RE: [sleuthkit-users] Help!! New to TSK and Linux
From: Baskin, B. <ba...@dc...> - 2005-03-16 12:59:43
If you would like to continue using a FAT32 as an image repository, the files need to be split. To do this, leave off the "of=..." section of dcfldd, and pipe the output to the split command. Others have already covered the aspect of using EXT2/3 or NTFS.

ie: dcfldd if=/dev/hda1 conv=noerror,sync hashwindow=0 hashlog=hash.txt | split -b 650m - /mnt/hdb1/image.

The above will create files called image.aa, image.ab, image.ac... in the /mnt/hdb1 directory, each being 650MB (for burning to a CD). You can change the filename, and file size in that command line. Now, with the new version of Autopsy/TSK, you can import those split images directly into Autopsy (/mnt/hdb/image.a*). In prior versions, they had to be concatenated back together.

ie: cat image.a* > image.dd

Creating an image vs. a clone is beneficial in that you don't need to keep a cache of spare hard drives available. All images can just be stored on one large hard drive and analyzed from there. When cloning, extra work, and care, must be taken with each individual hard drive. They have to be wiped and verified prior to receiving data, and if the original hard drive is smaller than the clone hard drive, there'll be an amount of slack space on the clone drive.

Good luck!

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Brian Starr
Sent: Tuesday, March 15, 2005 7:06 PM
To: 'sle...@li...'
Subject: [sleuthkit-users] Help!! New to TSK and Linux

Hi, I am new to Linux and have a lot of questions. Any help is HUGELY appreciated . . . here is what I am trying to do.

IMAGING

I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). I am using the TSK bootable cd to do the imaging. My target drive is a FAT32 formatted hard disk that is partitioned several times - All FAT32.

I am using the following command:

dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0 hashlog=hash.txt

This stops after 2 Gigs of copying due to the FAT32 file size limit being exceeded. How do I get around this? Is it even possible with any filesystem to create a 17 Gig image file? Would I use a formatted ext3 file system?

What is the advantage of imaging a drive over just cloning it? In other words, why would I want to create an image as opposed to a bit-for-bit copy of one drive to another? Does it allow the forensic analyses to be performed quicker?
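The split-image pipeline and the cat reassembly from the reply above, as an added example that is not part of the thread or of TSK/dcfldd: dd and md5sum stand in for dcfldd (an assumption, so it runs with plain coreutils), a small constructed file stands in for /dev/hda1, and the check that the chunks reassemble to the logged hash is the step a practitioner would want before trusting the split image.

```shell
#!/bin/sh
# Reproduces the split-image workflow from the reply on a small constructed
# file, then checks that the chunks concatenate back to the bytes that were
# hashed. dd and md5sum stand in for dcfldd (assumption); on a real run the
# whole-image hash comes from hashwindow=0 hashlog=hash.txt.

make_split_image() {
    # $1 source (stands in for /dev/hda1), $2 chunk prefix, $3 chunk size
    src=$1; prefix=$2; chunk=$3
    # Same shape as the thread's pipeline: reader | split -b SIZE - PREFIX
    # (no conv=sync here: padding the last block would change the byte count)
    dd if="$src" bs=4k 2>/dev/null | split -b "$chunk" - "$prefix"
    # hashwindow=0 equivalent: one hash over the whole stream, kept in a log
    md5sum < "$src" | cut -d' ' -f1 > "${prefix}hash.txt"
}

verify_split_image() {
    # $1 chunk prefix; succeeds only if "cat image.a*" reproduces the logged hash
    prefix=$1
    logged=$(cat "${prefix}hash.txt")
    # the ?? glob sorts aa, ab, ac ... which is the order "cat image.a*" uses
    actual=$(cat "${prefix}"?? | md5sum | cut -d' ' -f1)
    [ "$logged" = "$actual" ]
}

count_chunks() {
    # $1 chunk prefix; number of PREFIX?? pieces that split produced
    ls "$1"?? | wc -l | tr -d ' '
}

demo() {
    work=$(mktemp -d)
    # constructed 10 KiB of sample data standing in for the evidence partition
    head -c 10240 /dev/urandom > "$work/source.bin"
    make_split_image "$work/source.bin" "$work/image." 4k
    echo "chunks written: $(count_chunks "$work/image.")"
    if verify_split_image "$work/image."; then
        echo "split image matches the hash log"
    else
        echo "MISMATCH: chunks do not reassemble to the hashed image"
    fi
    rm -rf "$work"
}

demo
```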