[sleuthkit-users] Fully automated tools and multiple volumes
From: Edward D. <eld...@tr...> - 2016-07-23 10:53:42
According to the documentation for the fully automated tools: "These tools integrate the volume and file system functionality. Instead of analyzing only a single file system, these tools take a disk image as input and identify the volumes and process the contents."

This implies to me that if I have ewf file sequence images which encompass a number of different partitions, each partition having its own filesystem (ntfs, fat32, ext3, ext4 as an example), that the fully automated tools should process the ewf file sequence correctly. Yet when I tried using tsk_recover against such an image sequence it failed completely, whether with the 4.2.0 or 4.3.0 release. When I tried running tsk_recover, using the '-o sector offset' parameter to a particular filesystem in the image sequence, it succeeded.

So are these fully automated tools supposed to work correctly against a multi-partition image sequence, or are they supposed to work correctly only against a single particular partition in a multi-partition image sequence at a time?

Eddie Diener
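
The per-partition approach described in the message above (passing `-o` with a sector offset to `tsk_recover`), as an added example that is not part of the original post: it reads an `mmls`-style partition listing and prints one `tsk_recover -o` command per allocated volume. The sample listing, the image name `disk.E01` and the output directory names are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build one "tsk_recover -o <offset>" call per volume.

# Constructed mmls-style listing (not taken from the original post).
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0000411647   0000204800   Win95 FAT32 (0x0b)
004:  000:002   0000411648   0000616447   0000204800   Linux (0x83)
EOF
}

# Read a listing on stdin and print the start sector of each allocated
# volume. Rows whose slot is "Meta" or "-------" are skipped; leading
# zeros are stripped as text so large offsets are never reformatted.
volume_offsets() {
    awk '$1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
        s = $3; sub(/^0+/, "", s); if (s == "") s = "0"; print s
    }'
}

# Print (do not run) one tsk_recover command per volume.
# $1 = image (first segment), $2 = output directory; listing on stdin.
recover_commands() {
    volume_offsets | while read -r off; do
        printf "tsk_recover -o %s '%s' '%s/vol_%s'\n" "$off" "$1" "$2" "$off"
    done
}

# Dry run on the constructed listing. With a real image the listing
# would come from:  mmls disk.E01 | recover_commands disk.E01 recovered
sample_mmls | recover_commands disk.E01 recovered
```

Each printed command writes into its own `vol_<offset>` directory, so files recovered from different filesystems do not overwrite one another.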