I downloaded a file which was supposed to be a "raw" drive image. However, after I downloaded and unzipped on my Harddrive (XP) I ended up with four files labelled
freespace.000-003 😯
This is what I see when I view file w/Qview
http//
I have been told that these were supposed to be "raw" files suitable for FTK, does anyone have any ideawhat the heck is happening here? and how I can fix this
Thanks,
Mike
Use WINHEX to concatenate them?
Hi,
I'm running XP/FTK, not Unix, so the cat command would not likely work, correct?
Mike
Unless you have a *nix shell (lots available), no. Cat is not native to Wondows.
Highly recommend UnxUtils, I have it installed on all my XP machines and added the install directory to my $PATH variable.
Seriously?? Linux is the only answer? The church of Pingu have once more not failed to amuse me greatly.
There is a DOS command (been around for donkey's years, pre-dates Linux (prob not Unix before anyone starts)) that will do exactly what you require, no installing pseudo Linux applications, no booting an alternate OS. It's called… wait for it…. COPY.
copy test1.doc+test2.doc test3
I may not have the syntax exactly correct, google is your friend.
Yours, chuckling,
Crutey
You are quite right. It's been a while.
Seriously?? Linux is the only answer? The church of Pingu have once more not failed to amuse me greatly.
There is a DOS command (been around for donkey's years, pre-dates Linux (prob not Unix before anyone starts)) that will do exactly what you require, no installing pseudo Linux applications, no booting an alternate OS. It's called… wait for it…. COPY.
copy test1.doc+test2.doc test3
I may not have the syntax exactly correct, google is your friend.
Yours, chuckling,
Crutey
ahhh …the good old DOS concatenate.
Thats was pretty much right, but you forgot the /b for binary files though )
Nobody else uses WINHEX to do this? I ask because I'm a student and we use WINHEX a lot especially to concatenate raw files from wireshark carving, but it doesn't seem like my answer was well received. Do you pros not use WINHEX very often or was I just way off base in regards to the OP's problem? Please, don't misunderstand and think I'm patronizing, I'm truely here to learn.
Winhex is a great tool and I'm sure would be good for the investigation side of things, but it seems that all thats needed here is to create one big file out of several small ones so he can use FTK, which can be easily done on the commandline without having to fork out for a winhex licence.
Looks like whoever created the image in question output all un-allocated space to a single file and split that file at 670MB (CD Size).
The real problem is going to be that once you start investigating the file, you can only give locations of keyword hits/data of interest as offsets within the file as apposed to the actual sectors they originated from.
Encase shows unallocated as one big chunk of data, so has the same problem if you export it. FTK's method seems to be to split unallocated data into logical chunks depending on where it hits the next allocated block, so unallocated space appears as numurous files of varying sizes …which is also pretty messy if you ask me.