Re: [sleuthkit-users] TSK and VMDK
From: Tony R. <dar...@gm...> - 2010-06-25 01:23:50
Unfortunately, I cannot, Simson.

I think the problem may be with CAINE's TSK. I used

fls -o 63 -i afflib disco.vmdk

and nothing ... It says Unsupported image type: afflib.

Does anybody know a forensics live CD where this -i afflib could work?

Thanks, guys.

Tony

On Thu, Jun 24, 2010 at 8:53 AM, Simson Garfinkel <si...@ac...> wrote:

> Hi, Tony.
>
> I haven't looked into this myself. I'm not sure how the AFFLIB passthrough
> works on TSK. Are you able to trace through the C code?
>
> On Jun 23, 2010, at 11:16 PM, Tony Rodrigues wrote:
>
> Hi, all.
>
> Finally, I got some time to test TSK and VMDK files. For this test:
>
> 1) I created a small (200Mb) virtual disk and formatted it with fat32. I
> copied 2 small files to its root dir. After that, I shut down the VM and got
> the vmdk file. Its actual size was around 1Mb.
> 2) Just to check the vmdk file, I mounted it using VMWare DiskMount. So
> far, so good.
> 3) I started CAINE 1.5 and copied the vmdk file to its disk. Then, I tried
> some TSK commands with no success:
>
> mmls -i aff disco.vmdk
> mmls -i afflib disco.vmdk
> mmls -i afd disco.vmdk
>
> Just to complete, mmls -i list says: raw, aff, afd, afm, ewf and split
>
> Any ideas on what is going wrong?
>
> Thanks in advance,
>
> Tony
>
> On Thu, Mar 18, 2010 at 8:09 PM, Tony Rodrigues <dar...@gm...> wrote:
>
>> Thanks to everybody!
>>
>> I'll do some tests with TSK in CAINE. It's linked with AFFLIB there.
>>
>> []s
>>
>> Tony
>>
>> On Thu, Mar 18, 2010 at 1:50 PM, Brian Carrier <ca...@sl...> wrote:
>>
>>> To expand on this a little, TSK officially supports a subset of the image
>>> formats that AFFLIB supports. To use the other image formats, specify the
>>> image type as "afflib". For example:
>>>
>>> # fls -o 63 -i afflib foo.vmdk
>>>
>>> brian
>>>
>>> On Mar 18, 2010, at 12:40 PM, Simson Garfinkel wrote:
>>>
>>> > AFFLIB has support for VMDK and you can link TSK with AFFLIB. I have
>>> > modified my copy of TSK to use AFFLIB for VMDK files. However, the support
>>> > is not reliable enough to enable by default.
>>> >
>>> > On Mar 18, 2010, at 9:24 AM, RB wrote:
>>> >
>>> >> On Thu, Mar 18, 2010 at 09:58, Tony Rodrigues <dar...@gm...> wrote:
>>> >>> Is it possible to access VMDK files with TSK? How can I do that?
>>> >>
>>> >> This falls back to the ntfsclone discussion, and the answer is: no,
>>> >> not directly. You can:
>>> >>
>>> >> - use qemu-img or another similar tool to convert the VMDK to a raw image
>>> >> - use VMware Workstation's loopback tools to deal with it directly
>>> >> - use TSK linked against afflib that has been compiled with
>>> >>   --enable-qemu image support
>>> >>
>>> >> ------------------------------------------------------------------------------
>>> >> Download Intel® Parallel Studio Eval
>>> >> Try the new software tools for yourself. Speed compiling, find bugs
>>> >> proactively, and fine-tune applications for parallel performance.
>>> >> See why Intel Parallel Studio got high marks during beta.
>>> >> http://p.sf.net/sfu/intel-sw-dev
>>> >> _______________________________________________
>>> >> sleuthkit-users mailing list
>>> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> >> http://www.sleuthkit.org
>>
>> --
>> Tony Rodrigues, CISSP, CFCP
>> Computer Forensics http://forcomp.blogspot.com
>>
>> Computer Forensics Training: New classes in Brasília (April/2010)
>> http://www.tisafe.com/solucoes/academia-ti-safe/
>
> --
> Tony Rodrigues, CISSP, CFCP
> Computer Forensics and Digital Investigation
> http://forcomp.blogspot.com

--
Tony Rodrigues, CISSP, CFCP
Computer Forensics and Digital Investigation
http://forcomp.blogspot.com
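
The thread leaves two routes to a VMDK: `-i afflib` when the TSK build lists that type, and RB's qemu-img conversion to raw when it does not (the CAINE 1.5 build above listed only six types). The following is an added example, not code from the thread or from the TSK project; the function names are hypothetical, the sample listing is constructed from Tony's message, and the functions print the commands rather than run them.

```shell
#!/bin/sh
# Added example (not from the thread): choose how to open a VMDK with TSK,
# based on the image types the installed build reports.

# Succeeds if image type $1 is named in `mmls -i list` output read on stdin.
# Only the first word of each line is compared, so a type name that merely
# appears inside another type's description does not count.
tsk_lists_type() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Prints the commands for image $1 at sector offset $2, given the type
# listing in $3. Paths are assumed to contain no spaces.
plan_vmdk_access() {
    img=$1; offset=$2; listing=$3
    if printf '%s\n' "$listing" | tsk_lists_type afflib; then
        # Brian Carrier's route: hand the file to AFFLIB through TSK.
        printf 'fls -o %s -i afflib %s\n' "$offset" "$img"
    else
        # RB's route: convert to raw, re-check the partition table, then list.
        raw=${img%.vmdk}.raw
        printf 'qemu-img convert -f vmdk -O raw %s %s\n' "$img" "$raw"
        printf 'mmls -i raw %s\n' "$raw"
        printf 'fls -o %s -i raw %s\n' "$offset" "$raw"
    fi
}

# Constructed sample: the six types the CAINE 1.5 build reported in the thread,
# one per line.
CAINE_LISTING='raw
aff
afd
afm
ewf
split'

# On a real system, pass the live listing instead. It is assumed here that the
# list may be written to stderr, hence 2>&1:
#   plan_vmdk_access disco.vmdk 63 "$(mmls -i list 2>&1)"
plan_vmdk_access disco.vmdk 63 "$CAINE_LISTING"
```

The offset 63 is the one used in the thread's `fls` commands; the `mmls -i raw` step in the fallback is there to confirm it against the converted image before running `fls`.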