Re: [sleuthkit-users] Help can't add NTFS image to autopsy.

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Sorry for the delay....

The output is:

Cannot determine file system type

Il 27.06.2012 18:34, Brian Carrier ha scritto:
> Can you send me the first line of output when you run this:
>
> # blkcat -o 63 IMAGE 0 | xxd
>
> Or, if xxd is not found on your system then use 'hexdump'.
>
> I just updated that error message to give more details about what the invalid size is.
>
> thanks,
> brian
>
>
>
> On Jun 19, 2012, at 6:49 PM, M77 wrote:
>
>> Hi to all, I've some problems adding an ntfs image to autopsy, next the adding form:
>>
>>
>> Partition 1 (Type: NTFS (0x07))
>>    Sector Range: 63 to 234420479
>>    Mount Point: 	File System Type:
>>   
>>
>> 	
>>
>> <menu_b_help.jpg>
>> For your reference, the mmls output was the following:
>> DOS Partition Table
>> Offset Sector: 0
>> Units are in 512-byte sectors
>>
>>       Slot    Start        End          Length       Description
>> 02:  00:00   0000000063   0234420479   0234420417   NTFS (0x07)
>>
>>
>> I try to select ntfs from the dropdown menu, but when press add:
>>
>>
>> Testing partitions
>>
>> Partition 1 is not a
>> ntfs
>>   file system
>>
>> Use the browser's back button to fix the data
>>
>> I've mount the image in my system, and it result fully readable.
>> mmls output:
>> DOS Partition Table
>> Offset Sector: 0
>> Units are in 512-byte sectors
>>
>>       Slot    Start        End          Length       Description
>> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
>> 01:  -----   0000000000   0000000062   0000000063   Unallocated
>> 02:  00:00   0000000063   0234420479   0234420417   NTFS (0x07)
>> 03:  -----   0234420480   0234441647   0000021168   Unallocated
>>
>>
>> fls output:
>> Invalid magic value (Not a NTFS file system (invalid sector size))
>>
>>
>> I'm using autopsy 2.24 with TSK 3.2.3
>>
>> Suggestions?
>>
>> Thanks
>>
>> M1001101
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
> Return-Path: <ca...@sl...>
> Received: from mailrelay24.libero.it (192.168.32.110) by ims4c2.libero.it (8.6.023.04)
>          id 4FDA41E50083C318 for m7...@li...; Wed, 27 Jun 2012 18:34:15 +0200
> Received: from mtalibero08.libero.it (EHLO mtalibero08.libero.it) ([192.168.36.170])
> 	by mailrelay24.libero.it
> 	with ESMTP id JWW19279;
> 	Wed, 27 Jun 2012 18:34:15 +0200 (CEST)
> Received-SPF: None identity=ilfrom; client-ip 8.97.132.81;
>    receiver=alibero08.libero.it;
>    env...@sl...";
>    x-s...@sl...";
>    x-conformance=f_only
> Authentication-Results: mtalibero08.libero.it; dkim=ss (signature verified [TEST]) hea...@sl...
> X-LREMOTE-IP: 208.97.132.81
> Received: from caiajhbdcaib.dreamhost.com (HELO homiemail-a12.g.dreamhost.com) ([208.97.132.81])
>    by mtalibero08.libero.it with ESMTP; 27 Jun 2012 16:34:14 +0000
> Received: from homiemail-a12.g.dreamhost.com (localhost [127.0.0.1])
> 	by homiemail-a12.g.dreamhost.com (Postfix) with ESMTP id B98E571406B;
> 	Wed, 27 Jun 2012 09:34:12 -0700 (PDT)
> DomainKey-Signature: a=a-sha1; c=nofws; d=sleuthkit.org; h=subject
> 	:mime-version:content-type:from:in-reply-to:date:cc
> 	:content-transfer-encoding:message-id:references:to; q=s; s	sleuthkit.org; b»L96bF2TF7J0YV12MRZ6ljr0K/BlCnluryBdDLZ+8eLING
> 	mkdQxYz/mdvLbTCt+xIOD30WLqhpCqlqDImBzaJ06eF1Ev9qo+h/tWVsAS6Pe0sa
