Re: [sleuthkit-users] Attempting to use fiwalk
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Attempting to use fiwalk
|
From: Jason W. <jwr...@gm...> - 2015-03-27 18:11:26
|
best way to concatenate them is to use affuse affuse /path/to/image.001 /mnt/aff it will virtualize the split dd's into one raw file in the /mnt/aff directory. takes a second, then you can run fiwalk against it. On Fri, Mar 27, 2015 at 1:33 PM, Alex Nelson <ajn...@cs...> wrote: > Hi Jeff, > > As I recall, as a regular Fiwalk user, the split-files code is just for > the split Encase format files. Split raw files aren't recognized by the > TSK libraries. > > You'll either have to concatenate them, or gerry-rig some way of treating > them as one big virtual file. > > --Alex > > > > On Fri, Mar 27, 2015 at 1:27 PM, Jeff Scarborough < > jef...@gm...> wrote: > >> I am a new user to SleuthKit and I am attempting to run fiwalk on an >> image and output a dfxml file. The image is, I believe called a split raw >> since it is in the form of filename.001, filename.002, filename.003 etc. I >> am having an issue with the command line to output the file. >> >> The below command is the example i usually run across. >> >> fiwalk -X path/report.xml path/image.raw >> >> >> I need to use fiwalk with split files. I used the examples below with >> limited luck. >> >> fiwalk -X path/report.xml path/image.dd -- this one said it had trouble >> opening the file >> >> fiwalk -X path/report.xml path/image.* -- this one also has trouble >> >> >> The command line below seems to start the process but as far as I can see >> only processes the first file in the list and none of the others. >> >> fiwalk -X path/report.xml path/image.001 >> >> >> Am I missing something in the command line that will process all of the >> files? >> >> I am using a virtual machine to run linux with SleuthKit installed and >> the image is on a USB drive. >> >> Thanks, >> Jeff Scarborough >> >> >> ------------------------------------------------------------------------------ >> Dive into the World of Parallel Programming The Go Parallel Website, >> sponsored >> by Intel and developed in partnership with Slashdot Media, is your hub >> for all >> things parallel software development, from weekly thought leadership >> blogs to >> news, videos, case studies, tutorials and more. Take a look and join the >> conversation now. http://goparallel.sourceforge.net/ >> _______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org >> >> > > > ------------------------------------------------------------------------------ > Dive into the World of Parallel Programming The Go Parallel Website, > sponsored > by Intel and developed in partnership with Slashdot Media, is your hub for > all > things parallel software development, from weekly thought leadership blogs > to > news, videos, case studies, tutorials and more. Take a look and join the > conversation now. http://goparallel.sourceforge.net/ > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org > > |
