I am using TSK in both a Windows and Linux environment, and have noticed a difference in the imgtype availability for determining the offsets for certain images. When I install TSK in Linux and I run mmls on an E01 (example image used was nps-2008-jean.E01 from NIST CFReDS), I get ‘Cannot determine partition type’ (as sudo AND as a regular user), and when I try ‘mmls -i list’ I find that I only get ‘raw (Single or split raw file (dd))’ as an option. No EWF, VHD, VMDK.
I use the Windows binary to run ‘mmls nps-2008-jean.E01’ and get the appropriate offset. Strange, so now I check ‘mmls -i list’ using the Windows binary and get raw, ewf, vmdk, AND vhd as supported image format types.
My question is, what is it that determines what provides the extra image types for mmls? I’d like to be able to enable the same support in the Linux binary/OS if possible.
Linux version: 4.7.0 (only has raw as an option)
Windows version: 4.6.4 (has raw, ewf, vmdk, vhd)
It’s determined by whether you have libewf, libvhdi, and libvmdk when you’re building TSK. The Windows binaries have the libraries included. If you’re building on Linux, you can see what libraries were found at the end of running ./configure. There’s some information here about libewf:
The Windows page has some information about the libvhdi and libvmdk libraries.
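As an added illustration of that answer (not code from the thread or from TSK itself), the script below parses the output of ‘mmls -i list’ and reports which of the formats discussed here are missing from a build, naming the library that ./configure has to find for each. The sample output is constructed to mirror the poster’s raw-only Linux build; when mmls is installed, the real output is used instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from TSK: parse `mmls -i list`
# output and report which image formats this build lacks, mapping each to the
# library the answer above says must be present when TSK is configured.

# Constructed sample mirroring the poster's PPA build (raw only). Real output
# indents each format with a tab; spaces are used here and both are accepted.
SAMPLE_LIST='Supported image format types:
    raw (Single or split raw file (dd))'

# Print one image type name per line (first word of each indented line).
# $1: text as produced by `mmls -i list`
list_imgtypes() {
    printf '%s\n' "$1" | awk '/^[ \t]/ { print $1 }'
}

# Print the space-separated subset of $2 that does not appear in $1's list.
# $1: `mmls -i list` output; $2: space-separated formats to check
missing_imgtypes() {
    supported=$(list_imgtypes "$1")
    missing=""
    for fmt in $2; do
        if ! printf '%s\n' "$supported" | grep -qx "$fmt"; then
            missing="${missing:+$missing }$fmt"
        fi
    done
    printf '%s' "$missing"
}

# Library that ./configure must find for a given format (from the answer above);
# raw needs no external library.
lib_for_imgtype() {
    case "$1" in
        ewf)  echo libewf ;;
        vhd)  echo libvhdi ;;
        vmdk) echo libvmdk ;;
        *)    echo "(built in)" ;;
    esac
}

# Use the installed mmls when present, otherwise the constructed sample.
if command -v mmls >/dev/null 2>&1; then
    LIST=$(mmls -i list 2>&1)
else
    LIST=$SAMPLE_LIST
fi
for fmt in $(missing_imgtypes "$LIST" "raw ewf vmdk vhd"); do
    echo "missing: $fmt (needs $(lib_for_imgtype "$fmt") at configure time)"
done
```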
The installation I am using is from the GIFT PPA repo and only seems to include the RAW image type. This provides sleuthkit 4.7.0 via
‘sudo apt-add-repository ppa:gift/stable’
‘sudo apt-get update’
‘sudo apt-get install sleuthkit’
When I use the standard Ubuntu repo, I get version 4.4 with ALL of the image types. Can you perhaps direct me to the most correct location to get the most up-to-date and maintained version of sleuthkit with all of the image types (without building manually)?