Re: [sleuthkit-users] Autopsy and MAC
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Autopsy and MAC
|
From: Brian C. <ca...@sl...> - 2015-01-14 15:30:36
|
I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy. There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a windows system. So, you would never see the exported file. I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now). There still seem to be some database issues with HFS+ that I haven't been able to recreate. brian On Jan 12, 2015, at 3:42 AM, jack tiger <jac...@ne...> wrote: > I saw it's impossibile to extract directly data of a MAC using Autopsy. > I tried mounting the E01 file in windows then using an HFS reader i copied the file. But the photo and the PDF are damaged. > Which is a possibile solution? > thanks > > ------------------------------------------------------------------------------ > New Year. New Location. New Benefits. New Data Center in Ashburn, VA. > GigeNET is offering a free month of service with a new server in Ashburn. > Choose from 2 high performing configs, both with 100TB of bandwidth. > Higher redundancy.Lower latency.Increased capacity.Completely compliant. > vanity: www.gigenet.com > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
