Re: [sleuthkit-users] Clonezilla Multi-Disk

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Just some more information ... It seems the files I'm using don't
contain a valid partition table:

fdisk -l sde1.vfat-ptcl-img

Disk sde1.vfat-ptcl-img: 15.6 GB, 15580242944 bytes
255 heads, 63 sectors/track, 1894 cylinders, total 30430162 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk sde1.vfat-ptcl-img doesn't contain a valid partition table

Maybe the partition table is stored somewhere else. Here is the full
information about a certain disk from the clone:

http://i.imgur.com/WqfvwbP.png

On Sat, Jul 11, 2015 at 7:53 PM, Tiago Faria
<tia...@gm...> wrote:
> Hi Derrick,
>
> First of all, thank you very much for getting back to me. I thought it
> could be that so I used 7zip to extract the "main" file. Tried both
> USB images I gathered from the evidence PC and the end result was as
> expected: two files with the USBs sizes, however, when trying to add
> as data source, the error is still there:
>
> Errors occured while ingesting image
> 1. Cannot determine file system type (Sector offset: 0)
>
> I would have no problem extracting all three images and using the
> resulting files as source, but it seems, at least for both these two
> vFAT drives, that Autopsy is having a problem with it as well.
>
> This is happening under v3, however, I also used v2 under GNU/Linux
> and had a similar result.
>
> Any tips?
>
> Once again, thank you for your help!
>
> On Sat, Jul 11, 2015 at 7:25 PM, Derrick Karpo <dk...@gm...> wrote:
>> Hi Tiago.
>>
>> I believe the issue you are seeing is that Clonezilla has created a
>> split gzip image which sleuthkit does not accept.  Sleuthkit/Autopsy
>> will support a split raw image, but not a split gzip image.  What you
>> can do is uncompress your split image into a single raw image and that
>> should work.  Something like this should work:
>>
>>   `cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img'
>>
>> Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes!
>>
>> Derrick
>>
>>
>> On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria
>> <tia...@gm...> wrote:
>>> Hi list,
>>>
>>> I'm having quite a hard time importing a data source of a computer
>>> that was clone with CloneZilla. It was a simple clone process with the
>>> only different of also cloning the USB disk drives that were also
>>> connected to the PC.
>>>
>>> The end result is something like this (only part of the content):
>>>
>>> http://i.imgur.com/CHiyGZr.png
>>>
>>> And I can't seem to add it as a data source, since I get the error:
>>>
>>> "Errors occured while ingesting image
>>> 1. Cannot determine file system type (Sector offset: 0)"
>>>
>>> Any tips? I'm really worried since this is all I got and I won't have
>>> access to the computer again.
>>>
>>> Thank you in advance!
>>>
>>> P.S.: Adding all parts of the archive as logical files seems to be
>>> accepted, but nothing useful is gathered (not even time stamps are
>>> displayed).
>>>
>>> ------------------------------------------------------------------------------
>>> Don't Limit Your Business. Reach for the Cloud.
>>> GigeNET's Cloud Solutions provide you with the tools and support that
>>> you need to offload your IT needs and focus on growing your business.
>>> Configured For All Businesses. Start Your Cloud Today.
>>> https://www.gigenetcloud.com/
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org