Re: [sleuthkit-users] Warning: Autopsy could not determine the volume system type for the disk imag
From: Oscar V. <osc...@gm...> - 2011-05-25 10:24:42
I'm not sure which tools are included with cygwin, but you might want to consider switching to Linux (possibly by using one of the forensic live CDs). This might give you some more tools to troubleshoot the image you have.

Did you try the fsstat command? Maybe the 'file' command could give you some clues (at least it recognizes NTFS, not sure which other fs-es it recognizes). Using hexdump -C (and Google) you might be able to get some clues about what you are dealing with.

Good sources for reading are Brian Carrier's 'file system forensics' and Barry Grundy's Linux forensic howto (http://linuxleo.com/).

hth
oscar

On Wed, May 25, 2011 at 5:30 AM, k m <com...@gm...> wrote:
> Thanks for the reply, my mistake, I believe it is a partition. If I select
> partition, however, I still get the error "Warning: The file system type of
> the volume image file could not be determined.
> If this is a disk image file, return to the previous page and change the
> type." If I choose fat32 I get this error: "Testing partitions
> Partition 1 is not a fat32 file system
> Use the browser's back button to fix the data". Thanks for any and all help.
>
> Regards
>
> On Tue, May 24, 2011 at 1:43 AM, Oscar Vermaas <osc...@gm...> wrote:
>>
>> Are you sure you're feeding it an image of a whole disk? Or does your
>> image contain only a filesystem (thus, a partition)?
>> You can easily check by running fsstat on the image. That should tell
>> you what kind of filesystem is in the image. If it is unable to
>> determine the fs type, then try mmls on the image.
>> mmls works on 'whole' disk images and should give you the offset where
>> the partition starts.
>> Both mmls and fsstat are tools from the sleuthkit suite.
>>
>> regards
>> Oscar
>>
>> On Tue, May 24, 2011 at 3:40 AM, k m <com...@gm...> wrote:
>> > I am using tsk and autopsy. After I get my image into the case
>> > via autopsy, I get this warning: "Warning: Autopsy could not determine
>> > the volume system type for the disk image (i.e. the type of partition
>> > table). Please select the type from the list below or reclassify the
>> > image as a volume image instead of as a disk image". If I select fat,
>> > which I believe the image is, it seems to only allow me to do a
>> > keyword search. I have tried to view the image with the ftk demo and
>> > it does load into that. I have tried the image in DD and E01, neither
>> > works. How can I fix this to examine this image? I am quite new to the
>> > forensics field in general, so any additional tips would also be
>> > appreciated. I am running via cygwin, using tsk 3.2.1 and autopsy 2.24.
>> > thanks
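
Added example, not part of the original thread and not Sleuth Kit code: the disk-versus-volume question discussed above comes down to what sector 0 of the image holds, which is what a hexdump of the first 512 bytes would show. The sketch below checks the standard FAT/NTFS boot-sector label offsets and the DOS partition table layout; the function names and the two sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512

def mbr_partitions(sector):
    """Return (slot, type, start_lba, sector_count) for each used MBR entry."""
    found = []
    for i in range(4):  # four 16-byte entries starting at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[0] in (0x00, 0x80) and entry[4] != 0 and count > 0:
            found.append((i + 1, entry[4], start_lba, count))
    return found

def classify_first_sector(sector):
    """Guess whether sector 0 starts a file system (volume) or a partitioned disk."""
    if len(sector) < SECTOR:
        return "too short"
    if sector[510:512] != b"\x55\xaa":
        return "no boot signature"
    # File system labels are tested first: boot code in a volume boot
    # record can occupy offset 446 onward and resemble table entries.
    if sector[3:11] == b"NTFS    ":
        return "NTFS volume"
    if sector[82:90] == b"FAT32   ":
        return "FAT32 volume"
    if sector[54:59] in (b"FAT12", b"FAT16"):
        return sector[54:59].decode() + " volume"
    if mbr_partitions(sector):
        return "DOS partition table"
    return "unknown"

def constructed_fat32_vbr():
    s = bytearray(SECTOR)  # constructed sample: minimal FAT32 boot sector
    s[0:3], s[3:11] = b"\xeb\x58\x90", b"MSDOS5.0"
    s[82:90], s[510:512] = b"FAT32   ", b"\x55\xaa"
    return bytes(s)

def constructed_mbr():
    s = bytearray(SECTOR)  # constructed sample: MBR with one partition
    # one active entry, type 0x0b, starting at sector 63, 204800 sectors long
    s[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                             b"\xfe\xff\xff", 63, 204800)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for name, sec in (("volume", constructed_fat32_vbr()), ("disk", constructed_mbr())):
        print(name, classify_first_sector(sec), mbr_partitions(sec))
```

For a real image, read the first 512 bytes from the file in binary mode and pass them to `classify_first_sector`; a start sector reported by `mbr_partitions` corresponds to the partition offset that mmls lists.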