RE: [sleuthkit-users] dd of entire HD
Brought to you by:
carrier
Menu
▾
▴
RE: [sleuthkit-users] dd of entire HD
|
From: Eagle I. S. <in...@ea...> - 2003-03-27 15:35:50
|
I'm a little confused here. In the docs it says Autopsy will read a dd image. So what you guys are saying is that if I take a dd image of a drive, and have Autopsy look at that image, it can't see the whole thing? Do I need to split the drive into images matching the relative partitions first?? What if there's only one partition on the drive? Thanks, Niall. -----Original Message----- From: sle...@li... [mailto:sle...@li...]On Behalf Of Paul Bakker Sent: Thursday, March 27, 2003 5:28 AM To: sle...@li... Subject: [sleuthkit-users] dd of entire HD -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, In my knowledge, Autopsy is only able to work with dd images of partitions. (As it is able to mount these via the loop device) In a case I am handling now I received the image of an entire harddisk. * Is Autopsy capable of reading this in? * Is there a tool that can loopback mount the partitions from within the hd image? * Is there a tool that can extract the partitions from the hd image? (What to do about unallocated space then (Not partitioned!)? How does one investigate that using Autopsy?) Paul Bakker -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.1 iQA/AwUBPoLSJfjAwPuBNeIlEQLifwCfT2RFEXsrJjLJV0f8YDIDw20NEm8An25o 5a5GS3aSP0cuRn9GtLIM3lxJ =7byL -----END PGP SIGNATURE----- |
