Thread: Re: [sleuthkit-users] Using Autopsy with a mount point rather than an image
From: Enda C. <en...@co...> - 2004-08-09 14:08:50
Correct. Linux presents devices as files in the filesystem, so you can treat any disk / partition as a file. So it is equally valid to point any disk tool at an image file or a device mount point, or a partition mount point.

You can operate on disks as if they were files, try cat /dev/hda etc. You can operate on files as if they were disks, try fdisk'ing a dd image file.

The only time you treat them differently is when you mount them, disk image files need to be mounted on a loopback device, and it points you at this if you don't.

HTH,
-Enda.

----- Original Message -----
From: Fra...@ps...
To: Enda Cronnolly
Sent: Monday, August 09, 2004 2:31 PM
Subject: Re: [sleuthkit-users] Using Autopsy with a mount point rather than an image

When you say 'Point Autopsy' to the device do you mean in the 'add new image' as in

1. Location: The full path (starting with /) to the raw file system image.
/dev/hdc

Frank Kenisky IV, CISSP, CISA, CISM
Information Technical Security Specialist

"Enda Cronnolly" <en...@co...>
Sent by: sle...@li...
08/07/2004 03:02 PM
To: <sle...@li...>
Subject: Re: [sleuthkit-users] Using Autopsy with a mount point rather than an image

> I have a second hard drive that I want to examine that is currently too
> big to image on my forensics machine. I can mount the hard drive read-only
> to a mount point (e.g. /mnt/drive) but when I try to use the Autopsy
> gui to examine it it says that /mnt/drive is a directory and cannot use
> that location as the target.

Point autopsy at the device, eg /dev/hdc or whatever device label you use when you mount the drive.

> Is there a way around this with Autopsy? I can use the sleuthkit tools
> against a mounted hard drive just the same.

You don't need the drive to be mounted at all.

HTH,
-Enda.

> Thanks.

From: <sec...@hu...> - 2004-08-10 17:36:29
Thanks to all. I will follow the unanimous advice of the list to point Autopsy to the physical device (in this case /dev/hdd).

Regards.

On Sat, 07 Aug 2004 12:34:31 -0700 sec...@hu... wrote:
> Hello list,
>
> Is it possible to use autopsy with a hard drive that is mounted read only
> to a mount point rather than an image?
>
> I have a second hard drive that I want to examine that is currently too
> big to image on my forensics machine. I can mount the hard drive read-only
> to a mount point (e.g. /mnt/drive) but when I try to use the Autopsy
> gui to examine it it says that /mnt/drive is a directory and cannot use
> that location as the target.
>
> Is there a way around this with Autopsy? I can use the sleuthkit tools
> against a mounted hard drive just the same.
>
> Thanks.

From: Angus M. <an...@n-...> - 2004-08-10 18:37:52
On Tuesday 10 August 2004 18:36, sec...@hu... wrote:
> Thanks to all. I will follow the unanimous advice of the list to point
> Autopsy to the physical device (in this case /dev/hdd).

Not wishing to appear picky - but shouldn't this be the PARTITION on the device? (e.g. /dev/hdd1) Unless Autopsy & Sleuthkit have changed a lot since I last used them (last night) ;-)

From: <sec...@hu...> - 2004-08-11 02:47:52
If the hard drive in question had multiple partitions, then yes. In this case it was a basic Windows install. I use a hard disk enclosure that I can insert a hard drive into and mount/image/etc. So it was as simple as 'mount -t fat /dev/hdc /mnt/image'. It would no doubt have been different if there were multiple partitions on the HD.

On Tue, 10 Aug 2004 11:37:06 -0700 Angus Marshall <an...@n-...> wrote:
> On Tuesday 10 August 2004 18:36, sec...@hu... wrote:
>> Thanks to all. I will follow the unanimous advice of the list to point
>> Autopsy to the physical device (in this case /dev/hdd).
>
> Not wishing to appear picky - but shouldn't this be the PARTITION on the
> device? (e.g. /dev/hdd1) Unless Autopsy & Sleuthkit have changed a lot
> since I last used them (last night) ;-)
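
Added example, not part of the original thread and not Sleuth Kit code: a shell sketch of the distinction the posts above turn on, telling a mount point (directory) from a device or image whose first sector is itself a file system boot sector, and from one that carries a partition table. The function names `hex_at` and `target_kind` are hypothetical, the signature checks are a heuristic covering FAT, NTFS and DOS partition tables only, and the demo sector is constructed.

```sh
#!/bin/sh
# Added example: classify a path before handing it to a file system tool.
# The sector built in the demo below is constructed test data, not a real disk.

# Print COUNT bytes at byte OFFSET of FILE as lowercase hex, e.g. "55aa".
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Prints one of: directory | filesystem | partitioned | unknown
target_kind() {
    # A mount point is a directory: it exposes files, not the raw file system.
    if [ -d "$1" ]; then echo directory; return 0; fi
    # Device nodes and image files are both readable as a stream of sectors.
    if [ ! -b "$1" ] && [ ! -f "$1" ]; then echo unknown; return 0; fi
    # Boot sectors and partition tables both end sector 0 with 0x55 0xAA.
    [ "$(hex_at "$1" 510 2)" = "55aa" ] || { echo unknown; return 0; }
    # Heuristic: "FAT" label at offset 54 (FAT12/16) or 82 (FAT32), or the
    # "NTFS" OEM ID at offset 3, means sector 0 is itself a boot sector.
    if [ "$(hex_at "$1" 54 3)" = "464154" ] || [ "$(hex_at "$1" 82 3)" = "464154" ] ||
       [ "$(hex_at "$1" 3 4)" = "4e544653" ]; then
        echo filesystem; return 0
    fi
    # Otherwise look for a used DOS partition entry (16 bytes each from 446):
    # status byte 0x00 or 0x80 and a non-zero type byte at entry offset +4.
    for entry in 446 462 478 494; do
        status=$(hex_at "$1" "$entry" 1)
        ptype=$(hex_at "$1" $((entry + 4)) 1)
        if [ "$ptype" != "00" ] && { [ "$status" = "00" ] || [ "$status" = "80" ]; }; then
            echo partitioned; return 0
        fi
    done
    echo unknown
}

# Demo on a constructed 512-byte sector: FAT16 label plus boot signature.
demo=$(mktemp -d)
dd if=/dev/zero of="$demo/whole.img" bs=512 count=1 2>/dev/null
printf 'FAT16   ' | dd of="$demo/whole.img" bs=1 seek=54 conv=notrunc 2>/dev/null
printf '\125\252' | dd of="$demo/whole.img" bs=1 seek=510 conv=notrunc 2>/dev/null
echo "$demo -> $(target_kind "$demo")"
echo "$demo/whole.img -> $(target_kind "$demo/whole.img")"
rm -rf "$demo"
```

A result of `filesystem` corresponds to the single-file-system drive described in the last post, where the whole device can be used directly; `partitioned` corresponds to the case where a partition device such as /dev/hdd1 is the right target.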