[sleuthkit-users] running `sorter' on raw filesystem
From: ben s. <ben...@gm...> - 2005-06-02 18:40:41
Hello all,

I am wondering if I can run `sorter' on a raw image with fstype of raw. I know that fstype of raw works with TSK (if I run `fsstat -f raw IMAGEFILE' then it detects it), but running `sorter' with this command says that I am using an invalid fstype:

`sorter -v -h -d ~ -f raw -i raw IMAGEFILE'

Am I doing something wrong, or can `sorter' not work with that kind of image file the way the other TSK utilities can?

Here is what I am ultimately trying to do: I had a Linux ext2 partition with many problems on it. I don't have access to that disk any more, but I have recovered some of the data and copied it onto a CD. I have a bunch of files in one directory named based on the inode they were formerly stored in on my disk, but now they have lost their names and extensions, and I want to determine the file type of each. I put these files on an ISO 9660 format CD-R. Then I used `dd' to make a raw disk image:

`dd -if=/dev/disk1s0 -of=IMAGEFILE -conv=noerror, sync'

Can TSK work with a disk image made in this type of way? If not, how can I create the right type of image file? Right now the files I want to analyze with `sorter' are in a directory on my hard disk (I am running a Mac OS X system and they are on an HFS+ drive) but I know TSK can't work directly with a directory.

I am using SleuthKit 2.0.1.

Thanks for your help!