[sleuthkit-users] fsstat: Incorrect update sequence value in MFT entry
From: Joerg F. <Joe...@un...> - 2004-10-12 11:53:35
Hi,

I encountered the same problem as Hans-Peter; see:
http://sourceforge.net/mailarchive/forum.php?thread_id=5697461&forum_id=10358

root@hitchhiker:/mnt# fsstat -v -f ntfs disk.p1.dd
ntfs_mft_lookup: Processing MFT 0
fs_read_random: read offs 65536 len 1024 (mft read)
fsstat: Incorrect update sequence value in MFT entry
Update Value: 0x0 Actual Value: 0x993 Replacement Value: 0x0
This is typically because of a corrupted entry

root@hitchhiker:/mnt# fsstat -v -f ntfs disk.p2.dd
ntfs_mft_lookup: Processing MFT 0
fs_read_random: read offs 8192 len 1024 (mft read)
fsstat: Incorrect update sequence value in MFT entry
Update Value: 0x0 Actual Value: 0x28 Replacement Value: 0x0
This is typically because of a corrupted entry

root@hitchhiker:/mnt# fsstat -v -f ntfs disk.p3.dd
ntfs_mft_lookup: Processing MFT 0
fs_read_random: read offs 16384 len 1024 (mft read)
fsstat: Incorrect update sequence value in MFT entry
Update Value: 0x0 Actual Value: 0x23 Replacement Value: 0x0
This is typically because of a corrupted entry

I attached the MFTs. Hope this helps debugging this problem.

btw: I also use Debian Sarge, sleuthkit 1.72. I created an hd-image with dd and split the three partitions with the help of mmls.

Maybe you also need this info:

root@hitchhiker:/mnt# file disk.*
disk.dd: x86 boot sector
disk.p1.dd: x86 boot sector, code offset 0x52, OEM-ID "NTFS ", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, heads 255, hidden sectors 63, dos < 4.0 BootSector (0x80)
disk.p2.dd: x86 boot sector, code offset 0x52, OEM-ID "NTFS ", reserved sectors 0, Media descriptor 0xf8, heads 255, hidden sectors 63, dos < 4.0 BootSector (0x80)
disk.p3.dd: x86 boot sector, code offset 0x52, OEM-ID "NTFS ", sectors/cluster 2, reserved sectors 0, Media descriptor 0xf8, heads 255, hidden sectors 63, dos < 4.0 BootSector (0x80)

-- 
Jörg Friedrich

There are only 10 types of people:
Those who understand binary and those who don't.
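
For readers triaging this error: an added example (not part of the original message, and not The Sleuth Kit's code) of how an NTFS update sequence (fixup) check on a 1024-byte MFT entry works in general. The function names, the constructed sample entry and the mapping of the tuple fields to the "Update/Actual/Replacement Value" labels in the output above are assumptions.

```python
import struct

SECTOR = 512  # NTFS applies fixups to the last 2 bytes of every 512-byte sector

def check_fixups(record: bytes):
    """Verify and undo the update sequence fixups of one MFT entry.

    Returns (repaired_record, mismatches); each mismatch is
    (sector_index, update_value, actual_value, replacement_value).
    The field naming mirrors the tool output above and is an assumption.
    """
    if record[:4] != b"FILE":
        raise ValueError("not an MFT entry (missing FILE signature)")
    # Header: offset 4 = offset of update sequence array, offset 6 = entry count
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    sectors = usa_count - 1  # first array slot holds the update sequence value
    if sectors < 1 or sectors * SECTOR > len(record) \
            or usa_off + 2 * usa_count > len(record):
        raise ValueError("update sequence array does not fit the record")
    update_value = struct.unpack_from("<H", record, usa_off)[0]
    fixed = bytearray(record)
    mismatches = []
    for i in range(sectors):
        tail = (i + 1) * SECTOR - 2
        actual = struct.unpack_from("<H", record, tail)[0]
        replacement = struct.unpack_from("<H", record, usa_off + 2 * (i + 1))[0]
        if actual != update_value:
            # Sector tail does not carry the expected marker: torn or corrupt
            mismatches.append((i, update_value, actual, replacement))
        else:
            struct.pack_into("<H", fixed, tail, replacement)  # restore real bytes
    return bytes(fixed), mismatches

def build_sample_entry(update_value=0x0005, originals=(0x1111, 0x2222)):
    """Constructed sample data: a 1024-byte MFT entry with valid fixups."""
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, len(originals) + 1)
    struct.pack_into("<H", rec, 0x30, update_value)
    for i, orig in enumerate(originals):
        struct.pack_into("<H", rec, 0x30 + 2 * (i + 1), orig)
        struct.pack_into("<H", rec, (i + 1) * SECTOR - 2, update_value)
    return bytes(rec)

if __name__ == "__main__":
    torn = bytearray(build_sample_entry())
    torn[1022:1024] = b"\x93\x09"  # constructed: second sector tail overwritten
    print(check_fixups(bytes(torn))[1])
```

A mismatch in every sector of entry 0 on several otherwise healthy partitions, as in the report above, points at how the header is being read rather than at damage on disk, so checking the same bytes with an independent parser is a useful first step.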