Re: [sleuthkit-users] Fully automated tools and multiple volumes
From: John L. <slo...@gm...> - 2016-07-23 14:01:34
Eddie,

It's been a little while since I have used tools like tsk_loaddb and tsk_gettimes (and even longer for tsk_recover), but they were designed and did work on disk images, automatically identifying and processing the partitions. I'd suggest filing a bug report (https://github.com/sleuthkit/sleuthkit/issues).

John

> On Jul 23, 2016, at 3:53 AM, Edward Diener <eld...@tr...> wrote:
>
> According to the documentation for the fully automated tools:
>
> "These tools integrate the volume and file system functionality. Instead
> of analyzing only a single file system, these tools take a disk image as
> input and identify the volumes and process the contents."
>
> This implies to me that if I have ewf file sequence images which
> encompass a number of different partitions, each partition having its
> own filesystem (ntfs, fat32, ext3, ext4 as an example) that the fully
> automated tools should process the ewf file sequence correctly. Yet when
> I tried using tsk_recover against such an image sequence it failed
> completely, whether with the 4.2.0 or 4.3.0 release. When I tried
> running tsk_recover, using the '-o sector offset' parameter to a
> particular filesystem in the image sequence it succeeded.
>
> So are these fully automated tools supposed to work correctly against a
> multi-partition image sequence, or are they supposed to work correctly
> only against a single particular partition in a multi-partition image
> sequence at a time?
>
> Eddie Diener
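The per-partition workaround mentioned in the quoted message (running tsk_recover with `-o` against one file system at a time) can be scripted. The following is an added example, not part of the original thread: it reads partition start sectors from The Sleuth Kit's `mmls` and calls `tsk_recover -o` once per volume. The function names, the output directory layout and the sample `mmls` listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: run tsk_recover once per partition of a multi-volume image.

# Read `mmls` output on stdin and print the start sector of every volume
# that is neither a "Meta" row (partition tables, extended containers) nor
# an unallocated gap ("-------"). Covers DOS (000:000) and GPT (000) slots.
partition_offsets() {
    awk '$1 ~ /^[0-9]+:$/ && $2 != "Meta" && $2 !~ /^-+$/ {
        s = $3; sub(/^0+/, "", s); if (s == "") s = "0"; print s
    }'
}

# recover_partitions IMAGE OUTDIR
# IMAGE is a raw image or the first segment of an EWF sequence.
# A failure on one volume (for example swap, which has no file system
# tsk_recover understands) is logged and the loop continues.
recover_partitions() {
    image=$1; outdir=$2; failed=0
    for off in $(mmls "$image" | partition_offsets); do
        mkdir -p "$outdir/sector_$off"
        if ! tsk_recover -o "$off" "$image" "$outdir/sector_$off"; then
            echo "tsk_recover failed at sector offset $off" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Constructed sample of mmls output, used to exercise the parser offline.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001026047   0001024000   NTFS / exFAT (0x07)
003:  000:001   0001026048   0003123199   0002097152   Win95 FAT32 (0x0c)
004:  000:002   0003123200   0005220351   0002097152   Linux (0x83)
EOF
}

# Only act when called as: script IMAGE OUTDIR
if [ "$#" -eq 2 ]; then recover_partitions "$1" "$2"; fi
```

The exit status of `recover_partitions` is the number of volumes on which tsk_recover failed, so a non-zero result shows that some partitions still need attention.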