Re: [sleuthkit-users] ISTAT output question
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] ISTAT output question
|
From: Brian C. <ca...@sl...> - 2005-04-28 06:59:31
|
On Apr 27, 2005, at 9:56 AM, fu...@gm... wrote: >> You >> can look at the exec log to see the commands that have been executed >> for previous files as a basis. > > Oh I did not know about this log, this is exactly what I was looking > for. I now start compiliing al list of one-liner, so I can make things > faster. As fas as I can see the only problem would be that these steps > are not automatically logged in the Autopsy-Files, so maybe not the > best thing from the forensic point of view? There is no legal requirement that you have a log of every single command that is executed. You can always write down the commands that you used in a notebook. > Furthermore, I got kinda other problem: I analyze an image of a > NTFS-Hardrive, containing two partitions. If I look at the deleted > files list on the first partition, I see a lot of files which are > deleted, if I look into the directories, they are still there OR I > don't see the brown, unallocated file. Is this a problem with NTFS > handling? I'm not quite sure what you are asking. Can you give a specific example? brian |
