Re: [sleuthkit-users] autopsy does not open this image file
From: Nanni B. <dig...@gm...> - 2017-08-10 06:54:28
I did not make the image file; it has been made by others using Guymager (see the .info file). It is a part of an online challenge:
http://www.dfrws.org/dfrws-forensic-challenge

And yes, I did not notice that Autopsy opens .001 by default; indeed, using FTK Imager, I instinctively chose the .000 file and not the .001 and it worked :-)

Thanks

2017-08-10 6:04 GMT+02:00 Barry Grundy <bg...@gm...>:

> Just food for thought, dc3dd starts with 000 on split files. The ofs=
> parameter takes a format of either 00 or 000, so the splits start with
> that. You cannot specify a start of 001. TSK works fine with 000.
>
> dc3dd is a pretty popular open source imaging tool, so that might should
> be taken into account. It's my primary, but I don't use Autopsy, so I've
> never noticed the issue.
>
> Barry
>
> On Wed, Aug 9, 2017 at 11:10 PM, Brian Carrier <ca...@sl...>
> wrote:
>
>> Hi Nanni,
>>
>> How did you make the image?
>>
>> Autopsy has an assumption that .001 is the first image in a split set of
>> images and doesn't expect 000. The file picker in Autopsy therefore just
>> shows .001 files and hides the rest. When it looks at your .001 file, it
>> isn't happy because it isn't the start of a disk image.
>>
>> Though, as I think about this... 'split' will use .000 as the first
>> file. Does FTK Imager use .001? I'm now wondering how we picked '.001'
>> (and have so many '.001' files in our test data).
>>
>> The options here seem to be:
>> - We decide that .001 is not a common starting number and it should
>> really be 000. Though I'm surprised we haven't gotten more complaints
>> about this over the years.
>> - We add some logic into TSK so that it looks for a .000 if .001 was
>> given and uses that instead as the starting location.
>>
>> On Wed, Aug 9, 2017 at 3:30 PM, Nanni Bassetti <dig...@gm...>
>> wrote:
>>
>>> Yes! it works in that way...but it's a strange behavior :-)
>>> Thank you
>>>
>>> 2017-08-09 21:22 GMT+02:00 Ann Priestman <apr...@ba...>:
>>>
>>>> Sorry what I meant was:
>>>> - go through the Autopsy data source selection
>>>> - when you browse to your folder, it will display the .001 file as the
>>>> only choice
>>>> - change the filter to All files to make it show everything in the
>>>> folder and then select the .000 file
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On Aug 9, 2017, at 3:11 PM, Nanni Bassetti <dig...@gm...> wrote:
>>>>
>>>> Anyway...I tried and nothing to do! :-)
>>>>
>>>> 2017-08-09 21:08 GMT+02:00 Nanni Bassetti <dig...@gm...>:
>>>>
>>>>> 2017-08-09 20:56 GMT+02:00 Ann Priestman <apr...@ba...>:
>>>>>
>>>>>> Hi Nanni,
>>>>>>
>>>>>> On the Autopsy select data source screen, try changing the given file
>>>>>> name "E001SmartTVMMC.001" to "E001SmartTVMMC.000". The file system loaded
>>>>>> for me after that change.
>>>>>>
>>>>>
>>>>> And what have I to do with the original E001SmartTVMMC.000? If I
>>>>> rename the .001 to .000 what's about the .000 file?
>>>>> Thanks
>>>>>
>>>>> --
>>>>> Dott. Nanni Bassetti
>>>>> http://www.nannibassetti.com
>>>>> CAINE project manager - http://www.caine-live.net
>
> --
> Barry Grundy
> bg...@gm...
> bg...@li...

--
Dott. Nanni Bassetti
http://www.nannibassetti.com
CAINE project manager - http://www.caine-live.net
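
The second option raised in the quoted reply (look for a .000 when a .001 was given) can be checked outside the tool before an image is loaded. The following is an added example, not part of the thread and not TSK or Autopsy code; the function name `resolve_split_set` is hypothetical, and it assumes segments share one stem and a two- or three-digit numeric suffix.

```python
import re
import sys
from pathlib import Path

# Numeric split suffix: ".000"/".001", or two digits (dc3dd ofs= accepts 00 or 000).
SEGMENT_SUFFIX = re.compile(r"^\.(\d{2,3})$")


def resolve_split_set(picked):
    """Return the ordered segments of the split raw image that `picked` is part of.

    The set starts at .000 when that file exists, otherwise at .001.
    Raises ValueError when a later segment exists after a missing number.
    """
    picked = Path(picked)
    match = SEGMENT_SUFFIX.match(picked.suffix)
    if match is None:
        raise ValueError(f"{picked.name}: no numeric split suffix")
    width = len(match.group(1))

    def segment(number):
        return picked.with_suffix(f".{number:0{width}d}")

    start = 0 if segment(0).exists() else 1
    if not segment(start).exists():
        raise FileNotFoundError(f"{picked.name}: no first segment found")

    segments = []
    number = start
    while segment(number).exists():
        segments.append(segment(number))
        number += 1

    # A sibling numbered past the stop point means the set has a hole in it.
    for sibling in picked.parent.iterdir():
        m = SEGMENT_SUFFIX.match(sibling.suffix)
        if (m and sibling.stem == picked.stem and len(m.group(1)) == width
                and int(m.group(1)) > number):
            raise ValueError(f"segment {segment(number).name} is missing")
    return segments


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python resolve_split.py E001SmartTVMMC.001
    for path in resolve_split_set(sys.argv[1]):
        print(path)
```

The first path returned is the file to hand to the image loader; a `ValueError` about a missing segment means the set is incomplete and any mounted result would be truncated.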