Re: [sleuthkit-users] Help!! New to TSK and Linux
From: Alan <ts...@as...> - 2005-03-16 01:48:54
Brian,

I am not sure whether you can import a /dev file into Autopsy. But I do know all dead forensics analysis methodologies I've read import the image, not raw devices like /dev/hda1.

I do not know the answer to your question re grep.

Alan

At 19:05 3/15/2005, you wrote:
>Hi, I am new to Linux and have a lot of questions. Any help is HUGELY
>appreciated . . . here is what I am trying to do.
>
>IMAGING
>I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it).
>I am using the TSK bootable cd to do the imaging. My target drive is a
>FAT32 formatted hard disk that is partitioned several times - All FAT32. I
>am using the following command:
>
>dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0
>hashlog=hash.txt
>
>This stops after 2 Gigs of copying due to the FAT32 file size limit being
>exceeded. How do I get around this? Is it even possible with any
>filesystem to create a 17 Gig image file? Would I use a formatted ext3
>file system?
>
>What is the advantage of imaging a drive over just cloning it? In other
>words, why would I want to create an image as opposed to a bit-for-bit
>copy of one drive to another? Does it allow the forensic analyses to be
>performed quicker?
>Also, why wouldn't I use bs=8k as opposed to bs=512?
>
>AUTOPSY
>Because of the file size limit, I created a bit-for-bit clone of the disk,
>from which I am attempting to use TSK forensic tools (which may or may not
>be the correct approach).
>So with that, I began using autopsy. I added a new case. Gave it a host
>name of 192.168.1.1 and timezone of PST. I then added an image location
>of /dev/hda1, symlink as the import method, fstype of fat32, mounting
>point of /mnt/hda1, and ignore md5. Is this a correct setup? With this
>setup I began to use the autopsy tools with the following results:
>
>-The keyword search didn't work - is this because I am using /mnt/hda1
>instead of an image file? Does this version of autopsy work using /mnt/hda1?
>-The sorter also did not work. No output files in the directories
>specified. Is this also because I am not using an image as well?
>
>GREP
>Also, I have a general linux question. Is there a way to speed up
>grep? I am searching the unallocated/slack space and it is taking forever
>. . . here is the command I am using:
> tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja /dev/hda1 >
> grephits.txt
>
>I would really like to use TSK - just need these issues addressed. I
>really want to use linux. Heaven forbid purchasing a windows forensic
>software package.
>
>Thanks so much in advance.
>
>Brian
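The following is an added example; it is not part of either message above and not TSK or dcfldd code. It shows, with plain dd, split, md5sum and grep so that it runs offline, how to keep every output file under a FAT32 per-file limit by splitting the image stream into chunks, how to check that the chunks reassemble to the same hash as the source read (the hash dcfldd's hashwindow=0 would log), and how to keyword-search the image for byte offsets. On a real drive dcfldd does the splitting itself with split=2000M splitformat=aa; the 1 MiB chunk size, the file names and the constructed 2.5 MiB zero-filled "disk" with a planted keyword are assumptions for the demo. Note also that the grep pipeline in the post hands grep the file argument /dev/hda1, so grep reads the device itself and ignores the tr output on stdin; the search function below reads the stream from stdin instead, with -o so that -b reports the offset of the match rather than of the surrounding "line".

```shell
# Added example (not from the thread). Image a source into chunks that each fit
# under a FAT32 per-file limit, hash the stream, verify the chunks reassemble
# to the same hash, and keyword-search the image. Uses dd/split/md5sum/grep.

# make_image SRC PREFIX CHUNK_BYTES
# Writes PREFIX.aa, PREFIX.ab, ... (each at most CHUNK_BYTES) and a per-chunk
# MD5 list in PREFIX.md5.  conv=noerror,sync keeps reading past bad sectors
# and zero-pads the failed block, as in the dcfldd command in the post.
make_image() {
    src="$1"; prefix="$2"; chunk="$3"
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null \
        | split -b "$chunk" -a 2 - "$prefix."
    md5sum "$prefix".?? > "$prefix.md5"
}

# stream_hash SRC: MD5 of the source exactly as dd reads it (what a one-pass
# imager such as dcfldd with hashwindow=0 would write to its hashlog).
stream_hash() {
    dd if="$1" bs=512 conv=noerror,sync 2>/dev/null | md5sum | cut -d' ' -f1
}

# verify_image PREFIX EXPECTED: concatenate the chunks in suffix order and
# compare with the source hash; returns 0 on a match, 1 otherwise.
verify_image() {
    actual=$(cat "$1".?? | md5sum | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# find_keyword PREFIX WORD: print the 0-based byte offset of every
# case-insensitive match within the reassembled image.  -a treats the binary
# stream as text, -o with -b gives the offset of the match itself, and
# LC_ALL=C avoids multibyte processing, which is what makes grep slow here.
find_keyword() {
    cat "$1".?? | LC_ALL=C grep -abio -- "$2" | cut -d: -f1
}

# Demo on a constructed 2.5 MiB zero-filled "disk" (assumption, stands in for
# /dev/hda1) with the keyword planted at a known offset inside the 2nd chunk.
work=$(mktemp -d)
dd if=/dev/zero of="$work/disk.raw" bs=512 count=5120 2>/dev/null
printf 'Tonja' | dd of="$work/disk.raw" bs=1 seek=1500000 conv=notrunc 2>/dev/null
known=$(stream_hash "$work/disk.raw")
make_image "$work/disk.raw" "$work/image.dd" 1048576
verify_image "$work/image.dd" "$known" && echo "image verified: $known"
find_keyword "$work/image.dd" tonja   # prints 1500000
```

Because verify_image hashes the chunks as one stream, a mismatch tells you the copy is not faithful, and PREFIX.md5 then localises which chunk differs; the same `cat PREFIX.??` feeds the chunks to any tool that expects a single image stream. With -a 2 the suffixes run aa..zz (676 chunks), which is plenty for a 17 GB drive in 2000 MB pieces.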