[sleuthkit-users] Split images
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Split images
|
From: Nicholas S. <nic...@nt...> - 2005-02-07 12:38:37
|
AFternoon! Just following up on this split image question. Here's what I do with split images When I image an exhibit I produce a series of image chunks, each 630Mb in size. I do this so that I can secure the exhibit to CDROM. Saying that, since hard drives are so big these days I never have a call to do that anymore. Chunks are named: exhibit_number.000 - exhibit_number.999 These, and some meta data about the exhibit, are stored in a separate directory, named exhibit_number. I produce a MD5 hash of the complete image, for validation purposes. I often image 160Gb or 120Gb hard drives and reassemble the chunks into a disk image (cat `ls --color=never -1 exhibit_number.?00` > exhibit.img), so I can pull out a partition. This is a real pain with big drives. If I want to use Encase I add a "Raw Image" to the case and do a reverse, group selection. That is, select the last file in the set, hold the shift key down, and select the first file in the set. I always image to a FAT32 partition because I image under Linux but need to keep Windows compatible. This causes a problem, since the FAT32 partition limit is somewhere around 130Gb. I have to hold the first 120Gb or so on one partition and the rest on another partition. ..Nick |
