Re: [sleuthkit-users] Help: invalid MFT magic error message
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Help: invalid MFT magic error message
|
From: Brian C. <ca...@sl...> - 2004-07-30 19:37:21
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Jul 30, 2004, at 12:26 PM, Paul wrote: > Hi, > I am getting an error message using Autopsy when I press the link to > 'Find > Meta Data Address' in the the 'keyword search' results window. ... > The result in the console window is: ifind: entry 16 has an invalid > MFT magic: > 1 1? I hadn't seen that yet. There is a 4 byte magic value at the start of each MFT entry and it should say "FILE" (or "BAAD" if it is corrupt). Some users have reported a value of 0. I had been planning a larger scale fix to these errors with 'ifind' when it finds a strange image, but I've made a more specific fix (since others run into this as well). Replace src/fstools/ntfs.c with the one at: http://www.sleuthkit.org/sleuthkit/ntfs.c This will still give the magic error for normal analysis, but not for running 'ifind'. brian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQFBCqNlOK1gLsdFTIsRAmf5AJ9Vkws2+cZBQN5QQbo/O53lzN5CEQCeOtmZ hH7LfNzrXsOeJtlehVXA9Qc= =Kx7z -----END PGP SIGNATURE----- |
