Re: [sleuthkit-users] avoiding creating a dd image
From: Paul S. <pa...@vn...> - 2004-06-17 13:15:15
The command you want is not "symlink" but "ln"; check the man page and use the -s switch. Devices under Linux for IDE are /dev/hda, hdb, hdc, hdd etc. for the 1st, 2nd, 3rd, 4th IDE disks. For SCSI it's /dev/sda, sdb, sdc etc. Following that would be the partition number. For example, using fdisk -l, the partition table for the laptop I'm working on now reads:

pauls:~ # fdisk -l /dev/hda

Disk /dev/hda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1               1           4       32098+  de  Dell Utility
/dev/hda2   *           5          17      104422+  83  Linux
/dev/hda3              18        1949    15518790    7  HPFS/NTFS
/dev/hda4            1950        4864    23414737+   f  Win95 Ext'd (LBA)
/dev/hda5            1950        2050      811251   82  Linux swap
/dev/hda6            2051        2181     1052226    c  Win95 FAT32 (LBA)
/dev/hda7            2182        2834     5245191   83  Linux
/dev/hda8            2835        4864    16305943+  83  Linux

It's a dual-boot Dell Inspiron, hence all the different partition types. I could link /dev/hda6 to a file and access it as if it were a dd image like so:

pauls:~ # ln -s /dev/hda6 ./hda6.dd
pauls:~ # ls -l hda6.dd
lrwxrwxrwx    1 root     root            9 Jun 17 08:21 hda6.dd -> /dev/hda6

One must be careful though, because the device has not been marked read-only and there is a chance that you could contaminate your evidence. If you simply need to examine the file system and search for files, you could mount it read-only and do so safely like so:

pauls:~ # mkdir hda6
pauls:~ # mount /dev/hda6 -t vfat -o ro hda6

To verify that it has been mounted read-only, issue the mount command, and in the resulting listing you will find a line like the following:

pauls:~ # mount
/dev/hda6 on /root/hda6 type vfat (ro)

The (ro) means read-only.

Hope this helps. Keep in mind the legalities of what you are trying to do.

Paul

On Thu, 2004-06-17 at 05:37, amouri eddy wrote:
> Thanks for the answer ...
> But the symlink command does not exist in Linux.
> And how to link for example partition 2 (or 1, or 3) to a file?
> About the legal reasons, they don't matter in my case...
>
> --- Angus Marshall <an...@n-...> wrote:
> > On Thursday 17 June 2004 09:56, amouri eddy wrote:
> > > Hello,
> > >
> > > For analysing a system (booting with a live Linux CD), it is possible to
> > > mount the disks. But the Sleuth Kit requires images, so images of the disks
> > > must be created. Is it possible to find a way to directly analyse the disk
> > > (creating images may take a long, long time and one needs another hd)?
> > >
> > > Thanks
> >
> > You can symlink the disk device entry (e.g. /dev/sda1) instead of imaging but
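Added example (not from the list thread): a small POSIX shell check that automates Paul's verification step by parsing `mount`-style lines and reporting whether a given device is mounted with the `ro` option. The mount listing it runs over is constructed for the example, and it treats `ro` only as a whole option, so `errors=remount-ro` is not mistaken for read-only.

```shell
#!/bin/sh
# Added example: verify that a device is mounted read-only before examining it
# in place. Input lines follow the format printed by `mount`:
#   /dev/hda6 on /root/hda6 type vfat (ro)

# Constructed sample listing (not captured from a real system).
SAMPLE_MOUNTS='/dev/hda2 on /boot type ext3 (rw)
/dev/hda6 on /root/hda6 type vfat (ro)
/dev/hda7 on / type ext3 (rw,errors=remount-ro)'

# mount_opts DEVICE LISTING
# Prints the comma-separated option list for DEVICE (parentheses stripped),
# or prints nothing if DEVICE does not appear in LISTING.
mount_opts() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        $1 == dev && $2 == "on" {
            opts = $NF
            sub(/^\(/, "", opts)
            sub(/\)$/, "", opts)
            print opts
        }'
}

# is_mounted_ro DEVICE LISTING
# Succeeds (exit 0) only if DEVICE is mounted and "ro" is one of its options
# as a whole entry; "errors=remount-ro" alone does not count.
is_mounted_ro() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Example run over the sample listing; /dev/hda9 is deliberately absent.
for dev in /dev/hda2 /dev/hda6 /dev/hda7 /dev/hda9; do
    if is_mounted_ro "$dev" "$SAMPLE_MOUNTS"; then
        echo "$dev: mounted read-only, safe to examine"
    else
        echo "$dev: NOT mounted read-only, do not examine in place"
    fi
done
```

On a live system, replace the sample with `mount_opts /dev/hda6 "$(mount)"`; a read-only mount protects the mounted file system, but it does not make the block device itself read-only for tools reading it through the symlink, which is the contamination risk Paul points out.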