Re: [sleuthkit-users] AddImageProcess Problem with NTFS partition
From: <slo...@gm...> - 2015-01-07 22:00:11
Building on Simson's comments, the Linux xmount tool allows you to mount an image with a cache file that catches any changes that would normally be written to a device. You could mount with 'xmount --cache' and then run ntfsck or testdisk to try to correct any file system/partition errors. Changes are written to the cache file and your image remains unaltered.

xmount v0.7.3 Copyright (c) 2008-2014 by Gillen Daniel < gil...@pi...>

Usage:
  xmount [fopts] <xopts> <mntp>

Options:
  fopts:
    -d : Enable FUSE's and xmount's debug mode.
    -h : Display this help message.
    -s : Run single threaded.
    -o no_allow_other : Disable automatic addition of FUSE's allow_other option.
    -o <fopts> : Specify fuse mount options. Will also disable automatic addition of FUSE's allow_other option!
  xopts:
    --cache <cfile> : Enable virtual write support. <cfile> specifies the cache file to use.
    --in <itype> <ifile> : Input image format and source file(s). May be specified multiple times. <itype> can be "aewf", "ewf", "raw", "dd", "aaff". <ifile> specifies the source file. If your image is split into multiple files, you have to specify them all!

On Wed Jan 07 2015 at 10:50:55 AM Simson Garfinkel <si...@ac...> wrote:

> You might try making a copy of the file system to another drive and then
> running an NTFS recovery program, such as chkdsk or a commercial program.
> Not forensically sound, but at least you might get the data.
>
> On Wed, Jan 7, 2015 at 11:44 AM, Luís Filipe Nassif <lfc...@gm...>
> wrote:
>
>> Hi,
>>
>> AddImageProcess is not being able to decode the directory tree of a NTFS
>> partition with dozens of thousands of files (none of them was located). The
>> following error is shown:
>>
>> "Error in metadata structure (Extension record 148369 (file ref = 0) is
>> not for attribute list of 148368) (Error walking directory in file system
>> at offset 869269504)"
>>
>> I attached the first 100KB of the referenced partition. Any help will be
>> appreciated.
>>
>> Thank you,
>> Luis
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
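
The xmount workflow suggested in the reply above, as an added example that is not part of the original message or of xmount itself: it mounts the image with --cache, runs a repair command against the virtual image, and hashes the evidence file before and after to confirm it was not altered. The file names, the "raw" input type, the function names, and the availability of sha256sum and fusermount are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): repair on an xmount write cache and
# prove the evidence image is byte-for-byte unchanged afterwards.
# Assumed: sha256sum and fusermount are installed; the input type is "raw".

# sha256_of FILE -> prints only the hex digest of FILE
sha256_of() { sha256sum -- "$1" | awk '{print $1}'; }

# guard_image IMAGE CMD [ARGS...]
# Hashes IMAGE, runs CMD, hashes IMAGE again.
# Returns 3 if the digest changed, 2 if hashing failed, else CMD's status.
guard_image() {
    local image=$1; shift
    local before after rc=0
    before=$(sha256_of "$image") || return 2
    "$@" || rc=$?
    after=$(sha256_of "$image") || return 2
    if [ "$before" != "$after" ]; then
        echo "ALTERED: $image ($before -> $after)" >&2
        return 3
    fi
    echo "unchanged: $image sha256=$before" >&2
    return "$rc"
}

# repair_on_overlay IMAGE CACHE MNT CMD [ARGS...]
# Mounts IMAGE via xmount so that all writes land in CACHE, runs CMD (which
# should target the virtual image exposed under MNT), then unmounts.
repair_on_overlay() {
    local image=$1 cache=$2 mnt=$3; shift 3
    local rc=0
    mkdir -p -- "$mnt"
    xmount --in raw "$image" --cache "$cache" "$mnt" || return 1
    "$@" || rc=$?
    fusermount -u "$mnt"
    return "$rc"
}

# Typical call (all paths hypothetical; the name of the virtual image that
# xmount exposes under the mount point must be checked with ls first):
#   guard_image evidence.dd \
#       repair_on_overlay evidence.dd evidence.cache /mnt/xm \
#       testdisk /mnt/xm/<virtual-image>
```

Keep the cache file with the case notes: it holds every change the repair tool made, so the repaired view can be reproduced from the untouched image later.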