Re: [sleuthkit-users] running `sorter' on raw filesystem
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] running `sorter' on raw filesystem
|
From: ben s. <ben...@gm...> - 2005-06-02 21:20:42
|
Thanks for your help, Barry. Maybe this is not true for all TSK utilities, but `fsstat' recognizes an fstype of raw. (Not exactly sure what that means, though, so maybe I am approaching this wrong.) Running `fsstat' without any options tells you: valid fstypes are -- ufs, fat, ext, ntfs, raw, swap valid imgtypes are -- raw, split -ben On 6/2/05, Barry J. Grundy <bg...@im...> wrote: > On Thu, 2005-06-02 at 14:40 -0400, ben scent wrote: > > I am wondering if I can run `sorter' on a raw image with fstype of > > raw. I know that fstype of raw works with TSK (if I run `fsstat -f raw > > IMAGEFILE' then it detects it), but running `sorter' with this command > > says that I am using an invalid fstype: > > `sorter -v -h -d ~ -f raw -i raw IMAGEFILE' >=20 > I think you are confusing "imgtype" with "fstype". You are specifying > "raw" for both in your command above. >=20 > imgtype refers to the *format* of the image. A "raw" dd type image or a > "split" image file set. >=20 > fstype refers to the filesystem type. NTFS, FAT, ext, etc. >=20 > The "raw" disk image you created has the file system type you created on > the CD. Might not be supported by TSK (AFAIK). >=20 > Barry >=20 > -- > /*************************************** > Special Agent Barry J. Grundy > NASA Office of Inspector General > Computer Crimes Division > Goddard Space Flight Center > Code 190 > Greenbelt Rd. > Greenbelt, MD 20771 > (301)286-3358 > **************************************/ >=20 >=20 > |
