Trouble on files extraction in Autopsy..

9 Posts
3 Users
0 Likes
2,707 Views
 dega
(@dega)
Posts: 261
Reputable Member
Topic starter
 

Usually, I use Autopsy on Windows forensic copies (E01). I like it.
This time I am analyzing the forensic copy of an iMac. The software shows me the files, and if possible I see the preview. When I extract them, the file is empty (0 bytes). I wrote a mail to them, with no answer.
Can anybody help me?
Thanks

 
Posted : 26/10/2014 10:52 pm
(@bithead)
Posts: 1206
Noble Member
 

What version of Autopsy? What does the file look like in hex? If you open the E01 in another program can you extract the file?

 
Posted : 27/10/2014 12:49 am
 dega
(@dega)
Posts: 261
Reputable Member
Topic starter
 

I am using the latest version of Autopsy. I haven't opened it in a hex editor.
Which software may I use to open it?

 
Posted : 27/10/2014 11:53 am
 dega
(@dega)
Posts: 261
Reputable Member
Topic starter
 

> What version of Autopsy? What does the file look like in hex? If you open the E01 in another program can you extract the file?

I tried to open it in hex, but it is empty.

 
Posted : 29/10/2014 9:19 pm
 jhup
(@jhup)
Posts: 1442
Noble Member
 

What other software did you try to view the E01 with?

Are you looking at the file system (MDB), or the entire image?

What software did you try to extract the file with?

What is the imaged file system reporting for the file size?

What is the extracted file size?

> What version of Autopsy? What does the file look like in hex? If you open the E01 in another program can you extract the file?
>
> I tried to open it in hex, but it is empty.

 
Posted : 29/10/2014 10:30 pm
 dega
(@dega)
Posts: 261
Reputable Member
Topic starter
 

> What other software did you try to view the E01 with?

Actually, only the latest version of Autopsy.

> Are you looking at the file system (MDB), or the entire image?

I need to extract a few files.

> What software did you try to extract the file with?

Autopsy.

> What is the imaged file system reporting for the file size?

Actually, I closed the software. But I saw something that could be the correct size. In Autopsy's preview I see the content of the file.

> What is the extracted file size?

Zero bytes.

 
Posted : 29/10/2014 11:08 pm
(@bithead)
Posts: 1206
Noble Member
 

> What other software did you try to view the E01 with?
>
> Actually, only the latest version of Autopsy.

Try AccessData FTK Imager.

> Are you looking at the file system (MDB), or the entire image?
>
> I need to extract a few files.

That was not what he asked. In Autopsy did you mount the file system or the forensic image (including slack and unallocated space)?

> What software did you try to extract the file with?
>
> Autopsy.

Most examiners would try at least one other tool . . . like a hex editor.

> What is the imaged file system reporting for the file size?
>
> Actually, I closed the software. But I saw something that could be the correct size. In Autopsy's preview I see the content of the file.

You see a thumbnail representation of the file or you see the contents of the actual file?

> What is the extracted file size?
>
> Zero bytes.

When you look at the hex view of the file do you see the headers and footers of the file?

 
Posted : 30/10/2014 4:32 am
 dega
(@dega)
Posts: 261
Reputable Member
Topic starter
 

> Try AccessData FTK Imager

I tried it. After mounting the forensic image, I see two disks; the first is EFI but I can't see the second. I am analyzing an iMac, so Windows didn't recognize HFS.

In Autopsy I mount the forensic image.

I see the content, not the thumbnail.
In the hex I see only this sequence: 00, 01, 02, 03, 04, 05, then stop, zero bytes.

 
Posted : 30/10/2014 12:00 pm
(@bithead)
Posts: 1206
Noble Member
 

> Try AccessData FTK Imager
>
> I tried it. After mounting the forensic image, I see two disks; the first is EFI but I can't see the second. I am analyzing an iMac, so Windows didn't recognize HFS.

You see two "disks" but the second is unrecognized? Or you see one disk with multiple partitions and the second/HFS partition is unrecognized?

While Windows may not recognize HFS, FTK Imager does. See associated link http://www.appleexaminer.com/Resources/FTKMacForensics/FTKMacForensics.html

Are you sure you have a good image of the drive?

> In Autopsy I mount the forensic image.
>
> I see the content, not the thumbnail.
> In the hex I see only this sequence: 00, 01, 02, 03, 04, 05, then stop, zero bytes.

If that is the hex you are seeing, you are not seeing the content of the file, you are seeing a representation of what used to be the file from the journal. See the following for information on the journal: http://www.kazamiya.net/en/HFSJournalParser

If you have two tools that are showing you zero byte files, either the image is corrupt, or the files were damaged/deleted.

If the image is not corrupt you may be able to perform some data carving/file recovery activities and be able to gain access to the data in the image.

Also, in searching the TSK/Autopsy list it seems as if quite a few people are having issues in V3 with HFS+, however 2.0 from the various "Live" CDs seems to work fine.

 
Posted : 01/11/2014 4:31 pm
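The checks bithead walks dega through above (compare the size the file system reports with the size actually extracted, look for the file's header and footer in hex, and recognise a 00 01 02 03 ... run as something other than real content) can be scripted so they run over a whole export directory instead of one file at a time. The following is an added example in Python, not code from the thread, from Autopsy or from The Sleuth Kit. The signature table is a small constructed subset, and the sample "extractions" are constructed in-line so it runs offline; it flags inconsistencies in extraction output but cannot say why a file came out empty.

```python
"""Triage checks for files extracted from a forensic image (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed subset of header/footer signatures for illustration only.
SIGNATURES: dict[str, tuple[bytes, bytes]] = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


@dataclass
class TriageResult:
    name: str
    expected_size: int   # size the imaged file system reports for the entry
    actual_size: int     # size of what the tool actually wrote out
    findings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def looks_like_counter_pattern(data: bytes, min_len: int = 4) -> bool:
    """True if the data opens with consecutive byte values (00 01 02 03 ...),
    the pattern dega saw in the hex view instead of real file content."""
    if len(data) < min_len:
        return False
    return all(data[i] == (data[0] + i) & 0xFF for i in range(min_len))


def identify_by_signature(data: bytes) -> tuple[str | None, bool]:
    """Return (file type, footer present) using the signature table; the footer
    check tolerates a trailing newline, which PDFs commonly carry after %%EOF."""
    for name, (header, footer) in SIGNATURES.items():
        if data.startswith(header):
            return name, data.rstrip(b"\r\n").endswith(footer)
    return None, False


def triage_extracted_file(name: str, expected_size: int, data: bytes) -> TriageResult:
    """Compare one extracted file against what the file system claimed and
    against known headers/footers; each inconsistency becomes a finding."""
    result = TriageResult(name, expected_size, len(data))
    if not data:
        result.findings.append("extracted file is empty (0 bytes)")
        return result
    if len(data) != expected_size:
        result.findings.append(
            f"size mismatch: file system reports {expected_size}, extracted {len(data)}")
    if looks_like_counter_pattern(data):
        result.findings.append(
            "content opens with a 00 01 02 03 ... counter pattern, not real file data")
    ftype, footer_ok = identify_by_signature(data)
    if ftype is None:
        result.findings.append("no known header signature at offset 0")
    elif not footer_ok:
        result.findings.append(f"{ftype} header present but footer missing (truncated)")
    return result


def run_triage(samples: dict[str, tuple[int, bytes]]) -> dict[str, TriageResult]:
    """Triage a mapping of name -> (reported size, extracted bytes)."""
    return {name: triage_extracted_file(name, size, data)
            for name, (size, data) in samples.items()}


# Constructed sample extractions, not taken from any real image.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 10            # footer never written
SAMPLES: dict[str, tuple[int, bytes]] = {
    "photo.jpg": (1024, b""),                                  # dega's symptom: 0 bytes
    "notes.pdf": (6, b"\x00\x01\x02\x03\x04\x05"),             # counter pattern only
    "logo.png": (len(GOOD_PNG), GOOD_PNG),                     # consistent extraction
    "scan.jpg": (20, TRUNCATED_JPEG),                          # short and footer missing
}

if __name__ == "__main__":
    for res in run_triage(SAMPLES).values():
        status = "OK " if res.ok else "BAD"
        print(f"{status} {res.name}: reported={res.expected_size} extracted={res.actual_size}")
        for finding in res.findings:
            print(f"      - {finding}")
```

In practice the `expected_size` column would come from the tool's file listing (or from `fls`/`istat` in The Sleuth Kit) and the bytes from the export folder; a file that is empty or counter-patterned in two independent tools points at the image or the file system entry, as bithead says, rather than at one tool's extraction.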