RE: [sleuthkit-users] Help!! New to TSK and Linux
From: Brian S. <Br...@Pe...> - 2005-03-16 17:03:40
Thanks Chris . . . what you are saying about imaging versus clone makes
complete sense. I think I have decided with going to ext2 and copying the
17gig image to the ext2 file system.
-----Original Message-----
From: Poldervaart, Christopher A
[mailto:chr...@lm...]
Sent: Tuesday, March 15, 2005 6:08 PM
To: Br...@Pe...; sle...@li...
Subject: Re: [sleuthkit-users] Help!! New to TSK and Linux
One advantage of imaging a drive vs. cloning is the fact that with an image
you are simply creating a file (or files if you are splitting) on an
existing file system. This makes for portability. You can copy the image
files, move them, mount them. With a clone you are tying up an entire
partition to create the cloned filesystem. I always image to file, then if
needed I can always blow that image off to a device for a cloned copy.
The best way to handle imaging to FAT32 is just to split the image during
the dd by piping the output to split. The caveat with this is that mounting
multiple image files as one is a little more tricky, unless you are using a
tool like SMART, which is very good at seamlessly putting back together
chunks of images.
Chris A. Poldervaart, Investigator
Lockheed Martin Corporation - EIS
Corporate Information Security Office
Computing System Investigations-CSI
3600 Ridgecrest Dr. Casper, WY 82604
Office: 307.265.2152
Cell: 307.258.1292
-----Original Message-----
From: sle...@li...
<sle...@li...>
To: 'sle...@li...'
<sle...@li...>
Sent: Tue Mar 15 17:05:50 2005
Subject: [sleuthkit-users] Help!! New to TSK and Linux
Hi, I am new to Linux and have a lot of questions. Any help is HUGELY
appreciated . . . here is what I am trying to do.
IMAGING
I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). I
am using the TSK bootable cd to do the imaging. My target drive is a FAT32
formatted hard disk that is partitioned several times - All FAT32. I am
using the following command:
dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0 hashlog=hash.txt
This stops after 2 Gigs of copying due to the FAT32 file size limit being
exceeded. How do I get around this? Is it even possible with any filesystem
to create a 17 Gig image file? Would I use a formatted ext3 file system?
What is the advantage of imaging a drive over just cloning it? In other
words, why would I want to create an image as opposed to a bit-for-bit copy
of one drive to another? Does it allow the forensic analyses to be
performed quicker?
Also, why wouldn't I use bs=8k as opposed to bs=512?
AUTOPSY
Because of the file size limit, I created a bit for bit clone of the disk,
from which I am attempting to use TSK forensic tools (which may or may not
be the correct approach).
So with that, I began using autopsy. I added a new case. Gave it a host
name of 192.168.1.1 and timezone of PST. I then added an image location of
/dev/hda1, symlink as the import method, fstype of fat32, mounting point of
/mnt/hda1, and ignore md5. Is this a correct setup? With this setup I
began to use the autopsy tools with the following results:
-The keyword search didn't work - is this because I am using /mnt/hda1
instead of an image file? Does this version of autopsy work using
/mnt/hda1?
-The sorter also did not work. No output files in the directories
specified. Is this also because I am not using an image as well?
GREP
Also, I have a general linux question. Is there a way to speed up grep? I
am searching the unallocated/slack space and it is taking forever . . . here
is the command I am using:
tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja > grephits.txt
I would really like to use TSK - just need these issues addressed. I really
want to use linux. Heaven forbid purchasing a windows forensic software
package.
Thanks so much in advance.
Brian
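The dd-piped-into-split approach Chris recommends for a FAT32 target, together with the hash verification Brian is after with hashlog, as an added example that is not part of this thread. It assumes POSIX sh with coreutils or busybox dd, split, tee, sha256sum, mkfifo and mktemp; the "device" is a constructed sample file, and the helper names are the example's own.

```shell
# Added example (not from the thread): acquire a source into chunks that stay
# under the FAT32 file-size limit, hash the acquired stream in the same pass,
# and verify that the reassembled chunks still match that hash.
set -eu

# Constructed sample "device": 4096 fixed-width lines = 204800 bytes, an
# exact multiple of the 8k block size, so conv=sync adds no padding here.
make_sample() {
    i=0
    while [ "$i" -lt 4096 ]; do
        printf 'constructed sector %05d %024d\n' "$i" 0
        i=$((i + 1))
    done > "$1"
}

# image_split SRC OUTDIR CHUNKSIZE: writes OUTDIR/image.dd.aa, .ab, ... each
# at most CHUNKSIZE (e.g. 2000m on a FAT32 target). The hash is taken over
# the dd output stream, not the raw source, so it covers exactly the bytes
# written to the chunks (including conv=sync padding of a short last block).
image_split() {
    src=$1; out=$2; size=$3
    mkdir -p "$out"
    fifo=$out/.hashpipe
    mkfifo "$fifo"
    # Hash reader runs in the background; tee feeds the same stream to it and
    # to split, so the source is read only once (one pass over a failing disk).
    sha256sum < "$fifo" | cut -d' ' -f1 > "$out/image.sha256" &
    dd if="$src" bs=8k conv=noerror,sync 2>/dev/null \
        | tee "$fifo" | split -b "$size" - "$out/image.dd."
    wait
    rm -f "$fifo"
    cat "$out/image.sha256"
}

# Number of chunk files produced.
count_chunks() { ls "$1"/image.dd.* | wc -l | tr -d ' '; }

# verify_image OUTDIR: reassemble the chunks in name order (split's aa, ab,
# ... suffixes sort correctly) and compare with the acquisition hash.
# Returns 0 on match, 1 on mismatch.
verify_image() {
    out=$1
    expected=$(cat "$out/image.sha256")
    actual=$(cat "$out"/image.dd.* | sha256sum | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK $actual"; return 0
    fi
    echo "MISMATCH expected=$expected actual=$actual"; return 1
}
```

For a real acquisition, replace the constructed sample with the source device (for example if=/dev/hda1) and use a chunk size below 2 GiB such as 2000m; the verify step is what you re-run after copying the chunks elsewhere.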