RE: [sleuthkit-users] Help!! New to TSK and Linux
From: Brian S. <Br...@Pe...> - 2005-03-16 17:14:21
Hey thanks Brian. This has been very helpful.

-----Original Message-----
From: Baskin, Brian [mailto:ba...@dc...]
Sent: Wednesday, March 16, 2005 4:57 AM
To: sle...@li...
Subject: RE: [sleuthkit-users] Help!! New to TSK and Linux

If you would like to continue using a FAT32 as an image repository, the files need to be split. To do this, leave off the "of=..." section of dcfldd, and pipe the output to the split command. Others have already covered the aspect of using EXT2/3 or NTFS.

i.e.:

dcfldd if=/dev/hda1 conv=noerror,sync hashwindow=0 hashlog=hash.txt | split -b 650m - /mnt/hdb1/image.

The above will create files called image.aa, image.ab, image.ac... in the /mnt/hdb1 directory, each being 650MB (for burning to a CD). You can change the filename and file size in that command line.

Now, with the new version of Autopsy/TSK, you can import those split images directly into Autopsy (/mnt/hdb/image.a*). In prior versions, they had to be concatenated back together.

i.e.:

cat image.a* > image.dd

Creating an image vs. a clone is beneficial in that you don't need to keep a cache of spare hard drives available. All images can just be stored on one large hard drive and analyzed from there. When cloning, extra work, and care, must be taken with each individual hard drive. They have to be wiped and verified prior to receiving data, and if the original hard drive is smaller than the clone hard drive, there'll be an amount of slack space on the clone drive.

Good luck!

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Brian Starr
Sent: Tuesday, March 15, 2005 7:06 PM
To: 'sle...@li...'
Subject: [sleuthkit-users] Help!! New to TSK and Linux

Hi, I am new to Linux and have a lot of questions. Any help is HUGELY appreciated . . . here is what I am trying to do.

IMAGING

I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). I am using the TSK bootable cd to do the imaging. My target drive is a FAT32 formatted hard disk that is partitioned several times - All FAT32. I am using the following command:

dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0 hashlog=hash.txt

This stops after 2 Gigs of copying due to the FAT32 file size limit being exceeded. How do I get around this? Is it even possible with any filesystem to create a 17 Gig image file? Would I use a formatted ext3 file system?

What is the advantage of imaging a drive over just cloning it? In other words, why would I want to create an image as opposed to a bit-for-bit copy of one drive to another? Does it allow the forensic analyses to be performed quicker?
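The split-image workflow from Brian Baskin's reply, as an added example that is not part of the original thread. It adds the check a practitioner wants before the chunks are burned and the original drive is released: the pieces are streamed back in order through a hash and compared against the hash recorded at acquisition time, without needing free space for a reassembled copy. dcfldd is assumed to be unavailable, so plain dd with sha256sum stands in for hashwindow=0/hashlog=; a constructed 40-sector random file stands in for /dev/hda1, and an 8k chunk stands in for 650m. The function names and the hash.txt layout are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): image a device into FAT32-sized
# pieces with split, record a hash, and verify the pieces afterwards.
# Assumptions: dd, split, sha256sum and cut are present; dcfldd is not.
set -eu

# image_split SRC DESTDIR PREFIX CHUNK
#   Mirrors:  dcfldd if=SRC conv=noerror,sync hashwindow=0 hashlog=hash.txt \
#               | split -b CHUNK - DESTDIR/PREFIX.
#   Writes DESTDIR/PREFIX.aa, .ab, .ac ... of CHUNK bytes each, plus
#   DESTDIR/hash.txt holding the SHA-256 of the source.
image_split() {
    src=$1; dest=$2; prefix=$3; chunk=$4
    mkdir -p "$dest"

    # dcfldd hashes the stream as it copies; dd cannot, so hash the
    # source first. hash.txt stands in for dcfldd's hashlog=.
    sha256sum "$src" | cut -d' ' -f1 > "$dest/hash.txt"

    # conv=noerror,sync: keep reading past bad sectors and pad the short
    # block with zeros so offsets stay aligned. Caveat: sync pads the last
    # block too, so the image only matches the source hash when the source
    # size is a multiple of bs; a real partition is a whole number of
    # 512-byte sectors, so bs=512 keeps the two equal.
    # split's default two-letter suffix gives 676 pieces, far more than the
    # ~27 a 17 GB image needs at 650m.
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null \
        | split -b "$chunk" - "$dest/$prefix."
}

# image_verify DESTDIR PREFIX
#   Streams the pieces back in order through sha256sum and compares the
#   result with hash.txt. Returns 0 on match, 1 on mismatch. No
#   reassembled file is written, so this works on a nearly full disk.
image_verify() {
    dest=$1; prefix=$2
    expected=$(cat "$dest/hash.txt")
    # The shell sorts globs lexically, so .aa .ab .ac come back in order,
    # exactly as "cat image.a* > image.dd" relies on.
    actual=$(cat "$dest/$prefix".?? | sha256sum | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# image_reassemble DESTDIR PREFIX OUT
#   The concatenation older Autopsy/TSK versions needed; OUT must live on
#   a filesystem without the 2 GB limit (ext3, NTFS), not on the FAT32 store.
image_reassemble() {
    dest=$1; prefix=$2; out=$3
    cat "$dest/$prefix".?? > "$out"
}

# --- constructed demo: a 40-sector random file stands in for /dev/hda1 ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
head -c 20480 /dev/urandom > "$work/hda1"

image_split "$work/hda1" "$work/hdb1" image 8k     # image.aa image.ab image.ac
ls "$work/hdb1"
if image_verify "$work/hdb1" image; then
    echo "split image verified against hash.txt"
else
    echo "HASH MISMATCH: do not trust these pieces" >&2
fi
```

Run it as `sh` on any Linux with coreutils. For the real acquisition, replace `$work/hda1` with `/dev/hda1`, the chunk with `650m`, and the destination with the FAT32 store; keep `image_verify` in the procedure, because a silent short read or a bad CD burn shows up there and nowhere else.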