Re: [sleuthkit-users] Partial image file recovery
From: Atila <ati...@dp...> - 2014-03-20 11:38:26
I don't know how you made your image, but it's worth mentioning that GNU ddrescue is very good in those cases. While some other tools just skip bad sectors, GNU ddrescue keeps a log of them, so you can retry later as many times as you like.

On 20-03-2014 07:37, Ketil Froyn wrote:
> I tried autopsy 3.0.9, and autopsy seems to do just as well as EnCase
> 6 for the folder I was looking for, so that is very good! I guess part
> of my mistake was using the sleuthkit bundled with Ubuntu, which is
> v3.2.3... Sorry for the noise, I'll try some more.
>
> On 20 March 2014 10:47, Ketil Froyn <ke...@fr...> wrote:
>
> > Hi,
> >
> > I have an image from a malfunctioning hard drive where some
> > sectors could not be read. Using different tools, I am getting
> > different success rates when recovering files from an NTFS file
> > system.
> >
> > With sleuthkit I am not getting very far at all. FLS gives me some
> > different errors depending on how I run it:
> >
> > $ fls -i split -o 64 -l -p -r file*.bin
> > Error in metadata structure (Extension record 90739 (file ref = 0)
> > is not for attribute list of 2584)
> > $ fls -i split -o 64 -l -p -r file*.bin 2
> > Attribute not found in file (tsk_fs_attrlist_get: Attribute 144
> > not found) ( - dent_walk: $IDX_ROOT not found)
> >
> > EnCase 6 actually manages to read this file system very well, and
> > reconstructed lots of files from a folder where the MFT was
> > actually unreadable, but it seems to have used an old version of
> > that folder's MFT instead.
> >
> > Are there any tricks to getting sleuthkit to work better with
> > partial images like this?
> >
> > Regards, Ketil
>
> --
> -Ketil
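The bad-sector log mentioned in the reply above can be compared with where the NTFS metadata sits in the image, which shows whether the unreadable areas hit the MFT. The following is an added example, not part of the thread or of The Sleuth Kit: it parses a constructed ddrescue mapfile and lists the MFT records that fall on unread sectors. The 512-byte sector size, 8 sectors per cluster, 1024-byte records, the MFT start cluster 3064 and an unfragmented MFT are assumptions; only the partition offset of 64 sectors comes from the `fls -o 64` commands quoted above.

```python
SECTOR = 512  # assumed sector size in bytes
# Constructed sample mapfile for a 1 GiB image (not data from the thread).
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue
# current_pos  current_status  current_pass
0x00C08000     +               1
#      pos        size  status
0x00000000  0x00C00000  +
0x00C00000  0x00001000  -
0x00C01000  0x00007000  +
0x00C08000  0x00000400  *
0x00C08400  0x3F3F7C00  +
"""

def parse_mapfile(text):
    """Return (pos, size, status) per data block, skipping comments and the status line."""
    blocks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3 and not f[0].startswith("#") and f[2] in ("?", "*", "/", "-", "+"):
            blocks.append((int(f[0], 0), int(f[1], 0), f[2]))
    return blocks

def unread_ranges(blocks):
    """Merge every block not marked '+' (rescued) into (first, last) sector ranges."""
    ranges = []
    for pos, size, status in blocks:
        if status == "+" or size == 0:
            continue
        first, last = pos // SECTOR, (pos + size - 1) // SECTOR
        if ranges and first <= ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], max(last, ranges[-1][1]))
        else:
            ranges.append((first, last))
    return ranges

def damaged_mft_records(ranges, part_start, mft_cluster, sectors_per_cluster=8,
                        record_bytes=1024, record_count=256):
    """MFT record numbers whose sectors intersect an unread range (contiguous MFT assumed)."""
    mft_first = part_start + mft_cluster * sectors_per_cluster
    per_rec = record_bytes // SECTOR
    return [n for n in range(record_count)
            if any(lo <= mft_first + (n + 1) * per_rec - 1 and hi >= mft_first + n * per_rec
                   for lo, hi in ranges)]

if __name__ == "__main__":
    bad = unread_ranges(parse_mapfile(SAMPLE_MAPFILE))
    print(bad, damaged_mft_records(bad, 64, 3064))  # 64 from 'fls -o 64'; 3064 is hypothetical
```

On a real image the MFT start cluster and cluster size come from the NTFS boot sector rather than from the defaults used here.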