sleuthkit-developers

[sleuthkit-developers] Synthetic image types

[RB <ao...@gm...>]

There's a good bit of traffic lately about Sleuthkit supporting
"synthetic" images of various types, and I'm curious what others'
opinion is.  I personally am of two minds - on one hand, most of these
images have other tools available that makes them accessible by
Sleuthkit (if in Linux only), and duplicating their efforts seems
backwards.  On the other hand, I recognize the value of having that
integrated support, particularly for platforms that may not have the
same depth of facilities available.

Some formats would be relatively trivial to duplicate - ntfsclone's
"special" format is simple, but isn't part of the core libntfs so
would have to be a standalone implementation.  VMDK is more complex,
but is technically "supported" if indirectly.  I like the idea of a
one-stop shop, particularly since I'm looking at using Sleuthkit more
and more on Windows, but sit the fence as to whether the duplication
is meritable.  Thoughts?


RB

Re: [sleuthkit-developers] Synthetic image types

[Brian C. <ca...@sl...>]

Hi RB,

In general, I support the idea of supporting as many types of formats as people need so that the process can be as automated as possible for the user (instead of needing to do a lot of conversions). That being said, I think that how they get implemented (i.e. built into TSK or linked in with a specific library) will be different in each case.   If there isn't a portable and easy to incorporate version of the libntfs sparse image format and it is relatively easy, then it may be easier to manually incorporate in. But, if there is a library that works on the platforms that people care about, then maybe that is the easiest... 

thanks,
brian



On Mar 18, 2010, at 12:46 PM, RB wrote:

> There's a good bit of traffic lately about Sleuthkit supporting
> "synthetic" images of various types, and I'm curious what others'
> opinion is.  I personally am of two minds - on one hand, most of these
> images have other tools available that makes them accessible by
> Sleuthkit (if in Linux only), and duplicating their efforts seems
> backwards.  On the other hand, I recognize the value of having that
> integrated support, particularly for platforms that may not have the
> same depth of facilities available.
> 
> Some formats would be relatively trivial to duplicate - ntfsclone's
> "special" format is simple, but isn't part of the core libntfs so
> would have to be a standalone implementation.  VMDK is more complex,
> but is technically "supported" if indirectly.  I like the idea of a
> one-stop shop, particularly since I'm looking at using Sleuthkit more
> and more on Windows, but sit the fence as to whether the duplication
> is meritable.  Thoughts?
> 
> 
> RB
> 
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers