[sleuthkit-users] Autopsy: Can't search in unallocated space of a partition
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Autopsy: Can't search in unallocated space of a partition
|
From: Dennis <in...@ba...> - 2013-11-06 20:52:37
|
Dear all, I am currently giving autopsy a test ride on one of my test images. I use this test image in some of my forensic classes but I ran into a problem. My Setup Windows 8 64 Bit Autopsy V 3.0.6 Image Details: t 320 GB EWF Image Case Setup / Activated Ingest Modules Recent Activities Hash Lookup EXIF Image Parser Keyword Search And of course the checkbox for "process unallocated space" was activated. My Scenario I know that a HTML fragment is available in the unallocated space of one partition. This HTML fragment contains the string "secret secret". Therefore, I just ran a search for the string secret but the search did not yield any results in the unallocated space. I double checked that the string was inside the unallocated space by mounting the image via fuse (DFF) and running the command string -f -t d * | grep secret inside the NTFS unallocated folder. This resulted in roughly 20 - 30 hits. Question Is this a known bug? Is the search in the unallocated space not yet supported? How can I investigate what is going wrong? Kind regards Dennis |
