logical disk images and imaging directories
840 views
Skip to first unread message
Marisa Bruhns
Mar 14, 2014, 11:49:00 AM3/14/14
to bitcurat...@googlegroups.com
Hello,
I am hoping to forgo use of FTK Imager in favor of using Guymager within the Bitcurator environment. It would make our workflow smoother and be one less tool to maintain.
There are two things I was able to do in FTK Imager, however, that I do not see a way to do in Guymager:
1) Is it possible to just create a logical disk image?
2) Is it possible to image a directory of files stored on a server, not on physical media?
Many thanks,
Marisa Bruhns
Digital Preservation Archivist
MIT Lincoln Laboratory
I am hoping to forgo use of FTK Imager in favor of using Guymager within the Bitcurator environment. It would make our workflow smoother and be one less tool to maintain.
There are two things I was able to do in FTK Imager, however, that I do not see a way to do in Guymager:
1) Is it possible to just create a logical disk image?
2) Is it possible to image a directory of files stored on a server, not on physical media?
Many thanks,
Marisa Bruhns
Digital Preservation Archivist
MIT Lincoln Laboratory
Porter Olsen
Mar 14, 2014, 3:40:48 PM3/14/14
to bitcurat...@googlegroups.com
Hi Marisa,
Unfortunately Guymager only works with physical drives and using forensics disk images. I'm going to run this one by Guy, however, and see if there are any backend tools that might be able to complete one or both of those tasks. Porter
--
You received this message because you are subscribed to the Google Groups "BitCurator Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcurator-use...@googlegroups.com.
To post to this group, send email to bitcurat...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/d9bdb407-5d6d-4d7e-918b-45c9ed0b0ae6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Kam Woods
Mar 14, 2014, 4:24:35 PM3/14/14
to bitcurat...@googlegroups.com
Some additional clarification -
Guymager depends on the libewf open source library to produce forensic disk images. The libewf code has read-only support for L01 images (the logical evidence format used by EnCase), so there is no change the author of Guymager could make, currently, to add support for writing out such containers.To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/CAHhETMXNkyXZqKU8KHFRSSPvK79TByeSmhgfTQtKyan1913Acw%40mail.gmail.com.
Porter Olsen
Mar 19, 2014, 5:23:44 PM3/19/14
to bitcurat...@googlegroups.com
Hi Marisa,
I emailed Guy about logical disk images and his response was pretty close to Kam's. That is, it's a question of standards and their support in the various libraries that facilitate disk imaging. Here's his response in full: "In deed, Guymager does not support logical images. I'm not sure if I'll support this in future because I have no precise idea how it could be done. L01 format is not a standard (and Joachim Metz only provides read support in his libs). X-Ways has its containers - again, not a standard - and they change the file format more often than others their underwear.
The question is: Where are the standards for the forensic world? The EWF (E01) format only became a kind of standard because great Joachim Metz reverse-engineered the whole thing. The only standard that really exists probably is the good old raw dd format.
A workaround might be (though a lot of work):
- Create a file of about the size you need, filled with zeros (with dd, for example). A sparse file also is ok, as it gets created faster and the non-used area will anyway result in zero bytes being returned when trying to read such an area.
- Put a file system on it, preferrably the same than the one found on the source disk; mount the file system.
- Find a program that copies files with meta data 1:1 from source to your file partition. This would need some testing in order to find such a program.... no idea what could the job.
- Unmount the file system. Add the file as special device into Guymager and image it.
It's probably faster to image the whole disk...."
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/CAAOjFxDysQDTDc8i4Yku%2B0X13u8Wz%3DAapC2S5GJx4WK0_kQK6A%40mail.gmail.com.
Marisa Bruhns
Mar 20, 2014, 7:37:54 AM3/20/14
to bitcurat...@googlegroups.com
Hi,
Thank you, I appreciate all the information whether I like it or not! I understand the considerations around the logical disk image formats, which is why we are only using them as a part of our submission and ingest processes not as any long-term preservation solution. We continue to periodically re-evaluate whether creating forensic disk images makes sense for our collections, so it is always good to hear more perspectives.
While there are aspects of Bitcurator that I wish did not require forensic disk images so we could use them on all our transfers, luckily the two tools most critical to our workflow, Bulk Extractor and Identify Duplicates, can be executed on directories. I hope there is no intention to change that going forward! I do not think our organization is alone in that not all our digital records are transferred to the Archives via physical storage media that can be forensically imaged. Even if we cannot use the full functionality, Bitcurator has been a great addition to our tool set. Thank you so much to everyone who has and is contributing to its development.
Kind regards,
Marisa
Thank you, I appreciate all the information whether I like it or not! I understand the considerations around the logical disk image formats, which is why we are only using them as a part of our submission and ingest processes not as any long-term preservation solution. We continue to periodically re-evaluate whether creating forensic disk images makes sense for our collections, so it is always good to hear more perspectives.
While there are aspects of Bitcurator that I wish did not require forensic disk images so we could use them on all our transfers, luckily the two tools most critical to our workflow, Bulk Extractor and Identify Duplicates, can be executed on directories. I hope there is no intention to change that going forward! I do not think our organization is alone in that not all our digital records are transferred to the Archives via physical storage media that can be forensically imaged. Even if we cannot use the full functionality, Bitcurator has been a great addition to our tool set. Thank you so much to everyone who has and is contributing to its development.
Kind regards,
Marisa
Kam Woods
Mar 20, 2014, 9:38:55 AM3/20/14
to bitcurat...@googlegroups.com
Marisa,
A heads up: we've removed the old duplicate identification tools from 0.8.0, and replaced it with a tool that has the same functionality (and more), but is much faster (and warns you if you try to delete anything). It's called FSLint, and it's in the "Forensics Tools" folder on the Desktop for convenience (although it is not strictly a forensics tool).--
You received this message because you are subscribed to the Google Groups "BitCurator Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcurator-use...@googlegroups.com.
To post to this group, send email to bitcurat...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/33cf8cb2-7501-45c9-ac61-b47938c77720%40googlegroups.com.
Marisa Bruhns
Mar 20, 2014, 10:22:45 AM3/20/14
to bitcurat...@googlegroups.com
Hi Kam,
Thank you for the heads up! I must have missed that on the roadmap. I was actually considering holding off for a bit on upgrading again, but you just changed my mind.
All the best,
Marisa
Thank you for the heads up! I must have missed that on the roadmap. I was actually considering holding off for a bit on upgrading again, but you just changed my mind.
All the best,
Marisa
Reply all
Reply to author
Forward
0 new messages