[Discussion] Tag/Comment disk volumes

Discuss new features that you would like to see in Autopsy. Consider creating a github issue instead of this forum, as we review those more when adding features and many of the discussions ultimately end up as github issues.

https://github.com/sleuthkit/autopsy/issues

Moderator: carrier

[Discussion] Tag/Comment disk volumes

Postby eric.baechle » Wed Dec 09, 2015 9:32 pm

I am respectfully requesting the feature to be added to tag/comment volumes at the disk image level.

Scenario description: In working on a Windows 7 disk image, the disk contains multiple volumes. These volumes are labeled with the internal vol1, vol2, vol3, descriptors. The volumes are not immediately apparent to their contents. In this scenario, the first volume was the 2048 slack; the second was a Recovery partition put there by the computer vendor; the third was the Boot/System Reserved partition created by Windows 7; the fourth was the actual system drive with Windows installed; and the fifth was slack space at the end of the previous partition.

These partitions will need to be described during testimony in order to walk the Jury into where the subject/defendant stored their files. Although information regarding the partitions could be taken as examiner notes, it would be helpful to be able to note this directly in the Autopsy Tagging and Reporting system.

Thank you!

Sincerely,

Eric
eric.baechle
 
Posts: 4
Joined: Wed Dec 09, 2015 9:24 pm

Return to Autopsy Feature Requests

Who is online

Users browsing this forum: No registered users and 2 guests