[sleuthkit-users] Problems with NTFS image from FAU's dd
From: Jan M. <jan...@nr...> - 2008-02-20 10:34:59
Hello there,

finally, the nuisance caught up with me, and for the first time ever I had to deal with full disk encryption (SafeBoot in this case). I've used the FAU tools (well, dd and netcat in their respective versions) in order to create an image of the system's NTFS partition.

While that generally seemed to have worked well, sleuthkit doesn't love the resulting image file...

Output e.g. from istat:

Error reading image file (raw_read_random - offset: 3221225472 - len: 1024 - Argument list too long)
(ntfs_dinode_lookup: Error reading MFT Entry at 3221225472)

file(1) e.g. says the following:

# file notebook.1.img
notebook.1.img: x86 boot sector, code offset 0x52, OEM-ID "NTFS ", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, heads 240, hidden sectors 63, dos < 4.0 BootSector (0x80)

Has any of you successfully dealt with a similar situation?

Thanks, Jan

--
Jan Muenther, CTO Security, n.runs AG