Re: [sleuthkit-users] Using splitted images in autopsy
From: David C. <dav...@gm...> - 2004-12-16 02:24:52
I've just rejoined this list, so I missed the original post. Assuming the filesystems etc. are ok, you have a few options.

I noticed while helping someone use another Linux-based forensics tool that it uses the Linux kernel 'raid' infrastructure to achieve this. Basic summary is:

1. Create a loop device for each segment containing parts of the desired partition, possibly providing an offset if required into the first section to make it start at the start of the filesystem.
2. Put them all together with a 'linear' raid array using the Linux kernel's 'md' raid subsystem.

Then I presume you could point sk at the raid device (eg. /dev/md0) which would represent the desired partition.

BIG DISCLAIMER: I haven't done this personally; it may be more complicated than I just described. In particular I would think that a signature of some kind might be written to the segments when you create the array (this is probably an option), so be very careful you know what you are doing if you choose this approach. Furthermore, I personally think it's a bit of a dangerous choice for a forensics tool to be doing all this stuff as root using the OS kernel.

Which leads me to another approach. pyFLAG (pyflag.sf.net) uses an IO Subsystem abstraction to deal with split images (as well as RAID, Encase, and other file formats). An exciting new tool in flag is called 'iowrapper'; it works by using LD_PRELOAD to load its own file operations (read, seek, etc.) before libc, thus overriding them and applying the IO Subsystem abstraction. It therefore allows you to use any unmodified binary program on your 'reconstructed' virtual image transparently.
More details can be found in the pyflag source, but here's an example of how you might use it with 'fls':

    export LD_PRELOAD=./libs/libio_hooker.so
    ./bin/iowrapper -i advanced -o offset=32256,file=part1.dd,file=part2.dd,file=part3.dd ./bin/fls -r foo.dd

This is pretty new code and I cannot guarantee it will work for you. If you wish to try, you will need the latest pyflag sources from the 'darcs' repository; details for grabbing it are at pyflag.sf.net. This tool is not in any actual release versions of pyflag, but will be in the next release.

Hope this helps,
Dave

On Wed, 15 Dec 2004 18:57:41 -0500, Brian Carrier <ca...@sl...> wrote:
>
> On Dec 15, 2004, at 10:24 AM, Benjamin J. Weiss wrote:
> > I'm working on a disk image now with damaged partition/file allocation
> > tables. Any idea when the disk-image Autopsy will be ready? :)
>
> If the partition table and file system are damaged, then v2 of TSK will
> not help. It only processes the data that exists.
>
> brian
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
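Both approaches in the post (loop devices joined into a linear md array, and iowrapper's "advanced" subsystem with offset= and file= options) come down to the same abstraction: present an ordered set of segment files as one contiguous, seekable read-only volume that begins at a byte offset into their concatenation. The following is an added, stand-alone example of that abstraction in Python; it is not pyFLAG's iowrapper code and not the md approach, it never opens the segments for writing (so nothing like an md superblock can land on the evidence), and it needs no root. The class and function names, the segment sizes and the byte pattern are this example's own constructed test data; the 32256-byte offset is the one used in the fls command above (63 sectors of 512 bytes, the usual start of a first partition).

```python
"""Read split image segments as one virtual volume starting at a byte offset.

Added example (not pyFLAG/iowrapper code). Segment files are opened read-only
and are never modified; the reader only maps virtual offsets onto them.
"""
import io
import os
import tempfile


class SplitImage(io.RawIOBase):
    """Seekable read-only view over ordered segment files, minus a leading offset.

    'paths' are concatenated in the order given; 'offset' is the byte position
    in that concatenation where the virtual image (e.g. a partition) begins.
    """

    def __init__(self, paths, offset=0):
        super().__init__()
        self._files = []                      # set first so close() is safe on error
        self._paths = list(paths)
        self._sizes = [os.path.getsize(p) for p in self._paths]
        self._starts, pos = [], 0             # absolute start of each segment
        for size in self._sizes:
            self._starts.append(pos)
            pos += size
        self._total = pos
        if offset > self._total:
            raise ValueError("offset lies past the end of the segments")
        self._offset = offset
        self._pos = 0                         # position within the virtual image
        self._files = [open(p, "rb") for p in self._paths]

    def readable(self):
        return True

    def seekable(self):
        return True

    def size(self):
        """Length of the virtual image in bytes."""
        return self._total - self._offset

    def seek(self, pos, whence=io.SEEK_SET):
        if whence == io.SEEK_SET:
            new = pos
        elif whence == io.SEEK_CUR:
            new = self._pos + pos
        elif whence == io.SEEK_END:
            new = self.size() + pos
        else:
            raise ValueError("bad whence")
        if new < 0:
            raise ValueError("negative seek position")
        self._pos = new
        return new

    def tell(self):
        return self._pos

    def _locate(self, absolute):
        """Map an absolute offset in the concatenation to (segment index, inner offset)."""
        for i, start in enumerate(self._starts):
            if start <= absolute < start + self._sizes[i]:
                return i, absolute - start
        raise ValueError("offset outside all segments")

    def read(self, n=-1):
        """Read up to n bytes, continuing across segment boundaries as needed."""
        if n < 0:
            n = max(self.size() - self._pos, 0)
        out = bytearray()
        absolute = self._offset + self._pos
        while n > 0 and absolute < self._total:
            idx, inner = self._locate(absolute)
            f = self._files[idx]
            f.seek(inner)
            chunk = f.read(min(n, self._sizes[idx] - inner))
            if not chunk:
                break
            out += chunk
            absolute += len(chunk)
            n -= len(chunk)
        self._pos = absolute - self._offset
        return bytes(out)

    def close(self):
        for f in self._files:
            f.close()
        super().close()


def write_demo_segments(directory, sizes=(40000, 35000, 30000), offset=32256):
    """Constructed test data, not a real acquisition: a byte pattern split into
    part1.dd..partN.dd, with a 0x55AA boot-sector signature placed at 'offset'."""
    full = bytearray(i % 251 for i in range(sum(sizes)))
    full[offset + 510:offset + 512] = b"\x55\xaa"
    paths, pos = [], 0
    for n, size in enumerate(sizes, 1):
        p = os.path.join(directory, "part%d.dd" % n)
        with open(p, "wb") as f:
            f.write(full[pos:pos + size])
        paths.append(p)
        pos += size
    return paths, bytes(full)


def has_boot_signature(img):
    """True if sector 0 of the virtual image carries the 0x55AA signature."""
    img.seek(0)
    sector = img.read(512)
    return len(sector) == 512 and sector[510:512] == b"\x55\xaa"


def demo():
    """Returns (signature found, boundary-spanning read correct, size correct)."""
    with tempfile.TemporaryDirectory() as d:
        paths, full = write_demo_segments(d)
        with SplitImage(paths, offset=32256) as img:
            sig_ok = has_boot_signature(img)
            # 40000 - 32256 = 7744: a read at 7700 crosses from part1 into part2
            img.seek(7700)
            span = img.read(100)
            span_ok = span == full[32256 + 7700:32256 + 7800]
            return sig_ok, span_ok, img.size() == len(full) - 32256
```

A tool that parses a filesystem from a Python file object can be handed the SplitImage directly; the segment boundary is invisible to it, which is the same property iowrapper achieves for unmodified binaries by interposing read/seek under LD_PRELOAD.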