Re: [sleuthkit-users] TSK and VMDK
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] TSK and VMDK
|
From: Simson G. <si...@ac...> - 2010-04-22 13:24:23
|
Hm. AFFLIB is probably not finding all of the splits. I'm not familiar with the VMDK code; it's from QEMU. However, all of the source is there, so if you want to try to figure it out, that would be great! On Apr 22, 2010, at 5:42 AM, James Haughom wrote: > This does not seem to work on split vmdk files such as these. > > Windows Server 2008.vmdk > Windows Server 2008-s001.vmdk > Windows Server 2008-s002.vmdk > Windows Server 2008-s003.vmdk > Windows Server 2008-s004.vmdk > Windows Server 2008-s005.vmdk > Windows Server 2008-s006.vmdk > > Is there another option? > > Thanks > > Brian Carrier wrote: >> To expand on this a little, TSK officially supports a subset of the image formats that AFFLIB supports. To use the other image formats, specify the image type as "afflib". For example: >> >> # fls -o 63 -i afflib foo.vmdk >> >> brian >> >> >> >> On Mar 18, 2010, at 12:40 PM, Simson Garfinkel wrote: >> >>> AFFLIB has support for VMDK and you can link TSK with AFFLIB. I have modified my copy of TSK to use AFFLIB for VMDK files. However, the support is not reliable enough to enable by default. >>> >>> On Mar 18, 2010, at 9:24 AM, RB wrote: >>> >>>> On Thu, Mar 18, 2010 at 09:58, Tony Rodrigues <dar...@gm...> wrote: >>>>> Is it possible to access VMDK files with TSK ? How can I do that ? >>>> This falls back to the ntfsclone discussion, and the answer is: no, >>>> not directly. You can: >>>> >>>> - use qemu-img or another similar tool to convert the VMDK to a raw image >>>> - use VMware Workstation's loopback tools to deal with it directly >>>> - use TSK linked against afflib that has been compiled with >>>> --enable-qemu image support >>>> >>>> ------------------------------------------------------------------------------ >>>> Download Intel® Parallel Studio Eval >>>> Try the new software tools for yourself. Speed compiling, find bugs >>>> proactively, and fine-tune applications for parallel performance. >>>> See why Intel Parallel Studio got high marks during beta. >>>> http://p.sf.net/sfu/intel-sw-dev >>>> _______________________________________________ >>>> sleuthkit-users mailing list >>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >>>> http://www.sleuthkit.org >>> >>> ------------------------------------------------------------------------------ >>> Download Intel® Parallel Studio Eval >>> Try the new software tools for yourself. Speed compiling, find bugs >>> proactively, and fine-tune applications for parallel performance. >>> See why Intel Parallel Studio got high marks during beta. >>> http://p.sf.net/sfu/intel-sw-dev >>> _______________________________________________ >>> sleuthkit-users mailing list >>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >>> http://www.sleuthkit.org >> >> >> ------------------------------------------------------------------------------ >> Download Intel® Parallel Studio Eval >> Try the new software tools for yourself. Speed compiling, find bugs >> proactively, and fine-tune applications for parallel performance. >> See why Intel Parallel Studio got high marks during beta. >> http://p.sf.net/sfu/intel-sw-dev >> _______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org >> >> > |