Troubleshooting

1) Don't use "*" as the extension to retrieve all files. SFDumper is selective: you can only specify particular extensions (e.g. doc, jpg, etc.).

2) The Helix Live distro version 1.9a does not have The Sleuth Kit on its path, so sfdumper does not work from any directory. SFDumper 1.5 includes a script that solves this problem, lnk4helix.sh; run it before executing sfdumper on Helix 1.9a.

3) SFDumper can retrieve active and deleted files of every type by their extensions, but for carving it uses the Foremost configuration file (embedded in the script), so if you need to carve special extensions you must extend that Foremost configuration with the headers of the file types you need.

4) SFDUMPER uses FLS to recover deleted files.
With NTFS file systems there are two ways to recover files: one is with 'fls' and the other is with 'ifind'. Historically, 'fls' displays only the file names that are stored by the parent directory. That works well for most file systems, but not for NTFS, because NTFS stores file names in a tree structure and re-sorts the tree whenever a file is added or deleted. This causes the deleted entries to be overwritten, so 'ifind' is needed to hunt around other parts of the file system. In any case, SFDUMPER uses Foremost for data carving, so it can retrieve all the files, including deleted ones that FLS cannot find.
As of TSK 3.0 you also no longer need to run 'ifind -p' on NTFS to get all deleted files for a given directory; 'fls' does all of that for you. http://www.sleuthkit.org/betas/
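To illustrate point 3 above, here is an added example (not SFDumper's own code, and not Foremost's real config) of what a Foremost-style rule line means and how header, footer, size and the REVERSE/NEXT flags bound a carved file. The rule values and the disk image bytes are constructed for the demonstration.

```python
import re

# Constructed foremost.conf-style rules (not the config embedded in SFDumper):
# extension  case(y/n)  max_size  header  [footer]  [REVERSE|NEXT]
CONF = r"""
pdf  y  5000000   %PDF-  %EOF  REVERSE
jpg  y  20000000  \xff\xd8\xff\xe0\x00\x10  \xff\xd9
"""

def unescape(token):
    """Convert a foremost token with \\xNN escapes into raw bytes."""
    return re.sub(rb"\\x([0-9a-fA-F]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token.encode("latin-1"))

def parse_conf(text):
    """Parse config lines into (ext, case_sensitive, max_size, header, footer, mode)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        mode = parts[-1] if parts[-1] in ("REVERSE", "NEXT") else None
        footer = unescape(parts[4]) if len(parts) > 4 and parts[4] != mode else None
        rules.append((parts[0], parts[1] == "y", int(parts[2]), unescape(parts[3]), footer, mode))
    return rules

def carve(image, rules):
    """Return [(ext, offset, data)] for each header hit, bounded by footer or max_size."""
    hits = []
    for ext, case, max_size, header, footer, mode in rules:
        hay = image if case else image.lower()
        hdr, ftr = (header, footer) if case else (header.lower(), footer and footer.lower())
        pos = hay.find(hdr)
        while pos != -1:
            limit = min(pos + max_size, len(image))
            end = limit
            if ftr:
                # REVERSE: last footer in the window (PDFs carry several %EOF markers);
                # NEXT: footer is the next file's header and is excluded; default: include it.
                f = hay.rfind(ftr, pos, limit) if mode == "REVERSE" else hay.find(ftr, pos + len(hdr), limit)
                if f != -1:
                    end = f if mode == "NEXT" else f + len(ftr)
            hits.append((ext, pos, image[pos:end]))
            pos = hay.find(hdr, end)
    return hits

# Constructed image: slack bytes, a tiny PDF-like blob, slack, a tiny JPEG-like blob, slack.
PDF = b"%PDF-1.4 body %EOF more %EOF"
JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF data\xff\xd9"
IMAGE = b"\x00" * 16 + PDF + b"\x00" * 8 + JPG + b"\x00" * 8
```

Calling carve(IMAGE, parse_conf(CONF)) returns the PDF-like blob at offset 16 and the JPEG-like blob at offset 52, which is the behaviour a new rule line buys you when you add a file type's header to the configuration.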


For reporting troubles, please contact us:
sfdumper[AT]users.sourceforge.net

