RE: [sleuthkit-users] Help!! New to TSK and Linux
From: Brian S. <Br...@Pe...> - 2005-03-16 00:23:28
Thanks, Alan. Ext3 will support a 17 gig file size? NTFS as well?

-----Original Message-----
From: Alan [mailto:ts...@as...]
Sent: Tuesday, March 15, 2005 4:16 PM
To: sle...@li...
Subject: Re: [sleuthkit-users] Help!! New to TSK and Linux

Hi Brian,

Here are a few answers to your first questions.

Imaging to a Fat32 partition... Either split up the image (I don't know the specific syntax to do this specifically) or format your hdb1 output partition in a filesystem that supports larger files. Ext3 will work, NTFS will also.

>What is the advantage of imaging a drive over just cloning it? In other
>words, why would I want to create an image as opposed to a bit-for-bit
>copy of one drive to another?

When you image using dd, you are creating a bit-for-bit copy. dd reads each raw sector from input and writes to output. I think the distinction is grey. I consider imaging generally as writing the bit-for-bit to a file, while cloning as writing a bit-for-bit image directly to a blank drive.

>Also, why wouldn't I use bs=8k as opposed to bs=512?

Larger block sizes generally make the imaging go faster.

HTH
Alan

At 19:05 3/15/2005, you wrote:
>Hi, I am new to Linux and have a lot of questions. Any help is HUGELY
>appreciated . . . here is what I am trying to do.
>
>IMAGING
>I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it).
>I am using the TSK bootable cd to do the imaging. My target drive is a
>FAT32 formatted hard disk that is partitioned several times - All FAT32. I
>am using the following command:
>
>dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0
>hashlog=hash.txt
>
>This stops after 2 Gigs of copying due to the FAT32 file size limit being
>exceeded. How do I get around this? Is it even possible with any
>filesystem to create a 17 Gig image file? Would I use a formatted ext3
>file system?
>
>What is the advantage of imaging a drive over just cloning it? In other
>words, why would I want to create an image as opposed to a bit-for-bit
>copy of one drive to another? Does it allow the forensic analyses to be
>performed quicker?
>Also, why wouldn't I use bs=8k as opposed to bs=512?
>
>AUTOPSY
>Because of the file size limit, I created a bit for bit clone of the disk,
>from which I am attempting to use TSK forensic tools (which may or may not
>be the correct approach).
>So with that, I began using autopsy. I added a new case. Gave it a host
>name of 192.168.1.1 and timezone of PST. I then added an image location
>of /dev/hda1, symlink as the import method, fstype of fat32, mounting
>point of /mnt/hda1, and ignore md5. Is this a correct setup? With this
>setup I began to use the autopsy tools with the following results:
>
>-The keyword search didn't work - is this because I am using /mnt/hda1
>instead of an image file? Does this version of autopsy work using /mnt/hda1?
>-The sorter also did not work. No output files in the directories
>specified. Is this also because I am not using an image as well?
>
>GREP
>Also, I have a general linux question. Is there a way to speed up
>grep? I am searching the unallocated/slack space and it is taking forever
>. . . here is the command I am using:
>
> tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja > grephits.txt
>
>I would really like to use TSK - just need these issues addressed. I
>really want to use linux. Heaven forbid purchasing a windows forensic
>software package.
>
>Thanks so much in advance.
>
>Brian
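Alan's first suggestion, splitting the image so that every piece fits under the output filesystem's per-file limit, worked through as an added example that is not part of this thread and not dcfldd's or TSK's own code: it uses only dd, md5sum, cat and cut, records a hash per piece the way hashlog does for the whole image, and checks that the pieces rejoin to the original. The 2048-byte chunk size and the 5000-byte sample image are constructed values for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: split a raw dd image into pieces that
# each stay under a per-file size limit (the FAT32 target in the thread
# stopped at 2 GB), record an MD5 per piece and verify that the pieces
# rejoin to the original.  Only dd, md5sum, cat and cut are used.
# The 2048-byte chunk size and the 5000-byte sample image are constructed
# values for the demo; a real FAT32 target would use a chunk of ~2000 MiB.

# split_image SRC PREFIX CHUNK_BYTES
# Writes PREFIX.000, PREFIX.001, ... of at most CHUNK_BYTES each, using
# dd skip/count in 512-byte sectors, and appends each piece's MD5 to
# PREFIX.md5.  Prints the number of pieces written.
split_image() {
    src=$1; prefix=$2; chunk=$3
    [ $((chunk % 512)) -eq 0 ] || { echo "chunk must be a multiple of 512" >&2; return 1; }
    per=$((chunk / 512))                  # sectors per piece
    bytes=$(wc -c < "$src")
    total=$(( (bytes + 511) / 512 ))      # sectors in source, rounded up
    n=0; skip=0
    while [ "$skip" -lt "$total" ]; do
        out=$(printf '%s.%03d' "$prefix" "$n")
        dd if="$src" of="$out" bs=512 skip="$skip" count="$per" 2>/dev/null
        md5sum "$out" >> "$prefix.md5"
        skip=$((skip + per)); n=$((n + 1))
    done
    echo "$n"
}

# verify_image SRC PREFIX: rejoin the pieces in name order and compare the
# MD5 of the result with the MD5 of the source.  Returns 0 on a match.
verify_image() {
    joined=$(cat "$2".[0-9][0-9][0-9] | md5sum | cut -d' ' -f1)
    orig=$(md5sum < "$1" | cut -d' ' -f1)
    [ "$joined" = "$orig" ]
}

# run_demo: build the constructed 5000-byte sample image, split it into
# 2048-byte pieces (three pieces, the last one short) and verify them.
# Prints the piece count (3) and fails if the rejoined hash differs.
run_demo() {
    dir=$(mktemp -d)
    dd if=/dev/urandom of="$dir/sample.img" bs=1000 count=5 2>/dev/null
    count=$(split_image "$dir/sample.img" "$dir/image.dd" 2048) || return 1
    verify_image "$dir/sample.img" "$dir/image.dd" || { rm -rf "$dir"; return 1; }
    rm -rf "$dir"
    echo "$count"
}

run_demo
```

The per-piece hashes in PREFIX.md5 let each piece be re-verified on its own later, which matters once the pieces have been copied onto a FAT32 volume and back.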