. The autopsy shell window reports : > > > > > > "bin/fsstat: FAT Volume too large for analysis" > > > > > > so I guess there's a hard limit set somewhere in sleuthkit. Can this be > > > overcome ? > > > > Not until version 2 when I start to use the fixed size variables. This > > limit is because FAT directory entries do not have any form of address > > and therefore I assign them one based on the sector they are located in > > and their location in the sector. To keep in a 32-bit inode address, > > there can only be 2^28 sectors, which is a 128 GB file system. I had > > assumed that few people would be using FAT for such a large file > > system. In version 2, the internal inode address will be 64-bits and > > will be able to assign larger addresses. > > > > Sorry. If you want to do keyword searching you can import it as a raw > > image. > > > > brian > > Thanks Brian - it's the first large disk I've encountered where the suspect > has used FAT32 instead of NTFS. I reckon I can handle it using the loopback > mount instead. It's only a CD-piracy case, so the evidence is likely to be > fairly obvious anyway. > > --__--__-- > > _______________________________________________ > sleuthkit-users mailing list > sle...@li... > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > > End of sleuthkit-users Digest > |
