sleuthkit-users

[sleuthkit-users] dd of entire HD

[Paul B. <ba...@fo...>]

=20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

In my knowledge, Autopsy is only able to work with dd images of =
partitions.
(As it is able to mount these via the loop device)

In a case I am handling now I received the image of an entire harddisk.
* Is Autopsy capable of reading this in?
* Is there a tool that can loopback mount the partitions from within the =
hd image?
* Is there a tool that can extract the partitions from the hd image?
  (What to do about unallocated space then (Not partitioned!)? How does =
one investigate
  that using Autopsy?)

Paul Bakker

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPoLSJfjAwPuBNeIlEQLifwCfT2RFEXsrJjLJV0f8YDIDw20NEm8An25o
5a5GS3aSP0cuRn9GtLIM3lxJ
=3D7byL
-----END PGP SIGNATURE-----

Re: [sleuthkit-users] dd of entire HD

[David B. <to...@so...>]

Paul,
since you have the partition table you can 'dd' each partition from the
entire disk (for example dd if=disk of=hda1 bs=1024 count=XX skip=XX)
where count and skip can be obtained from the partition table (or each
extended partition table).

Re: [sleuthkit-users] dd of entire HD

[Brian C. <ca...@ce...>]

The last issue of the Sleuth Kit Informer had an article on splitting
the disk into partitions using 'dd' and 'fdisk'.

	http://sleuthkit.sourceforge.net/informer/sleuthkit-informer-2.html

brian


On Thu, Mar 27, 2003 at 11:28:21AM +0100, Paul Bakker wrote:
>  
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello,
> 
> In my knowledge, Autopsy is only able to work with dd images of partitions.
> (As it is able to mount these via the loop device)
> 
> In a case I am handling now I received the image of an entire harddisk.
> * Is Autopsy capable of reading this in?
> * Is there a tool that can loopback mount the partitions from within the hd image?
> * Is there a tool that can extract the partitions from the hd image?
>   (What to do about unallocated space then (Not partitioned!)? How does one investigate
>   that using Autopsy?)
> 
> Paul Bakker
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1.1
> 
> iQA/AwUBPoLSJfjAwPuBNeIlEQLifwCfT2RFEXsrJjLJV0f8YDIDw20NEm8An25o
> 5a5GS3aSP0cuRn9GtLIM3lxJ
> =7byL
> -----END PGP SIGNATURE-----
> 

RE: [sleuthkit-users] dd of entire HD

[Eagle I. S. <in...@ea...>]

I'm a little confused here.

In the docs it says Autopsy will read a dd image.

So what you guys are saying is that if I take a dd image
of a drive, and have Autopsy look at that image, it can't
see the whole thing?

Do I need to split the drive into images matching the
relative partitions first??

What if there's only one partition on the drive?

Thanks,

Niall.

-----Original Message-----
From: sle...@li...
[mailto:sle...@li...]On Behalf Of Paul
Bakker
Sent: Thursday, March 27, 2003 5:28 AM
To: sle...@li...
Subject: [sleuthkit-users] dd of entire HD



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

In my knowledge, Autopsy is only able to work with dd images of partitions.
(As it is able to mount these via the loop device)

In a case I am handling now I received the image of an entire harddisk.
* Is Autopsy capable of reading this in?
* Is there a tool that can loopback mount the partitions from within the hd
image?
* Is there a tool that can extract the partitions from the hd image?
  (What to do about unallocated space then (Not partitioned!)? How does one
investigate
  that using Autopsy?)

Paul Bakker

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPoLSJfjAwPuBNeIlEQLifwCfT2RFEXsrJjLJV0f8YDIDw20NEm8An25o
5a5GS3aSP0cuRn9GtLIM3lxJ
=7byL
-----END PGP SIGNATURE-----