Re: [sleuthkit-users] autopsy does not open this image file
From: Brian C. <ca...@sl...> - 2017-08-15 01:33:24
Circling back on this topic, I think we focus on 001 since that is what FTK Imager starts with. I think the easiest solution is to have Autopsy look for a .000 file when the user chooses a .001 file and use that as the starting image. The risk with this approach is that if someone used a tool that started at 000 and they had only a single image, then it will not be shown by default. But, they can see it by choosing the "Show All Files" option.

On Thu, Aug 10, 2017 at 2:54 AM, Nanni Bassetti <dig...@gm...> wrote:

> I did not make the image file, it has been made by others using Guymager
> (see the .info file) it is a part of an online challenge:
> http://www.dfrws.org/dfrws-forensic-challenge
> And yes, I did not notice that Autopsy opens .001 by default, indeed using
> FTK Imager, I instinctively chose the .000 file and not the .001 and it
> worked :-)
> Thanks
>
> 2017-08-10 6:04 GMT+02:00 Barry Grundy <bg...@gm...>:
>
>> Just food for thought, dc3dd starts with 000 on split files. The ofs=
>> parameter takes a format of either 00 or 000, so the splits start with
>> that. You cannot specify a start of 001. TSK works fine with 000.
>>
>> dc3dd is a pretty popular open source imaging tool, so that might should
>> be taken into account. It's my primary, but I don't use Autopsy, so I've
>> never noticed the issue.
>>
>> Barry
>>
>> On Wed, Aug 9, 2017 at 11:10 PM, Brian Carrier <ca...@sl...>
>> wrote:
>>
>>> Hi Nanni,
>>>
>>> How did you make the image?
>>>
>>> Autopsy has an assumption that .001 is the first image in a split set of
>>> images and doesn't expect 000. The file picker in Autopsy therefore just
>>> shows .001 files and hides the rest. When it looks at your .001 file, it
>>> isn't happy because it isn't the start of a disk image.
>>>
>>> Though, as I think about this... 'split' will use .000 as the first
>>> file. Does FTK Imager use .001? I'm now wondering how we picked '.001'
>>> (and have so many '.001' files in our test data).
>>>
>>> The options here seem to be:
>>> - We decide that .001 is not a common starting number and it should
>>> really be 000. Though I'm surprised we haven't gotten more complaints
>>> about this over the years.
>>> - We add some logic into TSK so that it looks for a .000 if .001 was
>>> given and uses that instead as the starting location.
>>>
>>> On Wed, Aug 9, 2017 at 3:30 PM, Nanni Bassetti <dig...@gm...>
>>> wrote:
>>>
>>>> Yes! it works in that way...but it's a strange behavior :-)
>>>> Thank you
>>>>
>>>> 2017-08-09 21:22 GMT+02:00 Ann Priestman <apr...@ba...>:
>>>>
>>>>> Sorry what I meant was:
>>>>> - go through the Autopsy data source selection
>>>>> - when you browse to your folder, it will display the .001 file as the
>>>>> only choice
>>>>> - change the filter to All files to make it show everything in the
>>>>> folder and then select the .000 file
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Aug 9, 2017, at 3:11 PM, Nanni Bassetti <dig...@gm...> wrote:
>>>>>
>>>>> Anyway...I tried and nothing to do! :-)
>>>>>
>>>>> 2017-08-09 21:08 GMT+02:00 Nanni Bassetti <dig...@gm...>:
>>>>>
>>>>>> 2017-08-09 20:56 GMT+02:00 Ann Priestman <apr...@ba...>:
>>>>>>
>>>>>>> Hi Nanni,
>>>>>>>
>>>>>>> On the Autopsy select data source screen, try changing the given
>>>>>>> file name "E001SmartTVMMC.001" to "E001SmartTVMMC.000". The file system
>>>>>>> loaded for me after that change.
>>>>>>
>>>>>> And what have I to do with the original E001SmartTVMMC.000? If I
>>>>>> rename the .001 to .000 what's about the .000 file?
>>>>>> Thanks
>>>>>>
>>>>>> --
>>>>>> Dott. Nanni Bassetti
>>>>>> http://www.nannibassetti.com
>>>>>> CAINE project manager - http://www.caine-live.net
>>>>>
>>>>> --
>>>>> Dott. Nanni Bassetti
>>>>> http://www.nannibassetti.com
>>>>> CAINE project manager - http://www.caine-live.net
>>>>
>>>> --
>>>> Dott. Nanni Bassetti
>>>> http://www.nannibassetti.com
>>>> CAINE project manager - http://www.caine-live.net
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Check out the vibrant tech community on one of the world's most
>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>> _______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
>>
>> --
>> Barry Grundy
>> bg...@gm...
>> bg...@li...
>
> --
> Dott. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
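
The fallback discussed in this thread (given a chosen `.001`, check for a `.000` and start there), written out as an added example; it is not Autopsy or TSK code. The function name `resolve_split_set` is hypothetical, and the sketch also handles the two-digit `00` form mentioned for dc3dd and reports gaps in the numbering.

```python
import re
import sys
from pathlib import Path

# Numbered raw segments such as image.000 or image.01 (2- or 3-digit suffix).
SEG = re.compile(r"^(?P<stem>.+)\.(?P<num>\d{2,3})$")

def resolve_split_set(chosen):
    """Return (ordered_segments, warnings) for the split set containing `chosen`."""
    chosen = Path(chosen)
    m = SEG.match(chosen.name)
    if m is None:
        return [chosen], []  # not a numbered segment; treat as a single image
    stem, width = m["stem"], len(m["num"])
    present = {}
    for p in chosen.parent.iterdir():
        pm = SEG.match(p.name)
        # Same base name and same suffix width belong to the same set.
        if pm and pm["stem"] == stem and len(pm["num"]) == width:
            present[int(pm["num"])] = p
    if int(m["num"]) not in present:
        raise FileNotFoundError(chosen)
    warnings = []
    start = min(present)  # 0 for sets that begin at .000, 1 for sets that begin at .001
    if start > 1:
        warnings.append(f"lowest segment is .{start:0{width}d}; start of set is missing")
    if present[start].name != chosen.name:
        warnings.append(f"{chosen.name} is not the first segment; "
                        f"starting at {present[start].name}")
    # Walk forward from the first segment and stop at the first hole.
    segments, n = [], start
    while n in present:
        segments.append(present[n])
        n += 1
    orphans = [present[k].name for k in sorted(present) if k > n]
    if orphans:
        warnings.append(f"gap at .{n:0{width}d}; unreachable segments: {orphans}")
    return segments, warnings

if __name__ == "__main__":
    segs, warns = resolve_split_set(sys.argv[1])
    for w in warns:
        print("WARNING:", w, file=sys.stderr)
    for s in segs:
        print(s)
```

The printed segment list can be passed in order to a tool that accepts multiple image paths; any warning should be resolved before relying on the parsed file system.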