Re: [sleuthkit-users] Problem with ewf image.

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Though I can't be sure, it looks like you have a logical partition image,
and not a disk image with a partition table.  You can verify this with 'fls
image.EO1'.  If you see the root of the file system without passing a
partition offset, then it is an image of a partition.

In that case, in autopsy, select "Partition" on the Add Image page rather
than disk.

On Sun, Jul 17, 2011 at 6:37 PM, k m <com...@gm...> wrote:

> Thank you, This problem occurs in the very beginning whilst trying to add
> the image to autopsy,  autopsy reports it cannot determine the volume system
> type, if I choose dos and ok it then says see below  (note the error
> mentioned in the original post is displayed via the terminal for autopsy)
> File System Details  Analysis of the image file shows the following
> partitions:
>
> For your reference, the mmls output was the following:
>
>
>
>
> Also, the ewfinfo reports the following
>
> EWF information
>     File format:        EnCase 5
>     Sectors per chunk:    64
>     Error granularity:    64
>     Compression type:    good (fast) compression
>     GUID:            162a109d-b417-0c48-afad-893b1ff99c5c
>
> Media information
>     Media type:        fixed disk
>     Is physical:        no
>     Bytes per sector:    512
>     Amount of sectors:    1309824
>     Media size:        639 MiB (670629888 bytes)
>
> My guess by this output the sector size is normal, what do I need to do
> next? Thanks again!
>
>
> On Sat, Jul 16, 2011 at 8:54 PM, Lehr, John <jl...@sl...> wrote:
>
>> k m, it would be very helpful for you to show us the command you passed to
>> get the error, or in the case of Autopsy, what point in the case
>> initialization you get the error.  That would be very informative.
>>
>> Second, show us the output of:
>>
>> ewfinfo image.E01
>>
>> You error indicates that your sector size is incorrect.  ewfinfo will show
>> what the parameters were when the image was made.
>>
>> Finally, if I had a guess and you were using TSK, I'd say you are passing
>> a' -b' for sector size instead of a '-o' for sector offset.  But you say in
>> your message that you get the error with autopsy, and I haven't used autopsy
>> in a long while.  I don't recall if you can set the sector size, but I don't
>> think so.
>> ---------------------------------
>> John Lehr
>> Evidence Technician
>> San Luis Obispo Police Department
>> ________________________________________
>> From: k m [com...@gm...]
>> Sent: Sunday, July 10, 2011 4:20 PM
>> To: sle...@li...
>> Subject: [sleuthkit-users] Problem with ewf image.
>>
>> Hello I have a ewf image I am trying to examine. This image will not load
>> into autopsy correctly the autopsy terminal reports "Invalid magic value
>> (Error: sector size (64543) is not a multiple of device size (512)
>> ",    I am not sure how to input the correct size into tsk /fix this
>> problem  and mmls reports that it cannot determine partition type. I am
>> looking for advice on what to do next I am just learning TSK, all assistance
>> is greatly appreciated. Thank you!
>>
>
>
>
> ------------------------------------------------------------------------------
> AppSumo Presents a FREE Video for the SourceForge Community by Eric
> Ries, the creator of the Lean Startup Methodology on "Lean Startup
> Secrets Revealed." This video shows you how to validate your ideas,
> optimize your ideas and identify your business strategy.
> http://p.sf.net/sfu/appsumosfdev2dev
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>
>