Thread: RE: [sleuthkit-users] Help!! New to TSK and Linux
From: Brian S. <Br...@Pe...> - 2005-03-16 00:23:28
|
Thanks, Alan. Ext3 will support a 17 gig file size? NTFS as well?

-----Original Message-----
From: Alan [mailto:ts...@as...]
Sent: Tuesday, March 15, 2005 4:16 PM
To: sle...@li...
Subject: Re: [sleuthkit-users] Help!! New to TSK and Linux

Hi Brian,

Here are a few answers to your first questions.

Imaging to a Fat32 partition... Either split up the image (I don't know the specific syntax to do this specifically) or format your hdb1 output partition in a filesystem that supports larger files. Ext3 will work, NTFS will also.

>What is the advantage of imaging a drive over just cloning it? In other words, why would I want to create an image as opposed to a bit-for-bit copy of one drive to another?

When you image using dd, you are creating a bit-for-bit copy. dd reads each raw sector from input and writes to output. I think the distinction is grey. I consider imaging generally as writing the bit-for-bit to a file, while cloning as writing a bit-for-bit image directly to a blank drive.

>Also, why wouldn't I use bs=8k as opposed to bs=512?

Larger block sizes generally make the imaging go faster.

HTH
Alan

At 19:05 3/15/2005, you wrote:
>Hi, I am new to Linux and have a lot of questions. Any help is HUGELY appreciated . . . here is what I am trying to do.
>
>IMAGING
>I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). I am using the TSK bootable cd to do the imaging. My target drive is a FAT32 formatted hard disk that is partitioned several times - All FAT32. I am using the following command:
>
>dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0 hashlog= hash.txt
>
>This stops after 2 Gigs of copying due to the FAT32 file size limit being exceeded. How do I get around this? Is it even possible with any filesystem to create a 17 Gig image file? Would I use a formatted ext3 file system?
>
>What is the advantage of imaging a drive over just cloning it? In other words, why would I want to create an image as opposed to a bit-for-bit copy of one drive to another? Does it allow the forensic analyses to be performed quicker?
>
>Also, why wouldn't I use bs=8k as opposed to bs=512?
>
>AUTOPSY
>Because of the file size limit, I created a bit for bit clone of the disk, from which I am attempting to use TSK forensic tools (which may or may not be the correct approach).
>
>So with that, I began using autopsy. I added a new case. Gave it a host name of 192.168.1.1 and timezone of PST. I then added an image location of /dev/hda1, symlink as the import method, fstype of fat32, mounting point of /mnt/hda1, and ignore md5. Is this a correct setup? With this setup I began to use the autopsy tools with the following results:
>
>-The keyword search didn't work - is this because I am using /mnt/hda1 instead of an image file? Does this version of autopsy work using /mnt/hda1?
>-The sorter also did not work. No output files in the directories specified. Is this also because I am not using an image as well?
>
>GREP
>Also, I have a general linux question. Is there a way to speed up grep? I am searching the unallocated/slack space and it is taking forever . . . here is the command I am using:
>
>tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja /dev/hda1 > grephits.txt
>
>I would really like to use TSK - just need these issues addressed. I really want to use linux. Heaven forbid purchasing a windows forensic software package.
>
>Thanks so much in advance.
>
>Brian
From: Alan <ts...@as...> - 2005-03-16 00:49:53
|
Hi Brian, Yes, both NTFS and Ext3 filesystems support files much larger than 17 GB. NTFS I think is 2 TB, and Ext3 16 exibytes. Alan |
From: Enda C. <en...@co...> - 2005-03-16 14:26:07
|
Alan wrote:
> Hi Brian, Yes, both NTFS and Ext3 filesystems support files much larger
> than 17 GB. NTFS I think is 2 TB, and Ext3 16 exibytes. Alan

I'm making an assumption here that you're going to continue running linux, and then of course writing anything to an NTFS partition is going to be problematic without a valid licenced copy of windows and a tool such as:
http://www.jankratochvil.net/project/captive/

-Enda.
From: Brian S. <Br...@Pe...> - 2005-03-16 00:52:09
|
Thanks so much. Any insight on the TSK/autopsy issues I am having?
From: Poldervaart, C. A <chr...@lm...> - 2005-03-16 02:10:02
|
One advantage of imaging a drive vs. cloning is the fact that with an image you are simply creating a file (or files if you are splitting) on an existing file system. This makes for portability. You can copy the image files, move them, mount them. With a clone you are tying up an entire partition to create the cloned filesystem. I always image to file, then if needed I can always blow that image off to a device for a cloned copy.

The best way to handle imaging to FAT32 is just to split the image during the dd by piping the output to split. The caveat with this is that mounting multiple image files as one is a little more tricky, unless you are using a tool like SMART, which is very good at seamlessly putting back together chunks of images.

Chris A. Poldervaart, Investigator
Lockheed Martin Corporation - EIS
Corporate Information Security Office
Computing System Investigations-CSI
3600 Ridgecrest Dr.
Casper, WY 82604
Office: 307.265.2152
Cell: 307.258.1292
From: Baskin, B. <ba...@dc...> - 2005-03-16 12:59:43
|
If you would like to continue using a FAT32 as an image repository, the files need to be split. To do this, leave off the "of=..." section of dcfldd, and pipe the output to the split command. Others have already covered the aspect of using EXT2/3 or NTFS.

ie: dcfldd if=/dev/hda1 conv=noerror,sync hashwindow=0 hashlog=hash.txt | split -b 650m - /mnt/hdb1/image.

The above will create files called image.aa, image.ab, image.ac... in the /mnt/hdb1 directory, each being 650MB (for burning to a CD). You can change the filename, and file size in that command line. Now, with the new version of Autopsy/TSK, you can import those split images directly into Autopsy (/mnt/hdb/image.a*). In prior versions, they had to be concatenated back together.

ie: cat image.a* > image.dd

Creating an image vs. a clone is beneficial in that you don't need to keep a cache of spare hard drives available. All images can just be stored on one large hard drive and analyzed from there. When cloning, extra work, and care, must be taken to each individual hard drive. They have to be wiped and verified prior to receiving data, and if the original hard drive is smaller than the clone hard drive, there'll be an amount of slack space on the clone drive.

Good luck!
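The split-and-reassemble workflow from the message above, as an added example that is not part of the original thread: it reads a constructed sample once, hashes and splits it in the same pass, then checks the reassembled segments against that hash. dd and sha256sum stand in for dcfldd and its hashlog, and every function and file name is an assumption of this example. It goes one step past the message by showing that split names the 27th segment image.ba, which a reassembly glob of image.a* does not match.

```shell
#!/bin/sh
# Added example. dd and sha256sum stand in for dcfldd and its hashlog;
# all function and file names are constructed for the demonstration.

# acquire_split SRC PREFIX SEGBYTES HASHLOG
# Read SRC once: hash the stream and cut it into segments in the same pass.
acquire_split() (
    src=$1; prefix=$2; seg=$3; hashlog=$4
    tmp=$(mktemp -d) || exit 1
    mkfifo "$tmp/stream" || exit 1
    # Background reader hashes everything tee copies into the FIFO.
    sha256sum < "$tmp/stream" | cut -d' ' -f1 > "$hashlog" &
    # bs=512 limits what conv=sync can pad on a short read to one sector.
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null |
        tee "$tmp/stream" |
        split -b "$seg" - "$prefix"
    rc=$?
    wait                      # let the hasher finish writing HASHLOG
    rm -rf "$tmp"
    exit "$rc"
)

# segments_hash SEGMENT...
# Hash of the segments concatenated in the order given, without writing
# a reassembled image.dd to disk.
segments_hash() {
    cat "$@" | sha256sum | cut -d' ' -f1
}

# verify_segments HASHLOG SEGMENT...
# Succeeds only if the reassembled stream matches the acquisition hash.
verify_segments() (
    want=$(cat "$1"); shift
    got=$(segments_hash "$@")
    if [ "$want" = "$got" ]; then
        echo "OK $got"
    else
        echo "MISMATCH want=$want got=$got"
        exit 1
    fi
)

demo() (
    LC_ALL=C; export LC_ALL   # stable aa..az, ba glob order
    work=$(mktemp -d) || exit 1
    # Constructed stand-in for the evidence partition: 27 KiB of text,
    # so 1 KiB segments run image.aa .. image.az and then image.ba.
    seq 1 6000 | head -c 27648 > "$work/sample.raw"
    acquire_split "$work/sample.raw" "$work/image." 1024 "$work/hash.txt" || exit 1
    set -- "$work"/image.*
    echo "segments written: $#"
    echo "image.*  : $(verify_segments "$work/hash.txt" "$work"/image.*)"
    echo "image.a* : $(verify_segments "$work/hash.txt" "$work"/image.a*)"
    rm -rf "$work"
)

demo
```

With 650m segments the same naming applies once the source exceeds 26 segments, so the glob used for reassembly or import should cover every suffix and the result should be checked against the acquisition hash.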
From: Brian S. <Br...@Pe...> - 2005-03-16 17:03:40
|
Thanks Chris . . . what you are saying about imaging versus clone makes complete sense. I think I have decided with going to ext2 and copying the 17gig image to the ext2 file system.
From: Brian S. <Br...@Pe...> - 2005-03-16 17:14:21
|
Hey thanks Brian. This has been very helpful.
From: Brian S. <Br...@Pe...> - 2005-03-17 00:17:12
|
OK - I created an ext3 partition and formatted it. I rebooted with PSK disc in the cd rom. I right clicked the hda1 hard disk I partitioned and formatted and deselected read only on the device tab. If I now attempt to create a directory called 'Directory' on this drive, I get the error Access denied to /mnt/hda1/Directory . One other thing, there is a lost+found locked directory on this drive subsequent to formatting. Is that normal?
From: Seth A. <sa...@im...> - 2005-03-17 00:59:13
|
On Wed, Mar 16, 2005 at 04:16:54PM -0800, Brian Starr wrote:
> If I now attempt to create a directory called 'Directory' on this
> drive, I get the error Access denied to /mnt/hda1/Directory . One

File system permission semantics take some time to get used to. In order for your user (let's call the account "brian" :) to create a directory in /mnt/hda1, brian would need execute access to /mnt, to /mnt/hda1, and write access to /mnt/hda1.

Run ls -ld / /mnt /mnt/hda1 -- this will show you information on all three directories, so you can find out if you've got sufficient permissions. Typically, user accounts won't have such access to /mnt/<foo>.

> other thing, there is a lost+found locked directory on this drive
> subsequent to formatting. Is that normal?

Every ext2 and ext3 filesystem has a lost+found directory, used when running fsck(8). I've seen this idiom on other Unix systems, so it isn't special to just ext2 and ext3, it is just those are the two filesystems I use. :)
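The permission rule described in the message above, as an added example that is not part of the original thread: it reads the mode bits that ls -ld would show and reports which directory stops a given account from creating an entry. The function names, the constructed directory tree and the hypothetical account are assumptions of this example; it uses GNU stat and models only the owner/group/other bits, not supplementary groups, ACLs or read-only mounts.

```shell
#!/bin/sh
# Added example: evaluates the classic owner/group/other mode bits only.
# Supplementary groups, ACLs and read-only mounts are not modelled.

# class_bits DIR UID GID
# Print the rwx digit (0-7) of DIR that applies to the account UID/GID.
class_bits() (
    info=$(stat -c '%a %u %g' "$1") || exit 2   # GNU stat: mode, owner, group
    set -- $info "$2" "$3"
    mode=$((0$1))                               # read the mode as octal
    if   [ "$4" -eq 0 ];    then echo 7                        # root bypasses mode bits
    elif [ "$4" -eq "$2" ]; then echo $(( (mode >> 6) & 7 ))   # owner class
    elif [ "$5" -eq "$3" ]; then echo $(( (mode >> 3) & 7 ))   # group class
    else                         echo $((  mode       & 7 ))   # other class
    fi
)

# why_no_mkdir UID GID TARGET ANCESTOR...
# Creating an entry in TARGET needs execute (search) on every ANCESTOR
# and on TARGET, plus write on TARGET. Prints "ok" or the first obstacle.
why_no_mkdir() (
    uid=$1; gid=$2; target=$3; shift 3
    for dir in "$@" "$target"; do
        bits=$(class_bits "$dir" "$uid" "$gid") || exit 2
        if [ $(( bits & 1 )) -eq 0 ]; then
            echo "no execute (search) permission on $dir"
            exit 1
        fi
    done
    bits=$(class_bits "$target" "$uid" "$gid") || exit 2
    if [ $(( bits & 2 )) -eq 0 ]; then
        echo "no write permission on $target"
        exit 1
    fi
    echo "ok"
)

demo_perms() (
    top=$(mktemp -d) || exit 1
    mkdir -p "$top/mnt/hda1"                  # constructed stand-in for /mnt/hda1
    chmod 755 "$top/mnt" "$top/mnt/hda1"      # typical mount point modes
    # Hypothetical account that is neither the owner nor in the owning group.
    uid=$(( $(stat -c %u "$top/mnt") + 1 ))
    gid=$(( $(stat -c %g "$top/mnt") + 1 ))
    echo "hda1 755: $(why_no_mkdir "$uid" "$gid" "$top/mnt/hda1" "$top/mnt")"
    chmod 777 "$top/mnt/hda1"
    echo "hda1 777: $(why_no_mkdir "$uid" "$gid" "$top/mnt/hda1" "$top/mnt")"
    chmod 750 "$top/mnt"
    echo "mnt  750: $(why_no_mkdir "$uid" "$gid" "$top/mnt/hda1" "$top/mnt")"
    rm -rf "$top"
)

demo_perms
```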
From: Poldervaart, C. A <chr...@lm...> - 2005-03-17 00:38:51
|
Am I crazy...or is the latest release of the Penguin Sleuth Kit Live CD still from July of 2003? Just curious, since I was going to download it to look into your write problems.

Have you tried going into the terminal and mounting the device rw manually, such as mount -o rw /dev/hda1 /mnt/hda1 ?

I would try that (you'll need to unmount it first, of course)

The lost+found is normal with ext3.

Chris A. Poldervaart
From: Brian S. <Br...@Pe...> - 2005-03-17 00:42:51
|
OK, I mounted with write permissions from the command line and created a new directory from the command line, and it worked. However, from within Konqueror, I still cannot create directories. Why would that be?
From: Linux T. <lin...@ya...> - 2005-03-17 02:49:03
|
You should put this on the PSK forum because it focuses on that, not Autopsy and The Sleuth Kit. All we do here is guess, but Ernie created it so he should have an answer for you quickly.

Perhaps KDE is not starting with appropriate permissions for you to write directories?

-lt