py4n6 / pytsk

Python bindings for The Sleuth Kit (libtsk)
Apache License 2.0

Is it possible to use logical_imager with pytsk? #63

Closed yanjunlim closed 4 years ago

yanjunlim commented 4 years ago

Hi, I just want to know if pytsk supports the use of the logical_imager function?

joachimmetz commented 4 years ago

What do you mean with "logical_imager function"?

yanjunlim commented 4 years ago

Hi, sorry, I think my question doesn't really express what I wanted to ask. I see that Autopsy has the function to create an image of a live logical drive, and I am wondering if pytsk3 can do the same as well?

joachimmetz commented 4 years ago

What storage media image format?

pytsk is a wrapper around libtsk. You might be able to read a storage media device through libtsk and write that to a storage media image file, but that is quite an obscure way of doing things; I would recommend against it.

I'm also unsure if libtsk deals with errors like a specialized disk imaging tool would.

yanjunlim commented 4 years ago

I am trying to create a forensic disk image, so I guess any will do, maybe VHD.

Basically, the main idea here is to search unallocated space within a logical drive. The only solution I found was to provide a forensic disk and use Python to do so. I was thinking, since pytsk is a wrapper around libtsk, it might be possible to search unallocated space of a running logical drive. If not, I was wondering if pytsk can help to create the forensic disk image.

joachimmetz commented 4 years ago

> I am trying to create a forensic disk image, so i guess any will do, maybe VHD.

Correct me if I'm wrong, but it sounds to me like you're trying to search unallocated space of a mounted logical drive? And that creating a disk image (forensic or not) is a possible solution you've already decided on.

You can likely use libtsk/pytsk to get the file system unallocated information and scan those ranges. But that sounds like a lot of trouble if there are tools like bulk-extractor?
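The "get the file system unallocated information and scan those ranges" approach sketched in the comment above, as an added example; this is not code from the thread participants or from the pytsk project. It assumes an NTFS volume and uses pytsk3 calls that exist in the bindings (`Img_Info.read`, `FS_Info.open`, `File.read_random`, `fs.info.block_size` / `fs.info.block_count`); the function names, the `$Bitmap` parsing helper and the command-line arguments are the example's own. Pointing it at a mounted live volume inherits the consistency problems discussed in this thread; a raw image is the safe input.

```python
"""Enumerate NTFS unallocated clusters from $Bitmap and read them via pytsk3.

Added example for this thread; not part of pytsk. Assumes an NTFS volume.
"""


def unallocated_ranges(bitmap, cluster_count):
    """Return [(first_cluster, run_length), ...] for clusters whose bit is 0.

    NTFS $Bitmap holds one bit per cluster: cluster c is bit (c & 7) of byte
    (c >> 3), least significant bit first; a set bit means allocated. The
    file is padded, so bits past cluster_count are ignored.
    """
    cluster_count = min(cluster_count, len(bitmap) * 8)
    ranges = []
    start = None  # first cluster of the free run currently being tracked
    cluster = 0
    while cluster < cluster_count:
        byte = bitmap[cluster >> 3]
        if (cluster & 7) == 0 and cluster + 8 <= cluster_count:
            # Fast path: a whole byte of allocated or of free clusters.
            if byte == 0xFF:
                if start is not None:
                    ranges.append((start, cluster - start))
                    start = None
                cluster += 8
                continue
            if byte == 0x00:
                if start is None:
                    start = cluster
                cluster += 8
                continue
        allocated = (byte >> (cluster & 7)) & 1
        if not allocated and start is None:
            start = cluster
        elif allocated and start is not None:
            ranges.append((start, cluster - start))
            start = None
        cluster += 1
    if start is not None:
        ranges.append((start, cluster_count - start))
    return ranges


def iter_unallocated_data(image_path, fs_offset=0, max_clusters=1024):
    """Yield (byte_offset, data) chunks of unallocated space of an NTFS volume.

    image_path: raw/dd image (a block device also works, but reading a mounted
    live volume is racy, as the thread warns).
    fs_offset: byte offset of the NTFS volume inside the image (0 for a
    volume image, the partition start for a whole-disk image).
    """
    import pytsk3  # imported here so the pure helper above runs without it

    img = pytsk3.Img_Info(image_path)
    fs = pytsk3.FS_Info(img, offset=fs_offset)
    cluster_size = fs.info.block_size   # NTFS cluster size in bytes
    cluster_count = fs.info.block_count  # number of clusters in the volume
    bitmap_file = fs.open("/$Bitmap")
    bitmap = bitmap_file.read_random(0, bitmap_file.info.meta.size)

    for first, length in unallocated_ranges(bitmap, cluster_count):
        # Read each free run in bounded chunks so a huge run does not
        # load gigabytes into memory at once.
        for c in range(first, first + length, max_clusters):
            n = min(max_clusters, first + length - c)
            offset = fs_offset + c * cluster_size
            yield offset, img.read(offset, n * cluster_size)


if __name__ == "__main__":
    import sys

    path = sys.argv[1]
    off = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    total = 0
    for offset, data in iter_unallocated_data(path, off):
        total += len(data)
        # hand `data` (and `offset`) to a carver or signature scanner here
    print(f"scanned {total} bytes of unallocated space")
```

The helper only reports clusters the file system marks as free; slack space inside allocated clusters is not included, which is exactly the distinction the questions in this thread ask about. Run as `python3 scan_unalloc.py volume.dd` or, for a whole-disk image, pass the partition's byte offset as the second argument.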

yanjunlim commented 4 years ago

> I am trying to create a forensic disk image, so i guess any will do, maybe VHD.

> Correct me if I'm wrong but it sounds to me you're trying to search unallocated space of a mounted logical drive ? And that creating a disk image (forensic or not) is a possible solution you've already decided on.

>   • If you say "forensic disk image" what do you mean? Do you mean you want a storage media image that includes unallocated space? Or are there other requirements?
>   • What file system are you talking about?
>   • What do you mean with "unallocated space"? Does your definition include slack and/or free space or do you only mean space marked by the file system as unallocated?

> You can likely use libtsk/pytsk to get the file system unallocated information and scan those ranges. But that sounds like a lot of trouble if there are tools like bulk-extractor?

I am trying to search unallocated space of a mounted logical drive. As my end goal is to search and recover data from unallocated space, I would want a disk image (i.e., .raw, .dd) which includes the unallocated space. I would guess the file system is NTFS. By unallocated space, it is more the space previously occupied by deleted files, that is marked as unallocated by the system, so I guess it includes free space.

joachimmetz commented 4 years ago

> I am trying to search unallocated space of a mounted logical drive.

For what purpose? File recovery? Fragment recovery? Textual string recovery?

Why do you want to build it yourself / use pytsk/libtsk? Why not use an existing tool that already does this?

yanjunlim commented 4 years ago

> I am trying to search unallocated space of a mounted logical drive.

> For what purpose? File recovery? Fragment recovery? Textual string recovery?

> Why do you want to build it yourself / use pytsk/libtsk? Why not use an existing tool that already does this?

For file recovery, and I wanted to build a forensic tool which can search unallocated space and recover data from it. If an existing tool allows me to do so via the command line and in daemon mode, I would like to try it as well. I just came across pytsk, as I saw that Autopsy has that functionality.

joachimmetz commented 4 years ago

The scope of your goal is beyond pytsk/libtsk. libtsk (Sleuthkit) is not the same as Autopsy. You can use pytsk/libtsk to solve part of the problem but not entirely.

There are already tons of file carving tools (including command line ones); have a look at https://forensicswiki.xyz/wiki/index.php?title=Tools:Data_Recovery#Carving

How do you imagine using such a tool in daemon mode? Once the recovery is done there is no need to keep the process running?

yanjunlim commented 4 years ago

Oh, thanks for the clarification. I will explore the links you provided; appreciate the help. I was thinking that the tool will stop the process after recovery is done.

joachimmetz commented 4 years ago

> I was thinking that the tool will stop the process after recovery is done.

It is unclear to me why you need a daemon then, but that's a different topic. See https://en.wikipedia.org/wiki/Daemon_(computing) for an explanation of the strict sense of the terminology.

I'll close this issue since your initial question appears to be answered.