Re: [sleuthkit-users] Autopsy: File Activity Timelines not working
From: <gim...@we...> - 2006-03-06 11:57:56
On Wed, 22 Feb 2006 22:01:00 -0500 Brian Carrier <ca...@sl...> wrote:
>
> > I added Partition 4 to case and it was partition I chose to make
> > timeline of.
>
> Was partition 4 added as a specific file system (i.e. can you go
> into the file analysis mode of Autopsy and view the directory
> listing?)? Only file systems are shown in the timeline view. If it
> was added as raw or swap then it will not be shown in the timeline
> view.

I'm sorry for my late answer (I overlooked this message thread for a while).

You are right! I chose file system type "raw"! That's because the FAT filesystem wasn't detected properly. Here is what I got:

    Collecting details on new image file:
    Warning: Conflicts in the partitions were detected.
    The full mmls output is given at the bottom of the page

    For your reference, the mmls output was the following:

    DOS Partition Table
    Sector: 0
    Units are in 512-byte sectors

         Slot    Start        End          Length       Description
    00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
    01:  -----   0000000001   0538989390   0538989390   Unallocated
    02:  00:02   0538989391   1937352302   1398362912   OnTrack Disk Manager (0x53)
    03:  00:01   1330184202   1869160489   0538976288   Unknown Type (0x6B)
    04:  00:03   1394627663   1394648999   0000021337   Unknown Type (0x49)
    05:  -----   1394649000   1935758367   0541109368   Unallocated
    06:  00:00   1935758368   3615603091   1679844724   Unused (0x20)

I made the image from an Iomega Zip disk (100 MB). These Zip disks use fat16 (fat12?) filesystems on partition 4. But it isn't recognized:

    Testing partitions
    Partition 4 is not a fat16 file system
    Use the browser's back button to fix the data

Do you have any idea?

regards
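Added example, not part of the original message and not code from The Sleuth Kit or Autopsy: a sanity check over the mmls rows quoted above that flags table entries which overlap each other or end past the end of the image, the kind of inconsistency behind a "Conflicts in the partitions" warning. The image size is an assumption (the message's "100 MB" taken as 100 MiB of 512-byte sectors), and the function names are hypothetical.

```python
import re

# mmls rows as quoted in the message above (meta and unallocated rows included).
MMLS_ROWS = """\
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0538989390   0538989390   Unallocated
02:  00:02   0538989391   1937352302   1398362912   OnTrack Disk Manager (0x53)
03:  00:01   1330184202   1869160489   0538976288   Unknown Type (0x6B)
04:  00:03   1394627663   1394648999   0000021337   Unknown Type (0x49)
05:  -----   1394649000   1935758367   0541109368   Unallocated
06:  00:00   1935758368   3615603091   1679844724   Unused (0x20)
"""

# Assumption: "100 MB" taken as 100 MiB of 512-byte sectors (an upper bound).
IMAGE_SECTORS = 100 * 1024 * 1024 // 512

ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_rows(text):
    """Return entries that come from a table slot; skip '-----' rows."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(2) == "-----":
            continue
        start, end, length = (int(m.group(i)) for i in (3, 4, 5))
        entries.append({"row": m.group(1), "slot": m.group(2), "start": start,
                        "end": end, "length": length, "desc": m.group(6)})
    return entries

def check_table(entries, image_sectors):
    """List findings: bad lengths, entries past end of image, overlaps."""
    findings = []
    for e in entries:
        if e["end"] - e["start"] + 1 != e["length"]:
            findings.append(("length-mismatch", e["row"]))
        if e["end"] >= image_sectors:
            findings.append(("past-end-of-image", e["row"]))
    ordered = sorted(entries, key=lambda e: e["start"])
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b["start"] <= a["end"]:
                findings.append(("overlap", a["row"], b["row"]))
    return findings

if __name__ == "__main__":
    for finding in check_table(parse_rows(MMLS_ROWS), IMAGE_SECTORS):
        print(finding)
```

On the quoted rows, every slot entry ends far beyond the assumed image size and several entries overlap, so none of them describes a usable partition within a 100 MB image.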