Hello Again,
Hi David, I hope you aren't upset re our misunderstanding - I believe you misunderstood and we'll leave it at that - maybe a bad day for both of us. Yes, the files came from an exercise CD from the forensics course I'm trying to finish, so hopefully there should be no antiforensic code in there. We've only used FTK on the last part of the course (having used low level DOS type tools up until now), so some of this is new to me. I recall using these kinds of files before (obviously not using them enough) but also not having this kind of trouble simply getting them unzipped and imported into FTK. One thing also is that I confused the "freespace" file names with "freesecs", which is the low level software we use to recover unallocated space, so I thought there was some kind of connection.
Also, thanks again Dennis. Does it matter if I save the FTK image to simple directory on my exam machine, or do I need to save to a partition? Or am I best saving to a separate physical HD?
Do you use the Cygwin product?
Mike
For small images the image can be stored anywhere, even on a network drive.
I've used Cygwin, but don't happen to use it for forensics. Mostly perl and ksh development.
DDOW - thanks. One last thing. If I wanted to use a product like FSuite (low level DOS type tools) to verify what FTK tells me re the image in question, would I have to use a product like Ghost to put together the raw files, and then also put them onto a separate clean wiped HD? I'm a bit confused about this.
1. I thought I read somewhere that FSuite type tools can't read raw/Ghost images.
2. Why the need for a separate wiped HD? Why not a simple partition on the exam drive in a Real DOS environment?
Mike
Haven't used FSuite so I can't speak to that. If you wanted to verify FTK, there are a large number of tools that can read raw images. A hex editor is my tool of choice but people use scalpel, strings, or any number of other utilities.
As to the practice of putting images on a wiped HD or partition, that is a good practice. It's especially helpful when using tools that don't read image files the way FTK does, such as those listed above. It ensures the tool isn't looking at past data. Separate wiped HDs are simply easier to manage, especially for concrete thinkers. A lot of folks don't have the habit of wiping their separate partition as often as they should.
Please don't confuse Ghost images with raw, they really aren't the same. Ghost is really intended as a restore facility. Raw images are bit for bit copies of a partition/HD.
Hello Dennis,
Can the above tools (scalpel, strings) read raw images? Because I believe FSuite is similar. If so, what would be a good way (or software) to convert a multi-file raw disk image (after unzipping) to a single disk image file suitable for the above tools? Would something like ISOBuster work?
If the image is simply a RAW image spanned over two or more files, you can recreate the whole image by joining the files together, then you can use a tool like VDK or IMDISK to mount the RAW image as a virtual disk.
Hjsplit
http//
Or a simple
copy /b file1 + file2 + file3 destfile
will do for joining the files.
jaclaz
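The joining step above, as an added Python example that is not from jaclaz's post or from any of the tools named in this thread: it concatenates the segments in natural numeric order (so a segment named evidence.10 is not placed before evidence.2, as a plain alphabetical sort would do), checks that the output size equals the sum of the segment sizes, and hashes the result so the rebuilt image can be compared against a known-good hash before it is mounted or examined. The segment names and contents in demo() are constructed here for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read/write in 1 MiB pieces so large images don't sit in RAM


def natural_key(name):
    # Split "evidence.10" into ["evidence.", 10, ""] so digit runs compare as numbers.
    return [int(t) if t.isdigit() else t.lower() for t in re.split(r"(\d+)", name)]


def join_segments(segment_dir, pattern, dest):
    """Concatenate every file matching `pattern` in `segment_dir` into `dest`,
    in natural order. Returns (segment names in the order used, bytes written)."""
    segments = sorted(Path(segment_dir).glob(pattern), key=lambda p: natural_key(p.name))
    if not segments:
        raise FileNotFoundError(f"no segments matching {pattern!r} in {segment_dir}")
    expected = sum(p.stat().st_size for p in segments)
    written = 0
    with open(dest, "wb") as out:
        for seg in segments:
            with open(seg, "rb") as f:
                for chunk in iter(lambda: f.read(CHUNK), b""):
                    out.write(chunk)
                    written += len(chunk)
    # A size mismatch means a segment was short-read or the set is incomplete.
    if written != expected:
        raise IOError(f"wrote {written} bytes, expected {expected}")
    return [p.name for p in segments], written


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def demo(pieces=12, piece_size=1000):
    # Constructed sample: a fake image split into evidence.1 .. evidence.12.
    data = (bytes(range(256)) * (pieces * piece_size // 256 + 1))[: pieces * piece_size]
    with tempfile.TemporaryDirectory() as d:
        for i in range(pieces):
            Path(d, f"evidence.{i + 1}").write_bytes(data[i * piece_size:(i + 1) * piece_size])
        dest = Path(d, "evidence.dd")
        order, size = join_segments(d, "evidence.[0-9]*", dest)
        # Compare the rebuilt image's hash with the hash of the original data.
        return order, size, sha256_of(dest) == hashlib.sha256(data).hexdigest()
```

In a real case the comparison hash comes from the acquisition record, not from the segments themselves.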
Thanks JACLAZ! People have been really helpful on this site.
Mike