Re: [sleuthkit-users] Error in sorter - what am I missing?
From: Patrick F. <fo...@ch...> - 2006-04-20 05:28:18
Jennifer Smith wrote:

> Ok, I got the offset from mmls (thanks Barry, that was exactly what I needed to do!) and now sorter is running beautifully, with just one hangup.
>
> It appears that there are some file system compressed files in this image and when sorter gets to them it throws out an error that it cannot access NTFS compressed files and then it aborts trying to access that particular file. These appear to be file system compressed files, not standard archive files, since it was able to sort and catalog .cab, .dat, and .zip files with no problem.
>
> According to some research on this end, it seems that NTFS uses something similar to DriveSpace3 for its compression (please correct me if I'm wrong) - has anyone found/created any method to work through this error with sorter so that instead of aborting the file, it uncompresses it and sorts it as intended?

The unofficial NTFS driver for Linux handles compressed files. By loop-back mounting the image (read-only) you can get to the non-deleted compressed files. This shouldn't compromise the evidence as long as it is repeatable and you can prove the image hasn't been modified (checksum your images). Unfortunately this method doesn't work for deleted files.

I still find loop-back mounting the image file a great help in investigating since it's so much easier than just using TSK utilities.

/Patrick
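As an added example (not code from the thread or from TSK), the procedure Patrick describes combined with the mmls offset Jennifer mentions: derive the byte offset from mmls output, hash the image before and after a read-only loop-back mount so the "unmodified" claim is checkable. The sample mmls text, the image path and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `mmls` output (not from a real image): one NTFS
# volume starting at sector 63, 512-byte sectors.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000208844   0000208782   NTFS (0x07)'

# Print the byte offset of the first real partition whose description
# matches $2, computed from the mmls text in $1 (start sector * sector size).
mmls_byte_offset() {
  printf '%s\n' "$1" | awk -v pat="$2" '
    /^Units are in/ { sub(/-byte.*/, "", $4); unit = $4 }
    $0 ~ pat && $2 ~ /^[0-9]+:[0-9]+$/ { printf "%d\n", $3 * unit; exit }'
}

# Record the image hash before mounting and compare it afterwards; this is
# what lets you show the evidence was not changed by the examination.
image_digest() { sha256sum "$1" | cut -d' ' -f1; }
verify_unchanged() { [ "$(image_digest "$1")" = "$2" ]; }

# Loop-back mount the volume read-only (needs root and an NTFS driver; mount
# detects the filesystem type). noexec,nodev stop anything inside the
# evidence from being executed or used as a device on the examiner host.
mount_evidence_ro() {
  mount -o ro,loop,offset="$2",noexec,nodev "$1" "$3"
}

# Usage: sh script.sh image.dd /mnt/evidence (only runs when arguments given)
if [ "$#" -ge 2 ]; then
  before=$(image_digest "$1")
  off=$(mmls_byte_offset "$(mmls "$1")" NTFS)
  mount_evidence_ro "$1" "$off" "$2"
  # ... examine the files under "$2" (compressed ones included), then:
  umount "$2"
  verify_unchanged "$1" "$before" && echo "image unchanged: $before"
fi
```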