[sleuthkit-users] TSK Installation Issues

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi everyone,

I have installed Red Hat 9.0.  I am a little unsure as to how I get Sleuth
Kit on my hard disk now.  Here is what I have done:

Downloaded the source code from your website.  Extracted the archived
contents to my /home/brian directory.  There is now a folder called
Sleuthkit-2.00.  I opened up the terminal window and logged in as root.  I
then went to the directory /home/brian/sleuthkit-2.00 and typed 'make'.
After it finished I attempted to use fls, and it said the tool is not found.
What am I doing wrong?  I am obviously not a linux guru. 

Also, one other question.  Is it possible to recover a deleted file created
from within a previous operating system.  For example, let's say I created a
Microsoft Excel file using Windows 98.  Then, I decided to format my entire
hard disk and install Windows ME.  I now have the image of the hard disk
with the Windows ME operating system on it.  Assuming the new operating
system has not written to any of the sectors the Excel file is stored in, is
it possible to restore the Excel file to its .xls format, or can we only
view the strings from that file (keyword search through unallocated space)?
A simple yes or no will really help.  

Thanks so much!  

Brian

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, March 24, 2005 7:00 PM
To: Brian Starr
Subject: Re: [sleuthkit-users] dls

On Mar 24, 2005, at 5:13 PM, Brian Starr wrote:

> Thanks, Brian.  I guess the dls file does not have a number.  I guess 
> I need
> to figure out how to get from a byte offset to the exact location in 
> the
> image.  I just ordered your book.  Does it go into all of this??

No.  The book is more general and not specific about Linux or TSK.

How did you make the file?  What did you type? Or, where did you get it 
from?

> Anyways, I have another issue.  I am using the Penquin Sleuth Kit 
> Bootable
> CD.  When running the sorter on my image (using the command line), I 
> get the
> following error:

The error is because the people who made the CD compiled TSK in one 
location and then moved it to a different one on the CD.  I have 
nothing to do with the people who make the CD, they just have similar 
names.

brian