[sleuthkit-users] Split Image Question
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Split Image Question
|
From: Brian C. <ca...@sl...> - 2005-01-31 23:27:17
|
As I was adding the new split image features to Autopsy, I realized that I do not fully understand how people use split images. Is their purpose so that you can acquire the image in 650MB or 2GB chunks for burning to disk and then import those images into TSK/Autopsy? My issue is about the Autopsy interface. Splitting a 60 GB disk into 650 MB chunks requires almost 100 chunks and I do not want to have 200 field boxes where you fill in each file (and I'm assuming that you do not want to fill in 200 file names for a 120 GB disk). On the other hand, I do not want to require a naming convention where the extension is numbered based on its order in the full image (TSK v2 requires you to enter the file names of the split images in their respective order) because different tools may have different conventions. So, my question for those who have asked for split image support is what should the interface be? What is a typical number of chunks that may occur? Are there occasions when you need to use split images and cannot merge them into one for the analysis (using FAT32 seems to be such a case)? What extensions do you typically have for the split images? Do you typically have the MD5 for the full image or for each individual partition? Anyone who has asked for split image support ... please speak up :) thanks, brian |
