Thread: [sleuthkit-users] Some hyperlinks to directories are missing on newer Sleuthkit/Autopsy
From: Rose, J. L S. C. <Jer...@sa...> - 2006-09-27 15:32:49

I am using Sleuthkit version 2.06 and Autopsy version 2.08 on a Linux x86 box. The image file is NTFS. In Autopsy some of the directories are showing as "d/-" and there is no drill down hyperlink for them. But, when I run Sleuthkit version 2.03 and Autopsy version 2.06 on the same system and analyze the same image file the older versions show the "missing" links as normal "d/d". What am I doing wrong?

From: Brian C. <ca...@sl...> - 2006-09-28 21:35:42

Are the directories that are different deleted? Autopsy determines if it should provide a link based on the letter after the slash, which is why it isn't showing you a link. The question is why a "-" is being given...

brian

Rose, Jerry L SAJ Contractor wrote:
> I am using Sleuthkit version 2.06 and Autopsy version 2.08 on a Linux
> x86 box. The image file is NTFS. In Autopsy some of the directories are
> showing as "d/-" and there is no drill down hyperlink for them. But,
> when I run Sleuthkit version 2.03 and Autopsy version 2.06 on the same
> system and analyze the same image file the older versions show the
> "missing" links as normal "d/d". What am I doing wrong?
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

From: Rose, J. L S. C. <Jer...@sa...> - 2006-09-29 11:10:25

No, the directories can be opened by either using the previous version(s) or by using the new version and typing them into the browse field. For this case the NTFS image is for the "C:" partition. When I browse I can type in to the form "winnt" below the C:\ and the files show up.

Jerry

-----Original Message-----
From: Brian Carrier [mailto:ca...@sl...]
Sent: Thursday, September 28, 2006 5:36 PM
To: Rose, Jerry L SAJ Contractor
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Some hyperlinks to directories are missing on newer Sleuthkit/Autopsy

Are the directories that are different deleted? Autopsy determines if it should provide a link based on the letter after the slash, which is why it isn't showing you a link. The question is why a "-" is being given...

brian

Rose, Jerry L SAJ Contractor wrote:
> I am using Sleuthkit version 2.06 and Autopsy version 2.08 on a Linux
> x86 box. The image file is NTFS. In Autopsy some of the directories are
> showing as "d/-" and there is no drill down hyperlink for them. But,
> when I run Sleuthkit version 2.03 and Autopsy version 2.06 on the same
> system and analyze the same image file the older versions show the
> "missing" links as normal "d/d". What am I doing wrong?

From: Brooks, P. <pre...@tw...> - 2006-09-29 12:02:38

The only time I have seen something like this is when the file's inode was reallocated as a directory, yet still there was some vestigial data left for sleuthkit to see. In this case, however, it still reflects this in the color of the file name and one of the columns will indicate the reallocated status. In the previous versions where it provided a link, that link would take me to the new directory. It actually made things more confusing until I realized that it was effectively linking to a new existing directory and there wasn't anything left of the old file, but the name.

-----Original Message-----
From: sleuthkit-users-bounces@lists.sourceforge.net on behalf of Rose, Jerry L SAJ Contractor
Sent: Fri 9/29/2006 7:10 AM
To: Brian Carrier
Cc: sleuthkit-users@lists.sourceforge.net
Subject: Re: [sleuthkit-users] Some hyperlinks to directories are missing on newer Sleuthkit/Autopsy

No, the directories can be opened by either using the previous version(s) or by using the new version and typing them into the browse field. For this case the NTFS image is for the "C:" partition. When I browse I can type in to the form "winnt" below the C:\ and the files show up.

Jerry

-----Original Message-----
From: Brian Carrier [mailto:carrier@sleuthkit.org]
Sent: Thursday, September 28, 2006 5:36 PM
To: Rose, Jerry L SAJ Contractor
Cc: sleuthkit-users@lists.sourceforge.net
Subject: Re: [sleuthkit-users] Some hyperlinks to directories are missing on newer Sleuthkit/Autopsy

Are the directories that are different deleted? Autopsy determines if it should provide a link based on the letter after the slash, which is why it isn't showing you a link. The question is why a "-" is being given...

brian

Rose, Jerry L SAJ Contractor wrote:
> I am using Sleuthkit version 2.06 and Autopsy version 2.08 on a Linux
> x86 box. The image file is NTFS. In Autopsy some of the directories are
> showing as "d/-" and there is no drill down hyperlink for them. But,
> when I run Sleuthkit version 2.03 and Autopsy version 2.06 on the same
> system and analyze the same image file the older versions show the
> "missing" links as normal "d/d". What am I doing wrong?

From: Rose, J. L S. C. <Jer...@sa...> - 2006-09-29 13:23:12

I'll try an NTFS image file from another system to see if this is something specific to this one image.

-----Original Message-----
From: Brooks, Prentis [mailto:pre...@tw...]
Sent: Friday, September 29, 2006 7:58 AM
To: Rose, Jerry L SAJ Contractor; Brian Carrier
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Some hyperlinks to directories are missing on newer Sleuthkit/Autopsy

The only time I have seen something like this is when the file's inode was reallocated as a directory, yet still there was some vestigial data left for sleuthkit to see. In this case, however, it still reflects this in the color of the file name and one of the columns will indicate the reallocated status. In the previous versions where it provided a link, that link would take me to the new directory. It actually made things more confusing until I realized that it was effectively linking to a new existing directory and there wasn't anything left of the old file, but the name.

-----Original Message-----
<< snipped >>
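
The two cases discussed in this thread (a link decided by the letter after the slash, and a name whose metadata entry was reallocated), as an added example that is not part of the thread or of Autopsy's own code. The line layout is assumed to follow The Sleuth Kit's `fls` listing, the sample lines are constructed, and `classify` and its finding labels are hypothetical names.

```python
import re

# Assumed line layout, modelled on The Sleuth Kit's fls listing:
#   <name type>/<metadata type> [*] <address>[(realloc)]: <name>
# The first letter comes from the directory entry, the second from the
# metadata entry; "*" marks a deleted name, "-" an undetermined type.
LINE_RE = re.compile(
    r"^(?P<name_type>[-a-z])/(?P<meta_type>[-a-z])\s+"
    r"(?P<deleted>\*\s+)?(?P<addr>[0-9-]+)(?P<realloc>\(realloc\))?:\s*"
    r"(?P<name>.+)$"
)

def classify(line):
    """Parse one listing line and explain how its two type letters relate."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised listing line: {line!r}")
    name_type, meta_type = m["name_type"], m["meta_type"]
    if meta_type == "-":
        # The case from the thread: "d/-" gets no drill-down link.
        finding = "meta-type-unknown"
    elif m["realloc"] or name_type not in ("-", meta_type):
        # Name and metadata disagree: the entry may have been reallocated,
        # so a link would lead to the new owner, not the old file.
        finding = "type-mismatch"
    else:
        finding = "consistent"
    return {
        "name": m["name"],
        "addr": m["addr"],
        "deleted": m["deleted"] is not None,
        "link": meta_type == "d",  # rule stated in the thread
        "finding": finding,
    }

# Constructed sample lines (not taken from the image in the thread).
SAMPLE = [
    "d/d 27-144-1:\tDocuments and Settings",
    "d/- 5203-144-6:\tWINNT",
    "r/d * 880-144-1(realloc):\told_report.doc",
    "r/r * 912-128-3:\tnotes.txt",
]

if __name__ == "__main__":
    for row in map(classify, SAMPLE):
        print(f'{row["name"]:<24} link={row["link"]!s:<5} {row["finding"]}')
```
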