Disk image in TSK

Disk image in TSK

Edward Diener
What are the disk image formats in TSK ?

I see mention of single and split raw images. To what do these refer ?
Are these files created by the Linux 'dd' command ? What about on other
operating systems such as Windows ?

I also see mention of EWF and AFF. I assume that EWF are images created
by the libewf project and I can see that TSK 4.2.0 supports libewf. What
is needed to support AFF and where would I find more information about it ?

Eddie Diener


------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: Disk image in TSK

Hoyt Harness
Hello Eddie,

You're correct regarding RAW files. RAW can have different extensions other than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes all of those. Single refers to a single disk image file such as someimage.dd, and split refers to a disk image file separated into multiple chunks such as someotherimage.001, someotherimage.002, someotherimage.003, ... Windows doesn't come with an included disk imager as far as I'm aware. RAW and .dd are pretty much considered an industry standard, regardless of the file extension actually used or the examiner's chosen platform.

You're also correct regarding EWF (Expert Witness Format). AFF (Advanced Forensic Format) uses AFFLIB, which can be found here: https://github.com/sshock/AFFLIBv3/releases.

I hope this helps!

Hoyt

--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny, those who don't, ...and those who don't know binary.

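Added example (not from the thread, not TSK code): what "split raw" means in practice is one logical byte stream spread over several segment files, and a reader has to locate the right segment for a given offset and carry a read across a segment boundary. The small C program below models that: it opens base.001, base.002, ... in numeric order, builds a segment table with each file's starting logical offset, and reads across boundaries. The segment files, their names (demo_split.00N) and all function names are constructed for this example; the data is a 16-byte toy "image" written by make_demo_segments().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* Illustrative model of a split raw image (example code, not TSK's raw.c). */
#define MAX_SEGS 16

typedef struct {
    char    path[256];
    int64_t size;
    int64_t start;   /* logical offset of this segment's first byte */
} seg_t;

typedef struct {
    seg_t   seg[MAX_SEGS];
    int     nseg;
    int64_t total;   /* size of the whole logical image */
} split_img_t;

static int64_t file_size(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    fclose(f);
    return (int64_t)n;
}

/* Open base.001, base.002, ... in numeric order until a segment is missing.
 * Zero-padded suffixes are what keep .010 sorting after .009. */
int split_open(split_img_t *img, const char *base) {
    memset(img, 0, sizeof(*img));
    for (int i = 1; i <= MAX_SEGS; i++) {
        seg_t *s = &img->seg[img->nseg];
        snprintf(s->path, sizeof(s->path), "%s.%03d", base, i);
        int64_t sz = file_size(s->path);
        if (sz < 0) break;
        s->size  = sz;
        s->start = img->total;
        img->total += sz;
        img->nseg++;
    }
    return img->nseg > 0 ? 0 : -1;
}

/* Read len bytes at logical offset off, crossing segment boundaries as needed.
 * Returns the number of bytes read (short only at end of image), -1 on error. */
int64_t split_read(const split_img_t *img, int64_t off, uint8_t *buf, int64_t len) {
    if (off < 0 || off > img->total) return -1;
    int i = 0;
    while (i < img->nseg && off >= img->seg[i].start + img->seg[i].size) i++;
    int64_t done = 0;
    while (done < len && i < img->nseg) {
        const seg_t *s = &img->seg[i];
        int64_t local = off + done - s->start;      /* offset inside this segment */
        int64_t want  = len - done;
        if (want > s->size - local) want = s->size - local;
        FILE *f = fopen(s->path, "rb");
        if (!f) return -1;
        if (fseek(f, (long)local, SEEK_SET) != 0) { fclose(f); return -1; }
        size_t got = fread(buf + done, 1, (size_t)want, f);
        fclose(f);
        if ((int64_t)got != want) return -1;
        done += (int64_t)got;
        i++;
    }
    return done;
}

/* Constructed sample: three segments of 8, 6 and 2 bytes (16 bytes total). */
int make_demo_segments(const char *base) {
    const char *chunks[] = { "AAAAAAAA", "BBBBBB", "CC" };
    for (int i = 0; i < 3; i++) {
        char path[256];
        snprintf(path, sizeof(path), "%s.%03d", base, i + 1);
        FILE *f = fopen(path, "wb");
        if (!f) return -1;
        fputs(chunks[i], f);
        fclose(f);
    }
    return 0;
}

void split_demo_cleanup(const char *base, int nseg) {
    for (int i = 1; i <= nseg; i++) {
        char path[256];
        snprintf(path, sizeof(path), "%s.%03d", base, i);
        remove(path);
    }
}

int main(void) {
    split_img_t img;
    uint8_t buf[32];
    if (make_demo_segments("demo_split") != 0 || split_open(&img, "demo_split") != 0) {
        fprintf(stderr, "setup failed\n");
        return 1;
    }
    printf("%d segments, %" PRId64 " bytes total\n", img.nseg, img.total);
    int64_t n = split_read(&img, 6, buf, 6);   /* spans segment 1 -> 2 */
    printf("read %" PRId64 " bytes at offset 6: %.*s\n", n, (int)n, buf);
    split_demo_cleanup("demo_split", img.nseg);
    return 0;
}
```

With a real acquisition you would not write this yourself: the TSK command-line tools accept the segments as multiple image arguments (fls image.001 image.002 ...) and treat single and split raw the same way. The check worth keeping in mind is that the segments are complete and in order: hash the reassembled stream and compare it with the acquisition hash before doing any analysis.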
Re: Disk image in TSK

Edward Diener
On 6/27/2016 3:08 PM, Edward Diener wrote:

> Hello Eddie,
>
> You're correct regarding RAW files. RAW can have different extensions
> other
> than ".dd" also, such as .001, .raw, .img, etc., so saying "RAW" includes
> all of those. Single refers to a single disk image file such as
> someimage.dd, and split refers to a disk image file separated into
> multiple
> chunks such as someotherimage.001, someotherimage.002,
> someotherimage.003,
> ... Windows doesn't come with an included disk imager as far as I'm
> aware.
There is a product called FTK Imager from AccessData which can create
EWF image files.
> RAW and .dd is pretty much considered an industry standard, regardless of
> the file extension actually used or the examiner's chosen platform.
I will investigate these on the web.
>
> You're also correct regarding EWF (Expert Witness Format). AFF (Advanced
> Forensic Format) uses AFFLIB, which can be found here:
> https://github.com/sshock/AFFLIBv3/releases.
How do I add support for AFF to TSK if I need it ? The docs don't seem
to mention this.
>
> I hope this helps!
Very helpful. Thanks !

Re: Disk image in TSK

Edward Diener
On 6/27/2016 4:32 PM, Simson Garfinkel wrote:
> I don't recommend using AFF at this point for production purposes.
>
> Why do you want to use it?
I was curious whether it is integrated into TSK or not and, if so, how
was it done ? I actually have little use for it in the project on which
I am working.

Eddie Diener

Re: Disk image in TSK

Hoyt Harness
Simson is the man behind AFF and he has the authoritative opinion on this, together with Michael Cohen and Bradley Schatz. They're working on AFF4 currently and, based on what he said, it doesn't sound like that's ready yet. Previous versions of AFF are deprecated.

Once it's ready, TSK would need to be compiled against the AFF4 library similar to the way it's done using libewf. For what it's worth, I've been tinkering around this past month compiling TSK against the latest version of AFF4 from Github resulting in errors. You can experiment with it as well if you'd like, but I'd wait until the AFF4 guys have a stable release they're happy with.

Otherwise, here's more detailed information: http://forensicswiki.org/wiki/AFF4

...and here's AFF4 on Github (read the README.md, then find the releases): https://github.com/google/aff4


Hoyt
--
Hoyt
-----------------
There are 11 kinds of people - those who think binary jokes are funny, those who don't, ...and those who don't know binary.

Re: Disk image in TSK

Simson Garfinkel-3
It's pretty easy to add support for new file formats to TSK. You just add it to the img_open_table() in img_types.c, add the bitfields to TSK_IMG_TYPE_ENUM in tsk_img.h, and update img_open.c. Try this search to see all the places that AFF is referenced:

The issue with AFF is that version 3 doesn't offer compelling features over EWF. Version 4 does, but as others have said, it isn't ready for general use yet.

Simson
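Added example (not from the thread, and not TSK's img_types.c / tsk_img.h / img_open.c): a self-contained C model of the three pieces Simson lists, so you can see how they fit together before reading the real source. It has an enum of image types used as bit flags (so "raw" can cover both single and split), a table mapping the -i type name to those flags, and an open routine that either honours an explicit type or sniffs one from the first bytes and refuses formats whose library was not compiled in. Every name and numeric value here is illustrative; the "aff" row is marked unavailable to model a TSK built without AFFLIB. The EWF signature is the real 8-byte magic at the start of an E01 segment file; raw images have no magic, so anything unrecognised falls back to raw. The two sample headers are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Example model of a TSK-style image-type table. Not TSK source;
 * names, values and the 'available' flag are assumptions for this page. */

enum img_type {
    IMG_DETECT    = 0x00,                       /* caller asked us to sniff */
    IMG_RAW_SING  = 0x01,
    IMG_RAW_SPLIT = 0x02,
    IMG_RAW       = IMG_RAW_SING | IMG_RAW_SPLIT,
    IMG_EWF       = 0x04,
    IMG_AFF       = 0x08,
    IMG_UNSUPP    = 0xFFFF
};

typedef struct {
    const char   *name;       /* what the user passes to -i */
    enum img_type code;
    const char   *desc;
    int           available;  /* 1 if the backing library was compiled in */
} img_type_entry;

/* Adding a format means adding one row here (plus its open function).
 * 'available' stands in for the #ifdef HAVE_LIBxxx guards of a real build. */
static const img_type_entry img_open_table[] = {
    { "raw", IMG_RAW,    "Single or split raw file (dd)",     1 },
    { "ewf", IMG_EWF,    "Expert Witness Format (EnCase)",    1 },
    { "aff", IMG_AFF,    "Advanced Forensic Format (AFFLIB)", 0 },
    { NULL,  IMG_UNSUPP, NULL,                                0 }
};

enum img_type img_type_toid(const char *name) {
    for (const img_type_entry *e = img_open_table; e->name != NULL; e++)
        if (strcmp(name, e->name) == 0)
            return e->code;
    return IMG_UNSUPP;
}

int img_type_available(enum img_type t) {
    for (const img_type_entry *e = img_open_table; e->name != NULL; e++)
        if (e->code & t)      /* bit test, so IMG_RAW_SPLIT matches the "raw" row */
            return e->available;
    return 0;
}

/* E01 segment files begin with this signature. Raw has no magic. */
static const uint8_t EWF_MAGIC[8] = { 'E', 'V', 'F', 0x09, 0x0d, 0x0a, 0xff, 0x00 };

enum img_type img_type_detect(const uint8_t *hdr, size_t n, int nfiles) {
    if (n >= sizeof EWF_MAGIC && memcmp(hdr, EWF_MAGIC, sizeof EWF_MAGIC) == 0)
        return IMG_EWF;
    return nfiles > 1 ? IMG_RAW_SPLIT : IMG_RAW_SING;
}

/* Resolve what to open: explicit type name (NULL = detect), then refuse
 * anything whose library is not compiled in. Returns 0 and sets *out, else -1. */
int img_open_resolve(const char *type_name, const uint8_t *hdr, size_t n,
                     int nfiles, enum img_type *out) {
    enum img_type t = type_name ? img_type_toid(type_name) : IMG_DETECT;
    if (t == IMG_UNSUPP) return -1;
    if (t == IMG_DETECT) t = img_type_detect(hdr, n, nfiles);
    if (!img_type_available(t)) return -1;
    *out = t;
    return 0;
}

/* Constructed sample headers: a genuine EWF signature and an arbitrary
 * boot-sector-looking raw prefix. */
const uint8_t SAMPLE_EWF_HDR[8] = { 'E', 'V', 'F', 0x09, 0x0d, 0x0a, 0xff, 0x00 };
const uint8_t SAMPLE_RAW_HDR[8] = { 0x33, 0xc0, 0x8e, 0xd0, 0xbc, 0x00, 0x7c, 0x8e };

int main(void) {
    enum img_type t;
    const char *tries[] = { "raw", "ewf", "aff", "vhd" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        int rc = img_open_resolve(tries[i], SAMPLE_RAW_HDR, sizeof SAMPLE_RAW_HDR, 1, &t);
        printf("-i %-4s -> %s\n", tries[i], rc == 0 ? "ok" : "unsupported or not compiled in");
    }
    if (img_open_resolve(NULL, SAMPLE_EWF_HDR, sizeof SAMPLE_EWF_HDR, 1, &t) == 0)
        printf("autodetect -> %s\n", t == IMG_EWF ? "ewf" : "raw");
    return 0;
}
```

The point of the bit-flag enum is the "raw" row matching both the single and split cases, which is why a split raw image needs no separate type name from the user. The point of the 'available' check is the failure mode Eddie ran into: a type can be listed in the table while the library that opens it was never linked in, and a good open routine says so rather than falling through to raw.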