Re: [sleuthkit-users] filesystem recovery using sleuthkit
From: Brian C. <ca...@sl...> - 2005-01-10 14:30:32
On Jan 9, 2005, at 12:50 PM, Jim Cromie wrote:

> Qs:
>
> is it common on MS OSs that partition type and fs type are different ?

No. Windows uses the partition type to determine if it will mount the partition and how to mount it.

> is the choice of filesystem completely dictated by the root-directory ?

The other way around. Each file system has its own way of storing the contents of a directory and FAT and NTFS are MUCH different.

> is the choice overridable ?
> is there a reason it's not automatic - since it seems to reject the
> 'wrong' choices ?

Autopsy does some sanity checks when you import the image so that you can more quickly determine when you select the wrong one (I am currently working on autodetect for the next version). FAT and NTFS (and partition tables) are difficult because they all use the same signature value in the last two bytes of the first sector. FYI - choosing just fat will autodetect which type of FAT.

> is it possible to not care ?
> in my case, I hope to find that the vast majority of directories
> look to be uncorrupted - ie the directory entries are legal,
> and point to files that match whatever metadata is stored in the
> directory entry itself,
> and link to each other properly.

I have no clue what happened during the Windows recovery stuff. TSK / Autopsy does not fix damaged file systems. It only shows what is there. I think you need to look into some FAT/NTFS fixing tools.

Just to confirm, you did import the partition image and not the disk image, right? The current version supports only partition images. The '$Data not found while loading the MFT' is sometimes found when you try to process a disk image as NTFS (because they share the same magic value).

> wrt:
> Calculating MD5 of images/whole.img (this could take a while)
> +----+----+----+----+----+----+----+----+----+----+----+----+----+----+-
>
> it would be nice to have some estimate of ' a while',
> ie how big the ticks are,

The ticks are every few seconds, not a percentage. Percentage would be nice, but difficult given the current design.

brian
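
The shared-signature problem described in the message above, as an added example that is not part of the original post and is not TSK or Autopsy code: a heuristic that looks past the common `55 AA` bytes to tell an NTFS boot sector, a FAT boot sector and a partition table apart. The function names and sample sectors are constructed for illustration, and the field offsets are the standard boot sector and MBR layouts.

```python
import struct

SECTOR = 512

def _plausible_fat_bpb(sec):
    # BIOS parameter block fields at offset 11: bytes/sector, sectors/cluster,
    # reserved sector count, number of FATs (NTFS sets the last two to 0).
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    return (bps in (512, 1024, 2048, 4096)
            and spc in (1, 2, 4, 8, 16, 32, 64, 128)
            and reserved >= 1 and nfats in (1, 2))

def _plausible_mbr(sec):
    # Four 16-byte partition slots start at offset 446.
    slots = [sec[446 + 16 * i:462 + 16 * i] for i in range(4)]
    used = [s for s in slots if s[4] != 0]          # byte 4 = partition type
    return (bool(used)
            and all(s[0] in (0x00, 0x80) for s in slots)   # boot flag
            and all(struct.unpack_from("<I", s, 12)[0] > 0 for s in used))

def classify_first_sector(sec):
    """Heuristic label for a first sector: 'ntfs', 'fat', 'mbr' or 'unknown'."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return "unknown"              # the shared signature is absent
    if sec[3:11] == b"NTFS    ":      # OEM ID field of an NTFS boot sector
        return "ntfs"
    if _plausible_fat_bpb(sec):
        return "fat"
    if _plausible_mbr(sec):
        return "mbr"                  # a disk image, not a partition image
    return "unknown"

def constructed_sector(kind):
    """Build a minimal sample sector (constructed data, not from a real disk)."""
    s = bytearray(SECTOR)
    s[510:512] = b"\x55\xaa"
    if kind == "ntfs":
        s[3:11] = b"NTFS    "
        struct.pack_into("<HB", s, 11, 512, 8)
    elif kind == "fat":
        s[3:11] = b"MSDOS5.0"
        struct.pack_into("<HBHB", s, 11, 512, 4, 32, 2)
    elif kind == "mbr":               # one active slot, type 0x07, LBA 63
        struct.pack_into("<B3sB3sII", s, 446, 0x80, b"\x01\x01\x00",
                         0x07, b"\xfe\xff\xff", 63, 1000000)
    return bytes(s)

if __name__ == "__main__":
    for kind in ("ntfs", "fat", "mbr", "bare"):
        print(kind, "->", classify_first_sector(constructed_sector(kind)))
```

A result of `mbr` on an image about to be imported as a partition is the disk-image-versus-partition-image mix-up the reply asks about.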