Re: [sleuthkit-users] fls simply reports usage information?
From: Brian C. <ca...@sl...> - 2005-01-06 14:42:10

On Jan 6, 2005, at 12:54 AM, Seth Arnold wrote:

>> Are you sure you have a partition image and not a disk image? What is
>> the error message before the usage information is displayed. There
>> should be one line that explains why it gave an error.
>
> Sadly, there isn't even the one-liner error message. :( I've appended
> output near the end.

I just fixed that so that all 'usage' statements have an error. There were a couple that do not. I've updated the src/fstools/fls.c file with more error messages (based on if there are too few or too many arguments). Try it and see if it gives more details. The command you are using is standard, so I do not know why it is giving problems.

> I'm positive I have a partition image; I still have that shell open,
> and its history command shows that I copied /dev/sda1 -- the first
> partition on the first scsi disk. (Linux supports Sandisk by emulating
> a SCSI drive.)

Ok.

> (While I don't know filesystem internals well enough to tell from the
> contents of what I've got, maybe you do. So I've appended that near the
> end as well. :)

It looks legit.

>> Hmm. I do not know of anyone that has used them under Debian on an
>> iBook. There could be an endian ordering issue with the package. You
>> may want to try directly from the source.
>
> "Try directly from the source" -- do you mean try running autopsy and
> TSK on my brother's OS X machine? Or compiling TSK from source? I
> tried compiling TSK from Debian's source on machine with identical
> results. (This shouldn't surprise me. I did it with intentions of being
> able to try suggestions that include source modifications. :) I haven't
> tried running TSK on my brother's OS X machine simply because I've
> never compiled anything on it and didn't want to bother late at night.. :)

I meant to download the tarball from sleuthkit.org and compile it. Do any of the other tools work? It seems that 'fsstat' worked because you were able to import the image.

Try to run 'istat -f fat /home/sarnold/sandisk.dd 2'. Also let me know how using the fls.c file worked. When compiling from the source, it will not install itself in '/usr/bin/', so make sure you are running the new binaries and not the original ones :)

brian