Thread: [sleuthkit-users] Re: sleuthkit-users digest, Vol 1 #202 - 1 msg

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Just FYI: The Maxtor OneTouch external drives are pre-formatted as a
250GB FAT32 partition, and include a bootable cd with software that
allows you to quick-format any large disk with a FAT32.

- Dev

On Mon, 13 Sep 2004 20:52:11 -0700,
sle...@li...
<sle...@li...> wrote:
> Send sleuthkit-users mailing list submissions to
>         sle...@li...
> 
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> or, via email, send a message with subject or body 'help' to
>         sle...@li...
> 
> You can reach the person managing the list at
>         sle...@li...
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sleuthkit-users digest..."
> 
> Today's Topics:
> 
>    1. Re: Autopsy - FAT32 images problem ? (Angus Marshall)
> 
> --__--__--
> 
> Message: 1
> From: Angus Marshall <an...@n-...>
> Organization: Dis-
> To: Brian Carrier <ca...@sl...>
> Subject: Re: [sleuthkit-users] Autopsy - FAT32 images problem ?
> Date: Mon, 13 Sep 2004 19:55:12 +0100
> Cc: "sleuthkit-users <sle...@li...>" <sle...@li...>
> 
> On Monday 13 September 2004 03:09, Brian Carrier wrote:
> > On Sep 12, 2004, at 10:46 AM, Angus Marshall wrote:
> > > I have a 160Gb partition formatted as FAT32 which has been imaged
> > > using dd.
> > >
> > > I can mount it ro on a loop device on Linux and confirm that is it
> > > FAT32, but
> > > when I try to symlink the image into the case on Autopsy 2.03 it's
> > > reporting
> > > that the images is not FAT32. The autopsy shell window reports :
> > >
> > > "bin/fsstat: FAT Volume too large for analysis"
> > >
> > > so I guess there's a hard limit set somewhere in sleuthkit. Can this be
> > > overcome ?
> >
> > Not until version 2 when I start to use the fixed size variables.  This
> > limit is because FAT directory entries do not have any form of address
> > and therefore I assign them one based on the sector they are located in
> > and their location in the sector.  To keep in a 32-bit inode address,
> > there can only be 2^28 sectors, which is a 128 GB file system.  I had
> > assumed that few people would be using FAT for such a large file
> > system.  In version 2, the internal inode address will be 64-bits and
> > will be able to assign larger addresses.
> >
> > Sorry.  If you want to do keyword searching you can import it as a raw
> > image.
> >
> > brian
> 
> Thanks Brian - it's the first large disk I've encountered where the suspect
> has used FAT32 instead of NTFS. I reckon I can handle it using the loopback
> mount instead. It's only a CD-piracy case, so the evidence is likely to be
> fairly obvious anyway.
> 
> --__--__--
> 
> _______________________________________________
> sleuthkit-users mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> 
> End of sleuthkit-users Digest
>