First let me explain that I am new to Linux and forensics, learning as I go; due to budget issues I can't just go purchase EnCase or FTK and go to training. I'm currently working on a case of child porn charges etc… I have created an Expert Witness Format image using FTK Imager, hashes matched etc…
I got a rather old copy of EnCase 4.0 which kind of works. I saw the pictures in the pagefile.sys and unallocated space. Problem is I can't export them into a report because the functionality doesn't work. So that puts me where I am currently at. (A big loss… LOL) So I figured no problem, plenty of open source tools to help get the job done and learn lots about forensics while doing this.
I currently have Kali Linux installed on my Precision M6600 workstation. Here is what I have done…
1. Start Autopsy… create new case..
2. Add Host – leaving all default for now while getting things to work.
3. Add Image – add image file —
Location: /media/MyPassportEvidence/PMyers_HardDrive/pmyers.* (If the image is split (either raw or EnCase), then enter '*' for the extension.)
Select type to be Disk (since the FTK image is of the whole suspect disk).
Import method I left on Symlink.
Clicked on Next.
Split Image Confirmation
The following images will be added to the case.
If this is not the correct order, then you should change the naming convention.
Press the Next button at the bottom of the page if this is correct.
0 /media/MyPassportEvidence/PMyers_HardDrive/pmyers.E01
1 /media/MyPassportEvidence/PMyers_HardDrive/pmyers.E01.csv
2 /media/MyPassportEvidence/PMyers_HardDrive/pmyers.E01.txt
3 /media/MyPassportEvidence/PMyers_HardDrive/pmyers.E02
4 /media/MyPassportEvidence/PMyers_HardDrive/pmyers.E03 ……….
It lists all the files… then I click on Next… and get the below:
Warning: Autopsy could not determine the volume system type for the disk image (i.e. the type of partition table).
Please select the type from the list below or reclassify the image as a volume image instead of as a disk image.
Disk Image x Volume Image
Volume System Type (disk image only) dos
Click on the OK button.
Click OK again to add to the evidence locker.
Testing partitions
Linking image(s) into evidence locker
Image file added with ID img1
Disk image (type dos) added with ID vol1
disk pmyers.E01-disk raw details
It's almost like it's not recognizing the Expert Witness File setup. Can anybody point me in the right direction?
I have already tried adding the image as /pmyers.E* and /pmyers.E?? etc. with no luck. I've searched the forums and came across a similar issue with TSK, but I'm not having that issue. I also have the Law Enforcement and Forensic Examiners' Introduction to Linux that I'm following. I (
root@Shrf-Pete-01/media/MyPassportEvidence/PMyers_HardDrive# mmls pmyers.E01
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors
Slot Start End Length Description
00 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000000 0000000062 0000000063 Unallocated
02 0000 0000000063 0461434994 0461434932 NTFS (0x07)
03 0001 0461434995 0488392064 0026957070 NTFS (0x07)
04 ----- 0488392065 0488397167 0000005103 Unallocated
Anybody have any ideas? I wanted to use Autopsy because of the case management and GUI…
Thanks,
Pete
The txt and csv shouldn't be part of the image. Make sure you are not including them while importing the evidence.
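The problem above is that the `pmyers.*` glob hands Autopsy the FTK Imager sidecar files (`pmyers.E01.csv`, `pmyers.E01.txt`) along with the real segments. The shell snippet below is an added example (not from the thread or from Autopsy/TSK) that keeps only file names matching the EWF segment convention (E01..E99, then EAA..EZZ, FAA.. and so on) and checks that the numbered segments are consecutive before the list is handed to a tool. The directory and file names it builds are constructed for the demo; it assumes the segment names contain no whitespace.

```shell
#!/bin/sh
# ewf_segments BASE DIR
# Print, one per line and in segment order, the files in DIR that are real
# EWF segments of image BASE. A segment extension is exactly three characters:
# E01..E99 for the first 99 segments, then EAA..EZZ, FAA..FZZ etc. Anything
# with extra characters after the segment (E01.csv, E01.txt) is skipped.
ewf_segments() {
    base="$1"; dir="$2"
    for f in "$dir"/"$base".*; do
        name=${f##*/}                      # strip directory
        ext=${name#"$base".}               # text after "BASE."
        case "$ext" in
            E[0-9][0-9]|[E-Z][A-Z][A-Z]) printf '%s\n' "$name" ;;
            *) ;;                          # sidecar or unrelated file: ignore
        esac
    done | LC_ALL=C sort                   # C locale: digits sort before letters
}

# ewf_complete BASE DIR
# Succeed only if at least one segment exists and the numbered segments run
# E01, E02, ... with no gap (a missing segment would silently truncate the
# evidence). Letter-named segments beyond E99 are not range-checked here.
ewf_complete() {
    n=0
    for name in $(ewf_segments "$1" "$2"); do
        n=$((n + 1))
        [ "$n" -gt 99 ] && break
        [ "${name#"$1".}" = "$(printf 'E%02d' "$n")" ] || return 1
    done
    [ "$n" -gt 0 ]
}

# Demo with a constructed evidence folder mirroring the thread's listing.
demo_dir=$(mktemp -d)
for f in pmyers.E01 pmyers.E01.csv pmyers.E01.txt pmyers.E02 pmyers.E03; do
    : > "$demo_dir/$f"
done
echo "Segments to hand to Autopsy:"
ewf_segments pmyers "$demo_dir"
if ewf_complete pmyers "$demo_dir"; then echo "segment set is consecutive"; fi
rm -rf "$demo_dir"
```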
Rampage, thank you very much. I was including the txt and csv; I moved them to another folder and reimported, and all is well. Funny how something so simple can be so hard to find. I guarantee I won't forget the next time I do this.. LOL
Again thank you.
Pete
The reason I looked into it in the first place is that I once ran into the same issue as well :) We learn from our mistakes :)