Forensics tools for disk image / individual directory


Y H

Jun 21, 2016, 7:04:22 PM
to BitCurator Users
Hi, All, 

I have used and checked the tools available in the "Forensics tools" folder.

It seems to me that these tools were designed/used with the assumption of "disk image/floppy image files" for all. For example, "BitCurator Reporting Tool" requires an image file to output. So does "Bulk Extractor Viewer" (BEViewer).

I know that many tools in the "Forensics tools" folder work with directories and files as well. These tools are FsLint, pyExifTool, FITS, and Bagger.

So here is my issue:
If I have a 1TB hard disk only containing a directory of 10 GB files, I will waste a lot of space to make a disk image of this 1TB hard disk. If I simply just use "-a" to copy over the directory, then certain tools in the "Forensics tools" folder will not work this way. So what is your opinion on this case?

Thanks,

Yan
The University of Arizona Libraries

Kam Woods

Jun 22, 2016, 11:11:50 AM
to bitcurat...@googlegroups.com
The BitCurator Reporting Tool requires a disk image as input (since it uses fiwalk, among others) but bulk_extractor / BEViewer can process directories of files. The option is at the very top of the interface when you select "Run bulk_extractor".

A 1TB disk containing 10GB of files (and otherwise zero'd-out) will result in a 10GB (or smaller) disk image when creating an EWF or AFF image, at the default lossless compression rates. Of course, you still have to *read* all the blocks initially to know whether they're zero or non-zero. Only when you're creating a raw image will you get a 1TB image (mostly full of empty data).

Kam
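
Added example, not part of the original thread and not BitCurator's own code: a Python model of the point in the reply above, that a mostly zeroed disk compresses to roughly the size of its data while every block still has to be read. The 32 KiB chunk size, the zlib level and the in-memory sample disk are assumptions made for the illustration; no real EWF or AFF writer is invoked.

```python
import io
import random
import zlib

CHUNK_SIZE = 32 * 1024  # assumed chunk size for this model


def survey_image(stream, chunk_size=CHUNK_SIZE, level=1):
    """Read every chunk of a raw stream; tally zero chunks and compressed size."""
    stats = {"bytes_read": 0, "zero_chunks": 0, "data_chunks": 0,
             "compressed_bytes": 0}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        stats["bytes_read"] += len(chunk)
        # A chunk has to be read in full before we know whether it is empty.
        if chunk.count(0) == len(chunk):
            stats["zero_chunks"] += 1
        else:
            stats["data_chunks"] += 1
        # Chunk-wise lossless compression: zero chunks shrink to a few bytes.
        stats["compressed_bytes"] += len(zlib.compress(chunk, level))
    return stats


def build_sample_disk(total=4 * 1024 * 1024, used=256 * 1024,
                      offset=1024 * 1024):
    """Constructed sample: a zeroed 'disk' holding one run of random file data."""
    rng = random.Random(0)  # fixed seed so the run is repeatable
    payload = rng.getrandbits(8 * used).to_bytes(used, "little")
    disk = bytearray(total)
    disk[offset:offset + used] = payload
    return bytes(disk)


def demo():
    """Survey the constructed sample disk and return the statistics."""
    return survey_image(io.BytesIO(build_sample_disk()))


if __name__ == "__main__":
    s = demo()
    print("raw size (all of it read):", s["bytes_read"])
    print("zero chunks / data chunks:", s["zero_chunks"], "/", s["data_chunks"])
    print("compressed size estimate: ", s["compressed_bytes"])
```

To survey a real raw image, pass a file opened in binary mode to `survey_image` instead of the constructed sample.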



Y H

Jun 22, 2016, 7:45:51 PM
to bitcurat...@googlegroups.com
Great info. Thanks much. Kam