Review disk image extraction workflows against workflows/scripts by Tim Walsh #4
Comments
bitsgalore
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See:
https://www.bitarchivist.net/blog/2017-05-01-buf2017/
This seems to be better suited to our needs.
Question: not clear how script deals with disk images that have multiple partitions, as call to tsk_recover doesn' t use
-o(offset) switch:https://github.com/CCA-Public/diskimageprocessor/blob/master/diskimageprocessor.py#L436
Update: volumes with multiple partitions are not supported:
CCA-Public/diskimageprocessor#16
A possible refinement could be to parse the disktype output and iterate over all detected file systems.
Also tsk_recover doesn't keep original timestamps! Some ideas on this here:
https://twitter.com/dericed/status/968537979873648640
In particular (which is already implemented in Tim's script):
https://github.com/CCA-Public/diskimageprocessor/blob/master/diskimageprocessor.py#L446-L489
Note that Bitcurator's default workflow doesn't use tsk_recover but applies the icat tool on a file-by-file basis:
https://github.com/BitCurator/bitcurator-distro-tools/blob/master/bc_disk_access_v2.py#L1134
The text was updated successfully, but these errors were encountered: