'Re: [sleuthkit-users] fls, ils outputs zero data file'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sleuthkit-users
Subject:    Re: [sleuthkit-users] fls, ils outputs zero data file
From:       Martin Finegan <martyfinegan () yahoo ! com>
Date:       2008-03-10 15:44:39
Message-ID: 274923.80921.qm () web45716 ! mail ! sp1 ! yahoo ! com
[Download RAW message or body]

Brian, 

The missing mountpoint was the problem. I now have a
huge amount of data. 

Thanks very much for the pointer. 

Marty

--- Brian Carrier <carrier@sleuthkit.org> wrote:

> Hi Marty,
> 
> On the 'fls' command, you should have a "mount
> point" name after the  
> '-m'. i.e.
> fls -r ntfs -m "c:/" -r /mnt/XXXXXX
> 
> What happens when you just do a 'fls
> /mnt/dest/partition_image.dd'?
> 
> Yes, this does use the MFT, but you should see at
> least some FS  
> metadata files or get an error about corrupt data
> structures.
> 
> brian
> 
> 
> On Mar 9, 2008, at 1:18 PM, Martin Finegan wrote:
> 
> > Hello,
> > 
> > I'm wondering what I'm doing wrong here.
> > 
> > I have a drive containing an NTFS partition. I
> carved
> > out the partition, and ran fls, and ils on it is
> > follows:
> > 
> > # ./fls -f ntfs -m -r /mnt/dest/partition_image.dd
> > 
> > body
> > # ./ils -f ntfs -m  /mnt/dest/partition_image.dd
> > > 
> > body
> > 
> > The resulting "body" file was empty. When I run
> the
> > commands independantly, the file was also empty.
> > 
> > There is plenty of data on the partition itself.
> > 
> > I have two questions - does fls draw information
> from
> > the MFT? (I think it may have been tampered with)
> > 
> > and am I doing something wrong?
> > 
> > Thanks in advance for any assistance,
> > 
> > Marty.
> > 
> > 
> > 
> > 
> 
______________________________________________________________________
> 
> > ______________
> > Be a better friend, newshound, and
> > know-it-all with Yahoo! Mobile.  Try it now. 
> http:// 
> > 
> mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
> > 
> > 
> > 
> > 
> 
----------------------------------------------------------------------
> 
> > ---
> > This SF.net email is sponsored by: Microsoft
> > Defy all challenges. Microsoft(R) Visual Studio
> 2008.
> > 
> 
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> > _______________________________________________
> > sleuthkit-users mailing list
> > 
> 
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
> 
> 



      ____________________________________________________________________________________
 Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  \
http://tools.search.yahoo.com/newsearch/category.php?category=shopping


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic