Re: [sleuthkit-users] Partial image file recovery
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Partial image file recovery
|
From: Ketil F. <ke...@fr...> - 2014-03-20 10:37:25
|
I tried autopsy 3.0.9, and autopsy seems to do just as well as EnCase 6 for the folder I was looking for, so that is very good! I guess part of my mistake was using the sleuthkit bundled with Ubuntu, which is v3.2.3... Sorry for the noise, I'll try some more. On 20 March 2014 10:47, Ketil Froyn <ke...@fr...> wrote: > Hi, > > I have an image from a malfunctioning hard drive where some sectors could > not be read. Using different tools, I am getting different success rates > when recovering files from an NTFS file system. > > With sleuthkit I am not getting very far at all. FLS gives me some > different errors depending on how I run it: > > $ fls -i split -o 64 -l -p -r file*.bin > Error in metadata structure (Extension record 90739 (file ref = 0) is not > for attribute list of 2584) > $ fls -i split -o 64 -l -p -r file*.bin 2 > Attribute not found in file (tsk_fs_attrlist_get: Attribute 144 not found) > ( - dent_walk: $IDX_ROOT not found) > > EnCase 6 actually manages to read this file system very well, and > reconstructed lots of files from a folder where the MFT was actually > unreadable, but it seems to have used an old version of that folder's MFT > instead. > > Are there any tricks to getting sleuthkit to work better with partial > images like this? > > Regards, Ketil > -- -Ketil <http://ketil.froyn.name/> |
