Re: [sleuthkit-users] Autopsy extracting files Mac HFS+
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Autopsy extracting files Mac HFS+
|
From: Ketil F. <ke...@fr...> - 2015-02-18 17:23:02
|
If this is the same issue as I reported earlier on github and it's been fixed, I guess both the sleuthkit issue and the autopsy issue can be closed? https://github.com/sleuthkit/sleuthkit/issues/376 https://github.com/sleuthkit/autopsy/issues/903 Regards, Ketil On 18 February 2015 at 16:38, Brian Carrier <ca...@sl...> wrote: > The fix will be in the 3.1.2 release, which should be out early next week. > > > > On Feb 18, 2015, at 3:15 AM, Nanni Bassetti <dig...@gm...> wrote: > >> Yes, I confirm this issue. >> >> 2015-02-18 1:55 GMT+01:00 Scott Johnson <sc...@of...>: >> I have not been able to extract a file from an HFS+ image until I found the email below describing the extraction program appending ":data" when saving the file. When I remove the ":data" from the "save as" file name, the file is extracted just fine. If I try to extract multiple files then there is no option to remove the ":data" from the file names, and thus the files are not extracted. The message below suggests a fix for this issue but I cannot find where to obtain the fix. Any help would be appreciated as I have to extract hundreds of files from a Mac image. >> >> Scott >> >> >> >> ------------------------------------------------------------------ >> >> Re: [sleuthkit-users] Autopsy and MAC >> From: Brian Carrier <carrier@sl...> - 2015-01-14 15:30:36 >> I poked at the HFS+ code a bit this morning to try some things since there seem to be some common issues with it and Autopsy. There is a slight exporting issue that I've fixed, which was basically that you could export the file, but the HFS+ code was adding ":DATA" to the end of the name to reflect the data fork (versus the resource fork) and that turned into an Alternate Data Stream on a windows system. So, you would never see the exported file. I changed it so that ":DATA" is not added for the default data fork (like what happens on the command line tools for TSK) and also changed Autopsy so that it replaces any ":" with a "_" in the suggested file name so that you don't save things as ADS (well you still can, but you need to do some work to do it now). >> >> There still seem to be some database issues with HFS+ that I haven't been able to recreate. >> >> brian >> >> >> ------------------------------------------------------------------------------ >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server >> from Actuate! Instantly Supercharge Your Business Reports and Dashboards >> with Interactivity, Sharing, Native Excel Exports, App Integration & more >> Get technology previously reserved for billion-dollar corporations, FREE >> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk >> _______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org >> >> >> >> >> -- >> Dr. Nanni Bassetti >> http://www.nannibassetti.com >> CAINE project manager - http://www.caine-live.net >> ------------------------------------------------------------------------------ >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server >> from Actuate! Instantly Supercharge Your Business Reports and Dashboards >> with Interactivity, Sharing, Native Excel Exports, App Integration & more >> Get technology previously reserved for billion-dollar corporations, FREE >> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk_______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org > > > ------------------------------------------------------------------------------ > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > from Actuate! Instantly Supercharge Your Business Reports and Dashboards > with Interactivity, Sharing, Native Excel Exports, App Integration & more > Get technology previously reserved for billion-dollar corporations, FREE > http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org -- -Ketil |
