[sleuthkit-users] Help!! New to TSK and Linux

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi, I am new to Linux and have a lot of questions.  Any help is HUGELY
appreciated . . . here is what I am trying to do. 
IMAGING
I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). I
am using the TSK bootable cd to do the imaging. My target drive is a FAT32
formatted hard disk that is partitioned several times - All FAT32. I am
using the following command: 

dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0
hashlog= hash.txt 

This stops after 2 Gigs of copying due to the FAT32 file size limit being
exceeded. How do I get around this? Is it even possible with any filesystem
to create a 17 Gig image file?  Would I use a formatted ext3 file system?  

What is the advantage of imaging a drive over just cloning it? In other
words, why would I want to create an image as opposed to a bit-for-bit copy
of one drive to another?  Does it allow the forensic analyses to be
performed quicker?  
Also, why wouldn't I use bs=8k as opposed bs=512?

AUTOPSY 
Because of the file size limit, I created a bit for bit clone of the disk,
from which I am attempting to use TSK forensic tools (which may or may not
be the correct approach).

So with that, I began using autopsy.  I added a new case.  Gave it a host
name of 192.168.1.1 and timezone of PST.  I then added an image location of
/dev/hda1, symlink as the import method, fstype of fat32, mounting point of
/mnt/hda1, and ignore md5.  Is this a correct setup?  With this setup I
began to use the autopsy tools with the following results:

-The keyword search didn't work - is this because I am using /mnt/hda1
instead of an image file?  Does this version of autopsy work using
/mnt/hda1?
-The sorter also did not work.  No output files in the directories
specified.  Is this also because I am not using an image as well?

GREP
Also, I have a general linux question.  Is there a way to speed up grep?  I
am searching the unallocated/slack space and it is taking forever . . . here
is the command I am using:
            tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja /dev/hda1 >
grephits.txt

I would really like to use TSK - just need these issues addressed.  I really
want to use linux.  Heaven forbid purchasing a windows forensic software
package.  

Thanks so much in advance. 

Brian