Re: [sleuthkit-users] FAT12 images unreadable by TSK
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] FAT12 images unreadable by TSK
|
From: Simson G. <si...@ac...> - 2012-11-21 14:24:51
|
Your problem is probably that you are using TSK 3.2.3. You should upgrade to 4.0. Unfortunately Brian hasn't yet integrated fiwalk into TSK; it's next on the list. Until Brian finishes the integration, you can grab my fork of TSK 4.0 that has fiwalk installed: https://github.com/simsong/sleuthkit On Nov 20, 2012, at 11:24 PM, Donald Mennerich <don...@ny...> wrote: > Hello list, > > I'm working on a project where we are archiving many floppy disks as raw disk images. We are using TSK/Fiwalk to extract dfxml from all the images, the collection is entirely composed of FAT12 formatted PC disks. Today we hit a patch of disks that the TSK bins (v3.2.3 on OSX) will not parse, but, if I load them into FTK Imager or FTK the file system is identified as FAT12 and the volume seems like a normal floppy disk image. > > The BS and BPB structures look normal, but end directly after the BPB_HiddSec field. I've posted below the BPB info I extracted and an xxd render of the first 160 bytes of the disk. Hopefully this will remain monospaced in your email and does not look like complete rubbish. I am curious if anyone is able to diagnose what it is about these disks that makes them disagreeable to TSK. Does the OEM name "VTI 2.1" mean anything to anyone? Because of confidentiality I unfortunately cannot post entire disk images. > > > dm$ ./fatinfo /Volumes/Staging/Imaging_Workflow/A_Incoming/181.001 > FATVOL INFO > BS_jmpBoot: e9 68 01 > BS_OEMName: VTI 2.1 > BPB_BytsPerSec: 512 > BPB_SecPerClus: 1 > BPB_RsvdSecCnt: 0 > BPB_NumFATs: 2 > BPB_RootEntCnt: 112 > BPB_TotSec16: 720 > BPB_Media: fd > BPB_FATSz16: 2 > BPB_SecPerTrk: 9 > BPB_NumHeads: 2 > BPB_HiddSec: 0 > > > > 0000000: e968 0156 5449 2020 322e 3100 0202 0100 .h.VTI 2.1..... > 0000010: 0270 00d0 02fd 0200 0900 0200 0000 0000 .p.............. > 0000020: 0c00 00df 0225 0209 2aff 50f6 0002 0000 .....%..*.P..... > 0000030: 0d0a 4469 736b 2062 6f6f 7420 6661 696c ..Disk boot fail > 0000040: 7572 e50d 0a4e 6f6e 2d53 7973 7465 6d20 ur...Non-System > 0000050: 6469 736b 206f 7220 6469 736b 2065 7272 disk or disk err > 0000060: 6ff2 0d0a 5265 706c 6163 6520 616e 6420 o...Replace and > 0000070: 7479 7065 2061 6e79 206b 6579 2077 6865 type any key whe > 0000080: 6e20 7265 6164 790d 8a69 626d 6269 6f20 n ready..ibmbio > 0000090: 2063 6f6d 6962 6d64 6f73 2020 636f 6de8 comibmdos com. > > > Thanks, > > Don > > -- > Donald Mennerich, digital archivist > The New York Public Library > don...@ny... > > ------------------------------------------------------------------------------ > Monitor your physical, virtual and cloud infrastructure from a single > web console. Get in-depth insight into apps, servers, databases, vmware, > SAP, cloud infrastructure, etc. Download 30-day Free Trial. > Pricing starts from $795 for 25 servers or applications! > http://p.sf.net/sfu/zoho_dev2dev_nov_______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |