Thread: [sleuthkit-users] Autopsy: File Activity Timelines not working
From: <gim...@we...> - 2006-02-21 19:07:14

Hi,

I want to create a timeline of activities with Autopsy.
I have built a new case, loaded up my image and opened the page "File Activity Timelines", then clicked on "Create Data File", OK, and then got this error message:

No images were given for analysis. At least one must be selected.

What could be wrong?
Perhaps something is bad with my image file?
It is a dd dump with 4 partitions.
I added partition 4 to the case and it was the partition I chose to make a timeline of.

regards

From: Brian C. <ca...@sl...> - 2006-02-23 03:01:14

On Feb 21, 2006, at 2:12 PM, <gim...@we...> wrote:

> Hi,
>
> I want to create a timeline of activities with Autopsy.
> I have built a new case, loaded up my image and opened the page "File
> Activity Timelines", then clicked on "Create Data File", OK, and then
> got this error message:
>
> No images were given for analysis. At least one must be selected.
>
> What could be wrong?
> Perhaps something is bad with my image file?
> It is a dd dump with 4 partitions.
> I added partition 4 to the case and it was the partition I chose to make
> a timeline of.

Was partition 4 added as a specific file system (i.e. can you go into the file analysis mode of Autopsy and view the directory listing?)? Only file systems are shown in the timeline view. If it was added as raw or swap then it will not be shown in the timeline view.

brian

From: <gim...@we...> - 2006-03-06 11:57:56

On Wed, 22 Feb 2006 22:01:00 -0500
Brian Carrier <ca...@sl...> wrote:

> > I added partition 4 to the case and it was the partition I chose to make
> > a timeline of.
>
> Was partition 4 added as a specific file system (i.e. can you go
> into the file analysis mode of Autopsy and view the directory
> listing?)? Only file systems are shown in the timeline view. If it
> was added as raw or swap then it will not be shown in the timeline
> view.

I'm sorry for my late answer (I overlooked this message thread for a while).

You are right! I chose file system type "raw"!
That's because the fat filesystem wasn't detected properly.

Here is what I got:

Collecting details on new image file:

Warning: Conflicts in the partitions were detected.
The full mmls output is given at the bottom of the page

For your reference, the mmls output was the following:
DOS Partition Table
Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0538989390   0538989390   Unallocated
02:  00:02   0538989391   1937352302   1398362912   OnTrack Disk Manager (0x53)
03:  00:01   1330184202   1869160489   0538976288   Unknown Type (0x6B)
04:  00:03   1394627663   1394648999   0000021337   Unknown Type (0x49)
05:  -----   1394649000   1935758367   0541109368   Unallocated
06:  00:00   1935758368   3615603091   1679844724   Unused (0x20)

I made the image from an Iomega Zip disk (100 MB). These Zip disks use fat16 (fat12?) filesystems on partition 4.

But it isn't recognized:

Testing partitions

Partition 4 is not a fat16 file system
Use the browser's back button to fix the data

Do you have any idea?

regards

From: Brian C. <ca...@sl...> - 2006-03-07 01:25:53

Your partition table is screwed up. TSK / Autopsy don't provide any tools to help fix that. You can use a tool like testdisk or gpart to see if the FAT file system exists somewhere on the disk.

brian

On Mar 6, 2006, at 7:04 AM, <gim...@we...> wrote:

> On Wed, 22 Feb 2006 22:01:00 -0500
> Brian Carrier <ca...@sl...> wrote:
>
>>> I added partition 4 to the case and it was the partition I chose to make
>>> a timeline of.
>>
>> Was partition 4 added as a specific file system (i.e. can you go
>> into the file analysis mode of Autopsy and view the directory
>> listing?)? Only file systems are shown in the timeline view. If it
>> was added as raw or swap then it will not be shown in the timeline
>> view.
>
> I'm sorry for my late answer (I overlooked this message thread for
> a while).
>
> You are right! I chose file system type "raw"!
> That's because the fat filesystem wasn't detected properly.
>
> Here is what I got:
>
> Collecting details on new image file:
>
> Warning: Conflicts in the partitions were detected.
> The full mmls output is given at the bottom of the page
>
> For your reference, the mmls output was the following:
> DOS Partition Table
> Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000001   0538989390   0538989390   Unallocated
> 02:  00:02   0538989391   1937352302   1398362912   OnTrack Disk Manager (0x53)
> 03:  00:01   1330184202   1869160489   0538976288   Unknown Type (0x6B)
> 04:  00:03   1394627663   1394648999   0000021337   Unknown Type (0x49)
> 05:  -----   1394649000   1935758367   0541109368   Unallocated
> 06:  00:00   1935758368   3615603091   1679844724   Unused (0x20)
>
> I made the image from an Iomega Zip disk (100 MB). These Zip disks use
> fat16 (fat12?) filesystems on partition 4.
>
> But it isn't recognized:
>
> Testing partitions
>
> Partition 4 is not a fat16 file system
> Use the browser's back button to fix the data
>
> Do you have any idea?
>
> regards

From: <gim...@we...> - 2006-03-07 19:46:20

On Mon, 6 Mar 2006 20:25:43 -0500
Brian Carrier <ca...@sl...> wrote:

> Your partition table is screwed up. TSK / Autopsy don't provide any
> tools to help fix that. You can use a tool like testdisk or gpart
> to see if the FAT file system exists somewhere on the disk.

You got it. I tried a simple "fdisk -l image.img" and then I got a very clear message that something is wrong with the image.

I looked at both tools, but gpart seems to be out of date and didn't compile. Its provided static binary doesn't run, either.
But never mind, testdisk is a very interesting tool...

Thanks.
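
Added example (not part of the thread and not TSK or Autopsy code): a Python sanity check of the mmls rows posted on 2006-03-06. It flags entries that end past the media, entries that overlap, and start/length fields whose four bytes are all printable ASCII. The 196,608-sector size for a 100 MB Zip disk and every function name here are assumptions.

```python
import re

# mmls rows copied unchanged from the 2006-03-06 message in this thread.
MMLS_ROWS = """\
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0538989390 0538989390 Unallocated
02: 00:02 0538989391 1937352302 1398362912 OnTrack Disk Manager (0x53)
03: 00:01 1330184202 1869160489 0538976288 Unknown Type (0x6B)
04: 00:03 1394627663 1394648999 0000021337 Unknown Type (0x49)
05: ----- 1394649000 1935758367 0541109368 Unallocated
06: 00:00 1935758368 3615603091 1679844724 Unused (0x20)
"""
ZIP100_SECTORS = 196_608  # assumption: 512-byte sectors on a 100 MB Zip disk
ROW = re.compile(r"\d+:\s+(\d\d:\d\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)")

def parse_partitions(text):
    """Return (slot, start, end, length, desc) for table entries; skip meta rows."""
    hits = filter(None, (ROW.match(line.strip()) for line in text.splitlines()))
    return [(m[1], int(m[2]), int(m[3]), int(m[4]), m[5]) for m in hits]

def as_ascii(value):
    """Decode a 32-bit little-endian field; None unless all 4 bytes are printable."""
    raw = value.to_bytes(4, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

def text_fields(parts):
    """Map 'slot.field' to its text for start/length values that are pure ASCII."""
    fields = ((f"{p[0]}.{name}", as_ascii(p[i])) for p in parts
              for name, i in (("start", 1), ("length", 3)))
    return {key: text for key, text in fields if text is not None}

def beyond_media(parts, media_sectors):
    """Slots whose last sector lies past the end of the media."""
    return [p[0] for p in parts if p[2] >= media_sectors]

def overlaps(parts):
    """Return (slot, earlier_slot) pairs whose sector ranges intersect."""
    pairs, reach = [], None  # reach = entry extending furthest so far
    for cur in sorted(parts, key=lambda p: p[1]):
        if reach is not None and cur[1] <= reach[2]:
            pairs.append((cur[0], reach[0]))
        if reach is None or cur[2] > reach[2]:
            reach = cur
    return pairs

if __name__ == "__main__":
    parts = parse_partitions(MMLS_ROWS)
    print(beyond_media(parts, ZIP100_SECTORS), overlaps(parts), text_fields(parts))
```

On the thread's values, several start and length fields decode to fragments such as "OS  " and " SYS", which points to sector 0 of the image holding text rather than partition entries.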