Re: Manageable image sizes

Much you can do with acquire and chunk, quick example;

dd if=/dev/target bs=4k conv=noerror,sync | split -b 650m splitdd.


cheers!

farmerdude

www.crazytrain.com



On Mon, 2004-11-29 at 20:18, Greg Freemyer wrote:
> On 29 Nov 2004 20:51:39 -0000, Nick Puetz <nickpuetz@yahoo.com> wrote:
> > I have been working recently with some large image sizes (over 20 GB) and 
> > was curious if mmls was the best way to make these images more manageable.  
> > When working on a large image (using TSK), it can take quite a long time to 
> > do a simple search for a key word.  I am thinking that dd could also be 
> > used cut one large image into a number of smaller, more manageable images.  
> > Does anyone have any ideas surrounding this?  Thanks!
>
> I don't do any analysis under Linux yet, but we do image with it fairly often.
>
> For windows tools to be able to use the image, it has to be broken into 
> pieces.
>
> > From Linux I normally use something like:
>
>    dd if=/dev/hdc conv=noerror,sync | split ....
>     md5sum image.* > md5
>
> I don't remember the split syntax offhand, but you can tell it the
> size of the pieces, to use a numeric suffix, and provide the prefix.
>
> I end up with a bunch of files like image.000, image.001 .....
>
> Then I typically use FTK to do the analysis.  FTK 1.3 had some
> problems, but 1.5 seems to work fine so for.
>
> Greg


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com