Re: [sleuthkit-users] AddImageProcess Problem with NTFS partition
From: Luís F. N. <lfc...@gm...> - 2015-01-08 13:29:16
Thank you, guys. We had already decoded the partition with another forensic tool. My question is if the error is a sleuthkit bug or, if not, if it is possible to improve sleuthkit to recover from this kind of error.

Regards,
Luis

2015-01-07 20:00 GMT-02:00 slo...@gm... <slo...@gm...>:

> Building on Simson's comments, the Linux xmount tool allows you to mount
> an image with a cache file that catches any changes that would normally be
> written to a device. You could mount with 'xmount --cache' and then run
> ntfsck or testdisk to try to correct any file system/partition errors.
> Changes are written to the cache file and your image remains unaltered.
>
> xmount v0.7.3 Copyright (c) 2008-2014 by Gillen Daniel <gil...@pi...>
>
> Usage:
>   xmount [fopts] <xopts> <mntp>
>
> Options:
>   fopts:
>     -d : Enable FUSE's and xmount's debug mode.
>     -h : Display this help message.
>     -s : Run single threaded.
>     -o no_allow_other : Disable automatic addition of FUSE's allow_other option.
>     -o <fopts> : Specify fuse mount options. Will also disable automatic
>                  addition of FUSE's allow_other option!
>
>   xopts:
>     --cache <cfile> : Enable virtual write support.
>                       <cfile> specifies the cache file to use.
>     --in <itype> <ifile> : Input image format and source file(s). May be
>                            specified multiple times.
>                            <itype> can be "aewf", "ewf", "raw", "dd", "aaff".
>                            <ifile> specifies the source file. If your image is split into
>                            multiple files, you have to specify them all!
>
> On Wed Jan 07 2015 at 10:50:55 AM Simson Garfinkel <si...@ac...> wrote:
>
>> You might try making a copy of the file system to another drive and then
>> running an NTFS recovery program, such as chkdsk or a commercial program.
>> Not forensically sound, but at least you might get the data.
>>
>> On Wed, Jan 7, 2015 at 11:44 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>>
>>> Hi,
>>>
>>> AddImageProcess is not being able to decode the directory tree of an NTFS
>>> partition with dozens of thousands of files (none of them was located). The
>>> following error is shown:
>>>
>>> "Error in metadata structure (Extension record 148369 (file ref = 0) is
>>> not for attribute list of 148368) (Error walking directory in file system
>>> at offset 869269504)"
>>>
>>> I attached the first 100KB of the referenced partition. Any help will be
>>> appreciated.
>>>
>>> Thank you,
>>> Luis
>>>
>>> ------------------------------------------------------------------------------
>>> Dive into the World of Parallel Programming! The Go Parallel Website,
>>> sponsored by Intel and developed in partnership with Slashdot Media, is your
>>> hub for all things parallel software development, from weekly thought
>>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>>> look and join the conversation now. http://goparallel.sourceforge.net
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
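As an added illustration (not code from this thread or from The Sleuth Kit itself), the Python below reproduces the consistency check behind the quoted error: when an $ATTRIBUTE_LIST names an extension MFT record, the extension record's base-record reference (FILE record header offset 0x20, low 48 bits entry number, high 16 bits sequence) must point back at the base entry, and a value of 0 means the entry is a plain base record, which is exactly the "file ref = 0" in the message. The records used here are constructed in-memory stand-ins, and the error string format is copied from the message quoted above, not from TSK's source.

```python
import struct
from typing import Optional

# NTFS FILE record (MFT entry) header offsets; all fields are little-endian.
FILE_SIG = b"FILE"
SEQ_OFF = 0x10        # 2-byte sequence number of this record
FLAGS_OFF = 0x16      # 2-byte flags: 0x01 = in use, 0x02 = directory
BASE_REF_OFF = 0x20   # 8-byte file reference to the base record (0 for a base record)


def parse_mft_header(record: bytes) -> dict:
    """Extract the header fields needed to validate an attribute-list extension record."""
    if len(record) < 0x30 or record[:4] != FILE_SIG:
        raise ValueError("not a FILE record (signature %r)" % record[:4])
    (seq,) = struct.unpack_from("<H", record, SEQ_OFF)
    (flags,) = struct.unpack_from("<H", record, FLAGS_OFF)
    (base_ref,) = struct.unpack_from("<Q", record, BASE_REF_OFF)
    return {
        "seq": seq,
        "in_use": bool(flags & 0x01),
        "base_entry": base_ref & 0xFFFFFFFFFFFF,  # low 48 bits: MFT entry number
        "base_seq": base_ref >> 48,                # high 16 bits: sequence number
    }


def check_extension_record(ext_record: bytes, ext_entry: int, base_entry: int) -> Optional[str]:
    """Return None if ext_record is a valid extension of base_entry, else an error string
    in the same shape as the TSK message quoted in the thread."""
    hdr = parse_mft_header(ext_record)
    if hdr["base_entry"] != base_entry:
        return ("Extension record %d (file ref = %d) is not for attribute list of %d"
                % (ext_entry, hdr["base_entry"], base_entry))
    return None


def make_record(base_entry: int, base_seq: int = 0, seq: int = 1, flags: int = 1) -> bytes:
    """Build a constructed 1024-byte FILE record header for testing; not a real MFT dump."""
    rec = bytearray(1024)
    rec[:4] = FILE_SIG
    struct.pack_into("<H", rec, SEQ_OFF, seq)
    struct.pack_into("<H", rec, FLAGS_OFF, flags)
    struct.pack_into("<Q", rec, BASE_REF_OFF, (base_seq << 48) | base_entry)
    return bytes(rec)


if __name__ == "__main__":
    # Replay the thread's case: entry 148369 claims no base record, yet 148368's list names it.
    print(check_extension_record(make_record(0), 148369, 148368))
    # A well-formed extension record passes the check.
    print(check_extension_record(make_record(148368, base_seq=3), 148369, 148368))
```

Running the script prints the page's error text for the bad record and None for the good one, which is the distinction a parser must make before trusting the extension record's attributes.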