Usually, I use Autopsy on Windows forensic copies (E01). I like it.
This time I am analyzing the forensic copy of an iMac. The software shows me the files and, if possible, I see the preview. When I extract them, the file is empty (0 bytes). I wrote an email to them, with no answer.
Can anybody help me?
Thanks
What version of Autopsy? What does the file look like in hex? If you open the E01 in another program can you extract the file?
I am using the latest version of Autopsy. I haven't opened it in a hex editor.
Which software may I use to open it?
> What version of Autopsy? What does the file look like in hex? If you open the E01 in another program can you extract the file?
I tried to open it in hex, but it is empty.
What other software did you try to view the E01 with?
Are you looking at the file system (MDB), or the entire image?
What software did you try to extract the file with?
What is the imaged file system reporting for the file size?
What is the extracted file size?
> What version of Autopsy? What does the file look like in hex? If you open the E01 in another program can you extract the file?
> I tried to open it in hex, but it is empty.
>What other software did you try to view the E01 with?
Actually only the latest version of Autopsy
>Are you looking at the file system (MDB), or the entire image?
I need to extract a few files
> What software did you try to extract the file with?
Autopsy
>What is the imaged file system reporting for the file size?
Actually, I closed the software. But I see something that can be the correct size. In Autopsy's preview I see the content of the file
>What is the extracted file size?
zero bytes
>What other software did you try to view the E01 with?
> Actually only the latest version of Autopsy
Try AccessData FTK Imager
>Are you looking at the file system (MDB), or the entire image?
> I need to extract a few files
That was not what he asked. In Autopsy did you mount the file system or the forensic image (including slack and unallocated space)?
> What software did you try to extract the file with?
> Autopsy
Most examiners would try at least one other tool . . . like a hex editor.
>What is the imaged file system reporting for the file size?
> Actually, I closed the software. But I see something that can be the correct size. In Autopsy's preview I see the content of the file
You see a thumbnail representation of the file or you see the contents of the actual file?
>What is the extracted file size?
> zero bytes
When you look at the hex view of the file do you see the headers and footers of the file?
> Try AccessData FTK Imager
I tried it. After mounting the forensic image, I see two disks; the first is EFI, but I can't see the second. I am analyzing an iMac, so Windows didn't recognize HFS
In Autopsy I mount the forensic image
I see the content not the thumbnail
In the hex I see only this sequence: 00,01,02,03,04,05, then stop, zero bytes
> Try AccessData FTK Imager
> I tried it. After mounting the forensic image, I see two disks; the first is EFI, but I can't see the second. I am analyzing an iMac, so Windows didn't recognize HFS
You see two "disks" but the second is unrecognized? Or you see one disk with multiple partitions and the second/HFS partition is unrecognized?
While Windows may not recognize HFS, FTK Imager does. See associated link http//
Are you sure you have a good image of the drive?
> In Autopsy I mount the forensic image
> I see the content not the thumbnail
> In the hex I see only this sequence: 00,01,02,03,04,05, then stop, zero bytes
If that is the hex you are seeing, you are not seeing the content of the file, you are seeing a representation of what used to be the file from the journal. See the following for information on the journal http//
If you have two tools that are showing you zero byte files, either the image is corrupt, or the files were damaged/deleted.
If the image is not corrupt you may be able to perform some data carving/file recovery activities and be able to gain access to the data in the image.
Also, in searching the TSK/Autopsy list it seems as if quite a few people are having issues in V3 with HFS+, however 2.0 from the various "Live" CDs seems to work fine.
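A tool-independent check for the two questions raised above (is the second partition really HFS+, and is the image good), as an added example that is not part of the thread: it parses the GPT of a raw disk image and looks for the HFS+/HFSX volume header signature 1024 bytes into each partition. It assumes the E01 has first been exported to a raw image, a GPT-partitioned disk and 512-byte sectors; the function names and the sample image are constructed for illustration.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors
HFS_GUID = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")  # Apple HFS/HFS+ type
EFI_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")  # EFI System Partition

def hfs_signature(img, vol_offset):
    """Return 'H+' (HFS+), 'HX' (HFSX) or None from the volume header at +1024."""
    sig = bytes(img[vol_offset + 1024:vol_offset + 1026])
    return sig.decode("ascii") if sig in (b"H+", b"HX") else None

def list_partitions(img):
    """Parse the GPT of a raw image (bytes or mmap) and probe each partition."""
    hdr = img[SECTOR:SECTOR + 92]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (not GPT, or image damaged)")
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        off = entries_lba * SECTOR + i * entry_size
        entry = bytes(img[off:off + entry_size])
        if len(entry) < 48:          # image ends inside the partition table
            break
        type_guid = uuid.UUID(bytes_le=entry[:16])
        if type_guid.int == 0:       # unused slot
            continue
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        parts.append({"type": type_guid, "first_lba": first_lba,
                      "last_lba": last_lba,
                      "hfs_sig": hfs_signature(img, first_lba * SECTOR)})
    return parts

def build_sample_image(with_hfs_header=True):
    """Constructed 64-sector image: GPT with one EFI and one HFS+ partition."""
    img = bytearray(64 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 4, 128)  # table at LBA 2
    for slot, (guid, first, last) in enumerate([(EFI_GUID, 8, 15), (HFS_GUID, 16, 63)]):
        off = 2 * SECTOR + slot * 128
        img[off:off + 16] = guid.bytes_le
        struct.pack_into("<QQ", img, off + 32, first, last)
    if with_hfs_header:
        img[16 * SECTOR + 1024:16 * SECTOR + 1026] = b"H+"
    return bytes(img)

if __name__ == "__main__":
    for p in list_partitions(build_sample_image()):
        print(p["type"], p["first_lba"], p["last_lba"], p["hfs_sig"])
```

A partition typed as HFS in the GPT whose `hfs_sig` is `None` points at a damaged or incomplete image rather than at the viewing tool.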