Re: [sleuthkit-users] Help!! New to TSK and Linux
From: Brian C. <ca...@sl...> - 2005-03-16 03:46:08
On Mar 15, 2005, at 7:05 PM, Brian Starr wrote:

> AUTOPSY
> Because of the file size limit, I created a bit-for-bit clone of the disk, from which I am attempting to use TSK forensic tools (which may or may not be the correct approach).
> So with that, I began using autopsy. I added a new case. Gave it a host name of 192.168.1.1 and timezone of PST. I then added an image location of /dev/hda1, symlink as the import method, fstype of fat32, mounting point of /mnt/hda1, and ignore md5. Is this a correct setup? With this setup I began to use the autopsy tools with the following results:

The image location should be the name of the file that you create using 'dd' (or similar tool). The mounting point is the location where the file system originally existed (i.e. C:\ or '/usr/'). It is cosmetic only.

> -The keyword search didn't work - is this because I am using /mnt/hda1 instead of an image file? Does this version of autopsy work using /mnt/hda1?

Can you be more specific about how it didn't work? Did you run autopsy in live analysis mode or just with (./autopsy)?

> -The sorter also did not work. No output files in the directories specified. Is this also because I am not using an image as well?

Are you sure it completed? It takes a while. There should be an index.html file that lists how many files existed, how many were ignored, and which were put into different categories.

brian
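The reply above makes the key point: Autopsy wants the path of an image file produced by 'dd', not a device node or a mount point, and the "ignore md5" option skips the one check that tells you the copy is faithful. The script below is an added example (not from the mailing-list post, and not part of TSK or Autopsy) of that imaging step with the hash check done rather than skipped. It assumes GNU coreutils (dd, md5sum); the paths /dev/hda1 and /evidence/hda1.dd are hypothetical, and the demo at the bottom images a constructed 2 KiB file instead of a real partition so it runs anywhere.

```shell
#!/bin/bash
# Added example, not code from the original post or from TSK/Autopsy.
# Assumes GNU coreutils (dd, md5sum). Device and evidence paths are
# hypothetical; the demo works on a constructed file, not a real disk.

# image_partition SRC DST: bit-for-bit copy of SRC into the file DST.
# bs=512 matches the sector size so no partial block is padded on a real
# device; conv=noerror,sync keeps reading past bad sectors and zero-fills
# them instead of truncating the image.
image_partition() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# hash_file PATH: print only the MD5 digest of PATH.
hash_file() {
    md5sum "$1" | awk '{print $1}'
}

# verify_image SRC DST: succeed only if source and image hash identically.
# This is the check Autopsy's "ignore md5" option skips.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# image_and_verify SRC DST: image, verify, then print the digest so it can
# be recorded with the case (and entered when adding the image in Autopsy).
image_and_verify() {
    image_partition "$1" "$2" || return 1
    if ! verify_image "$1" "$2"; then
        echo "hash mismatch: $1 vs $2 (re-image; do not analyze)" >&2
        return 1
    fi
    hash_file "$2"
}

# demo: stand-in for 'image_and_verify /dev/hda1 /evidence/hda1.dd'.
# The "partition" is a constructed 2048-byte file of repeated text so the
# example runs without root or a real /dev/hda1. Afterwards you would give
# Autopsy the FILE (/evidence/hda1.dd), with /mnt/hda1 or C:\ only as the
# cosmetic mount-point label.
demo() {
    tmp=$(mktemp -d) || return 1
    yes "sector data" | head -c 2048 > "$tmp/fake_hda1"
    digest=$(image_and_verify "$tmp/fake_hda1" "$tmp/hda1.dd")
    rc=$?
    [ "$rc" -eq 0 ] && echo "image ok, md5=$digest"
    rm -rf "$tmp"
    return "$rc"
}

demo
```

On a real system, run the imaging step as root against the partition (or whole disk) with the evidence file on a separate, larger volume, and keep the printed digest with the case notes; if a later md5sum of the image file differs from it, the evidence has changed since acquisition.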