Re: [sleuthkit-users] tsk_recover with L01 and Lx01
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] tsk_recover with L01 and Lx01
|
From: Tom Y. <to...@ya...> - 2013-10-11 14:38:51
|
ewfmount -f files <name of L01 file> <mount point> will allow you to view the contents of the L01 file. (with the caveat that you need a newer version of libewf - within the last year IIRC) Tom PGP Key ID - B32585D0 On Fri, Oct 11, 2013 at 8:37 AM, Brian Carrier <ca...@sl...>wrote: > There could be a tool in libewf that extracts L01 contents. > > > On Oct 11, 2013, at 5:11 AM, Bala <bal...@cs...> wrote: > > > Brian > > > > I wouldn’t want to analyze L01 images, however I would my program to > extract the files in L01. Is there a possibility ? > > > > I would like to see how the framework reads/extracts the .L01 files as > well. Let me know if this is possible too. > > > > Regards > > Bala > > > > > > -----Original Message----- > > From: Brian Carrier [mailto:ca...@sl...] > > Sent: Thursday, October 10, 2013 8:43 PM > > To: Bala > > Cc: sle...@li... > > Subject: Re: [sleuthkit-users] tsk_recover with L01 and Lx01 > > > > My understanding is that an L01 file is basically a glorified ZIP file > with forensically-interesting metadata embedded in it. It was created by a > forensics tool that likely analyzed a disk image and made an L01 with a > subset of the files. > > > > None of the TSK tools analyze L01 files. The TSK core tools all take > disk images in as input (which could be in an E01 format, but not L01). > The framework supports L01, but that isn't going to help you in this case. > > > > > > > > > > On Oct 10, 2013, at 2:11 AM, Bala <bal...@cs...> wrote: > > > > > Hi > > > > > > I’m trying to use recover *.L01 files using the tsk_recover (from > version 4.2.1). > > > > > > However to my disappointment I get the following error. > > > Cannot determine file system type (Sector offset: 0)Files Recovered: 0 > > > > > > I used the following command to recover the files tsk_recover -o 32 -e > > > "C:\Files\part-of-usb-disk-logical-file.Lx01" "Extract" > > > > > > I presume the error is due to the wrong offset. Let me know if its > otherwise. > > > Could I use any other offset? If YES how do I determine the offset > > > suitable for *.L01 > > > > > > I’m on a Windows 2012 server > > > > > > > > > Regards > > > Bala > > > > > > ---------------------------------------------------------------------- > > > -------- October Webinars: Code for Performance Free Intel webinars > > > can help you accelerate application performance. > > > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the > > > most from the latest Intel processors and coprocessors. See abstracts > > > and register > > > > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.c > > > lktrk_______________________________________________ > > > sleuthkit-users mailing list > > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > > > http://www.sleuthkit.org > > > > > ------------------------------------------------------------------------------ > > October Webinars: Code for Performance > > Free Intel webinars can help you accelerate application performance. > > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most > from > > the latest Intel processors and coprocessors. See abstracts and register > > > > > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk_______________________________________________ > > sleuthkit-users mailing list > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > > http://www.sleuthkit.org > > > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most > from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > |
