Thread: [sleuthkit-users] Help!! New to TSK and Linux
Brought to you by:
carrier
Menu
▾
▴
sleuthkit-users
|
From: Brian S. <Br...@Pe...> - 2005-03-16 00:06:00
|
Hi, I am new to Linux and have a lot of questions. Any help is HUGELY
appreciated . . . here is what I am trying to do.
IMAGING
I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). I
am using the TSK bootable cd to do the imaging. My target drive is a FAT32
formatted hard disk that is partitioned several times - All FAT32. I am
using the following command:
dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0
hashlog= hash.txt
This stops after 2 Gigs of copying due to the FAT32 file size limit being
exceeded. How do I get around this? Is it even possible with any filesystem
to create a 17 Gig image file? Would I use a formatted ext3 file system?
What is the advantage of imaging a drive over just cloning it? In other
words, why would I want to create an image as opposed to a bit-for-bit copy
of one drive to another? Does it allow the forensic analyses to be
performed quicker?
Also, why wouldn't I use bs=8k as opposed bs=512?
AUTOPSY
Because of the file size limit, I created a bit for bit clone of the disk,
from which I am attempting to use TSK forensic tools (which may or may not
be the correct approach).
So with that, I began using autopsy. I added a new case. Gave it a host
name of 192.168.1.1 and timezone of PST. I then added an image location of
/dev/hda1, symlink as the import method, fstype of fat32, mounting point of
/mnt/hda1, and ignore md5. Is this a correct setup? With this setup I
began to use the autopsy tools with the following results:
-The keyword search didn't work - is this because I am using /mnt/hda1
instead of an image file? Does this version of autopsy work using
/mnt/hda1?
-The sorter also did not work. No output files in the directories
specified. Is this also because I am not using an image as well?
GREP
Also, I have a general linux question. Is there a way to speed up grep? I
am searching the unallocated/slack space and it is taking forever . . . here
is the command I am using:
tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja /dev/hda1 >
grephits.txt
I would really like to use TSK - just need these issues addressed. I really
want to use linux. Heaven forbid purchasing a windows forensic software
package.
Thanks so much in advance.
Brian
|
|
From: Alan <ts...@as...> - 2005-03-16 00:16:45
|
Hi Brian, Here are a few answers to your first questions. Imaging to a Fat32 partition... Either split up the image (I don't know the specific syntax to do this specifically) or format your hdb1 output partition in a filesystem that supports larger files. Ext3 will work, NTFS will also. >What is the advantage of imaging a drive over just cloning it? In other words, why would I want to create an image as opposed to a bit-for->bit copy of one drive to another? When you image using dd, you are creating a bit-for-bit copy. dd reads each raw sector from input and writes to output. I think the distinction is grey. I consider imaging generally as writing the bit-for-bit to a file, while cloning as writing a bit-for-bit image directly to a blank drive. >Also, why wouldn't I use bs=8k as opposed bs=512? Larger block sizes generally makes the imaging go faster. HTH Alan At 19:05 3/15/2005, you wrote: >Hi, I am new to Linux and have a lot of questions. Any help is HUGELY >appreciated . . . here is what I am trying to do. >IMAGING >I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). >I am using the TSK bootable cd to do the imaging. My target drive is a >FAT32 formatted hard disk that is partitioned several times - All FAT32. I >am using the following command: > >dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0 >hashlog= hash.txt > >This stops after 2 Gigs of copying due to the FAT32 file size limit being >exceeded. How do I get around this? Is it even possible with any >filesystem to create a 17 Gig image file? Would I use a formatted ext3 >file system? > >What is the advantage of imaging a drive over just cloning it? In other >words, why would I want to create an image as opposed to a bit-for-bit >copy of one drive to another? Does it allow the forensic analyses to be >performed quicker? >Also, why wouldn't I use bs=8k as opposed bs=512? > >AUTOPSY >Because of the file size limit, I created a bit for bit clone of the disk, >from which I am attempting to use TSK forensic tools (which may or may not >be the correct approach). >So with that, I began using autopsy. I added a new case. Gave it a host >name of 192.168.1.1 and timezone of PST. I then added an image location >of /dev/hda1, symlink as the import method, fstype of fat32, mounting >point of /mnt/hda1, and ignore md5. Is this a correct setup? With this >setup I began to use the autopsy tools with the following results: > >-The keyword search didn't work - is this because I am using /mnt/hda1 >instead of an image file? Does this version of autopsy work using /mnt/hda1? >-The sorter also did not work. No output files in the directories >specified. Is this also because I am not using an image as well? > >GREP >Also, I have a general linux question. Is there a way to speed up >grep? I am searching the unallocated/slack space and it is taking forever >. . . here is the command I am using: > tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja /dev/hda1 > > grephits.txt > >I would really like to use TSK - just need these issues addressed. I >really want to use linux. Heaven forbid purchasing a windows forensic >software package. > >Thanks so much in advance. > >Brian > |
|
From: Alan <ts...@as...> - 2005-03-16 01:48:54
|
Brian, I am not sure whether you can import a /dev file into Autopsy. But I do know all dead forensics analysis methodologies I've read import the image, not raw devices like /dev/hda1. I do not know the answer to your question re grep. Alan At 19:05 3/15/2005, you wrote: >Hi, I am new to Linux and have a lot of questions. Any help is HUGELY >appreciated . . . here is what I am trying to do. >IMAGING >I need to image a 17 Gig hard drive that is FAT32 (has Windows ME on it). >I am using the TSK bootable cd to do the imaging. My target drive is a >FAT32 formatted hard disk that is partitioned several times - All FAT32. I >am using the following command: > >dcfldd if=/dev/hda1 of=/mnt/hdb1/image.dd conv=noerror,sync hashwindow=0 >hashlog= hash.txt > >This stops after 2 Gigs of copying due to the FAT32 file size limit being >exceeded. How do I get around this? Is it even possible with any >filesystem to create a 17 Gig image file? Would I use a formatted ext3 >file system? > >What is the advantage of imaging a drive over just cloning it? In other >words, why would I want to create an image as opposed to a bit-for-bit >copy of one drive to another? Does it allow the forensic analyses to be >performed quicker? >Also, why wouldn't I use bs=8k as opposed bs=512? > >AUTOPSY >Because of the file size limit, I created a bit for bit clone of the disk, >from which I am attempting to use TSK forensic tools (which may or may not >be the correct approach). >So with that, I began using autopsy. I added a new case. Gave it a host >name of 192.168.1.1 and timezone of PST. I then added an image location >of /dev/hda1, symlink as the import method, fstype of fat32, mounting >point of /mnt/hda1, and ignore md5. Is this a correct setup? With this >setup I began to use the autopsy tools with the following results: > >-The keyword search didn't work - is this because I am using /mnt/hda1 >instead of an image file? Does this version of autopsy work using /mnt/hda1? >-The sorter also did not work. No output files in the directories >specified. Is this also because I am not using an image as well? > >GREP >Also, I have a general linux question. Is there a way to speed up >grep? I am searching the unallocated/slack space and it is taking forever >. . . here is the command I am using: > tr '[:cntrl:]' '\n' < /dev/hda1 | grep -aib tonja /dev/hda1 > > grephits.txt > >I would really like to use TSK - just need these issues addressed. I >really want to use linux. Heaven forbid purchasing a windows forensic >software package. > >Thanks so much in advance. > >Brian > |
|
From: Brian C. <ca...@sl...> - 2005-03-16 03:46:08
|
On Mar 15, 2005, at 7:05 PM, Brian Starr wrote: > > AUTOPSY=A0 > Because of the file size limit, I created a bit for bit clone of the=20= > disk, from which I am attempting to use TSK forensic tools (which may=20= > or may not be the correct approach). > So with that, I began using autopsy.=A0 I added a new case.=A0 Gave it = a=20 > host name of 192.168.1.1 and timezone of PST.=A0 I then added an image=20= > location of /dev/hda1, symlink as the import method, fstype of fat32,=20= > mounting point of /mnt/hda1, and ignore md5.=A0 Is this a correct=20 > setup?=A0 With this setup I began to use the autopsy tools with the=20 > following results: The image location should be the name of the file that you create using=20= 'dd' (or similar tool). The mounting point is the location where the=20 file system originally existed (i.e. C:\ or '/usr/'). It is cosmetic=20 only. > =A0-The keyword search=A0didn't work=A0- is this because I am using=20 > /mnt/hda1 instead of an image file?=A0 Does this version of autopsy = work=20 > using /mnt/hda1? Can you be more specific about how it didn't work? Did you run autopsy=20= in live analysis mode or just with (./autopsy)? > -The sorter also did not work.=A0 No output files in the directories=20= > specified.=A0 Is this also because I am not using an image as well? Are sure it completed? It takes a while. There should be an=20 index.html file that lists how many files existed, how many were=20 ignored, and which were put into different categories. brian |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X