On Monday 13 September 2004 03:09, Brian Carrier wrote:
> On Sep 12, 2004, at 10:46 AM, Angus Marshall wrote:
> > I have a 160Gb partition formatted as FAT32 which has been imaged
> > using dd.
> >
> > I can mount it ro on a loop device on Linux and confirm that it is
> > FAT32, but when I try to symlink the image into the case on Autopsy
> > 2.03 it's reporting that the image is not FAT32. The autopsy shell
> > window reports:
> >
> > "bin/fsstat: FAT Volume too large for analysis"
> >
> > so I guess there's a hard limit set somewhere in sleuthkit. Can this be
> > overcome?
>
> Not until version 2 when I start to use the fixed size variables. This
> limit is because FAT directory entries do not have any form of address
> and therefore I assign them one based on the sector they are located in
> and their location in the sector. To keep in a 32-bit inode address,
> there can only be 2^28 sectors, which is a 128 GB file system. I had
> assumed that few people would be using FAT for such a large file
> system. In version 2, the internal inode address will be 64 bits and
> will be able to assign larger addresses.
>
> Sorry. If you want to do keyword searching you can import it as a raw
> image.
>
> brian
Thanks Brian - it's the first large disk I've encountered where the suspect
has used FAT32 instead of NTFS. I reckon I can handle it using the loopback
mount instead. It's only a CD-piracy case, so the evidence is likely to be
fairly obvious anyway.
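
The arithmetic behind the limit Brian describes, as an added example that is not part of the original messages and is not Sleuth Kit code. It assumes 32-byte directory entries and a simple sector-times-slots packing chosen for illustration; all function names are hypothetical, and the boot sectors are constructed samples.

```python
import struct

DIRENT_SIZE = 32    # bytes per FAT directory entry
ADDR_BITS = 32      # width of the inode address discussed in the thread

def max_addressable_sectors(bytes_per_sector=512):
    """Sectors that fit once the entry's slot within the sector is encoded."""
    entries_per_sector = bytes_per_sector // DIRENT_SIZE   # 16 for 512-byte sectors
    return (1 << ADDR_BITS) // entries_per_sector          # 2^28 for 512-byte sectors

def dirent_address(sector, slot, bytes_per_sector=512):
    """Illustrative packing of (sector, slot in sector) into one address."""
    entries_per_sector = bytes_per_sector // DIRENT_SIZE
    if not 0 <= slot < entries_per_sector:
        raise ValueError("slot outside sector")
    if not 0 <= sector < max_addressable_sectors(bytes_per_sector):
        raise OverflowError("FAT volume too large for a 32-bit address")
    return sector * entries_per_sector + slot

def parse_bpb(boot_sector):
    """Return (bytes_per_sector, total_sectors) from a FAT boot sector."""
    if len(boot_sector) < 512 or boot_sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    (bps,) = struct.unpack_from("<H", boot_sector, 11)     # BPB_BytsPerSec
    (tot16,) = struct.unpack_from("<H", boot_sector, 19)   # BPB_TotSec16 (0 on FAT32)
    (tot32,) = struct.unpack_from("<I", boot_sector, 32)   # BPB_TotSec32
    if bps not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes-per-sector value")
    return bps, tot16 or tot32

def volume_fits(boot_sector):
    """True if every sector of the volume gets a 32-bit entry address."""
    bps, total = parse_bpb(boot_sector)
    return total <= max_addressable_sectors(bps)

def make_boot_sector(bps, total_sectors):
    """Constructed sample: only the fields parse_bpb reads are filled in."""
    b = bytearray(512)
    struct.pack_into("<H", b, 11, bps)
    struct.pack_into("<I", b, 32, total_sectors)
    b[510:512] = b"\x55\xaa"
    return bytes(b)

if __name__ == "__main__":
    for label, gb in (("100 GB", 100), ("160 GB", 160)):
        bs = make_boot_sector(512, gb * 10**9 // 512)
        print(label, "fits" if volume_fits(bs) else "too large for 32-bit addresses")
    print("limit:", max_addressable_sectors() * 512 // 2**30, "GiB")
```

To check a real image before adding it to a case, pass the first 512 bytes of the dd file to `volume_fits`.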