Re: [sleuthkit-users] Image searching question
From: Brian C. <ca...@sl...> - 2004-03-30 21:22:10
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mar 30, 2004, at 3:54 PM, Enda Cronnolly wrote:
>
> Yeah, the autopsy stdout trace quotes:
> fsstat: Error: /path/sda2.img is not a NTFS file system image
>
> on an NTFS disk partition that fails to mount on the command line with
> error
> "bad superblock or incorrect filesystem type, or too many filesystems
> mounted".
>
> It would be nice to be able to force the filesystem in autopsy.

You can comment out lines 1854 and 1855 of src/fstools/ntfs.c, recompile, and see how much further it goes :)

>> TSK tools will process a file system image until they encounter an
>> error. They will not try to fix the error or "guess" what the correct
>> value is. TSK also ignores the "dirty" status of a file system, as
>> marked in the super block (or equivalent).
>
> Again, would be *nice* to have conv=noerror type operations.

It is a tough line to walk though. It is simple with 'dd' because each block is independent from the next so an error does not get out of control. With TSK, does the force flag remove all sanity checks from the code or just some? My assumption has been that if there is one big error, then there are more errors and it is going to fail at some point. If you drop all sanity checks, then invalid data could be used and you have to seriously question if the results you are seeing are valid.

My advice for this scenario would be to make a copy of the image and run 'fsck' with as much verbose logging as possible. Analyze the clean version and then compare how the two are different.

brian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFAaeUEOK1gLsdFTIsRAioRAJ9bWOR5kEz8QmHMk6Rajfq6sxouNACeK29o
0mcFtepivP+S/vOayhr2YC0=
=WL9K
-----END PGP SIGNATURE-----
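
Added example, not part of the original message or of TSK: one way to do the "compare how the two are different" step, by hashing the original image to show it was never written to and listing the sector ranges that the repair changed in the working copy. The 512-byte sector size, the file names, and the constructed 16-sector sample image (with sectors 0, 5 and 6 overwritten as a stand-in for a repair tool's writes) are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

SECTOR = 512  # assumed sector size; adjust to the imaged device

def sha256_file(path, chunk=1 << 20):
    """Hash an image so the original can be shown to be unmodified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def changed_ranges(original, repaired, sector=SECTOR):
    """Return [(first_sector, last_sector), ...] where the two images differ."""
    ranges, n = [], 0
    with open(original, "rb") as a, open(repaired, "rb") as b:
        while True:
            x, y = a.read(sector), b.read(sector)
            if not x and not y:
                break
            if x != y:  # also true when one image is shorter than the other
                if ranges and ranges[-1][1] == n - 1:
                    ranges[-1] = (ranges[-1][0], n)  # extend the current run
                else:
                    ranges.append((n, n))
            n += 1
    return ranges

def demo():
    # Constructed sample: a 16-sector "image" and a working copy of it.
    d = tempfile.mkdtemp()
    orig, work = os.path.join(d, "orig.img"), os.path.join(d, "work.img")
    with open(orig, "wb") as f:
        f.write(b"\xAA" * (16 * SECTOR))
    before = sha256_file(orig)
    shutil.copyfile(orig, work)
    with open(work, "r+b") as f:  # stand-in for the repair tool's writes
        for s in (0, 5, 6):
            f.seek(s * SECTOR)
            f.write(b"\x55" * SECTOR)
    return sha256_file(orig) == before, changed_ranges(orig, work)

if __name__ == "__main__":
    print(demo())
```

The reported ranges show which on-disk structures the repair rewrote, which is where results from the two images can be expected to diverge.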