Re: [sleuthkit-users] running `sorter' on raw filesystem
From: Barry J. G. <bg...@im...> - 2005-06-02 18:55:21
On Thu, 2005-06-02 at 14:40 -0400, ben scent wrote:
> I am wondering if I can run `sorter' on a raw image with fstype of
> raw. I know that fstype of raw works with TSK (if I run `fsstat -f raw
> IMAGEFILE' then it detects it), but running `sorter' with this command
> says that I am using an invalid fstype:
> `sorter -v -h -d ~ -f raw -i raw IMAGEFILE'

I think you are confusing "imgtype" with "fstype". You are specifying
"raw" for both in your command above.

imgtype refers to the *format* of the image. A "raw" dd type image or a
"split" image file set.

fstype refers to the filesystem type. NTFS, FAT, ext, etc.

The "raw" disk image you created has the file system type you created on
the CD. Might not be supported by TSK (AFAIK).

Barry

--
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190 Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
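To illustrate the imgtype/fstype distinction drawn in the message above, here is an added example (not part of the original post and not Sleuth Kit code) that identifies the filesystem inside a raw image from its on-disk signature. The function names, the returned labels and the sample buffers are assumptions made for this sketch; the labels are descriptive and are not TSK `-f` values.

```python
"""Identify the filesystem inside a raw (dd) image from its on-disk signature."""

SIGNATURES = [
    # (label, byte offset from the start of the filesystem, expected bytes)
    ("NTFS",     3,             b"NTFS    "),  # OEM ID in the boot sector
    ("FAT",      54,            b"FAT1"),      # FAT12/FAT16 type string
    ("FAT",      82,            b"FAT32"),     # FAT32 type string
    ("ext",      1024 + 56,     b"\x53\xef"),  # superblock magic 0xEF53 (LE)
    ("ISO 9660", 16 * 2048 + 1, b"CD001"),     # primary volume descriptor
]
READ_LEN = 16 * 2048 + 6  # enough bytes to cover the deepest signature


def detect_fs(data: bytes, fs_offset: int = 0) -> str:
    """Return a descriptive filesystem label, or 'unknown'.

    fs_offset is the byte offset of the filesystem inside the image
    (non-zero when the image is a whole disk with a partition table).
    """
    for label, off, magic in SIGNATURES:
        start = fs_offset + off
        if data[start:start + len(magic)] == magic:
            return label
    return "unknown"


def detect_fs_in_file(path: str, fs_offset: int = 0) -> str:
    """Same check, reading only the needed bytes from an image file."""
    with open(path, "rb") as fh:
        fh.seek(fs_offset)
        return detect_fs(fh.read(READ_LEN))


def make_sample(off: int, magic: bytes, pad_before: int = 0) -> bytes:
    """Constructed test image: zeros with one signature planted."""
    buf = bytearray(pad_before + READ_LEN)
    buf[pad_before + off:pad_before + off + len(magic)] = magic
    return bytes(buf)


if __name__ == "__main__":
    cd = make_sample(16 * 2048 + 1, b"CD001")                # constructed CD image
    disk = make_sample(3, b"NTFS    ", pad_before=63 * 512)  # constructed disk image
    print(detect_fs(cd))              # filesystem starts at byte 0
    print(detect_fs(disk))            # wrong offset: partition not at byte 0
    print(detect_fs(disk, 63 * 512))  # offset of the first partition
```

Both sample buffers are "raw" in the image-format sense; only the signature found inside them says which filesystem, if any, a tool would have to support.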