Thread: [sleuthkit-users] problem to image
From: philippe J. <ph....@ab...> - 2004-11-12 10:37:16
Hello,

I'm coming back into this list after a year :-)

And I have a question. I'm trying to image on Mac OS X to use Autopsy. Autopsy is working well but:

- I can't image a USB drive:

  Ordinateur-de-moi:/Volumes/PHIL_USB moi$ dd if=/dev/disk2s1 of=/Users/moi/image_clefusb/image_clefusb.img
  dd: /dev/disk2s1: Device busy

How can I change this?

Thank you very much. I usually use Autopsy on a Linux system, and I'm discovering Mac OS X... hum, some changes...

Philippe Jarlov
France
From: Michel R. <mi...@ro...> - 2004-11-12 10:50:54
Philippe Jarlov wrote:
> Hello,
>
> I'm coming back into this list after a year :-)
>
> And I have a question. I'm trying to image on Mac OS X
> to use Autopsy. Autopsy is working well but
>
> - I can't image a USB drive:
> Ordinateur-de-moi:/Volumes/PHIL_USB moi$ dd if=/dev/disk2s1
> of=/Users/moi/image_clefusb/image_clefusb.img
> dd: /dev/disk2s1: Device busy
>
> How can I change this?

Hi Philippe,

Maybe you have to unmount your USB key, as I did below:

  bonite:~ root# df
  Filesystem    512-blocks    Used    Avail  Capacity  Mounted on
  .
  .
  .
  /dev/disk1s1      127176   86932    40244       68%  /Volumes/NO NAME
  bonite:~ root# dd if=/dev/disk1s1 of=~kato/image_clefusb.img
  dd: /dev/disk1s1: Device busy
  bonite:~ root# umount /Volumes/NO\ NAME/
  bonite:~ root# dd if=/dev/disk1s1 of=~kato/image_clefusb.img
  127456+0 records in
  127456+0 records out
  65257472 bytes transferred in 123.628805 secs (527850 bytes/sec)
  bonite:~ root#

> Thank you very much. I usually use Autopsy on a Linux system, and
> I'm discovering Mac OS X... hum, some changes...
>
> Philippe Jarlov
> France

Michel Roukine
From: philippe J. <ph....@ab...> - 2004-11-12 12:52:19
Michel Roukine wrote:
>
> Hi Philippe,
>
> Maybe you have to unmount your USB key, as I did below:
>
> bonite:~ root# df
> Filesystem    512-blocks    Used    Avail  Capacity  Mounted on
> .
> .
> .
> /dev/disk1s1      127176   86932    40244       68%  /Volumes/NO NAME
> bonite:~ root# dd if=/dev/disk1s1 of=~kato/image_clefusb.img
> dd: /dev/disk1s1: Device busy
> bonite:~ root# umount /Volumes/NO\ NAME/
> bonite:~ root# dd if=/dev/disk1s1 of=~kato/image_clefusb.img
> 127456+0 records in
> 127456+0 records out
> 65257472 bytes transferred in 123.628805 secs (527850 bytes/sec)
> bonite:~ root#

Thank you very much Michel, it is working well now with this umount.

Could you tell me what kind of options I must use to use this .img with Autopsy now, or is there documentation on how to use Autopsy with Mac OS X?

Philippe (and I hope that's all ;-)
From: Michel R. <mi...@ro...> - 2004-11-12 13:51:50
> Thank you very much Michel, it is working well now with this umount.
>
> Could you tell me what kind of options I must use to use this .img
> with Autopsy now, or is there documentation on how to use Autopsy
> with Mac OS X?

If it is a USB key, I think its file system is FAT, so you just have to specify "fat" as the file system type in the "add a new image" page. But I do not know if there is specific documentation for Autopsy under Mac OS X.

hth
Michel (à la prochaine :^)

> Philippe (and I hope that's all ;-)
>
From: Brian C. <ca...@sl...> - 2004-11-12 14:29:35
On Nov 12, 2004, at 7:57 AM, Philippe Jarlov wrote:
> Michel Roukine wrote:
>
>> Hi Philippe,
>> Maybe you have to unmount your USB key, as I did below:
>
> Thank you very much Michel, it is working well now with this umount.

Alternatively, you can use the raw device instead of unmounting it (i.e. /dev/rdiskX). Unmounting it is better though because it ensures that the file system is in a clean state.

> Could you tell me what kind of options I must use to use this .img
> with Autopsy now, or is there documentation on how to use Autopsy
> with Mac OS X?

Nothing special is needed as long as you have the latest versions of Autopsy and TSK. OS X used to need a special version of 'strings', but no longer.

brian
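Michel's unmount-then-dd procedure and Brian's raw-device alternative, wrapped in a few pre-flight and post-image checks, as an added example that is not code from this thread or from TSK/Autopsy. It assumes the `mount` output form "/dev/disk1s1 on /Volumes/NO NAME (...)", dd's three-line "records in / records out / bytes transferred" summary shown above, a 512-byte block size, and hypothetical helper names of my own.

```bash
#!/bin/bash
# Added example, not from the thread. Checks around dd imaging on Mac OS X:
# refuse to read a mounted filesystem, read the raw device, and confirm from
# dd's own summary that the image is complete. Assumes `mount` prints
# "/dev/disk1s1 on /Volumes/NO NAME (...)" and dd prints its usual summary.

# /dev/diskNsM -> /dev/rdiskNsM, the raw (character) device Brian mentions.
raw_device() {
    printf '%s\n' "$1" | sed 's#^/dev/disk#/dev/rdisk#'
}

# is_mounted DEVICE [MOUNT_TABLE]: succeed if DEVICE is listed as mounted.
# MOUNT_TABLE is text in `mount` format; defaults to the live table.
is_mounted() {
    local dev="$1" table="${2:-$(mount)}"
    printf '%s\n' "$table" | grep -q "^$dev on "
}

# verify_dd_summary SUMMARY [BS]: succeed only if dd read and wrote the same
# number of records, saw no partial record, and transferred records*BS bytes
# (the thread's 127456 records * 512 = 65257472 bytes).
verify_dd_summary() {
    local summary="$1" bs="${2:-512}" recs_in recs_out bytes
    recs_in=$(printf '%s\n' "$summary" | awk '/records in/  {print $1}')
    recs_out=$(printf '%s\n' "$summary" | awk '/records out/ {print $1}')
    bytes=$(printf '%s\n' "$summary" | awk '/bytes transferred/ {print $1}')
    [ -n "$recs_in" ] && [ "$recs_in" = "$recs_out" ] || return 1
    [ "${recs_in#*+}" = "0" ] || return 1               # no short record
    [ "$bytes" -eq $(( ${recs_in%+*} * bs )) ] 2>/dev/null
}

# image_device DEVICE IMAGE: the thread's workflow with the checks above.
# Needs root and a real Mac OS X device; not exercised by the test.
image_device() {
    local dev="$1" img="$2" summary
    if is_mounted "$dev"; then
        echo "$dev is mounted; umount its volume first" >&2
        return 1
    fi
    # dd writes its summary to stderr, so capture both streams.
    summary=$(dd if="$(raw_device "$dev")" of="$img" bs=512 2>&1) || return 1
    verify_dd_summary "$summary" 512 || { echo "incomplete image" >&2; return 1; }
    printf '%s\n' "$summary"
}
```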
From: philippe J. <ph....@ab...> - 2004-11-12 14:51:58
Brian Carrier wrote:
>
> On Nov 12, 2004, at 7:57 AM, Philippe Jarlov wrote:
>
>> Michel Roukine wrote:
>>
>>> Hi Philippe,
>>> Maybe you have to unmount your USB key, as I did below:
>
>> Thank you very much Michel, it is working well now with this umount.
>
> Alternatively, you can use the raw device instead of unmounting it (i.e.
> /dev/rdiskX). Unmounting it is better though because it ensures that
> the file system is in a clean state.

Thank you Brian. I use the USB key for testing. Of course it's better to shut down automount in a real case, or use a drive lock on the hard drive.

> Nothing special is needed as long as you have the latest versions of
> Autopsy and TSK. OS X used to need a special version of 'strings', but
> no longer.

Yes, it is working well, and I have the latest version. So I can now enjoy working on Mac OS X if I need to :-)

Thank you Brian for your work!!

Philippe Jarlov