Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata
From: Bala <bal...@cs...> - 2013-09-16 09:24:14
Simson,

Here's what I'm trying to do. Develop a program on the .Net platform to do the following.

1. Extract metadata from the forensic image (Investigator, case number etc.)
2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files

I can't use the tools (.exe) which you have mentioned as they are. The best would be to write my own wrapper in a .Net language and make calls to the sleuth kit API to do the above. Hence the reason for me to ask my previous question.

BTW tsk_recover doesn't seem to iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files. Is there another tool which I could use for this purpose?

Regards
Bala

From: Simson Garfinkel [mailto:si...@gm...] On Behalf Of Simson Garfinkel
Sent: Friday, September 13, 2013 6:15 PM
To: Bala
Cc: sle...@li...; si...@gm...
Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata

Bala,

I think that you have a fundamental misunderstanding about the tools you are using.

There are no "method signatures" here. ewfinfo and tsk_recover are both command-line C++ tools. ewfinfo is built upon libewf, which is a C library. There is also libewfcs which is a C# implementation of the EWF format.

tsk_recover is based on The SleuthKit, which is a C/C++ library. There is no managed code interface, but I believe that there is a JNI interface that you could call from Java.

I'm not sure what you are trying to do, but I suspect that you need to focus on your desired outcome, rather than on the toolset.

On Sep 13, 2013, at 1:50 AM, "Bala" <bal...@cs...> wrote:

Simson,

I presume ewfinfo & tsk_recover would suit me ideally according to the descriptions that I find; however, I'm unable to locate both their method signatures, which could help me write managed .Net code to call them. Could you help me find them (method signatures) in this please.

http://www.sleuthkit.org/sleuthkit/docs/api-docs/index.html

Regards
Bala

From: Simson Garfinkel [mailto:simsong@gmail.com] On Behalf Of Simson Garfinkel
Sent: Thursday, September 12, 2013 5:47 PM
To: Bala
Cc: sle...@li...
Subject: Re: [sleuthkit-users] extracting .E01 and .Ex01 metadata

Why do you want to use classes and methods?

For #1 - what do you mean by "metadata"? Do you want to use ewfinfo?

For #2 - Perhaps you want to use tsk_recover?

On Sep 12, 2013, at 3:27 AM, "Bala" <bal...@cs...> wrote:

Hi Guys,

I'm a newbie to TSK. Could someone help me figure out which classes and methods I need to use to get the following details from .E01 and .Ex01 files:

1. Extract metadata from the forensic image
2. Iterate over files in the file structure on .E01 and .Ex01 images and read/copy the files.

Environment
TSK Version: 4.1.0 Core (not the framework)
OS version: Windows 7 / Windows 2008 R2

Regards
Bala

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org