Re: [sleuthkit-users] AddImageProcess Problem with NTFS partition
From: Simson G. <si...@ac...> - 2015-01-08 13:34:25
Hi, Luis. You haven't given enough information. Is the partition corrupt or not? What was the other tool? How did you decode it? Not being able to decode a corrupt partition is not a bug, it's simply the lack of a capability. Being unable to decode a valid partition is a bug. Of course it is possible to improve sleuthkit to recover from this kind of corrupt partition. But you have the partition and the file system. You either need to release the data, so other people can work with it, or you need to fix sleuthkit yourself!

> On Jan 8, 2015, at 8:29 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> Thank you, guys.
>
> We had already decoded the partition with another forensic tool. My question is if the error is a sleuthkit bug or, if not, if it is possible to improve sleuthkit to recover from this kind of error.
>
> Regards,
> Luis
>
> 2015-01-07 20:00 GMT-02:00 slo...@gm... <slo...@gm...>:
> Building on Simson's comments, the Linux xmount tool allows you to mount an image with a cache file that catches any changes that would normally be written to a device. You could mount with 'xmount --cache' and then run ntfsck or testdisk to try to correct any file system/partition errors. Changes are written to the cache file and your image remains unaltered.
>
> xmount v0.7.3 Copyright (c) 2008-2014 by Gillen Daniel <gil...@pi...>
>
> Usage:
>   xmount [fopts] <xopts> <mntp>
>
> Options:
>   fopts:
>     -d : Enable FUSE's and xmount's debug mode.
>     -h : Display this help message.
>     -s : Run single threaded.
>     -o no_allow_other : Disable automatic addition of FUSE's allow_other option.
>     -o <fopts> : Specify fuse mount options. Will also disable automatic addition of FUSE's allow_other option!
>
>   xopts:
>     --cache <cfile> : Enable virtual write support.
>       <cfile> specifies the cache file to use.
>     --in <itype> <ifile> : Input image format and source file(s). May be specified multiple times.
>       <itype> can be "aewf", "ewf", "raw", "dd", "aaff".
>       <ifile> specifies the source file. If your image is split into multiple files, you have to specify them all!
>
>
> On Wed Jan 07 2015 at 10:50:55 AM Simson Garfinkel <si...@ac...> wrote:
> You might try making a copy of the file system to another drive and then running an NTFS recovery program, such as chkdsk or a commercial program. Not forensically sound, but at least you might get the data.
>
> On Wed, Jan 7, 2015 at 11:44 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
> Hi,
>
> AddImageProcess is not being able to decode the directory tree of an NTFS partition with dozens of thousands of files (none of them was located). The following error is shown:
>
> "Error in metadata structure (Extension record 148369 (file ref = 0) is not for attribute list of 148368) (Error walking directory in file system at offset 869269504)"
>
> I attached the first 100KB of the referenced partition. Any help will be appreciated.
>
> Thank you,
> Luis
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
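An added example, not code from this thread or from The Sleuth Kit, showing the metadata consistency check behind the error Luis quotes: an MFT entry referenced from a base record's $ATTRIBUTE_LIST must carry a base file reference pointing back at that base record, and a reference of 0 (as in "file ref = 0") means the entry is not an extension record at all. The FILE record header layout is the standard NTFS one; the two records are constructed test data, and the assumption that TSK compares the 48-bit base reference exactly this way is mine.

```python
import struct

MFT_RECORD_SIZE = 1024  # common NTFS MFT record size; the constructed records below use it


def parse_mft_header(rec: bytes) -> dict:
    """Parse the fixed part of an NTFS MFT FILE record header (standard layout)."""
    if len(rec) < 0x30 or rec[:4] != b"FILE":
        raise ValueError("not a FILE record (bad signature)")
    seq, links, attr_off, flags, used, alloc, base_ref = struct.unpack_from("<HHHHIIQ", rec, 0x10)
    return {
        "sequence": seq,
        "hard_links": links,
        "first_attr_offset": attr_off,
        "in_use": bool(flags & 0x01),
        "base_entry": base_ref & 0xFFFFFFFFFFFF,  # low 48 bits: MFT entry number of the base record
        "base_sequence": base_ref >> 48,          # high 16 bits: that record's sequence number
        "record_number": struct.unpack_from("<I", rec, 0x2C)[0],
    }


def check_extension_record(rec: bytes, expected_base: int) -> str:
    """An entry named in a base record's $ATTRIBUTE_LIST must point back at that base.
    A base reference of 0 (as in the quoted error) means the entry is a base record itself,
    so the attribute list cannot be trusted. Assumed to mirror TSK's check, not copied from it."""
    h = parse_mft_header(rec)
    if h["base_entry"] != expected_base:
        return (f"Extension record {h['record_number']} (file ref = {h['base_entry']}) "
                f"is not for attribute list of {expected_base}")
    return "ok"


def make_record(record_number: int, base_entry: int, base_seq: int = 1) -> bytes:
    """Constructed minimal MFT record for testing (not data from a real image)."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)  # update sequence array offset and size
    # sequence, hard links, first attribute offset, flags (in use), used size, allocated size
    struct.pack_into("<HHHHII", rec, 0x10, 1, 1, 0x38, 0x01, 0x38 + 8, MFT_RECORD_SIZE)
    struct.pack_into("<Q", rec, 0x20, (base_seq << 48) | base_entry)
    struct.pack_into("<I", rec, 0x2C, record_number)
    struct.pack_into("<I", rec, 0x38, 0xFFFFFFFF)  # end-of-attributes marker
    return bytes(rec)


if __name__ == "__main__":
    good = make_record(148369, 148368)  # extension record that really belongs to 148368
    bad = make_record(148369, 0)        # base reference zeroed: the situation in the error
    print(check_extension_record(good, 148368))
    print(check_extension_record(bad, 148368))
```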