1) FTK Imager -> multiple raw files (split raw image)
For Mount
1) mount
ref:
1) https://forensicsferret.wordpress.com/2010/06/28/mounting-split-raw-and-encase-segmented-files-with-affuse/
2) https://digital-forensics.sans.org/blog/2010/09/15/dealing-split-raw-type-images
2) affuse -> /mnt/fuse/multipleRawFile.001.raw
3) mmls (to find the partition offset)
4) losetup -> /dev/loop0 (using the partition offset)
5) file -s /dev/loop0 (check partition format)
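mmls reports each partition's start in sectors, while losetup -o expects a byte offset, so the value has to be multiplied by the sector size between steps 3 and 4. The script below is an added example, not part of the original notes: it parses mmls output and computes that offset. The mmls listing and the function names are constructed for illustration; the device and image paths are the ones used above.

```shell
#!/bin/sh
# Added example: convert the start sector printed by mmls into the byte
# offset that losetup -o expects. The listing below is constructed sample
# output, not taken from a real image.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)'

# partition_offsets: read mmls output on stdin and print one line per
# allocated partition: "<slot> <start_sector> <byte_offset> <description>".
# Meta and Unallocated rows are skipped because their slot is not "NNN:NNN".
partition_offsets() {
    awk '
        # Sector size comes from the "Units are in N-byte sectors" header.
        /^Units are in [0-9]+-byte sectors/ { ss = $4; sub(/-byte/, "", ss); ss += 0 }
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
            if (ss == 0) ss = 512          # assumption: default when header is missing
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%s %d %.0f %s\n", $2, $3 + 0, ($3 + 0) * ss, desc
        }'
}

# byte_offset_for_slot SLOT: print the byte offset of one partition,
# exit non-zero if the slot is not in the listing.
byte_offset_for_slot() {
    partition_offsets |
        awk -v slot="$1" '$1 == slot { print $3; found = 1 } END { exit !found }'
}

# On a real case, pipe the live tool instead of the sample:
#   mmls /mnt/fuse/multipleRawFile.001.raw | byte_offset_for_slot 000:001
off=$(printf '%s\n' "$SAMPLE_MMLS" | byte_offset_for_slot 000:001)

# Print (not run) the attach command; -r keeps the loop device read-only
# so the evidence image is not modified.
echo "losetup -r -o $off /dev/loop0 /mnt/fuse/multipleRawFile.001.raw"
```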
For Timeline
1) fls -r -m C: /dev/loop0 > fls-bodyfile.txt
Then you can create the timeline:
mactime -z UTC -y -d -b fls-bodyfile.txt 1500-01-01..2020-01-01 > mactimeline.csv