Linux BTRFS (Better File System) and BitCurator
80 views
Skip to first unread message
jfarb...@gmail.com
Oct 21, 2024, 12:15:24 PM10/21/24
to BitCurator Users
Hi All,
I am working on disk imaging a computer that runs a software-based artwork at my institution. The computer is a Debian Linux system, and through Disktype, we found out that the main partition on the computer's SSD uses the BTRFS file system.
We created an EWF disk image using Guymager which seemed to work successfully. We tried to run fiwalk on the disk image to create a DFXML file of the contents and received an error message (TSK_error ‘Cannot determine file system type’) presumably when fiwalk tried to read the BTRFS partition. Could the fiwalk error potentially mean that this area of the disk is encrypted? Would there be a way to determine this either on the original computer or by looking at the disk image?
We also tried to mount the EWF file but have so far been unsuccessful. Have others been able to successfully mount BTRFS disk images within BitCurator? If so, do you have any advice?
For reference, I have attached the output of Fiwalk and the output of Disktype, which shows the number of partitions and the BTRFS file system.
Thanks in advance for your advice,
Jonathan
Jonathan Farbowitz (he/him/his)
Associate Conservator of Time-Based Media
Photograph Conservation
212-396-5123
The Metropolitan Museum of Art
1000 Fifth Avenue
New York, NY 10028
@metmuseum
metmuseum.org
Associate Conservator of Time-Based Media
Photograph Conservation
212-396-5123
The Metropolitan Museum of Art
1000 Fifth Avenue
New York, NY 10028
@metmuseum
metmuseum.org
Simson Garfinkel
Oct 21, 2024, 12:45:55 PM10/21/24
to bitcurat...@googlegroups.com
Hi. I’m so glad that I’m on this list now.
Thank you.
TSK currently doesn’t support brtfs, but we have a contribution that does:
I haven’t accepted it because I need a test disk image.
1. Would you be able to release your image to me for testing?
2. Do you have an image that could be made public for public testing?
Thank you.
--
You received this message because you are subscribed to the Google Groups "BitCurator Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcurator-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/2f7de08c-4f86-4f30-9ca1-2978280705ban%40googlegroups.com.
<TR_176a_h_2024_PMx1_fiwalk.xml><Nyen.2024.1_disktype.txt>
Jonathan Farbowitz
Oct 22, 2024, 1:26:32 PM10/22/24
to bitcurat...@googlegroups.com
Hi Simson,
I appreciate the response. It is good news to hear that there is a potential patch. Unfortunately, we are not able to share the disk image that we're working with. I will let you know if we have something else.
Best,
Jonathan
You received this message because you are subscribed to a topic in the Google Groups "BitCurator Users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/bitcurator-users/S6QvL66Dm7U/unsubscribe.
To unsubscribe from this group and all its topics, send an email to bitcurator-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/CC89C3A9-0848-45B2-9CCD-32193A07367A%40gmail.com.
Simson Garfinkel
Oct 28, 2024, 10:04:14 AM10/28/24
to bitcurat...@googlegroups.com
Hi Everyone,
I have now integrated bitrfs into Sleuth Kit. I can create an fiwalk image for anyone who wants it. I would love to get some testing on this before putting it into the main line.
What would be the easiest way to provide a btrfs-enabled fiwalk to the community? Are people technically sophisticated enough to swap the executable?
Regards,
Simson
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcurator-users/CABD-B1z4s%3D%3DUNqhjvB3Xo9uWuVTcbSmQE06BML3AWWL9O31KsQ%40mail.gmail.com.
Jonathan Farbowitz
Oct 29, 2024, 2:43:14 PM10/29/24
to bitcurat...@googlegroups.com
That's wonderful. I am happy to test the updated fiwalk with the image we have internally. By swapping the executable do you mean putting the new copy in a directory like /usr/bin/ or wherever fiwalk is installed?
Best,
Jonathan
To view this discussion visit https://groups.google.com/d/msgid/bitcurator-users/FB7B5070-D341-4C04-97BF-D657E9D35B0E%40gmail.com.
Simson Garfinkel
Oct 29, 2024, 2:43:57 PM10/29/24
to bitcurat...@googlegroups.com
Yes.
To view this discussion visit https://groups.google.com/d/msgid/bitcurator-users/CABD-B1yVTabyf6pRuhNuwq2MoaNm5GHJhPAHMX4WsECA9GMdaQ%40mail.gmail.com.
jfarb...@gmail.com
Nov 8, 2024, 12:34:29 PM11/8/24
to BitCurator Users
Hi Simson,
Could provide more info on which executable file(s) I should download for testing and where I can download them?
Best,
Jonathan
Simson Garfinkel
Nov 8, 2024, 1:17:05 PM11/8/24
to bitcurat...@googlegroups.com
Hi. Do you have the ability to build from sources?
If not, I can make an executable for you.
To view this discussion visit https://groups.google.com/d/msgid/bitcurator-users/44fc38fb-b04d-48bd-8ace-47179ff4053cn%40googlegroups.com.
Jonathan Farbowitz
Nov 12, 2024, 12:02:55 PM11/12/24
to bitcurat...@googlegroups.com
Providing an executable would be great.
Thank you,
Jonathan
To view this discussion visit https://groups.google.com/d/msgid/bitcurator-users/32607672-0AF8-40F9-9402-0CC99113FDEB%40gmail.com.
Reply all
Reply to author
Forward
0 new messages