image acquisition best practice?

Hello,

I was reading the other day that I could use a squashfsf to reduce the size of my dd images in order to be able to store more images on a single disk.

WHERE did you read that? ?

jaclaz

I'm not sure of the syntax of mksquashfs but could you not use Xargs to concatenate the two commands ?

http//www.linuxleo.org/Docs/linuxintro-LEFE-3.78.pdf

Look at page 87 for an alternative that may work.

http//www.linuxleo.org/Docs/linuxintro-LEFE-3.78.pdf

Look at page 87 for an alternative that may work.

But how would you check the contents of the gzipped archive without extracting/expanding them?

You can also use the dd for Windows that has gzip and also "lznt1" conversion enabled
http//gmgsystemsinc.com/fau/

But it won't change the fact that the result is a compressed archive and not a filesystem.

Maybe using some FUSE based thingies?
http//sourceforge.net/apps/mediawiki/fuse/index.php?title=ArchiveFileSystems

jaclaz

For those linux gurus out there, is there a way to pipe the output of dd into mksquashfs to combine the process of taking the dd image with the compressing of that image?

The man page should tell you that. As far as I can find, mksquashfs is invoked with a series of source files/directories as input and a single destination as output. That is, it does not work with pipes … which makes sense if you read the description closely.

So … the answer is no.

I tried dd if=/dev/sda | mksquashfs > dd.squash

How about using gzip or bzip2 instead? If you tried, why don't they work? I imagine they probably won't handle media-full conditions very well on their own, for one thing.

For those linux gurus out there, is there a way to pipe the output of dd into mksquashfs to combine the process of taking the dd image with the compressing of that image?

The man page should tell you that. As far as I can find, mksquashfs is invoked with a series of source files/directories as input and a single destination as output. That is, it does not work with pipes … which makes sense if you read the description closely.

So … the answer is no.

I tried dd if=/dev/sda | mksquashfs > dd.squash

How about using gzip or bzip2 instead? If you tried, why don't they work? I imagine they probably won't handle media-full conditions very well on their own, for one thing.

The problem I have with using gzip or bzip2 is that while I can store more images, with my limited diskspace currently, I can't unzip one of the bigger images and examine it.

Unless… is there a way to mount a gzip or bzip2 file as a read-only loop device…?

Why are you not using E01 or AFF files then? You can make images with DD, then use FTK Imager, or ewf_convert (I think the name is) to convert them to E01 format. I would be surprised if there wasn't an AFF equivalent.

You are trying to force non-forensic tools into a space that can better be filled with forensic tools.

I am just in the learning stages of this field, and have a $0.00 budget for software/hardware. So admittedly, I am just trying to figure out the best way to do stuff with opensource tools on my current hardware.

In addition, I am not sure how accessible some of these forensics tools are to someone who is blind.

also my "forensics" workstation is a laptop running ubuntu 11.4 and while it seems like there are more "standard forensics tools" on windows, I would prefer to stick with linux for now.

ewf_convert can easily be gotten on Ubuntu, I believe it is in the libewf package. AccessData has a command line version of FTK Imager, so you could use that for Linux or Windows, if you are imaging a live Windows machine. I can't testify as to what formats it puts out, however.

All of the above is free.

As for being blind. I do not know of anyone who is blind in this business, not that I know alot of people either. I have wondered if I could pursue this career if I lost sight. As such, I think it would be an interesting paper to read on how you overcame the obstacles in a very sight-orientated profession.