Re: [sleuthkit-users] Autopsy extracting files Mac HFS+

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Yes, I confirm this issue.

2015-02-18 1:55 GMT+01:00 Scott Johnson <sc...@of...>:

> I have not been able to extract a file from an HFS+ image until I found
> the email below describing the extraction program appending ":data" when
> saving the file. When I remove the ":data" from the "save as" file name,
> the file is extracted just fine. If I try to extract multiple files then
> there is no option to remove the ":data" from the file names, and thus the
> files are not extracted. The message below suggests a fix for this issue
> but I cannot find where to obtain the fix. Any help would be appreciated as
> I have to extract hundreds of files from a Mac image.
>
> Scott
>
>
>
> ------------------------------------------------------------------
>
> *Re: [sleuthkit-users] Autopsy and MAC
> <http://sourceforge.net/p/sleuthkit/mailman/message/33232201/>*
> From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36
>
> I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy.  There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a windows system.  So, you would never see the exported file.  I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now).
>
> There still seem to be some database issues with HFS+ that I haven't been able to recreate.
>
> brian
>
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>

-- 
Dr. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net