[sleuthkit-users] running `sorter' on raw filesystem

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello all,

I am wondering if I can run `sorter' on a raw image with fstype of
raw. I know that fstype of raw works with TSK (if I run `fsstat -f raw
IMAGEFILE' then it detects it), but running `sorter' with this command
says that I am using an invalid fstype:
`sorter -v -h -d ~ -f raw -i raw IMAGEFILE'=20

Am I doing something wrong, or can `sorter' not work with that kind of
image file the way the other TSK utilities can?

Here is what I am ultimately trying to do: I had a Linux ext2
partition with many problems on it. I don't have access to that disk
any more, but I have recovered some of the data and copied it onto a
CD. I have a bunch of files in one directory named based on the inode
they were formerly stored in on my disk, but now they have lost their
names and extensions, and I want to determine the file type of each.

I put these files on an ISO 9660 format CD-R. Then I used `dd' to make
a raw disk image:
`dd -if=3D/dev/disk1s0 -of=3DIMAGEFILE -conv=3Dnoerror, sync'

Can TSK work with a disk image made in this type of way? If not, how
can I create the right type of image file? Right now the files I want
to analyze with `sorter' are in a directory on my hard disk (I am
running a Mac OS X system and they are on an HFS+ drive) but I know
TSK can't work directly with a directory.

I am using SleuthKit 2.0.1.

Thanks for your help!