Re: [sleuthkit-users] Clonezilla Multi-Disk
From: Derrick K. <dk...@gm...> - 2015-07-11 20:44:41
Ah. Is it perhaps because you now also have to use partclone to restore
the raw image from your uncompressed file? Something like what they did
here?

http://askubuntu.com/questions/453114/restoring-clonezilla-images-cat-gzip-partclone-not-working

Derrick

On Jul 11, 2015 13:14, "Tiago Faria" <tia...@gm...> wrote:
> Just some more information ... It seems the files I'm using don't
> contain a valid partition table:
>
> fdisk -l sde1.vfat-ptcl-img
>
> Disk sde1.vfat-ptcl-img: 15.6 GB, 15580242944 bytes
> 255 heads, 63 sectors/track, 1894 cylinders, total 30430162 sectors
> Units = sectors of 1 * 512 = 512 bytes
> Sector size (logical/physical): 512 bytes / 512 bytes
> I/O size (minimum/optimal): 512 bytes / 512 bytes
> Disk identifier: 0x00000000
>
> Disk sde1.vfat-ptcl-img doesn't contain a valid partition table
>
> Maybe the partition table is stored somewhere else. Here is the full
> information about a certain disk from the clone:
>
> http://i.imgur.com/WqfvwbP.png
>
> On Sat, Jul 11, 2015 at 7:53 PM, Tiago Faria
> <tia...@gm...> wrote:
> > Hi Derrick,
> >
> > First of all, thank you very much for getting back to me. I thought it
> > could be that so I used 7zip to extract the "main" file. Tried both
> > USB images I gathered from the evidence PC and the end result was as
> > expected: two files with the USBs' sizes, however, when trying to add
> > as data source, the error is still there:
> >
> > Errors occured while ingesting image
> > 1. Cannot determine file system type (Sector offset: 0)
> >
> > I would have no problem extracting all three images and using the
> > resulting files as source, but it seems, at least for both these two
> > vFAT drives, that Autopsy is having a problem with it as well.
> >
> > This is happening under v3, however, I also used v2 under GNU/Linux
> > and had a similar result.
> >
> > Any tips?
> >
> > Once again, thank you for your help!
> >
> > On Sat, Jul 11, 2015 at 7:25 PM, Derrick Karpo <dk...@gm...> wrote:
> >> Hi Tiago.
> >>
> >> I believe the issue you are seeing is that Clonezilla has created a
> >> split gzip image which sleuthkit does not accept. Sleuthkit/Autopsy
> >> will support a split raw image, but not a split gzip image. What you
> >> can do is uncompress your split image into a single raw image and that
> >> should work. Something like this should work:
> >>
> >> `cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img'
> >>
> >> Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes!
> >>
> >> Derrick
> >>
> >>
> >> On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria
> >> <tia...@gm...> wrote:
> >>> Hi list,
> >>>
> >>> I'm having quite a hard time importing a data source of a computer
> >>> that was cloned with CloneZilla. It was a simple clone process with the
> >>> only difference of also cloning the USB disk drives that were also
> >>> connected to the PC.
> >>>
> >>> The end result is something like this (only part of the content):
> >>>
> >>> http://i.imgur.com/CHiyGZr.png
> >>>
> >>> And I can't seem to add it as a data source, since I get the error:
> >>>
> >>> "Errors occured while ingesting image
> >>> 1. Cannot determine file system type (Sector offset: 0)"
> >>>
> >>> Any tips? I'm really worried since this is all I got and I won't have
> >>> access to the computer again.
> >>>
> >>> Thank you in advance!
> >>>
> >>> P.S.: Adding all parts of the archive as logical files seems to be
> >>> accepted, but nothing useful is gathered (not even time stamps are
> >>> displayed).
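
Added example, not part of the thread or of any project's own code: a quick check of what a Clonezilla "-ptcl-img" file really is before handing it to Autopsy. A file that still begins with the partclone header has no boot sector at sector offset 0, which matches the error quoted above. The function names are hypothetical; the only format facts assumed are the gzip magic (1f 8b), the ASCII magic "partclone-image" at the start of a partclone image, and the 55 AA signature at bytes 510-511 of a boot sector.

```shell
#!/bin/sh
# Added example: classify a Clonezilla "*-ptcl-img*" file by its first bytes.

# hex_at FILE OFFSET COUNT -> COUNT bytes at OFFSET as a lowercase hex string
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# classify_image FILE -> prints gzip | partclone | raw-bootsector | unknown
classify_image() {
    # Hex form of the ASCII magic that opens a partclone image.
    ptcl_magic=$(printf 'partclone-image' | od -An -tx1 | tr -d ' \n')
    if [ "$(hex_at "$1" 0 2)" = "1f8b" ]; then
        echo gzip            # still compressed: join the parts and gunzip first
    elif [ "$(hex_at "$1" 0 15)" = "$ptcl_magic" ]; then
        echo partclone       # partclone container: restore it to a raw image
    elif [ "$(hex_at "$1" 510 2)" = "55aa" ]; then
        echo raw-bootsector  # sector 0 ends in 55 AA: raw volume or MBR disk
    else
        echo unknown
    fi
}

# make_samples DIR -> writes three tiny constructed files (not real evidence)
make_samples() {
    printf '\037\213\010\000' > "$1/part.gz.aa"
    printf 'partclone-image\000' > "$1/sde1.vfat-ptcl-img"
    dd if=/dev/zero of="$1/raw.img" bs=1 count=510 2>/dev/null
    printf '\125\252' >> "$1/raw.img"
}
```

Run `classify_image` against a working copy of the file; only a result of `raw-bootsector` is something Sleuthkit can parse as a file system at offset 0.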