Re: [sleuthkit-users] Clonezilla Multi-Disk
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Clonezilla Multi-Disk
|
From: Tiago F. <tia...@gm...> - 2015-07-11 23:09:31
|
Derrick, List, Thank you very much! That worked like a charm! Seems the way to go is to extract the several parts of the image and then use partclone like you mentioned! Thanks for saving my ass! On Sat, Jul 11, 2015 at 11:08 PM, Tiago Faria <tia...@gm...> wrote: > Seems like it. Well, it's going. Still another 50m for the first pen > drive to be converted. I'll make sure to post the update. > > Thank you again for the help and guidance! > > On Sat, Jul 11, 2015 at 9:44 PM, Derrick Karpo <dk...@gm...> wrote: >> Ah. Is it perhaps because you now also have to use partclone to restore the >> raw image from your uncompressed file? Something like what they did here? >> >> >> http://askubuntu.com/questions/453114/restoring-clonezilla-images-cat-gzip-partclone-not-working >> >> Derrick >> >> On Jul 11, 2015 13:14, "Tiago Faria" <tia...@gm...> wrote: >>> >>> Just some more information ... It seems the files I'm using don't >>> contain a valid partition table: >>> >>> fdisk -l sde1.vfat-ptcl-img >>> >>> Disk sde1.vfat-ptcl-img: 15.6 GB, 15580242944 bytes >>> 255 heads, 63 sectors/track, 1894 cylinders, total 30430162 sectors >>> Units = sectors of 1 * 512 = 512 bytes >>> Sector size (logical/physical): 512 bytes / 512 bytes >>> I/O size (minimum/optimal): 512 bytes / 512 bytes >>> Disk identifier: 0x00000000 >>> >>> Disk sde1.vfat-ptcl-img doesn't contain a valid partition table >>> >>> Maybe the partition table is stored somewhere else. Here is the full >>> information about a certain disk from the clone: >>> >>> http://i.imgur.com/WqfvwbP.png >>> >>> On Sat, Jul 11, 2015 at 7:53 PM, Tiago Faria >>> <tia...@gm...> wrote: >>> > Hi Derrick, >>> > >>> > First of all, thank you very much for getting back to me. I thought it >>> > could be that so I used 7zip to extract the "main" file. Tried both >>> > USB images I gathered from the evidence PC and the end result was as >>> > expected: two files with the USBs sizes, however, when trying to add >>> > as data source, the error is still there: >>> > >>> > Errors occured while ingesting image >>> > 1. Cannot determine file system type (Sector offset: 0) >>> > >>> > I would have no problem extracting all three images and using the >>> > resulting files as source, but it seems, at least for both these two >>> > vFAT drives, that Autopsy is having a problem with it as well. >>> > >>> > This is happening under v3, however, I also used v2 under GNU/Linux >>> > and had a similar result. >>> > >>> > Any tips? >>> > >>> > Once again, thank you for your help! >>> > >>> > On Sat, Jul 11, 2015 at 7:25 PM, Derrick Karpo <dk...@gm...> wrote: >>> >> Hi Tiago. >>> >> >>> >> I believe the issue you are seeing is that Clonezilla has created a >>> >> split gzip image which sleuthkit does not accept. Sleuthkit/Autopsy >>> >> will support a split raw image, but not a split gzip image. What you >>> >> can do is uncompress your split image into a single raw image and that >>> >> should work. Something like this should work: >>> >> >>> >> `cat sdd1.vfat-ptcl-img.gz.a* | gzip -d -c > sdd1.vfat-ptcl.img' >>> >> >>> >> Then add 'sdd1.vfat-ptcl.img' to Autopsy and see how that goes! >>> >> >>> >> Derrick >>> >> >>> >> >>> >> On Sat, Jul 11, 2015 at 11:39 AM, Tiago Faria >>> >> <tia...@gm...> wrote: >>> >>> Hi list, >>> >>> >>> >>> I'm having quite a hard time importing a data source of a computer >>> >>> that was clone with CloneZilla. It was a simple clone process with the >>> >>> only different of also cloning the USB disk drives that were also >>> >>> connected to the PC. >>> >>> >>> >>> The end result is something like this (only part of the content): >>> >>> >>> >>> http://i.imgur.com/CHiyGZr.png >>> >>> >>> >>> And I can't seem to add it as a data source, since I get the error: >>> >>> >>> >>> "Errors occured while ingesting image >>> >>> 1. Cannot determine file system type (Sector offset: 0)" >>> >>> >>> >>> Any tips? I'm really worried since this is all I got and I won't have >>> >>> access to the computer again. >>> >>> >>> >>> Thank you in advance! >>> >>> >>> >>> P.S.: Adding all parts of the archive as logical files seems to be >>> >>> accepted, but nothing useful is gathered (not even time stamps are >>> >>> displayed). >>> >>> >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> >>> Don't Limit Your Business. Reach for the Cloud. >>> >>> GigeNET's Cloud Solutions provide you with the tools and support that >>> >>> you need to offload your IT needs and focus on growing your business. >>> >>> Configured For All Businesses. Start Your Cloud Today. >>> >>> https://www.gigenetcloud.com/ >>> >>> _______________________________________________ >>> >>> sleuthkit-users mailing list >>> >>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >>> >>> http://www.sleuthkit.org |
