What am I doing wrong?!

I’m trying to parse out a hive file from a mounted forensic container. I’m using the line icat -o 2048 ./ewf1 “inode number” > SYSTEM.

The answer I get is “bash: SYSTEM: Function not implemented”

I have done this before and it has worked. What am I doing wrong?


What kind of filesystem are you trying to redirect that output to? I’m making an assumption here but am wondering if it’s a FUSE volume and you’ve run into a bug. Can you try “> SYSTEM” to the local hard drive or an exFAT/ext[234] filesystem?

The issue is that you are executing the command in the FUSE mount directory (./ewf1 shows you are in the directory you used ewfmount on). Either call icat on ewf1 from the parent directory, or write your redirected output in the parent directory (or some other writable directory).

Rerun the command like this and you will find the file “SYSTEM” one directory level up (assuming that directory is writable to your user):

icat -o 2048 ./ewf1 “inode number” > ../SYSTEM
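
A pre-flight check for the situation described in the answer above, as an added example that is not part of the original thread: it looks up the filesystem type of the output directory in a /proc/mounts-style table and refuses to redirect icat output onto a FUSE mount. The function names (fstype_of, on_fuse, safe_icat), the policy of rejecting "fuse" and "fuse.*" types, and the sample mount table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keep extracted evidence off the FUSE mount that exposes the image.

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /cases exfat rw,relatime 0 0
/dev/fuse /cases/img fuse rw,nosuid,nodev 0 0'

# fstype_of ABS_PATH [TABLE]: print the fstype of the longest mount point that
# contains ABS_PATH. TABLE defaults to /proc/mounts; "-" reads the table from stdin.
# Limitation: mount points with spaces (escaped as \040 in the table) are not handled.
fstype_of() {
    awk -v p="$1" '
        {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"
            # Match on whole path components; later entries win ties (overmounts).
            if (index(p "/", pre) == 1 && length(mp) >= best) {
                best = length(mp); type = $3
            }
        }
        END { print type }' "${2:-/proc/mounts}"
}

# on_fuse ABS_PATH [TABLE]: succeed if ABS_PATH sits on a "fuse" or "fuse.<subtype>" mount.
# "fuseblk" (block-device backed, e.g. ntfs-3g) is deliberately not rejected here.
on_fuse() {
    case "$(fstype_of "$1" "${2:-/proc/mounts}")" in
        fuse|fuse.*) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_icat OFFSET IMAGE INODE OUTFILE: run icat only when OUTFILE's directory
# is not on a FUSE mount according to the live /proc/mounts.
safe_icat() {
    _outdir=$(cd "$(dirname "$4")" && pwd -P) || return 2
    if on_fuse "$_outdir"; then
        echo "refusing: $_outdir is on a FUSE mount, choose another output directory" >&2
        return 1
    fi
    icat -o "$1" "$2" "$3" > "$4"
}

# Demo against the constructed table only; nothing here touches a real image.
for d in /cases /cases/img; do
    printf '%s -> %s\n' "$d" "$(printf '%s\n' "$SAMPLE_MOUNTS" | fstype_of "$d" -)"
done
```

With this in place, the thread's command would be run as safe_icat 2048 ./ewf1 “inode number” ../SYSTEM, and it stops with a message if the output path is inside the mount.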

Thank you! Now I got it working.