[sleuthkit-users] Help!! New to TSK and Linux
From: Brian S. <Br...@Pe...> - 2005-03-16 00:06:00
Hi, I am new to Linux and have a lot of questions. Any help is HUGELY
appreciated . . . here is what I am trying to do.
IMAGING
I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). I
am using the TSK bootable cd to do the imaging. My target drive is a FAT32
formatted hard disk that is partitioned several times - All FAT32. I am
using the following command:
dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0 hashlog=hash.txt
This stops after 2 Gigs of copying due to the FAT32 file size limit being
exceeded. How do I get around this? Is it even possible with any filesystem
to create a 17 Gig image file? Would I use a formatted ext3 file system?
What is the advantage of imaging a drive over just cloning it? In other
words, why would I want to create an image as opposed to a bit-for-bit copy
of one drive to another? Does it allow the forensic analyses to be
performed quicker?
Also, why wouldn't I use bs=8k as opposed to bs=512?
AUTOPSY
Because of the file size limit, I created a bit-for-bit clone of the disk,
from which I am attempting to use TSK forensic tools (which may or may not
be the correct approach).
So with that, I began using autopsy. I added a new case. Gave it a host
name of 192.168.1.1 and timezone of PST. I then added an image location of
/dev/hda1, symlink as the import method, fstype of fat32, mounting point of
/mnt/hda1, and ignore md5. Is this a correct setup? With this setup I
began to use the autopsy tools with the following results:
-The keyword search didn't work - is this because I am using /mnt/hda1
instead of an image file? Does this version of autopsy work using
/mnt/hda1?
-The sorter also did not work. No output files in the directories
specified. Is this also because I am not using an image?
GREP
Also, I have a general linux question. Is there a way to speed up grep? I
am searching the unallocated/slack space and it is taking forever . . . here
is the command I am using:
tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja > grephits.txt
I would really like to use TSK - just need these issues addressed. I really
want to use Linux. Heaven forbid purchasing a Windows forensic software
package.
Thanks so much in advance.
Brian
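An added example, not code from Brian's post nor from TSK or dcfldd, covering the two technical problems in the message: imaging a drive onto a target whose filesystem caps files at 2 GiB, and a keyword search over a raw device whose reported offsets still point into that device. The device paths in the post are replaced by function parameters; the sample "disk" is constructed from zero bytes plus one marker string so the script runs offline. The pattern "tonja" is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from TSK/dcfldd.
# Helpers for imaging onto a target with a 2 GiB file-size cap (cut the
# stream into segments, hash the whole) and for a keyword search whose
# byte offsets still index the raw device.  Device paths are placeholders;
# the sample "disk" is constructed from zeros plus one marker string.

# image_split SRC PREFIX SEGMENT_BYTES [BLOCK_BYTES]
# dd reads SRC with noerror,sync, so an unreadable block is zero-padded
# instead of aborting the image; split writes PREFIXaa, PREFIXab, ... each
# at most SEGMENT_BYTES, which keeps every piece under the FAT32 limit.
# BLOCK_BYTES defaults to the sector size: with sync, a read error pads the
# whole block, so a large bs turns one bad sector into a whole block of zeros.
image_split() {
    src=$1; prefix=$2; seg=$3; bs=${4:-512}
    dd if="$src" bs="$bs" conv=noerror,sync 2>/dev/null |
        split -b "$seg" - "$prefix"
}

# source_hash PATH: MD5 of a file or device, hex digest only.
source_hash() {
    md5sum < "$1" | cut -d' ' -f1
}

# image_hash PREFIX: MD5 of the segments concatenated in name order, which
# must match the source hash before the image is trusted.
image_hash() {
    cat "$1"* | md5sum | cut -d' ' -f1
}

# segment_count PREFIX: how many pieces the image was cut into.
segment_count() {
    set -- "$1"*
    echo $#
}

# keyword_offsets SRC PATTERN: one "offset:match" line per hit.  tr swaps
# each control byte for a newline one-for-one, so the stream keeps the
# source's length and the offsets grep -b reports are offsets into SRC
# itself; -o makes grep report the match rather than the start of the line.
keyword_offsets() {
    tr '[:cntrl:]' '\n' < "$1" | grep -aibo "$2"
}

# make_sample_disk PATH: constructed 4096-byte stand-in for a device:
# 1000 NUL bytes, a 16-byte marker, then NULs up to a multiple of 512.
make_sample_disk() {
    {
        dd if=/dev/zero bs=1000 count=1 2>/dev/null
        printf 'hello TONJA here'
        dd if=/dev/zero bs=3080 count=1 2>/dev/null
    } > "$1"
}

# demo: image the sample disk in 1 KiB segments, verify, then search.
demo() {
    work=$(mktemp -d)
    make_sample_disk "$work/disk.raw"
    image_split "$work/disk.raw" "$work/disk.dd." 1024
    echo "segments: $(segment_count "$work/disk.dd.")"
    if [ "$(image_hash "$work/disk.dd.")" = "$(source_hash "$work/disk.raw")" ]; then
        echo "image verified: $(source_hash "$work/disk.raw")"
    else
        echo "HASH MISMATCH" >&2
    fi
    keyword_offsets "$work/disk.raw" tonja
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run `sh image.sh demo` to see it on the constructed disk: four segments, a matching hash, and the hit `1006:TONJA`, the offset of the marker inside the raw source. Against real hardware, SRC is the device and PREFIX a path on the mounted target; each segment stays under the target filesystem's limit while the hash covers the whole drive, so the image can be verified without ever reassembling it on a FAT32 volume. dcfldd also has split= and splitformat= options that do the segmentation in one pass together with hashwindow=0 logging. The reason the post's search ran so slowly is visible in the corrected pipeline: naming the device on grep's command line made grep ignore the tr output and re-read the whole device itself.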