Re: [sleuthkit-users] autopsy does not open this image file
From: Barry G. <bg...@gm...> - 2017-08-10 04:04:42
Just food for thought, dc3dd starts with 000 on split files. The ofs= parameter takes a format of either 00 or 000, so the splits start with that. You cannot specify a start of 001. TSK works fine with 000. dc3dd is a pretty popular open source imaging tool, so that might should be taken into account. It's my primary, but I don't use Autopsy, so I've never noticed the issue.

Barry

On Wed, Aug 9, 2017 at 11:10 PM, Brian Carrier <ca...@sl...> wrote:

> Hi Nanni,
>
> How did you make the image?
>
> Autopsy has an assumption that .001 is the first image in a split set of
> images and doesn't expect 000. The file picker in Autopsy therefore just
> shows .001 files and hides the rest. When it looks at your .001 file, it
> isn't happy because it isn't the start of a disk image.
>
> Though, as I think about this... 'split' will use .000 as the first
> file. Does FTK Imager use .001? I'm now wondering how we picked '.001'
> (and have so many '.001' files in our test data).
>
> The options here seem to be:
> - We decide that .001 is not a common starting number and it should really
>   be 000. Though I'm surprised we haven't gotten more complaints about this
>   over the years.
> - We add some logic into TSK so that it looks for a .000 if .001 was given
>   and uses that instead as the starting location.
>
> On Wed, Aug 9, 2017 at 3:30 PM, Nanni Bassetti <dig...@gm...> wrote:
>
>> Yes! it works in that way...but it's a strange behavior :-)
>> Thank you
>>
>> 2017-08-09 21:22 GMT+02:00 Ann Priestman <apr...@ba...>:
>>
>>> Sorry what I meant was:
>>> - go through the Autopsy data source selection
>>> - when you browse to your folder, it will display the .001 file as the
>>>   only choice
>>> - change the filter to All files to make it show everything in the
>>>   folder and then select the .000 file
>>>
>>> Sent from my iPhone
>>>
>>> On Aug 9, 2017, at 3:11 PM, Nanni Bassetti <dig...@gm...> wrote:
>>>
>>> Anyway...I tried and nothing to do! :-)
>>>
>>> 2017-08-09 21:08 GMT+02:00 Nanni Bassetti <dig...@gm...>:
>>>
>>>> 2017-08-09 20:56 GMT+02:00 Ann Priestman <apr...@ba...>:
>>>>
>>>>> Hi Nanni,
>>>>>
>>>>> On the Autopsy select data source screen, try changing the given file
>>>>> name "E001SmartTVMMC.001" to "E001SmartTVMMC.000". The file system loaded
>>>>> for me after that change.
>>>>
>>>> And what have I to do with the original E001SmartTVMMC.000? If I
>>>> rename the .001 to .000 what's about the .000 file?
>>>> Thanks
>>>>
>>>> --
>>>> Dott. Nanni Bassetti
>>>> http://www.nannibassetti.com
>>>> CAINE project manager - http://www.caine-live.net
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org

--
----
Barry Grundy
bg...@gm...
bg...@li...
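
The second option listed in the quoted message (look for a .000 when a .001 was given, and start there) can be sketched as follows. This is an added example, not code from TSK, Autopsy or any participant in the thread; `resolve_split_set` and `demo` are hypothetical names, and the segment files are empty, constructed stand-ins named after the image in the thread.

```python
import re
import tempfile
from pathlib import Path

# Numeric segment suffix: two digits (dc3dd ofs= "00") or three (".000", ".001").
SEGMENT_RE = re.compile(r"^(?P<stem>.+)\.(?P<num>\d{2,3})$")


def resolve_split_set(selected):
    """Return the ordered segment paths of the split set containing `selected`.

    The set starts at segment 0 when that file exists, otherwise at 1,
    and ends at the first missing number.
    """
    selected = Path(selected)
    m = SEGMENT_RE.match(selected.name)
    if not m:
        raise ValueError(f"{selected.name} has no numeric segment suffix")
    stem, width = m["stem"], len(m["num"])

    def seg(n):
        return selected.with_name(f"{stem}.{n:0{width}d}")

    # Prefer segment 0 as the start even if the examiner picked segment 1.
    n = 0 if seg(0).exists() else 1
    segments = []
    while seg(n).exists():
        segments.append(seg(n))
        n += 1
    # A hole between the start and the selected file means an incomplete set;
    # refuse rather than silently analyse a truncated image.
    if selected not in segments:
        raise FileNotFoundError(f"gap in split set before {selected.name}")
    return segments


def demo(names, pick):
    """Create empty constructed segment files and resolve the set from `pick`."""
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            (Path(d) / name).touch()
        return [p.name for p in resolve_split_set(Path(d) / pick)]


if __name__ == "__main__":
    files = ["E001SmartTVMMC.000", "E001SmartTVMMC.001", "E001SmartTVMMC.002"]
    print(demo(files, "E001SmartTVMMC.001"))
```

Raising on a gap instead of returning a partial list keeps a missing segment from being mistaken for the end of the image.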