Re: [sleuthkit-users] AddImageProcess Problem with NTFS partition
From: Luís F. N. <lfc...@gm...> - 2015-01-09 11:28:33
Sorry for the lack of information. Actually it is a problem with a colleague's image. He was able to view the file system contents with FTK Imager, so I supposed the image is not corrupted. Is it true, André? Can you mount the FS in Windows or Linux?

Also I suspected the problem is with the root folder metadata, because no content is shown after loaddb, so I attached the initial kilobytes of the partition to the first email.

Luis

2015-01-08 11:34 GMT-02:00 Simson Garfinkel <si...@ac...>:

> Hi, Luis.
>
> You haven't given enough information. Is the partition corrupt or not? What was the other tool? How did you decode it?
>
> Not being able to decode a corrupt partition is not a bug, it's simply the lack of a capability. Being unable to decode a valid partition is a bug.
>
> Of course it is possible to improve sleuthkit to recover from this kind of corrupt partition. But you have the partition and the file system. You either need to release the data, so other people can work with it, or you need to fix sleuthkit yourself!
>
>
> On Jan 8, 2015, at 8:29 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>
> Thank you, guys.
>
> We had already decoded the partition with another forensic tool. My question is if the error is a sleuthkit bug or, if not, if it is possible to improve sleuthkit to recover from this kind of error.
>
> Regards,
> Luis
>
> 2015-01-07 20:00 GMT-02:00 slo...@gm... <slo...@gm...>:
>
>> Building on Simson's comments, the Linux xmount tool allows you to mount an image with a cache file that catches any changes that would normally be written to a device. You could mount with 'xmount --cache' and then run ntfsck or testdisk to try to correct any file system/partition errors. Changes are written to the cache file and your image remains unaltered.
>>
>> xmount v0.7.3 Copyright (c) 2008-2014 by Gillen Daniel <gil...@pi...>
>>
>> Usage:
>>   xmount [fopts] <xopts> <mntp>
>>
>> Options:
>>   fopts:
>>     -d : Enable FUSE's and xmount's debug mode.
>>     -h : Display this help message.
>>     -s : Run single threaded.
>>     -o no_allow_other : Disable automatic addition of FUSE's allow_other option.
>>     -o <fopts> : Specify fuse mount options. Will also disable automatic addition of FUSE's allow_other option!
>>
>>   xopts:
>>     --cache <cfile> : Enable virtual write support.
>>       <cfile> specifies the cache file to use.
>>     --in <itype> <ifile> : Input image format and source file(s). May be specified multiple times.
>>       <itype> can be "aewf", "ewf", "raw", "dd", "aaff".
>>       <ifile> specifies the source file. If your image is split into multiple files, you have to specify them all!
>>
>>
>> On Wed Jan 07 2015 at 10:50:55 AM Simson Garfinkel <si...@ac...> wrote:
>>
>>> You might try making a copy of the file system to another drive and then running an NTFS recovery program, such as chkdsk or a commercial program. Not forensically sound, but at least you might get the data.
>>>
>>> On Wed, Jan 7, 2015 at 11:44 AM, Luís Filipe Nassif <lfc...@gm...> wrote:
>>>
>>>> Hi,
>>>>
>>>> AddImageProcess is not able to decode the directory tree of an NTFS partition with tens of thousands of files (none of them was located). The following error is shown:
>>>>
>>>> "Error in metadata structure (Extension record 148369 (file ref = 0) is not for attribute list of 148368) (Error walking directory in file system at offset 869269504)"
>>>>
>>>> I attached the first 100KB of the referenced partition. Any help will be appreciated.
>>>>
>>>> Thank you,
>>>> Luis
>>>>
>>>> _______________________________________________
>>>> sleuthkit-users mailing list
>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>> http://www.sleuthkit.org
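The error quoted in the thread says that MFT entry 148369 is referenced from the attribute list of entry 148368, but 148369 does not claim 148368 as its base record (the "file ref = 0" appears to be the base-record field TSK read from the extension record). A way to look at that field directly, as an added example that is not code from The Sleuth Kit or from anyone in the thread: read the NTFS boot sector for the geometry, locate both FILE records, verify their update-sequence fixups, and compare the extension record's base reference (entry number and sequence) with the base record. The image path, the partition offset 869269504 and the entry numbers 148368/148369 come from the error message; the built-in sample image, with small entry numbers, is constructed here for the test run. The code assumes $MFT is contiguous from its first cluster up to the entries examined; a fragmented $MFT needs the $DATA run list walked instead, and reading the wrong kilobyte because of that assumption would itself look like a bad base reference.

```python
# Added example, not code from The Sleuth Kit or from anyone in the thread.
# Assumption: $MFT is contiguous from its first cluster up to the entries
# examined (a real tool walks the $MFT $DATA run list instead).
import mmap
import struct
import sys

MFT_ENTRY_MASK = (1 << 48) - 1

def parse_boot_sector(bs):
    """Geometry needed to locate MFT records, from the NTFS boot sector."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector (OEM ID mismatch)")
    bps = struct.unpack_from("<H", bs, 0x0B)[0]
    cluster_size = bps * bs[0x0D]
    mft_cluster = struct.unpack_from("<Q", bs, 0x30)[0]
    cpr = struct.unpack_from("<b", bs, 0x40)[0]   # negative: record size is 2**-cpr
    record_size = (1 << -cpr) if cpr < 0 else cpr * cluster_size
    return {"bps": bps, "record_size": record_size, "mft_offset": mft_cluster * cluster_size}

def apply_fixups(rec, bps):
    """Verify and undo the update sequence array; a mismatch means a torn write."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * bps
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def parse_file_record(raw, bps):
    """Fixed header of one FILE record: sequence, flags and base-record reference."""
    if raw[:4] != b"FILE":
        raise ValueError("bad MFT record signature %r" % bytes(raw[:4]))
    rec = apply_fixups(bytearray(raw), bps)
    seq, _links, _attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    base_ref = struct.unpack_from("<Q", rec, 0x20)[0]
    return {"sequence": seq, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "base_entry": base_ref & MFT_ENTRY_MASK, "base_sequence": base_ref >> 48}

def read_record(image, part_off, geo, entry):
    off = part_off + geo["mft_offset"] + entry * geo["record_size"]
    raw = image[off:off + geo["record_size"]]
    if len(raw) < geo["record_size"]:
        raise ValueError("image too short for MFT entry %d" % entry)
    return parse_file_record(raw, geo["bps"])

def check_extension_record(image, part_off, base_entry, ext_entry):
    """Does ext_entry's base reference name base_entry with its current sequence number?"""
    geo = parse_boot_sector(image[part_off:part_off + 512])
    base = read_record(image, part_off, geo, base_entry)
    ext = read_record(image, part_off, geo, ext_entry)
    return {"ok": ext["base_entry"] == base_entry and ext["base_sequence"] == base["sequence"],
            "ext_base_entry": ext["base_entry"], "ext_base_sequence": ext["base_sequence"],
            "base_sequence": base["sequence"]}

# Constructed sample image with small entry numbers (the real case is 148368/148369).
def _file_record(size, bps, seq, base_entry, base_seq, entry):
    rec = bytearray(size)
    rec[0:4] = b"FILE"
    sectors = size // bps
    struct.pack_into("<HH", rec, 0x04, 0x30, sectors + 1)   # USA offset, USA count
    struct.pack_into("<HHHH", rec, 0x10, seq, 1, 0x38, 1)   # seq, links, attr offset, in use
    struct.pack_into("<Q", rec, 0x20, (base_seq << 48) | base_entry)
    struct.pack_into("<I", rec, 0x2C, entry)
    usn = b"\x42\x00"
    rec[0x30:0x32] = usn
    for i in range(sectors):                                # install fixups
        end = (i + 1) * bps
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return rec

def build_sample_image():
    bps, spc, mft_cluster, size, part_off = 512, 8, 4, 1024, 1 << 20
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 0x0B, bps)
    bs[0x0D] = spc
    struct.pack_into("<Q", bs, 0x30, mft_cluster)
    struct.pack_into("<b", bs, 0x40, -10)                   # 2**10 = 1024-byte records
    mft_off = mft_cluster * bps * spc
    image = bytearray(part_off + mft_off + 8 * size)
    image[part_off:part_off + 512] = bs
    # Entry 5: base record. Entry 6: healthy extension of 5.
    # Entry 7: extension whose base reference is 0, as in the error in the thread.
    for entry, seq, b_entry, b_seq in ((5, 3, 0, 0), (6, 1, 5, 3), (7, 1, 0, 0)):
        off = part_off + mft_off + entry * size
        image[off:off + size] = _file_record(size, bps, seq, b_entry, b_seq, entry)
    return bytes(image), part_off

if __name__ == "__main__":
    if len(sys.argv) == 5:   # check_ext.py image.dd 869269504 148368 148369
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            print(check_extension_record(m, *map(int, sys.argv[2:])))
    else:
        img, off = build_sample_image()
        print(check_extension_record(img, off, 5, 6), check_extension_record(img, off, 5, 7))
```

With no arguments the script checks the constructed image (entry 6 passes, entry 7 fails with a base reference of 0); with an image path, partition offset and the two entry numbers it mmaps the raw image so nothing is loaded into memory. A fixup mismatch raised by apply_fixups is worth noting separately from a bad base reference: it points at a torn or partially overwritten record rather than at a dangling attribute list.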