RE: [sleuthkit-users] Split images
Brought to you by:
carrier
Menu
▾
▴
RE: [sleuthkit-users] Split images
|
From: Horner, J. J (JH8) <ho...@y1...> - 2005-02-07 13:34:09
|
I generally have to work with my customers to see what media they prefer = then work around them. Some have no DVD drives, while others want Encase, = while others would just prefer the images and examination records copied to a = large drive. Now that 300GB drives are getting cheaper, my drive space will be okay = for a while. Once the average user buys a 300GB drive, I'm off to the races = again. I do love this profession. So much excitement. JJ=20 -----Original Message----- From: sle...@li... [mailto:sle...@li...] On Behalf Of = Nicholas Sharples Sent: Monday, February 07, 2005 7:38 AM To: sle...@li... Subject: [sleuthkit-users] Split images AFternoon! Just following up on this split image question. Here's what I do with = split images When I image an exhibit I produce a series of image chunks, each 630Mb = in size.=20 I do this so that I can secure the exhibit to CDROM. Saying that, = since hard=20 drives are so big these days I never have a call to do that anymore. = Chunks are=20 named: exhibit_number.000 - exhibit_number.999 These, and some meta data about the exhibit, are stored in a separate directory,=20 named exhibit_number. I produce a MD5 hash of the complete image, for=20 validation purposes. I often image 160Gb or 120Gb hard drives and reassemble the chunks into = a disk=20 image (cat `ls --color=3Dnever -1 exhibit_number.?00` > exhibit.img), so = I can=20 pull out a partition. This is a real pain with big drives. If I want to use Encase I add a "Raw Image" to the case and do a = reverse, group=20 selection. That is, select the last file in the set, hold the shift key = down, and select the first file in the set. I always image to a FAT32 partition because I image under Linux but need = to keep=20 Windows compatible. This causes a problem, since the FAT32 partition = limit is somewhere around 130Gb. I have to hold the first 120Gb or so on one = partition and the rest on another partition. ..Nick ------------------------------------------------------- This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org |
