Re: [sleuthkit-users] Disk image in TSK
From: Edward D. <eld...@tr...> - 2016-06-27 22:02:58
On 6/27/2016 4:32 PM, Simson Garfinkel wrote:
> I don't recommend using AFF at this point for production purposes.
>
> Why do you want to use it?

I was curious whether it is integrated into TSK or not and, if so, how was it done? I actually have little use for it in the project on which I am working.

Eddie Diener

> ----
> Sent from my phone.
>
>> On Jun 27, 2016, at 3:16 PM, Edward Diener <eld...@tr...> wrote:
>>
>>> On 6/27/2016 3:08 PM, Edward Diener wrote:
>>> Hello Eddie,
>>>
>>> You're correct regarding RAW files. RAW can have different extensions other
>>> than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes
>>> all of those. Single refers to a single disk image file such as
>>> someimage.dd, and split refers to a disk image file separated into multiple
>>> chunks such as someotherimage.001, someotherimage.002, someotherimage.003,
>>> ... Windows doesn't come with an included disk imager as far as I'm aware.
>>
>> There is a product called FTK Imager from AccessData which can create
>> EWF image files.
>>
>>> RAW and .dd is pretty much considered an industry standard, regardless of
>>> the file extension actually used or the examiner's chosen platform.
>>
>> I will investigate these on the web.
>>
>>> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced
>>> Forensic Format) uses AFFLIB, which can be found here:
>>> https://github.com/sshock/AFFLIBv3/releases.
>>
>> How do I add support for AFF to TSK if I need it? The docs don't seem
>> to mention this.
>>
>>> I hope this helps!
>>
>> Very helpful. Thanks!
>>
>>> Hoyt
>>>
>>>
>>> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
>>>
>>>> What are the disk image formats in TSK?
>>>>
>>>> I see mention of single and split raw images. To what do these refer?
>>>> Are these files created by the Linux 'dd' command? What about on other
>>>> operating systems such as Windows?
>>>>
>>>> I also see mention of EWF and AFF. I assume that EWF are images created
>>>> by the libewf project and I can see that TSK 4.2.0 supports libewf. What
>>>> is needed to support AFF and where would I find more information
>>>> about it?
>>>>
>>>> Eddie Diener
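
Added example, not part of the thread and not TSK code: a split raw image is the same byte stream as the single raw image, so hashing the segments in order must reproduce the single-image hash, and a missing segment must be detected rather than silently skipped. The function names and the `name.001, name.002, ...` naming rule (any all-digit extension of three or more digits) are assumptions based on the naming described in the thread.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large images never sit in memory


def split_segments(first_segment):
    """Return the ordered segment files of a raw image, given its first file.

    A numeric extension (.001, .002, ...) is treated as a split raw image;
    anything else (.dd, .raw, .img, ...) is treated as a single raw image.
    Raises ValueError when a segment number is missing from the sequence.
    """
    first = Path(first_segment)
    if not first.is_file():
        raise FileNotFoundError(first)
    if not re.fullmatch(r"\.\d{3,}", first.suffix):
        return [first]
    width = len(first.suffix) - 1
    found = {}
    for p in first.parent.iterdir():
        if p.stem == first.stem and re.fullmatch(r"\.\d{%d}" % width, p.suffix):
            found[int(p.suffix[1:])] = p
    start = int(first.suffix[1:])
    numbers = sorted(n for n in found if n >= start)
    missing = sorted(set(range(start, numbers[-1] + 1)) - set(numbers))
    if missing:
        raise ValueError(f"missing segment numbers: {missing}")
    return [found[n] for n in numbers]


def image_sha256(first_segment):
    """SHA-256 of the logical image: all segments concatenated in order."""
    digest = hashlib.sha256()
    for seg in split_segments(first_segment):
        with open(seg, "rb") as fh:
            for block in iter(lambda: fh.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed sample: a 3072-byte "image" written as three 1024-byte segments.
    data = bytes(range(256)) * 12
    with tempfile.TemporaryDirectory() as d:
        for i in range(3):
            Path(d, f"someotherimage.{i + 1:03d}").write_bytes(data[i * 1024:(i + 1) * 1024])
        print(image_sha256(Path(d, "someotherimage.001")) == hashlib.sha256(data).hexdigest())
```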