[sleuthkit-users] Autopsy extracting files Mac HFS+
From: Scott J. <sc...@of...> - 2015-02-18 01:50:15
I have not been able to extract a file from an HFS+ image until I found the email below describing the extraction program appending ":data" when saving the file. When I remove the ":data" from the "save as" file name, the file is extracted just fine. If I try to extract multiple files then there is no option to remove the ":data" from the file names, and thus the files are not extracted.

The message below suggests a fix for this issue but I cannot find where to obtain the fix. Any help would be appreciated as I have to extract hundreds of files from a Mac image.

Scott

------------------------------------------------------------------

*Re: [sleuthkit-users] Autopsy and MAC <http://sourceforge.net/p/sleuthkit/mailman/message/33232201/>*
From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36

I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy.

There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a Windows system. So, you would never see the exported file. I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now).

There still seem to be some database issues with HFS+ that I haven't been able to recreate.

brian
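The name handling described in the quoted message, sketched as an added example that is not part of either message and is not Autopsy or TSK code: drop the ":DATA" marker for the default data fork, replace any remaining ":" with "_", and keep names unique across a batch. The function names and the sample file names (including the ":RSRC" suffix) are constructed for illustration.

```python
import re

# Marker the thread says was appended for the default data fork
# (":data" in Scott's message, ":DATA" in Brian's).
_DATA_FORK_SUFFIX = re.compile(r":data$", re.IGNORECASE)


def safe_export_name(reported_name: str) -> str:
    """Map a reported HFS+ file name to one that saves as a normal file on NTFS."""
    # Default data fork: remove the marker entirely.
    name = _DATA_FORK_SUFFIX.sub("", reported_name)
    # On NTFS, "file:stream" writes an Alternate Data Stream of "file",
    # so any ':' that is left must not survive into the saved name.
    return name.replace(":", "_")


def plan_batch_export(reported_names):
    """Return [(reported_name, export_name)] with no two export names clashing."""
    used = set()  # lower-cased, because NTFS lookups are case-insensitive by default
    plan = []
    for reported in reported_names:
        base = safe_export_name(reported)
        candidate, n = base, 0
        while candidate.lower() in used:
            n += 1
            stem, dot, ext = base.rpartition(".")
            candidate = f"{stem}_{n}{dot}{ext}" if dot else f"{base}_{n}"
        used.add(candidate.lower())
        plan.append((reported, candidate))
    return plan


# Constructed sample names, not taken from any real image.
SAMPLE = ["report.pdf:DATA", "Report.pdf", "Notes.txt:RSRC", "README"]

if __name__ == "__main__":
    for reported, export in plan_batch_export(SAMPLE):
        print(f"{reported!r} -> {export!r}")
```
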