Thread: [sleuthkit-users] tsk_recover with L01 and Lx01
From: Bala <bal...@cs...> - 2013-10-10 06:11:50
Hi

I'm trying to recover *.L01 files using the tsk_recover (from version 4.2.1).

However to my disappointment I get the following error.
Cannot determine file system type (Sector offset: 0)Files Recovered: 0

I used the following command to recover the files
tsk_recover -o 32 -e "C:\Files\part-of-usb-disk-logical-file.Lx01" "Extract"

I presume the error is due to the wrong offset. Let me know if it's otherwise.
Could I use any other offset? If YES how do I determine the offset suitable for *.L01

I'm on a Windows 2012 server

Regards
Bala

From: Brian C. <ca...@sl...> - 2013-10-10 15:12:37
My understanding is that an L01 file is basically a glorified ZIP file with forensically-interesting metadata embedded in it. It was created by a forensics tool that likely analyzed a disk image and made an L01 with a subset of the files.

None of the TSK tools analyze L01 files. The TSK core tools all take disk images in as input (which could be in an E01 format, but not L01). The framework supports L01, but that isn't going to help you in this case.

From: Bala <bal...@cs...> - 2013-10-11 09:11:49
Brian

I wouldn't want to analyze L01 images, however I would like my program to extract the files in L01. Is there a possibility?

I would like to see how the framework reads/extracts the .L01 files as well. Let me know if this is possible too.

Regards
Bala

From: Brian C. <ca...@sl...> - 2013-10-11 13:37:25
There could be a tool in libewf that extracts L01 contents.

From: Tom Y. <to...@ya...> - 2013-10-11 14:38:51
ewfmount -f files <name of L01 file> <mount point>

will allow you to view the contents of the L01 file. (with the caveat that you need a newer version of libewf - within the last year IIRC)

Tom
PGP Key ID - B32585D0
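
The thread turns on whether a container is a disk image (which tsk_recover accepts) or a logical evidence file (which it does not, hence "Cannot determine file system type"). The following is an added example, not part of the thread and not code from TSK or libewf: it reads the 8-byte signature documented in libewf's EWF format notes and prints which of the two commands from the thread applies. The function names `ewf_kind` and `next_step` are hypothetical, and nothing is executed against the evidence file.

```shell
#!/bin/sh
# Added example: pick the right tool for an EnCase container by its signature.
# Signature bytes follow the libewf format documentation; function names are
# hypothetical.

# Print the container kind from the first 8 bytes of file $1.
ewf_kind() {
    sig=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \t\n')
    case "$sig" in
        455646090d0aff00) echo "physical-ewf1" ;;  # "EVF"  -> E01 disk image
        455646320d0a8100) echo "physical-ewf2" ;;  # "EVF2" -> Ex01 disk image
        4c5646090d0aff00) echo "logical-ewf1"  ;;  # "LVF"  -> L01 file container
        4c4546320d0a8100) echo "logical-ewf2"  ;;  # "LEF2" -> Lx01 file container
        *)                echo "unknown" ;;
    esac
}

# Print the command from the thread that fits file $1; $2 is the output
# directory (tsk_recover) or the mount point (ewfmount). Nothing is executed.
next_step() {
    case "$(ewf_kind "$1")" in
        physical-*)
            # A disk image: tsk_recover applies (add -o <sector> for a partition).
            echo "tsk_recover -e \"$1\" \"$2\"" ;;
        logical-*)
            # A file container: no file system inside, so no offset will work.
            echo "ewfmount -f files \"$1\" \"$2\"" ;;
        *)
            echo "not an EWF container: $1" >&2
            return 1 ;;
    esac
}

# Stand-alone use: sh script.sh <evidence file> <output dir or mount point>
if [ "$#" -eq 2 ]; then
    next_step "$1" "$2"
fi
```

Whether a given libewf build reads the EWF2 variant (Lx01) as well as L01 is not covered in the thread, so check the installed version before relying on the printed ewfmount command for an Lx01 file.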