I've just rejoined this list, so I missed the original post.
Assuming the filesystems etc are ok, you have a few options.
I noticed while helping someone use another linux-based forensics tool
that it uses the linux kernel 'raid' infastructure to achieve this,
basic summary is:
1. create a loop device for each segment containing parts of the
desired partition, possible providing an offset if required into the
first section to make it start at the start of the filesystem.
2. put them all together with a 'linear' raid array using the linux
kernels 'md' raid subsystem.
Then I presume you could point sk at the raid device (eg. /dev/md0)
which would represent the desired partition.
BIG DISCLAIMER:
I havent done this personally, it may be more complicated than I just
described, In particular I would think that a signature of some kind
might be written to the segments when you create the array, this is
probably an option, so be very careful you know what you are doing if
you choose this approach. Futhermore, I personally think its a bit of
a dangerous choice for a forensics tool to be doing all this stuff as
root using the OS kernel.
Which leads me to another approach. pyFLAG (pyflag.sf.net) uses an IO
Subsystem abstraction to deal with split images (as well as RAID,
Encase, and other file formats). An exciting new tool in flag is
called 'iowrapper', it works by using LD_PRELOAD to load its own file
operations (read, seek, etc) before libc, thus overriding them and
applying the IO Subsystem abstraction. It therefore allows you to use
any unmodified binary program on your 'reconstructed' virtual image
transparently. More details can be found in the pyflag source, but
here's an example of how might use it with 'fls':
export LD_PRELOAD=./libs/libio_hooker.so
./bin/iowrapper -i advanced -o
offset=32256,file=part1.dd,file=part2.dd,file=part3.dd ./bin/fls -r
foo.dd
This is pretty new code and I cannot guarantee it will work for you,
if you wish to try you will need the latest pyflag sources from the
'darcs' repository, details for grabing it are at pyflag.sf.net. This
tool is not in any actual release versions of pyflag, but will be in
the next release.
hope this helps,
Dave
On Wed, 15 Dec 2004 18:57:41 -0500, Brian Carrier <ca...@sl...> wrote:
>
> On Dec 15, 2004, at 10:24 AM, Benjamin J. Weiss wrote:
> > I'm working on a disk image now with damaged partition/file allocation
> > tables. Any idea when the disk-image Autopsy will be ready? :)
>
> If the partition table and file system are damaged, then v2 of TSK will
> not help. It only processes that data that exists.
>
> brian
>
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://productguide.itmanagersjournal.com/
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
|
