Re: [sleuthkit-users] Autopsy: Can't search in unallocated space of a partition

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi, 

the image was created with FTK Imager (3.1). I did not activate
compression for the E01 image. 

Kind regards
Dennis 

Am Donnerstag, den 14.11.2013, 10:00 +0800 schrieb Notyor Buizines:
> what command did u use for taking image of hard disk?
> 
> 
> 
> On Thu, Nov 7, 2013 at 4:36 AM, Dennis <in...@ba...> wrote:
>         Dear all,
>         
>         I am currently giving autopsy a test ride on one of my test
>         images. I
>         use this test image in some of my forensic classes but I ran
>         into a
>         problem.
>         
>         My Setup
>            Windows 8 64 Bit
>            Autopsy V 3.0.6
>         
>         Image Details: t
>            320 GB EWF Image
>         
>         Case Setup / Activated Ingest Modules
>            Recent Activities
>            Hash Lookup
>            EXIF Image Parser
>            Keyword Search
>         
>         And of course the checkbox for "process unallocated space" was
>         activated.
>         
>         My Scenario
>         I know that a HTML fragment is available in the unallocated
>         space of one
>         partition. This HTML fragment contains the string "secret
>         secret".
>         Therefore, I just ran a search for the string secret but the
>         search did
>         not yield any results in the unallocated space.
>         
>         I double checked that the string was inside the unallocated
>         space by
>         mounting the image via fuse (DFF) and running the command
>                 string -f -t d * | grep secret
>         inside the NTFS unallocated folder. This resulted in roughly
>         20 - 30
>         hits.
>         
>         Question
>         Is this a known bug? Is the search in the unallocated space
>         not yet
>         supported? How can I investigate what is going wrong?
>         
>         Kind regards
>         Dennis
>         
>         
>         ------------------------------------------------------------------------------
>         November Webinars for C, C++, Fortran Developers
>         Accelerate application performance with scalable programming
>         models. Explore
>         techniques for threading, error checking, porting, and tuning.
>         Get the most
>         from the latest Intel processors and coprocessors. See
>         abstracts and register
>         http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
>         _______________________________________________
>         sleuthkit-users mailing list
>         https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>         http://www.sleuthkit.org
> 
> 