
Cool tool: GNU split


jimbob

Post Wed Jun 03, 2009 5:55 am

Cool tool: GNU split

Hi,
I know there are plenty of you out there with an interest in forensics and a small budget so I thought I'd share a tip with you. When you are creating an image of a disk using dd it's often useful to split the dump into chunks. If you are dumping to a FAT32 disk, for example, you cannot create a file greater than 4GB in size.

The Unix command split takes an input source and splits it into chunks of a specified size. You can use this in conjunction with dd to automatically split and name the output files on the fly. The following command will dump the contents of device /dev/sdb to standard out where split will read it, chop it into 2GB chunks and name each file case0001_disk001_image_<suffix>.

  Code:
$ dd if=/dev/sdb bs=4k | split -b 2G  -d -a 3 - case0001_disk001_image_


The option '-d' tells split to add a numeric suffix instead of the default alphabetic one and option '-a 3' tells split to use a 3-character suffix, e.g. 001, 002, 003 etc.

Hope you find this useful and I hope it serves as a reminder that learning the basic Unix tools is a skill worth having.

Jimbob

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Wed Jun 03, 2009 6:01 am

Re: Cool tool: GNU split

Hey Jimbob,

thanks for sharing, I've used split in the past (not disk image related) and find it *really* easy to forget how useful the standard 'nix tools are. Thanks for the reminder.

Andrew

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Jun 03, 2009 7:27 am

Re: Cool tool: GNU split

Split is definitely a great command to know when you are in a bind.  I had to use it on a Mac Server a while back.  There are a few DD based tools, like DCFLDD that have this function built in.  More importantly, DCFLDD and others will hash on the fly, which is one of the most important aspects in forensics.
~~~~~~~~~~~~~~
Ketchup
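
Added example, not part of any post in this thread: jimbob's dd | split pipeline combined with the hash-on-the-fly step Ketchup mentions, using only GNU coreutils, plus a check that the reassembled chunks still match the recorded hash. The function names, the 8192-byte chunk size and the sample file standing in for /dev/sdb are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): split an image and hash it in one read.
# Requires GNU coreutils (split -d, sha256sum). All file names are constructed.

# acquire SRC PREFIX CHUNK
# Writes PREFIX000, PREFIX001, ... (GNU split -d starts numbering at 000) and
# stores the SHA-256 of the whole stream in PREFIX.sha256.
acquire() {
    src=$1; prefix=$2; chunk=$3
    fifo="${prefix}.fifo"
    mkfifo "$fifo"
    # Background hasher sees a copy of exactly the bytes that split receives.
    sha256sum < "$fifo" | cut -d' ' -f1 > "${prefix}.sha256" &
    dd if="$src" bs=4k 2>/dev/null | tee "$fifo" | split -b "$chunk" -d -a 3 - "$prefix"
    wait            # hasher must finish before the hash file is trusted
    rm -f "$fifo"
}

# verify PREFIX
# Re-reads the chunks in suffix order, hashes them, and compares the result
# with the hash recorded at acquisition time. Returns 0 only on a match.
verify() {
    prefix=$1
    recorded=$(cat "${prefix}.sha256")
    actual=$(cat "${prefix}"[0-9][0-9][0-9] | sha256sum | cut -d' ' -f1)
    if [ "$recorded" = "$actual" ]; then
        echo "MATCH $actual"
    else
        echo "MISMATCH recorded=$recorded actual=$actual"
        return 1
    fi
}

demo() {
    work=$(mktemp -d)
    seq 1 5000 > "$work/sample.img"   # constructed 23893-byte stand-in for /dev/sdb
    acquire "$work/sample.img" "$work/case0001_disk001_image_" 8192
    ls "$work"                        # three chunks plus the .sha256 file
    verify "$work/case0001_disk001_image_"
    rm -rf "$work"
}
demo
```

The fixed-width numeric suffix is what lets the shell glob return the chunks in the right order for reassembly, so verify needs no separate manifest.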

Otter

Newbie

Posts: 41

Joined: Tue Jul 03, 2007 1:03 pm

Post Wed Jun 03, 2009 12:26 pm

Re: Cool tool: GNU split

While we're talking about cool tools and GNU, if you find yourself on the command line of *nix boxes a lot and aren't familiar with GNU screen (commandline command is just screen), it's the cat's ass.

Multiple virtual command windows; if you lose your connection or disconnect voluntarily, screen -r puts you back right where you were.

How I lived without it, I'll never know.
