Re: [sleuthkit-users] Disk image in TSK
From: Edward D. <eld...@tr...> - 2016-06-27 19:17:01
On 6/27/2016 3:08 PM, Edward Diener wrote:
> Hello Eddie,
>
> You're correct regarding RAW files. RAW can have different extensions other
> than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes
> all of those. Single refers to a single disk image file such as
> someimage.dd, and split refers to a disk image file separated into multiple
> chunks such as someotherimage.001, someotherimage.002, someotherimage.003,
> ... Windows doesn't come with an included disk imager as far as I'm
> aware.

There is a product called FTK Imager from AccessData which can create EWF image files.

> RAW and .dd is pretty much considered an industry standard, regardless of
> the file extension actually used or the examiner's chosen platform.

I will investigate these on the web.

>
> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced
> Forensic Format) uses AFFLIB, which can be found here:
> https://github.com/sshock/AFFLIBv3/releases.

How do I add support for AFF to TSK if I need it? The docs don't seem to mention this.

>
> I hope this helps!

Very helpful. Thanks!

>
> Hoyt
>
>
> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
>
>> What are the disk image formats in TSK?
>>
>> I see mention of single and split raw images. To what do these refer?
>> Are these files created by the Linux 'dd' command? What about on other
>> operating systems such as Windows?
>>
>> I also see mention of EWF and AFF. I assume that EWF are images created
>> by the libewf project and I can see that TSK 4.2.0 supports libewf. What
>> is needed to support AFF and where would I find more information
>> about it?
>>
>> Eddie Diener
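Added example, not part of the original thread and not TSK code: a Python sketch of the distinctions discussed above. It tells EWF and AFF containers from raw data by file signature rather than extension, and orders and hashes the chunks of a split raw image as one stream. It assumes split segments are numbered from .001 as in the thread; the function names are hypothetical.

```python
import hashlib
import re
from pathlib import Path

# Added illustration; function names are hypothetical, not part of TSK.
# File signatures (first 8 bytes) of the container formats named in the thread.
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"   # Expert Witness Format (.E01)
AFF_MAGIC = b"AFF10\r\n\x00"             # Advanced Forensic Format (.aff)


def image_format(path):
    """Classify by signature, not extension; raw images carry no header."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head == EWF_MAGIC:
        return "ewf"
    if head == AFF_MAGIC:
        return "aff"
    return "raw"


def split_segments(first):
    """Return the segments of a split raw image in order, given the .001 file.

    Raises ValueError if the numbering has a gap, since a silently missing
    chunk would shift every later offset in the reassembled disk.
    """
    first = Path(first)
    pat = re.compile(re.escape(first.stem) + r"\.(\d{3})$")
    found = {}
    for p in first.parent.iterdir():
        m = pat.match(p.name)
        if m:
            found[int(m.group(1))] = p
    for n in range(1, max(found, default=0) + 1):
        if n not in found:
            raise ValueError(f"missing segment {first.stem}.{n:03d}")
    return [found[n] for n in sorted(found)]


def image_sha256(segments):
    """Hash the segments as one byte stream, i.e. the hash of the whole disk."""
    h = hashlib.sha256()
    for seg in segments:
        with open(seg, "rb") as fh:
            for block in iter(lambda: fh.read(1 << 20), b""):
                h.update(block)
    return h.hexdigest()
```

The digest from image_sha256 should match the hash of the same disk acquired as a single raw file, which gives a quick check that no segment was lost or reordered.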