- when analyzing an image do you have to convert vmdk files to raw ? saw hwo to do it but since it take it not sure what the optimal way is. i added a raw image and it only sees the boot volume not the rest
- also i added encase hashset and nist rl set, i selected known for all three (encase is split in two) when and how will start to index the hash tables ? it states “ingest is ongoing” will it only index the hashtables once all the models finish running on the image i added as a data source ?
- google just sends to help docs but they dont cover the questions i have
- There should be no need to convert vmdk files to raw.
- I’m not sure what you mean by “index the hashtables”. When running ingest Autopsy will calculate the hash value for each file and perform hash lookup for each file as it is processed (assuming you have the "Hash Lookup module enabled). It does not wait until all modules finish.
Hope that answers your questions.
[quote=“clinthulk2, post:1, topic:651”]
- en analyzing an image do you have to convert vmdk files to raw ? saw hwo to do it but since it take it not sure what the optimal way is. i added a raw image and it only sees the boot volume not the rest
- also i added encase hashset and nist rl set, i selected known for all three (encase is split in two) when and how will start to index the hash tables ? it states “ingest is ongoing” will it only index the hashtables once all the models finish running on the image i added as a data source ?
- google just sends to help docs but they dont cover the questions i have
[/quote] VidMate
- ere should be no need to convert vmdk files to raw.
- I’m not sure what you mean by “index the hashtables”. When running ingest Autopsy will calculate the hash value for each file and perform hash lookup for each file as it is processed (assuming you have the "Hash Lookup module enabled). It does not wait until all modules finish.word counter
Hope that answers your questions.
- when analyzing an image do you have to convert vmdk files to raw ? saw hwo to do it but since it take it not sure what the optimal way is. i added a raw image and it only sees the boot volume not the rest
- also i added encase hashset and nist rl set, i selected known for all three (encase is split in two) when and how will start to index the hash tables ? it states “ingest is ongoing” will it only index the hashtables once all the models finish running on the image i added as a data source ?
- google just sends to help docs but they dont cover the questions i have