Re: [sleuthkit-users] Partial image file recovery
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Partial image file recovery
|
From: Ketil F. <ke...@fr...> - 2014-03-20 11:55:36
|
Thanks. This image was made with data recovery tools, and some sectors couldn't be read. Cheers, Ketil On 20 March 2014 12:38, Atila <ati...@dp...> wrote: > I don't know how you made your image, but it's worth mentioning that gnu > ddrescue is very good in those cases. While some other tools just skip bad > sectors, gnu ddrescue keeps a log of them, so you can retry again later how > many times you like. > > > On 20-03-2014 07:37, Ketil Froyn wrote: > > I tried autopsy 3.0.9, and autopsy seems to do just as well as EnCase 6 > for the folder I was looking for, so that is very good! I guess part of my > mistake was using the sleuthkit bundled with Ubuntu, which is v3.2.3... > Sorry for the noise, I'll try some more. > > > On 20 March 2014 10:47, Ketil Froyn <ke...@fr...> wrote: > >> Hi, >> >> I have an image from a malfunctioning hard drive where some sectors could >> not be read. Using different tools, I am getting different success rates >> when recovering files from an NTFS file system. >> >> With sleuthkit I am not getting very far at all. FLS gives me some >> different errors depending on how I run it: >> >> $ fls -i split -o 64 -l -p -r file*.bin >> Error in metadata structure (Extension record 90739 (file ref = 0) is not >> for attribute list of 2584) >> $ fls -i split -o 64 -l -p -r file*.bin 2 >> Attribute not found in file (tsk_fs_attrlist_get: Attribute 144 not >> found) ( - dent_walk: $IDX_ROOT not found) >> >> EnCase 6 actually manages to read this file system very well, and >> reconstructed lots of files from a folder where the MFT was actually >> unreadable, but it seems to have used an old version of that folder's MFT >> instead. >> >> Are there any tricks to getting sleuthkit to work better with partial >> images like this? >> >> Regards, Ketil >> > > > > -- > -Ketil > > > ------------------------------------------------------------------------------ > Learn Graph Databases - Download FREE O'Reilly Book > "Graph Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, > this first edition is now available. Download your free book today!http://p.sf.net/sfu/13534_NeoTech > > > > _______________________________________________ > sleuthkit-users mailing listhttps://lists.sourceforge.net/lists/listinfo/sleuthkit-usershttp://www.sleuthkit.org > > > -- -Ketil <http://ketil.froyn.name/> |
