Re: [sleuthkit-users] Image searching qurestion

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 30, 2004, at 2:55 AM, Enda Cronnolly wrote:
> What happens Brian if you are working with a corrupt filesystem from a
> system crash, and the parition is not mountable? is it possible to 
> analyse
> fragments / chunks of a damaged partition using the filesystem rules?

It depends on why the image is corrupt.  TSK doesn't do a full check of 
the FS before it starts to analyze it.  Autopsy checks the image when 
importing into Autopsy by running the 'fsstat' tool on the image to see 
if it can read the superblock and other general file system data.  That 
goal of that is to detect when users enter the wrong file system type.

TSK tools will process a file system image until they encounter an 
error.  They will not try to fix the error or "guess" what the correct 
value is.  TSK also ignores the "dirty" status of a file system, as 
marked in the super block (or equivalent).

brian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAaXuvOK1gLsdFTIsRAsUPAJ9xKoYJ64XBI3/YyZ8zTjXVfsQpSgCfcyWN
3lE0aWjd9r817dsZAmb2iBk=
=rXYW
-----END PGP SIGNATURE-----