Re: [sleuthkit-users] Image searching question
From: Enda C. <en...@co...> - 2004-03-30 20:56:53

Quoting: "Brian Carrier" <carrier@sle
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mar 30, 2004, at 2:55 AM, Enda Cronnolly wrote:
> > What happens Brian if you are working with a corrupt filesystem from a
> > system crash, and the partition is not mountable? Is it possible to
> > analyse
> > fragments / chunks of a damaged partition using the filesystem rules?
>
> It depends on why the image is corrupt. TSK doesn't do a full check of
> the FS before it starts to analyze it. Autopsy checks the image when
> importing into Autopsy by running the 'fsstat' tool on the image to see
> if it can read the superblock and other general file system data. The
> goal of that is to detect when users enter the wrong file system type.

Yeah, the autopsy stdout trace quotes:

    fsstat: Error: /path/sda2.img is not a NTFS file system image

on an NTFS disk partition that fails to mount on the command line with
error "bad superblock or incorrect filesystem type, or too many
filesystems mounted". It would be nice to be able to force the
filesystem in autopsy.

> TSK tools will process a file system image until they encounter an
> error. They will not try to fix the error or "guess" what the correct
> value is. TSK also ignores the "dirty" status of a file system, as
> marked in the super block (or equivalent).

Again, would be *nice* to have conv=noerror type operations.

End of wish listing.... ;-)

-Enda.