Re: [sleuthkit-users] analyze compressed image
From: jfb f. <jfb...@gm...> - 2007-01-08 06:17:37
Hi Jeff,

> I'm looking for information to see if Sleuthkit/Autopsy can analyze a dd
> image that has been compressed with either tar or gzip. I've attempted this
> with a floppy disk and Autopsy was unable to import the image. Am I doing
> something wrong? I've searched the mailing list archive, but haven't found
> any messages concerning this.

It's not possible to use dd.gz or tar images with sleuthkit/autopsy. You need to work with a RAW non-compressed image.

> Secondly, is there a different way to
> compress the image so that Sleuthkit/Autopsy can interpret it but still use
> a raw or open format? Thanks,

You can work with AFF images. It will compress the images and it's supported by Sleuthkit/Autopsy. The format is open and the image structure is described on the AFF website - http://www.afflib.org . At this time, Sleuthkit is the only forensic software supporting this image format. AFF tools allow you to acquire an image from a device or convert a 'raw image' to an AFF one. The image is compressed and contains meta-data such as md5, sha1, ...

Sleuthkit/Autopsy also supports EnCase (E01) images with the use of LibEWF. This format is not open. The images are also compressed and contain meta-data. LibEWF provides tools to acquire an image from a device or convert a 'raw' one. This format is normally recognized by commercial software.

Regards.

--
Jean-Francois BECKERS
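The distinction drawn in the reply above (gzip or tar wrappers must be unpacked to raw, while AFF and E01 are containers in their own right) can be checked from the first bytes of the file before import. This is an added example, not part of the original post or of Sleuthkit; the file names, the signature table and the all-zero floppy image are assumptions constructed for illustration.

```python
import gzip
import hashlib
import os
import tempfile

# (offset, signature, label): gzip (RFC 1952), EWF/E01 segment, AFF, POSIX tar.
MAGIC = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"EVF\x09\x0d\x0a\xff\x00", "ewf"),
    (0, b"AFF10\r\n\x00", "aff"),
    (257, b"ustar", "tar"),
]

def identify_image(path):
    """Return 'gzip', 'ewf', 'aff', 'tar', or 'raw' when no container magic matches."""
    with open(path, "rb") as f:
        head = f.read(512)
    for offset, sig, name in MAGIC:
        if head[offset:offset + len(sig)] == sig:
            return name
    return "raw"

def gunzip_to_raw(src, dst, chunk=1 << 20):
    """Stream-decompress src into dst; return (size, md5, sha1) of the raw data."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with gzip.open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(chunk)
            if not block:
                break
            fout.write(block)
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return size, md5.hexdigest(), sha1.hexdigest()

def demo():
    """Constructed sample: a 1.44 MB zero-filled 'floppy' with a boot signature."""
    workdir = tempfile.mkdtemp()
    raw = bytearray(1474560)
    raw[510:512] = b"\x55\xaa"
    gz_path = os.path.join(workdir, "floppy.dd.gz")
    with gzip.open(gz_path, "wb") as f:
        f.write(raw)
    raw_path = os.path.join(workdir, "floppy.dd")
    kind_before = identify_image(gz_path)
    size, md5, _sha1 = gunzip_to_raw(gz_path, raw_path)
    return kind_before, identify_image(raw_path), size, md5 == hashlib.md5(raw).hexdigest()

if __name__ == "__main__":
    print(demo())
```

Recording the hashes of the decompressed stream lets the raw copy be compared against the hash taken at acquisition before it is imported.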