Autopsy and AFF or E01 Images

[Zeyn]

Does anyone know how to get autopsy to work with aff or e01 images?  The Sleuth Kit / Autopsy web pages state: "Autopsy and TSK support raw, Expert Witness, and AFF file formats."  But when I try to add an aff or e01 image to a case in Autopsy, it can't figure out what type of file system it is, can't find a partition, provides a bogus hash value, and generally doesn't work. 

Finally found in the autopsy readme.txt file where it says "The image file must be a raw copy of a partition or disk."  And the help pages basically just reference dd (raw) files as image files.  What the heck??? 

Is the only option for using autopsy to convert the image to raw format?  Or am I doing something wrong?

Thanks,
Zeyn

[Joel Fernandez]

I'm about to board a plane so I may be out of reach for a few hours. You can use the afflib tools to pull the raw file out of the aff file. I don't remember the command offhand though. You can also mount both using libewf as well. 

--
You received this message because you are subscribed to the Google Groups "CyForHSF" group.
To post to this group, send email to cyfo...@googlegroups.com.
To unsubscribe from this group, send email to cyforhsf+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/cyforhsf/-/5KpkRcyBcn0J.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Joel Fernandez]

So if you still can't get it mounted by tonight, I will be online in about 5 hours or so. 

On Jul 22, 2012, at 2:19 PM, Zeyn <zeyn.gr...@gmail.com> wrote:

--

[Jeremy Shafer]

You can mount aff just fine on its own.  I created a case and then just went through the process of adding the hard drive and usb aff's, I was able to access the partitions at that point.  I can't say I have seen your particular issue pop up before but when I work it tonight I will keep my eye open to see if I notice anything in particular that I might have done different than what you mention.

[Eric Black]

Hey Zeyn,

I had converted the aff to raw and raw is the same as dd. So, do that, then mount the raw. I'm not in front of the Mac I used to do it, so can't remember the details. 

eric

[Zeyn]

Ok, I think I resolved it.  I believe it was a library issue.  I installed afflib and then reinstalled tsk and autopsy.  Seems to be working now.

Thanks Eric and Jeremy.

The strange thing to me though is why the hash values wouldn't match when it tried to import something it didn't understand. 
For example, this is the output from attempting to upload the jo-favorites-usb-2009-12-11.aff image and asking it to verify the image hash value against the original capture value (from the midterm file: hash.txt):
-------
Calculating MD5 (this could take a while)
Current MD5: 8FABF27A24E7851C1C448FBC04544C47
Integrity Check Failed

Provided: 9B12E279322223175F4B3E410A5118C3
Image not added to case
-------
When it doesn't recognize the image, is it actually modifying the image during import?  Seems like a bad concept.

Thanks,
Zeyn

[Jeremy Shafer]

The only thing I can think of is maybe Autopsy isn't reading the full image since it doesn't recognize it, so it doesn't hash the full image when it does the calculation.

 

Also, I don't know if you were loading TSK and Autopsy on Windoze or a Mac, but if you were using a Mac, you can install both TSK and Autopsy with the HomeBrew package manager.  It will automatically install the dependencies like afflib for you, and fixes your paths so you can access the tools from anywhere via command line without needing to be in the same directory or type a full path.

 

For Windoze, who knows how it is done....its probably painful and has stability problems there...