Hi
Overall I want to use the tool "ewfacquire" on a USB stick.Â
I have set up a forensic work station, a SIFT VM on VirtualBox on a Windows 10 host. Writeblocker OK.
I have enabled USB on virtualbox and can see the USB in SIFT when i run "df -h".
But when I run "fdisk -l" or "lsblk" the USB does not show up.
ewfacquire wont accept commands such as:
$ ewfacquire /media/sf_D_DRIVE/ /home/sansforensics/Documents/A1/
My working hypothesis is that I have to get the USB to show up as partition.Â
I want to use ewfacquire directly from the USB.Â
Any ideas how to proceed?Â
So I find this confusing. Are you trying to take an bit for bit image of the USB stick or are you trying to save a bit fior bit image of another device directly onto the USB stick? You certainily aren't trying to image a USB onto itself, are you?
So a USB stick would normally show up as say /dev/sdc (or sdb or sdd etc.) and any partitions would show as /dev/sdc1 (and possibly sdc2, sdc3 etc but multiple partitions on a USB stick are unusual.)Â The partition may be mounted as:
Filesystem Size Used Avail Use% Mounted on
/dev/sdc1 29G 288K 29G 1% /media/user/Vol_Label
so use teh command:
$ sudo ewfacquire /dev/sdc
Â