> 	M8znvUHUNXRhb1FT6PFdsHyuYISrEiDFyI33WxlJ36lWnTH9OtOlt6uoEOAoDKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleuthkit.org; h=subject
> 	:mime-version:content-type:from:in-reply-to:date:cc
> 	:content-transfer-encoding:message-id:references:to; s	sleuthkit.org; bh=Z7JqkiZ7DUv7i9kSo5IYTAhhySU=; b=KZAIPixjAkgLd3
> 	sagYHqXlwiT/RbJoyo2/W9lNcMsmih82V2hUrJR7UdAfGUSlLBBQL89gHTt/HhOv
> 	Tnt5eRuvRlx3psikh9owonXYVcKMo+t93GfyQIaT8USyD4sCTy9NbNXVGlRU/xtS
> 	No2ASpZcUipCCzTBc2e8WSHW3/XxcReceived: from [10.1.7.127] (cambridge-vxty.basistech.com [131.239.15.66])
> 	(using TLSv1 with cipher AES128-SHA (128/128 bits))
> 	(No client certificate requested)
> 	(Authenticated sender: ca...@sl...)
> 	by homiemail-a12.g.dreamhost.com (Postfix) with ESMTPSA id 6449571406A;
> 	Wed, 27 Jun 2012 09:34:12 -0700 (PDT)
> Subject: Re: [sleuthkit-users] Help can't add NTFS image to autopsy.
> Mime-Version: 1.0 (Apple Message framework v1084)
> Content-Type: text/plain; charset=-ascii
> From: Brian Carrier <ca...@sl...>
> In-Reply-To: <4FE...@li...>
> Date: Wed, 27 Jun 2012 12:34:10 -0400
> Cc: sleuthkit-users users <sle...@li...>
> Content-Transfer-Encoding: quoted-printable
> Message-Id: <140...@sl...>
> References: <4FE...@li...>
> To: M77 <m7...@li...>
> X-Mailer: Apple Mail (2.1084)
> X-Junkmail-Status: score/55, host=mailrelay24.libero.it
> X-Junkmail-Signature-Raw: score=known,
> 	refid=r	ip 8.97.132.81,
> 	so 11-06-21 16:49:39,
> 	dmn 11-06-08 23:29:05,
> 	mode=ltiengine
> X-Junkmail-IWF: false
> X-Mirapoint-Virus-RAPID-Raw: score=known(0),
> 	refid=r	ip 8.97.132.81,
> 	so 11-06-21 16:49:39,
> 	dmn 11-06-08 23:29:05
> X-Mirapoint-Loop-Id: d4c97e98f68f821d34c16e25e725b9ab
> X-libjamoibt: 2587
>
> Can you send me the first line of output when you run this:
>
> # blkcat -o 63 IMAGE 0 | xxd
>
> Or, if xxd is not found on your system then use 'hexdump'.
>
> I just updated that error message to give more details about what the invalid size is.
>
> thanks,
> brian
>
>
>
> On Jun 19, 2012, at 6:49 PM, M77 wrote:
>
>> Hi to all, I've some problems adding an ntfs image to autopsy, next the adding form:
>>
>>
>> Partition 1 (Type: NTFS (0x07))
>>    Sector Range: 63 to 234420479
>>    Mount Point: 	File System Type:
>>   
>>
>> 	
>>
>> <menu_b_help.jpg>
>> For your reference, the mmls output was the following:
>> DOS Partition Table
>> Offset Sector: 0
>> Units are in 512-byte sectors
>>
>>       Slot    Start        End          Length       Description
>> 02:  00:00   0000000063   0234420479   0234420417   NTFS (0x07)
>>
>>
>> I try to select ntfs from the dropdown menu, but when press add:
>>
>>
>> Testing partitions
>>
>> Partition 1 is not a
>> ntfs
>>   file system
>>
>> Use the browser's back button to fix the data
>>
>> I've mount the image in my system, and it result fully readable.
>> mmls output:
>> DOS Partition Table
>> Offset Sector: 0
>> Units are in 512-byte sectors
>>
>>       Slot    Start        End          Length       Description
>> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
>> 01:  -----   0000000000   0000000062   0000000063   Unallocated
>> 02:  00:00   0000000063   0234420479   0234420417   NTFS (0x07)
>> 03:  -----   0234420480   0234441647   0000021168   Unallocated
>>
>>
>> fls output:
>> Invalid magic value (Not a NTFS file system (invalid sector size))
>>
>>
>> I'm using autopsy 2.24 with TSK 3.2.3
>>
>> Suggestions?
>>
>> Thanks
>>
>> M1001101
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org