Re: [sleuthkit-users] Split Image Question
From: LERTI - D. B. <Dav...@le...> - 2005-02-01 08:57:26
Hi Brian,

I'm mainly using AIR with dcfldd for creating the images. The split images are suffixed with numbers.

I'm using the split images for two purposes:

1. I'm acquiring under Linux, and since the support for writing reliably to NTFS is lacking, I have to write the image to FAT32, EXT2 or EXT3. The problem is that I sometimes need to use several forensic software packages for the same case and most of them are running only under Windows. The drivers for EXT2 are correct but little more and EXT3 is not correctly supported. Therefore, the common file system among all forensic software packages is FAT32, with its limitation of 2Go per file.

2. I'm burning the split images to DVD for "safe" storage.

The method of acquiring via dcfldd calculates an MD5 for each chunk of data and another for the whole image.

Concerning the interface with Autopsy, I liked the text file method suggested by Surago. It can be an alternative to native globbing, which is fine, too.

Take care,
David.

Brian Carrier wrote:
| As I was adding the new split image features to Autopsy, I realized that
| I do not fully understand how people use split images. Is their
| purpose so that you can acquire the image in 650MB or 2GB chunks for
| burning to disk and then import those images into TSK/Autopsy?
|
| My issue is about the Autopsy interface. Splitting a 60 GB disk into
| 650 MB chunks requires almost 100 chunks and I do not want to have 200
| field boxes where you fill in each file (and I'm assuming that you do
| not want to fill in 200 file names for a 120 GB disk). On the other
| hand, I do not want to require a naming convention where the extension
| is numbered based on its order in the full image (TSK v2 requires you to
| enter the file names of the split images in their respective order)
| because different tools may have different conventions.
|
| So, my question for those who have asked for split image support is what
| should the interface be? What is a typical number of chunks that may
| occur? Are there occasions when you need to use split images and
| cannot merge them into one for the analysis (using FAT32 seems to be
| such a case)? What extensions do you typically have for the split
| images? Do you typically have the MD5 for the full image or for each
| individual partition? Anyone who has asked for split image support ...
| please speak up :)
|
| thanks,
| brian

--
LERTI - Laboratoire d'Expertise et de Recherche de Traces Informatiques
http://www.lerti.fr | mobile : +41 79 746 7305
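
Added example, not part of the original message and not TSK/Autopsy code: one way to check split segments against the per-chunk and whole-image MD5 values mentioned above, driven by an ordered list file and without merging the chunks. The list-file format (one segment name per line, in image order), the function names and the `image.dd.NNN` sample names are assumptions.

```python
import hashlib
import os

def hash_split_image(list_path, bufsize=1 << 20):
    """Hash each segment and the concatenated image in one pass, without merging.

    list_path is a text file naming one segment per line, in image order
    (an assumed format); names are resolved relative to the list file.
    """
    base = os.path.dirname(os.path.abspath(list_path))
    with open(list_path, encoding="utf-8") as listing:
        names = [line.strip() for line in listing if line.strip()]
    whole, segments = hashlib.md5(), []
    for name in names:
        seg = hashlib.md5()
        with open(os.path.join(base, name), "rb") as fh:
            for block in iter(lambda: fh.read(bufsize), b""):
                seg.update(block)    # digest of this chunk only
                whole.update(block)  # running digest of the full image
        segments.append((name, seg.hexdigest()))
    return segments, whole.hexdigest()

def verify(list_path, recorded_segments, recorded_whole):
    """Return a list of problems; an empty list means every hash matched."""
    segments, whole = hash_split_image(list_path)
    problems = [f"{name}: MD5 differs from acquisition record"
                for name, digest in segments
                if recorded_segments.get(name, "").lower() != digest]
    if whole != recorded_whole.lower():
        problems.append("whole image: MD5 differs (segment missing or out of order?)")
    return problems

def write_sample(directory, data, chunk):
    """Constructed sample: split `data` into numbered segments plus a list file."""
    names = []
    for i in range(0, len(data), chunk):
        name = f"image.dd.{i // chunk:03d}"  # constructed naming, numeric suffix
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data[i:i + chunk])
        names.append(name)
    list_path = os.path.join(directory, "segments.txt")
    with open(list_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return list_path, names
```

A list with the segments in the wrong order still passes every per-segment check and fails only the whole-image MD5, which is why both records are worth keeping.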