iped-docker / iped


Enhanced dependencies utilities #16

Open patrickdalla opened 2 months ago

patrickdalla commented 2 months ago

Hi,

I am adjusting my environment to use this Docker image instead of the one I've created. I use ipeddocker/iped:dependencies as I want to load the IPED binaries and config profiles from a central location on my network.

I start ipeddocker/iped:dependencies with a script that automatically detects evidence not yet processed and runs IPED to process it.

ipeddocker/iped:dependencies has the dependencies to start processing the case. However, IPED has some limitations that can be overcome with the aid of some Linux tools.

For example, shadow copy processing. My script mounts the image before processing, checks for shadow copies, and prepares the environment to process them too.

But for this, ipeddocker/iped:dependencies, or some other alternative Docker image project that could be created, should include some utilities like vshadowmount, partprobe and losetup.

Also, for some reason I could not identify, processing an E01 works with ipeddocker/iped:dependencies, but executing ewfmount to check for shadow copies leads to "No subsystem to mount EWF format". This https://github.com/libyal/libewf/issues/56 suggests that https://github.com/libfuse/libfuse should be installed.

I think we could create a new Dockerfile, derived from ipeddocker/iped:dependencies, with some utilities like the ones I mentioned.

PS.: I think this is not exactly an issue, but as I could not find a "Discussions" section in this project, I opened this issue.

patrickdalla commented 2 months ago

Also, after processing, I compress the result into a password-protected file with zip, which is not included in ipeddocker/iped:dependencies.
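As an added example (not iped-docker's code and not the reporter's script), the following sketches the workflow both comments describe: find evidence not yet processed, expose the E01 with ewfmount and losetup, look for shadow copies on each partition with vshadowmount, run IPED, and zip the result with a password. It assumes a container built from ipeddocker/iped:dependencies with the Debian packages ewf-tools, libvshadow-utils, fuse, parted, util-linux and zip added (package names assumed, e.g. `RUN apt-get update && apt-get install -y ewf-tools libvshadow-utils fuse parted util-linux zip` in a derived Dockerfile), that /evidence and /cases are bind-mounted directories, that IPED accepts `-d` data-source and `-o` output options, and that the jar sits at an assumed path. Whether IPED ingests the raw `vss<N>` snapshot files that vshadowmount exposes when they are passed as extra data sources is also an assumption, not something verified here.

```shell
#!/bin/bash
# Added example (not iped-docker's code nor the reporter's script).
# Assumes an image built from ipeddocker/iped:dependencies with these Debian
# packages added (names assumed): ewf-tools libvshadow-utils fuse parted
# util-linux zip. Paths /evidence, /cases, /mnt and the IPED jar location are
# assumptions; IPED's -d (data source) and -o (output) options are used.
set -u

EVIDENCE_DIR="${EVIDENCE_DIR:-/evidence}"
CASES_DIR="${CASES_DIR:-/cases}"
IPED_JAR="${IPED_JAR:-/opt/iped/iped.jar}"

# Print evidence files (E01 or raw) that have no case directory yet, one per
# line. An existing "$CASES_DIR/<name>" means <name>.E01/.dd was processed.
find_unprocessed() {
    local f name
    for f in "$EVIDENCE_DIR"/*.E01 "$EVIDENCE_DIR"/*.dd "$EVIDENCE_DIR"/*.raw; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        [ -d "$CASES_DIR/${name%.*}" ] || printf '%s\n' "$f"
    done
}

# Expose an image as a block device. ewfmount publishes the E01 as a FUSE
# file "$mnt/ewf1"; losetup -P attaches it read-only and asks the kernel for
# partition nodes (/dev/loopNpM); partprobe re-reads the table if needed.
# Prints the loop device. Needs root, /dev/fuse and loop-device access.
attach_image() {
    local image="$1" mnt="$2" src loop
    mkdir -p "$mnt"
    case "$image" in
        *.E01) ewfmount "$image" "$mnt" || return 1; src="$mnt/ewf1" ;;
        *)     src="$image" ;;
    esac
    loop=$(losetup --find --show -r -P "$src") || return 1
    partprobe "$loop" 2>/dev/null || true
    printf '%s\n' "$loop"
}

# Mount the VSS snapshots of one partition. vshadowmount exposes each one as
# "$vssdir/vss<N>" (a raw volume image). Returns 1 when the volume has none.
mount_shadow_copies() {
    local part="$1" vssdir="$2"
    mkdir -p "$vssdir"
    vshadowmount "$part" "$vssdir" || return 1
    if ! ls -A "$vssdir" | grep -q .; then
        mountpoint -q "$vssdir" && umount "$vssdir"
        return 1
    fi
}

# Package a finished case. zip -P takes the password inline, so it shows in
# the process list; ZIP_PASSWORD must be supplied by the caller.
pack_case() {
    local casedir="$1" out="$2"
    ( cd "$(dirname "$casedir")" && zip -r -q -P "${ZIP_PASSWORD:?}" "$out" "$(basename "$casedir")" )
}

# Orchestration: attach each pending image, mount shadow copies of every
# partition, run IPED over the image plus any snapshot directories, pack
# the result and tear the mounts down. Paths are assumed to have no spaces.
process_pending() {
    local img name loop part vss casedir extra
    find_unprocessed | while IFS= read -r img; do
        name=$(basename "${img%.*}")
        casedir="$CASES_DIR/$name"
        loop=$(attach_image "$img" "/mnt/ewf/$name") || continue
        extra=""
        for part in "$loop"p*; do
            [ -e "$part" ] || continue
            vss="/mnt/vss/$name/$(basename "$part")"
            mount_shadow_copies "$part" "$vss" && extra="$extra -d $vss"
        done
        java -jar "$IPED_JAR" -d "$img" $extra -o "$casedir" && \
            pack_case "$casedir" "$CASES_DIR/$name.zip"
        for vss in /mnt/vss/"$name"/*; do
            mountpoint -q "$vss" && umount "$vss"
        done
        losetup -d "$loop"
        mountpoint -q "/mnt/ewf/$name" && umount "/mnt/ewf/$name"
    done
}

if [ "${1:-}" = "--run" ]; then
    process_pending
fi
```

Two caveats a practitioner would want before adopting this. First, FUSE and loop devices are not available in a default container: ewfmount and vshadowmount need `--device /dev/fuse --cap-add SYS_ADMIN` (and losetup needs /dev/loop-control, which in practice means `--privileged`), and the "No subsystem to mount EWF format" message in the comment above is what ewfmount prints when the libewf build lacks FUSE support, which the linked libewf issue attributes to a missing libfuse at build time; the distribution's ewf-tools package normally ships a FUSE-enabled build, but check with `ewfmount -h`. Second, zip's `-P` password encryption is the legacy ZipCrypto scheme, which is known to be weak against known-plaintext attacks, and the password is visible on the command line; if the archive actually has to protect case data in transit, an AES container (for example `7z a -p -mhe=on`) or an age-encrypted tarball is a better fit than zip.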