Re: [sleuthkit-users] problem analysing apple hard disk
From: Alessandro F. <at...@gm...> - 2014-09-10 16:54:21
Hi Brian,

don't worry about the delay... I'm very grateful for your answers ;)
I've started Autopsy another time: new case, same image, file ingestion.
In the log I've found these "non critical" errors:

*******************
Errors occured while ingesting image
1. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
2.
3. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
4. )
......
550485. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
550486. Cannot determine file system type (Sector offset: 235708600, Partition Type: Recovery HD)
550487. Error reading image file (ewf_image_read - offset: 20480 - len: 65536 - Result too large) (TskAutoDb::addFsInfoUnalloc: error opening fs at offset 20480)
550488. Error reading image file (ewf_image_read - offset: 209736704 - len: 65536 - Result too large) (TskAutoDb::addFsInfoUnalloc: error opening fs at offset 209735680)
********************

The first errors are repeated a lot of times. Then the error about the image.
I assure you that the image is ok, I manage to mount and browse it with ftk (in Windows) and ewfmount (in linux).
If you think it can be useful, I could send in private a couple of screenshots with Autopsy and FTK.

Thanks in advance for your help
Alessandro

2014-09-10 3:39 GMT+02:00 Brian Carrier <ca...@sl...>:

> Hi Alessandro,
>
> Sorry for the delayed response. I had a bit of travel going on.
>
> Can you add the image to a case again and notice in the final panel of
> the "Add Data Source" wizard if there is a button that says that there were
> errors ingesting the image? If so, can you click on the button and send the
> messages?
>
> We should review that panel because there have been several cases where
> people don't notice that some errors occurred...
>
> thanks,
> brian
>
>
> On Sep 2, 2014, at 12:14 PM, Alessandro Farina <at...@gm...> wrote:
>
> > Yes.
> > If I select the partition in the partitions tree, nothing is shown in the
> > detail window.
> >
> >
> > 2014-08-21 4:09 GMT+02:00 Brian Carrier <ca...@sl...>:
> > So the image has four partitions, but one of them isn't showing any
> > files?
> >
> >
> > On Aug 14, 2014, at 5:42 AM, Alessandro Farina <at...@gm...> wrote:
> >
> > > Hi
> > > I'm analysing an image (EWF) extracted from an iMac.
> > > The disk (image) has 4 partitions: 2 HFS+ and 2 NTFS (BOOTCAMP).
> > > I'm using Autopsy 3.0.10 on Windows 7 SP1.
> > > From the partition browser I can't access one of the HFS+ partitions.
> > > The image file is ok, in fact I can mount and browse all the partitions
> > > in linux (via ewfmount) without any problem. The same happens if I access
> > > the image via ftk mounter on windows.
> > > I think there is some sort of problem with Autopsy and I would like to
> > > help with analysis and debug.
> > > I can't send too much info on the contents because it is part of an ongoing
> > > investigation, but I think I can share info on disk and partition
> > > structure.
> > > Any help will be very appreciated.
> > >
> > > Thanks in advance
> > > Alessandro
> > >
> > > _______________________________________________
> > > sleuthkit-users mailing list
> > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > > http://www.sleuthkit.org