Capturing Windows System for Sleuthkit Analysis

Hi

What is the best way to capture a Windows system for analysis by Sleuthkit? I have Helix and was going to use a big USB drive as a target. I am worried about the image exceeding the FAT32 file sizes of the drive.

Thanks

Frank

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
Re: Capturing Windows System for Sleuthkit Analysis

If you use a FAT32 drive, then you need to split the image into multiple chunks. But that makes analysis a bit more bothersome.

Helix includes the ntfs-3g driver to write to NTFS as well. To use it you open up a Root Terminal and mount the target drive read/write with something like this:

    mount -t ntfs-3g -o rw /dev/sdb1 /media/sdb1

If it works correctly your drive should be mounted under /media and can take single file images. I forget what the NTFS max file size is, but given the partition limits on MBR style partitions, you're effectively limited to just under 2TB.

On Sat, Oct 31, 2009 at 3:39 PM, <fsheathiii@...> wrote:
> Hi
>
> What is the best way to capture a Windows system for analysis by
> Sleuthkit?
>
> I have Helix and was going to use a big USB drive as a target. I am
> worried about the image exceeding the FAT32 file sizes of the drive.
>
> Thanks
>
> Frank
Re: Capturing Windows System for Sleuthkit Analysis

> What is the best way to capture a Windows system for analysis by
> Sleuthkit?
>
> I have Helix and was going to use a big USB drive as a target. I am
> worried about the image exceeding the FAT32 file sizes of the drive.

As Theodore stated, for writing the image to a FAT32 volume, you can split the image using dd piped to split. I don't see this as particularly cumbersome, given that if your goal is to analyze with TSK, the splits are supported just fine. My problem would be with write speed. Writing a large image to FAT32 is just slow.

In addition to what was already stated, if you are considering doing the analysis with a Linux OS, then just consider formatting the drive ext3 and writing to that. It's faster and the file size limit is far less restrictive. Do you need to be able to read this across platforms?

Barry

/************************************************
Barry J. Grundy
Senior Special Agent
System Intrusion and Network Attack Response Team
Strategic Enforcement Division
Treasury Inspector General for Tax Administration
(202) 283-5915 (w)
(202) 527-5778 (c)
Barry.Grundy@...
*************************************************\
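The "dd piped to split" approach that Theodore and Barry describe, written out as an added example (this is not code from the thread, from Helix, or from The Sleuth Kit). It images a source into segments that each stay under FAT32's per-file limit of 4 GiB minus one byte, then re-hashes the source and the concatenated segments so you can show the copy is complete. The device path, output prefix, 2G default chunk size, the segment-naming scheme and the GNU-specific `split -d` flag are all assumptions; adjust them to your case.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, Helix or TSK): image a
# drive with dd piped into split so that no chunk exceeds FAT32's per-file
# limit (4 GiB minus one byte), then verify the chunks against the source.
# Device paths, chunk size, output prefix and the GNU split -d flag are
# assumptions; adjust them for your case.

# image_split SOURCE PREFIX [CHUNK]
#   SOURCE  block device (e.g. /dev/sda) or file to image
#   PREFIX  path prefix for the chunks, e.g. /media/sdb1/case01/disk.dd
#   CHUNK   split(1) chunk size; the default 2G stays well under FAT32's limit
# Produces PREFIX.0000, PREFIX.0001, ... in order, which is what TSK tools
# expect when the segments are listed on the command line (mmls disk.dd.*).
# bs=512 with conv=noerror,sync keeps offsets intact on a read error: a bad
# sector is zero-filled instead of dropped, and a sector-sized block means no
# padding past the end of a whole-disk source (a regular file whose size is
# not a multiple of 512 would get padded up to the next 512 bytes).
image_split() {
    src="$1"; prefix="$2"; chunk="${3:-2G}"
    mkdir -p "$(dirname "$prefix")" || return 1
    dd if="$src" bs=512 conv=noerror,sync | split -b "$chunk" -d -a 4 - "$prefix."
}

# verify_split SOURCE PREFIX
#   Hashes the source and the concatenation of the chunks, prints both and
#   returns 0 only when they match. This re-reads the source, so keep the
#   evidence drive behind a write blocker while it runs.
verify_split() {
    src="$1"; prefix="$2"
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    img_hash=$(cat "$prefix".[0-9][0-9][0-9][0-9] | sha256sum | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# chunk_count PREFIX: number of segments written, for a quick sanity check.
chunk_count() {
    ls "$1".[0-9][0-9][0-9][0-9] 2>/dev/null | wc -l | tr -d ' '
}

# Usage: sh image_split.sh /dev/sda /media/sdb1/case01/disk.dd [2G]
if [ "$#" -ge 2 ]; then
    image_split "$1" "$2" "${3:-2G}" && verify_split "$1" "$2"
fi
```

Once the segments are on the USB drive, TSK tools take them as a list (for example `mmls /media/sdb1/case01/disk.dd.*` to find the partition offset), so the split costs nothing at analysis time; the cost Barry points at is the FAT32 write speed, which this script does nothing to change.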