Re: [sleuthkit-users] Problems Acquiring a Bad Drive
From: Brian C. <ca...@sl...> - 2004-06-18 05:15:58
On Jun 17, 2004, at 1:33 PM, Jason Fuller wrote:
> To All:
>
> I am using RH9 with Sleuthkit 1.7 & Autopsy 2.01. I am experiencing
> problems processing an image. I am imaging a "bad" 30gig drive. (i.e.
> it will no longer boot into Win98).
> When I try to add the image to Autopsy, I receive an error stating
> that the image is not fat32. This image is win98 fat32. How can I get
> Autopsy to add the correct image under Fat32, apparently the bad
> blocks are preventing Autopsy to view the partition properly.

Autopsy is complaining because you don't have a boot sector. The first eight sectors of the file system have errors, so dd is writing zeros in those locations. Without the boot sector, TSK doesn't know how big a cluster is, where the FAT is, how big the FAT is etc. FAT32 has a backup copy in sector 6, but that is damaged as well.

So, unless you can find a tool that will try and recreate the boot sector, then Autopsy or TSK won't help.

brian

> [root@localhost levan]# clock ; dcfldd if=/dev/hdb1 of=30gig1.img
> conv=noerror,sync ; clock
> Thu 17 Jun 2004 11:35:44 AM CDT -0.214746 seconds
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+0 records in
> 0+0 records out
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+1 records in
> 1+0 records out
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+2 records in
> 2+0 records out
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+3 records in
> 3+0 records out
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+4 records in
> 4+0 records out
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+5 records in
> 5+0 records out
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+6 records in
> 6+0 records out
> dcfldd: reading `/dev/hdb1': Input/output error
> 0+7 records in
> 7+0 records out
> 58620928 blocks (28639Mb) written.
> 58621114+8 records in
> 58621122+0 records out
> Thu 17 Jun 2004 11:58:23 AM CDT -0.134078 seconds
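
Added example (not part of the original thread and not TSK code): a Python check that reads sector 0 and the FAT32 backup copy at sector 6 of an image and reports whether each is zero-filled, invalid, or parseable for the cluster size and FAT location mentioned in the reply. It assumes 512-byte sectors; the function names and the in-memory sample image are constructed for illustration.

```python
import io
import struct

SECTOR = 512      # assumption: 512-byte sectors
BACKUP_LBA = 6    # FAT32 backup boot sector location named in the reply

def parse_boot_sector(sec):
    """Return the geometry a FAT32 boot sector provides, or None if unusable."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return None
    # BPB fields: bytes/sector, sectors/cluster, reserved sectors, FAT copies
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    (fat_sectors,) = struct.unpack_from("<I", sec, 36)   # FAT32 FAT size
    if (bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1)
            or 0 in (reserved, nfats, fat_sectors)):
        return None
    return {"cluster_bytes": bps * spc, "fat_start_sector": reserved,
            "fat_sectors": fat_sectors, "fat_copies": nfats}

def survey(img):
    """Classify the primary and backup boot sectors of an open image."""
    result = {}
    for name, lba in (("primary", 0), ("backup", BACKUP_LBA)):
        img.seek(lba * SECTOR)
        sec = img.read(SECTOR)
        if len(sec) == SECTOR and not any(sec):
            result[name] = "zero-filled"   # what conv=noerror,sync leaves behind
        elif parse_boot_sector(sec):
            result[name] = "valid"
        else:
            result[name] = "invalid"
    return result

def constructed_image(zeroed_sectors):
    """Constructed sample: 16-sector image with boot sectors at 0 and 6."""
    boot = bytearray(SECTOR)
    struct.pack_into("<HBHB", boot, 11, 512, 32, 32, 2)   # 16 KiB clusters
    struct.pack_into("<I", boot, 36, 14308)               # made-up FAT size
    boot[510:512] = b"\x55\xaa"
    img = bytearray(16 * SECTOR)
    for lba in (0, BACKUP_LBA):
        img[lba * SECTOR:(lba + 1) * SECTOR] = boot
    img[:zeroed_sectors * SECTOR] = bytes(zeroed_sectors * SECTOR)
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for n in (0, 3, 8):   # 8 matches the eight read errors in the thread
        print(n, "sectors zeroed ->", survey(constructed_image(n)))
```

With three sectors zeroed the backup copy is still usable; with eight, both copies are gone, which is the situation the reply describes.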