Re: [sleuthkit-users] Autopsy extracting files Mac HFS+
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Autopsy extracting files Mac HFS+
|
From: Nanni B. <dig...@gm...> - 2015-02-18 08:15:12
|
Yes, I confirm this issue. 2015-02-18 1:55 GMT+01:00 Scott Johnson <sc...@of...>: > I have not been able to extract a file from an HFS+ image until I found > the email below describing the extraction program appending ":data" when > saving the file. When I remove the ":data" from the "save as" file name, > the file is extracted just fine. If I try to extract multiple files then > there is no option to remove the ":data" from the file names, and thus the > files are not extracted. The message below suggests a fix for this issue > but I cannot find where to obtain the fix. Any help would be appreciated as > I have to extract hundreds of files from a Mac image. > > Scott > > > > ------------------------------------------------------------------ > > *Re: [sleuthkit-users] Autopsy and MAC > <http://sourceforge.net/p/sleuthkit/mailman/message/33232201/>* > From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36 > > I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy. There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a windows system. So, you would never see the exported file. I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now). > > There still seem to be some database issues with HFS+ that I haven't been able to recreate. > > brian > > > > ------------------------------------------------------------------------------ > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > from Actuate! Instantly Supercharge Your Business Reports and Dashboards > with Interactivity, Sharing, Native Excel Exports, App Integration & more > Get technology previously reserved for billion-dollar corporations, FREE > > http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > -- Dr. Nanni Bassetti http://www.nannibassetti.com CAINE project manager - http://www.caine-live.net |
