I have a problem with this software. I have a virtual machine and inside the virtual machine I perform activities such as creating a file, deleting a file, creating a photo, and I enter the output of this virtual machine in VMDK format into the Autopsy software, but after taking the output from the software, none of I can't see my files and there are files that have nothing to do with what I did recently. Thank you for helping me.
Did you acquire the VMDK file into an image file like a E01, DD, .aa, .001, or did you use the "Disk Image or VM File" option? Whichever you choose, make sure you are telling Autopsy the correct thing to expect. THEN - you should be able to set your INGEST MODULES in Autopsy to tell the software what you want it to look for. -- You say you have 'files that have nothing to do with what I did' -- what are the files that you are seeing? Can you tell where they came from?
Hello Sir; thank you for your video lecture. I got a question. I got an image of my laptop's hard drive using the FTK Imager. I then formatted (partitioned) my hard drive and installed another windows OS. I later carved the image, added evidence items using the imager. I noticed that I have everything but they are unreadable (encrypted). I guess by bitlocker was on my laptop was on during imaging. I have my bitlocker key for my laptop. Now, is there any solution for this problem?
Hello Sir; thank you for your video lecture. I got a question. I got an image of my laptop's hard drive using the FTK Imager. I then formatted (partitioned) my hard drive and installed another windows OS. I later carved the image, added evidence items using the imager. I noticed that I have everything but they are unreadable (encrypted). I guess by bitlocker was on my laptop was on during imaging. I have my bitlocker key for my laptop. Now, is there any solution for this problem?
Hello Sir; thank you for your video lecture. I got a question. I got an image of my laptop's hard drive using the FTK Imager. I then formatted (partitioned) my hard drive and installed another windows OS. I later carved the image, added evidence items using the imager. I noticed that I have everything but they are unreadable (encrypted). I guess by bitlocker was on my laptop was on during imaging. I have my bitlocker key for my laptop. Now, is there any solution for this problem?
You can TRY to convert the image file back to a disk file - such as a vmdk - then boot that up in virtualbox or vmware - stackoverflow.com/questions/454899/how-to-convert-flat-raw-disk-image-to-vmdk-for-virtualbox-or-vmplayer OR load your image file in Autopsy and then follow this tutorial - echobytes.info/tag/autopsy/
Hello Sir; thank you for your video lecture. I got a question. I got an image of my laptop's hard drive using the FTK Imager. I then formatted (partitioned) my hard drive and installed another windows OS. I later carved the image, added evidence items using the imager. I noticed that I have everything but they are unreadable (encrypted). I guess by bitlocker was on my laptop was on during imaging. I have my bitlocker key for my laptop. Now, is there any solution for this problem?
If you have the key - it is likely possible. There is a place in the full version of FTK to input the keys -- or you can try to write the image to a disk, then try to access the encrypted files and hopefully it will try to ask you for the key.
Thanks for the video! You really helped me with my class!
Glad I could help!
Thanks for the info! Really useful.
You bet!
Hello
I have a problem with this software. I have a virtual machine and inside the virtual machine I perform activities such as creating a file, deleting a file, creating a photo, and I enter the output of this virtual machine in VMDK format into the Autopsy software, but after taking the output from the software, none of I can't see my files and there are files that have nothing to do with what I did recently. Thank you for helping me.
Best Regards
Did you acquire the VMDK file into an image file like a E01, DD, .aa, .001, or did you use the "Disk Image or VM File" option? Whichever you choose, make sure you are telling Autopsy the correct thing to expect. THEN - you should be able to set your INGEST MODULES in Autopsy to tell the software what you want it to look for. -- You say you have 'files that have nothing to do with what I did' -- what are the files that you are seeing? Can you tell where they came from?
Hello Sir; thank you for your video lecture. I got a question. I got an
image of my laptop's hard drive using the FTK Imager. I then formatted
(partitioned) my hard drive and installed another windows OS. I later
carved the image, added evidence items using the imager. I noticed that I
have everything but they are unreadable (encrypted). I guess by
bitlocker was on my laptop was on during imaging. I have my bitlocker
key for my laptop. Now, is there any solution for this problem?
Does this only work for single file virtual disks or is there a way to do it for a multiple files virtual disk?
have some problem!
USUALLY, you point the source to the first file in the sequence and it USUALLY figures out to put them together.
Hello Sir; thank you for your video lecture. I got a question. I got an
image of my laptop's hard drive using the FTK Imager. I then formatted
(partitioned) my hard drive and installed another windows OS. I later
carved the image, added evidence items using the imager. I noticed that I
have everything but they are unreadable (encrypted). I guess by
bitlocker was on my laptop was on during imaging. I have my bitlocker
key for my laptop. Now, is there any solution for this problem?
Hello Sir; thank you for your video lecture. I got a question. I got an
image of my laptop's hard drive using the FTK Imager. I then formatted
(partitioned) my hard drive and installed another windows OS. I later
carved the image, added evidence items using the imager. I noticed that I
have everything but they are unreadable (encrypted). I guess by
bitlocker was on my laptop was on during imaging. I have my bitlocker
key for my laptop. Now, is there any solution for this problem?
You can TRY to convert the image file back to a disk file - such as a vmdk - then boot that up in virtualbox or vmware - stackoverflow.com/questions/454899/how-to-convert-flat-raw-disk-image-to-vmdk-for-virtualbox-or-vmplayer
OR
load your image file in Autopsy and then follow this tutorial - echobytes.info/tag/autopsy/
Hello Sir; thank you for your video lecture. I got a question. I got an
image of my laptop's hard drive using the FTK Imager. I then formatted
(partitioned) my hard drive and installed another windows OS. I later
carved the image, added evidence items using the imager. I noticed that I
have everything but they are unreadable (encrypted). I guess by
bitlocker was on my laptop was on during imaging. I have my bitlocker
key for my laptop. Now, is there any solution for this problem?
If you have the key - it is likely possible. There is a place in the full version of FTK to input the keys -- or you can try to write the image to a disk, then try to access the encrypted files and hopefully it will try to ask you for the key.