[sleuthkit-users] Partial image file recovery
From: Ketil F. <ke...@fr...> - 2014-03-20 10:51:16
Hi,

I have an image from a malfunctioning hard drive where some sectors could not be read. Using different tools, I am getting different success rates when recovering files from an NTFS file system. With sleuthkit I am not getting very far at all. FLS gives me some different errors depending on how I run it:

$ fls -i split -o 64 -l -p -r file*.bin
Error in metadata structure (Extension record 90739 (file ref = 0) is not for attribute list of 2584)

$ fls -i split -o 64 -l -p -r file*.bin 2
Attribute not found in file (tsk_fs_attrlist_get: Attribute 144 not found) ( - dent_walk: $IDX_ROOT not found)

EnCase 6 actually manages to read this file system very well, and reconstructed lots of files from a folder where the MFT was actually unreadable, but it seems to have used an old version of that folder's MFT instead.

Are there any tricks to getting sleuthkit to work better with partial images like this?

Regards,
Ketil