Re: [sleuthkit-users] Fiwalk on running system
From: Derrick K. <dk...@gm...> - 2015-09-18 15:14:41
Hi Rolf. I'm not sure if Michael's suggestion works with the latest fiwalk or not, but if it doesn't, have you looked at tsk_loaddb as an alternative to fiwalk? fiwalk hasn't been getting as much development lately, but tsk_loaddb is actively developed and outputs all the results into a SQLite database.

Something like this would work with tsk_loaddb:

    tsk_loaddb -d myimage.db \\.\c:

Alternatively, for physical disks:

    wmic diskdrive list
    tsk_loaddb -d myimage.db \\.\PhysicalDrive0

Derrick

On Fri, Sep 18, 2015 at 8:05 AM, Michael Cohen <scu...@gm...> wrote:
> Does it work if you give it the volume name?
>
>     fiwalk \\.\C:
>
> On 18 September 2015 at 14:50, Rolf Inator <rol...@gm...> wrote:
>> Hi list,
>>
>> I wonder if it's possible to run fiwalk on a live system? The documentation says
>>
>>     user@forensicbox:~$ fiwalk
>>     usage: fiwalk [options] iso-name
>>
>> The problem I am facing is that if I want to run fiwalk over a BitLocker-encrypted dd image, I have to install Dislocker (a new driver) on my Linux system. It would be more decent if I could just run the fiwalk Windows executable while the suspect's system is still running.
>>
>> I hope that was clear :)
>>
>> Kind regards,
>> Rolf
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
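As an added example (not from this thread and not Sleuth Kit project code), the script below queries the SQLite database that tsk_loaddb writes and lists entries whose directory name or metadata record is marked unallocated, which is how a deleted file shows up in the output. The column names and the flag values (dir_flags / meta_flags bit 0x02 = unallocated, from TSK's tsk_fs.h) are assumptions about the tsk_files table of TSK 4.x; a constructed in-memory copy of that table is built so the script runs offline.

```python
import sqlite3
import sys
from datetime import datetime, timezone

# Assumed flag values (TSK_FS_NAME_FLAG_UNALLOC / TSK_FS_META_FLAG_UNALLOC in tsk_fs.h).
NAME_UNALLOC = 0x02
META_UNALLOC = 0x02

# Constructed sample rows in the shape of tsk_loaddb's tsk_files table
# (subset of its columns: obj_id, name, parent_path, size, mtime, dir_flags, meta_flags).
SAMPLE_ROWS = [
    (5, "ntoskrnl.exe", "/Windows/System32/", 10_000_000, 1442584800, 0x01, 0x01),
    (6, "notes.docx", "/Users/rolf/Documents/", 40_960, 1442502000, 0x02, 0x02),
    (7, "$OrphanFiles", "/", 0, 0, 0x01, 0x01),
    (8, "cache.tmp", "/Users/rolf/AppData/Local/Temp/", 2_048, 1442588400, 0x02, 0x01),
]


def build_sample_db():
    """Create an in-memory database mimicking the assumed tsk_files layout."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, name TEXT,
        parent_path TEXT, size INTEGER, mtime INTEGER, dir_flags INTEGER, meta_flags INTEGER)""")
    con.executemany("INSERT INTO tsk_files VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    return con


def deleted_files(con):
    """Return (full_path, size, mtime_iso) for entries whose name or metadata is unallocated."""
    rows = con.execute(
        "SELECT parent_path, name, size, mtime FROM tsk_files "
        "WHERE (dir_flags & ?) != 0 OR (meta_flags & ?) != 0 ORDER BY mtime DESC",
        (NAME_UNALLOC, META_UNALLOC)).fetchall()
    out = []
    for parent, name, size, mtime in rows:
        # tsk_loaddb stores epoch seconds; 0 means no timestamp was recorded.
        when = datetime.fromtimestamp(mtime, tz=timezone.utc).isoformat() if mtime else "-"
        out.append((parent + name, size, when))
    return out


if __name__ == "__main__":
    # Usage: python tsk_deleted.py myimage.db   (no argument: constructed sample database)
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for path, size, when in deleted_files(con):
        print(f"{when}  {size:>10}  {path}")
```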