What imager creates files ending .OBaa etc?

AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
Topic starter
 

Our lab recently received an SSD image taken by another forensic company (we were not told which company). The files were named disk0.split.OBaa with the next segment ending .OBab then .OBac, .OBad etc. Turns out it was just a dd image of an Apple MacBook Pro. We were able to use a bulk rename tool to change the file extension to the more common .001, .002, .003 etc. We were then able to open the image correctly using our favourite tools. No imaging hash was provided so we suspect that the image was not taken using common "forensic" imaging software (or possibly hardware I suppose).

Does anyone recognise this file extension naming convention? Any idea what product this company may have used to create this SSD image?

We've tried googling this file extension (and variations of it) but haven't found anything relevant.

 
Posted : 30/04/2019 8:45 pm
(@athulin)
Posts: 1156
Noble Member
 

Does anyone recognise this file extension naming convention? Any idea what product this company may have used to create this SSD image?

It could perhaps be a result of using split(1), which adds the 'aa', 'ab', … suffixes. (Assumes all segments have the same size, except for the trailing one. If they don't, it's something else.) Whether '.OB' or '.splitOB' is significant or if it's another split command argument (the prefix) …

… well, only way to find out for certain is to ask those who created it.

 
Posted : 01/05/2019 5:04 am
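
Added example (not from any poster in this thread): the size pattern described above for split(1) output can be checked without renaming the segments, and the reassembled image hashed in place, since no imaging hash was supplied. It assumes two-letter suffixes after a prefix such as disk0.split.OB and that sha256sum or shasum is installed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: check and hash a split(1)-style segmented raw image in place.
# The prefix (e.g. disk0.split.OB) is whatever precedes the aa, ab, ... suffix.
# Assumption: two-letter suffixes only, which is the split(1) default.
LC_ALL=C; export LC_ALL   # make glob expansion sort aa, ab, ac ... bytewise

# Return 0 if every segment except the last has the same size as the first
# and the last is no larger (the pattern split -b produces).
# Return 1 if the sizes do not fit that pattern, 2 if no segment was found.
segments_uniform() {
    prefix=$1; first=""; prev=""
    for seg in "$prefix"[a-z][a-z]; do
        [ -f "$seg" ] || return 2            # glob matched nothing
        size=$(wc -c < "$seg" | tr -d ' ')
        if [ -z "$first" ]; then
            first=$size
        elif [ "$prev" -ne "$first" ]; then
            return 1                         # a non-final segment differs
        fi
        prev=$size
    done
    [ "$prev" -le "$first" ]
}

# Print the SHA-256 of the segments concatenated in suffix order.
# Nothing is renamed or written; the segments are only read.
image_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        cat "$1"[a-z][a-z] | sha256sum | cut -d' ' -f1
    else
        cat "$1"[a-z][a-z] | shasum -a 256 | cut -d' ' -f1
    fi
}

# Usage: sh thisfile.sh /path/to/disk0.split.OB
if [ "$#" -ge 1 ]; then
    if segments_uniform "$1"; then
        echo "segment sizes consistent with split -b"
    else
        echo "segment sizes NOT consistent with split -b"
    fi
    echo "SHA-256 of reassembled image: $(image_sha256 "$1")"
fi
```

The hash it prints is only a baseline taken on receipt; it cannot show that the image matches the original drive.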
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
Topic starter
 

Thanks,

We can't ask the 'company' as the investigators either can't ascertain which company did it or are refusing to disclose it to us, for some reason…

 
Posted : 01/05/2019 8:53 am
 dega
(@dega)
Posts: 261
Reputable Member
 

Usually on the copy there is a txt file that is a log of the software. Nothing?

 
Posted : 01/05/2019 2:15 pm
(@dpathan)
Posts: 28
Eminent Member
 

It is a dd image because you can add anything for the extension and it will still be recognized by many forensics software packages. I think in this case the company just used its own naming convention to add a different extension (similar to the many DVR manufacturers who implement the same practices to mask the original format).

 
Posted : 01/05/2019 3:13 pm