Re: [sleuthkit-users] Disk image in TSK
From: Hoyt H. <hoy...@gm...> - 2016-06-28 17:14:02
Simson is the man behind AFF and he has the authoritative opinion on this, together with Michael Cohen and Bradley Schatz. They're working on AFF4 currently and, based on what he said, it doesn't sound like that's ready yet. Previous versions of AFF are deprecated. Once it's ready, TSK would need to be compiled against the AFF4 library similar to the way it's done using libewf. For what it's worth, I've been tinkering around this past month compiling TSK against the latest version of AFF4 from GitHub, resulting in errors. You can experiment with it as well if you'd like, but I'd wait until the AFF4 guys have a stable release they're happy with.

Otherwise, here's more detailed information:
http://forensicswiki.org/wiki/AFF4

...and here's AFF4 on GitHub (read the README.md, then find the releases):
https://github.com/google/aff4

Hoyt

On Mon, Jun 27, 2016 at 5:02 PM, Edward Diener <eld...@tr...> wrote:

> On 6/27/2016 4:32 PM, Simson Garfinkel wrote:
> > I don't recommend using AFF at this point for production purposes.
> >
> > Why do you want to use it?
>
> I was curious whether it is integrated into TSK or not and, if so, how was it done? I actually have little use for it in the project on which I am working.
>
> Eddie Diener
>
> > ----
> > Sent from my phone.
> >
> >> On Jun 27, 2016, at 3:16 PM, Edward Diener <eld...@tr...> wrote:
> >>
> >>> On 6/27/2016 3:08 PM, Edward Diener wrote:
> >>> Hello Eddie,
> >>>
> >>> You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware.
> >>
> >> There is a product called FTK Imager from AccessData which can create EWF image files.
> >>
> >>> RAW and .dd is pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.
> >>
> >> I will investigate these on the web.
> >>
> >>> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here:
> >>> https://github.com/sshock/AFFLIBv3/releases.
> >>
> >> How do I add support for AFF to TSK if I need it? The docs don't seem to mention this.
> >>
> >>> I hope this helps!
> >>
> >> Very helpful. Thanks!
> >>
> >>> Hoyt
> >>>
> >>>
> >>> On Sat, Jun 25, 2016 at 7:42 AM, Edward Diener <eldlistmailingz@...> wrote:
> >>>
> >>>> What are the disk image formats in TSK?
> >>>>
> >>>> I see mention of single and split raw images. To what do these refer? Are these files created by the Linux 'dd' command? What about on other operating systems such as Windows?
> >>>>
> >>>> I also see mention of EWF and AFF. I assume that EWF are images created by the libewf project and I can see that TSK 4.2.0 supports libewf. What is needed to support AFF and where would I find more information about it?
> >>>>
> >>>> Eddie Diener
> >>
> >> ------------------------------------------------------------------------------
> >> Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San Francisco, CA to explore cutting-edge tech and listen to tech luminaries present their vision of the future. This family event has something for everyone, including kids. Get more information and register today.
> >> http://sdm.link/attshape
> >> _______________________________________________
> >> sleuthkit-users mailing list
> >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> >> http://www.sleuthkit.org
> >
> >
>

--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny, those who don't, ...and those who don't know binary.
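The single versus split raw layout discussed in the thread (someotherimage.001, .002, .003, ...), as an added example that is not from the thread, the TSK project or Hoyt: a POSIX shell script that builds a small split image from a constructed 1 MiB sample, lists the chunks in the order TSK expects, and checks that the chunks reassemble to the acquisition hash before they are handed to a TSK tool. It assumes dd and either sha256sum or shasum on the host; the img_stat call only runs if The Sleuth Kit is installed.

```shell
# Added example, not from the thread: build a split raw image in the
# "someotherimage.001, .002, .003" layout, list the chunks in the order TSK
# expects, and confirm they reassemble to the hash of the original acquisition.
set -eu
WORK=$(mktemp -d)

# Picks whichever SHA-256 tool the host has and prints only the digest.
sha256_of() { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1; }

# split_image RAW PREFIX CHUNK_KIB: cut RAW into PREFIX.001, PREFIX.002, ...
# Done with dd so it behaves the same with GNU and BSD userlands.
split_image() {
    total=$(wc -c < "$1" | tr -d ' '); n=1; off=0
    while [ "$off" -lt "$total" ]; do
        dd if="$1" of="$(printf '%s.%03d' "$2" "$n")" bs=1024 \
           skip=$((off / 1024)) count="$3" 2>/dev/null
        off=$((off + $3 * 1024)); n=$((n + 1))
    done
}

# list_chunks PREFIX: the chunk files, one per line, in acquisition order.
# The glob sorts lexically, which is why zero-padded suffixes (.001 ... .999)
# matter: a ".1, .2, ..., .10" scheme would put .10 before .2.
list_chunks() { for f in "$1".[0-9][0-9][0-9]; do printf '%s\n' "$f"; done; }

# verify_split PREFIX EXPECTED_SHA256: a split raw image is just the
# concatenation of its chunks, so the hash of that stream must equal the hash
# recorded at acquisition. Returns 1 on a missing, reordered or altered chunk.
verify_split() {
    actual=$(cat $(list_chunks "$1") | sha256_of)
    [ "$actual" = "$2" ]
}

# TSK takes a split raw image as the ordered list of chunk files, e.g.
#   img_stat -i raw disk.001 disk.002 disk.003
# Only run when The Sleuth Kit is installed; otherwise show the command.
tsk_img_stat() {
    if command -v img_stat >/dev/null 2>&1; then
        img_stat -i raw $(list_chunks "$1")
    else
        echo "img_stat not installed; would run: img_stat -i raw $(list_chunks "$1" | tr '\n' ' ')"
    fi
}

# Constructed sample: a 1 MiB "disk" of random bytes, split into 400 KiB chunks.
dd if=/dev/urandom of="$WORK/disk.raw" bs=1024 count=1024 2>/dev/null
ORIG_SHA=$(sha256_of < "$WORK/disk.raw")
split_image "$WORK/disk.raw" "$WORK/disk" 400
verify_split "$WORK/disk" "$ORIG_SHA" && echo "split image verified: $ORIG_SHA"
tsk_img_stat "$WORK/disk"
```

If any chunk is missing, renamed out of order or altered, verify_split fails, which is the point at which to stop and go back to the acquisition log rather than continue the analysis.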