Re: [sleuthkit-users] tsk_recover whole dd image
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] tsk_recover whole dd image
|
From: Derrick K. <dk...@gm...> - 2015-11-24 13:34:11
|
Hello. What happens if you run it against a single partition with an offset, and force the sector size like this? `tsk_recover -v -e -i raw -o 206848 -b 512 wip/image.dd recovered' Derrick On Tue, Nov 24, 2015 at 2:05 AM, <sle...@fa...> wrote: > Hi, > I am using version 4.2.0 of TSK and I am trying to recover all files from an image. For testing purposes I am using the image from http://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html > Unfortunately it is not working. I run "tsk_recover -v -e -i raw wip/image.dd recovered/" and get the following output: > > tsk_img_open: Type: 1 NumImg: 1 Img1: wip/image.dd > tsk_img_findFiles: wip/image.dd found > tsk_img_findFiles: 1 total segments found > raw_open: segment: 0 size: 21474836480 max offset: 21474836480 path: wip/image.dd > fsopen: Auto detection mode at offset 0 > raw_read: byte offset: 0 len: 65536 > raw_read: found in image 0 relative offset: 0 len: 65536 > raw_read_segment: opening file into slot 0: wip/image.dd > ntfs_open: invalid sector size: 190 > fatxxfs_open: Invalid sector size (190) > exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm (190), not in range (9 - 12) > fatxxfs_open: Invalid sector size (190) > ext2fs_open: invalid magic > raw_read: byte offset: 65536 len: 65536 > raw_read: found in image 0 relative offset: 65536 len: 65536 > ufs_open: Trying 256KB UFS2 location > raw_read: byte offset: 262144 len: 65536 > raw_read: found in image 0 relative offset: 262144 len: 65536 > ufs_open: Trying UFS1 location > ufs_open: No UFS magic found > raw_read: byte offset: 156160 len: 65536 > raw_read: found in image 0 relative offset: 156160 len: 65536 > raw_read: byte offset: 426496 len: 65536 > raw_read: found in image 0 relative offset: 426496 len: 65536 > raw_read: byte offset: 561664 len: 65536 > raw_read: found in image 0 relative offset: 561664 len: 65536 > raw_read: byte offset: 696832 len: 65536 > raw_read: found in image 0 relative offset: 696832 len: 65536 > raw_read: byte offset: 832000 len: 65536 > raw_read: found in image 0 relative offset: 832000 len: 65536 > raw_read: byte offset: 967168 len: 65536 > raw_read: found in image 0 relative offset: 967168 len: 65536 > raw_read: byte offset: 1102336 len: 65536 > raw_read: found in image 0 relative offset: 1102336 len: 65536 > raw_read: byte offset: 1083392 len: 65536 > raw_read: found in image 0 relative offset: 1083392 len: 65536 > raw_read: byte offset: 1237504 len: 65536 > raw_read: found in image 0 relative offset: 1237504 len: 65536 > raw_read: byte offset: 1218560 len: 65536 > raw_read: found in image 0 relative offset: 1218560 len: 65536 > raw_read: byte offset: 1372672 len: 65536 > raw_read: found in image 0 relative offset: 1372672 len: 65536 > raw_read: byte offset: 1507840 len: 65536 > raw_read: found in image 0 relative offset: 1507840 len: 65536 > raw_read: byte offset: 1643008 len: 65536 > raw_read: found in image 0 relative offset: 1643008 len: 65536 > raw_read: byte offset: 1778176 len: 65536 > raw_read: found in image 0 relative offset: 1778176 len: 65536 > raw_read: byte offset: 1913344 len: 65536 > raw_read: found in image 0 relative offset: 1913344 len: 65536 > raw_read: byte offset: 2048512 len: 65536 > raw_read: found in image 0 relative offset: 2048512 len: 65536 > raw_read: byte offset: 2183680 len: 65536 > raw_read: found in image 0 relative offset: 2183680 len: 65536 > raw_read: byte offset: 2318848 len: 65536 > raw_read: found in image 0 relative offset: 2318848 len: 65536 > raw_read: byte offset: 2454016 len: 65536 > raw_read: found in image 0 relative offset: 2454016 len: 65536 > raw_read: byte offset: 2589184 len: 65536 > raw_read: found in image 0 relative offset: 2589184 len: 65536 > raw_read: byte offset: 2724352 len: 65536 > raw_read: found in image 0 relative offset: 2724352 len: 65536 > raw_read: byte offset: 2859520 len: 65536 > raw_read: found in image 0 relative offset: 2859520 len: 65536 > raw_read: byte offset: 2994688 len: 65536 > raw_read: found in image 0 relative offset: 2994688 len: 65536 > raw_read: byte offset: 3129856 len: 65536 > raw_read: found in image 0 relative offset: 3129856 len: 65536 > raw_read: byte offset: 3265024 len: 65536 > raw_read: found in image 0 relative offset: 3265024 len: 65536 > raw_read: byte offset: 3400192 len: 65536 > raw_read: found in image 0 relative offset: 3400192 len: 65536 > raw_read: byte offset: 3535360 len: 65536 > raw_read: found in image 0 relative offset: 3535360 len: 65536 > raw_read: byte offset: 3670528 len: 65536 > raw_read: found in image 0 relative offset: 3670528 len: 65536 > raw_read: byte offset: 3805696 len: 65536 > raw_read: found in image 0 relative offset: 3805696 len: 65536 > raw_read: byte offset: 3940864 len: 65536 > raw_read: found in image 0 relative offset: 3940864 len: 65536 > raw_read: byte offset: 4076032 len: 65536 > raw_read: found in image 0 relative offset: 4076032 len: 65536 > raw_read: byte offset: 4211200 len: 65536 > raw_read: found in image 0 relative offset: 4211200 len: 65536 > raw_read: byte offset: 4346368 len: 65536 > raw_read: found in image 0 relative offset: 4346368 len: 65536 > raw_read: byte offset: 4481536 len: 65536 > raw_read: found in image 0 relative offset: 4481536 len: 65536 > raw_read: byte offset: 4616704 len: 65536 > raw_read: found in image 0 relative offset: 4616704 len: 65536 > raw_read: byte offset: 4751872 len: 65536 > raw_read: found in image 0 relative offset: 4751872 len: 65536 > raw_read: byte offset: 4887040 len: 65536 > raw_read: found in image 0 relative offset: 4887040 len: 65536 > raw_read: byte offset: 5022208 len: 65536 > raw_read: found in image 0 relative offset: 5022208 len: 65536 > raw_read: byte offset: 5157376 len: 65536 > raw_read: found in image 0 relative offset: 5157376 len: 65536 > raw_read: byte offset: 5292544 len: 65536 > raw_read: found in image 0 relative offset: 5292544 len: 65536 > raw_read: byte offset: 5427712 len: 65536 > raw_read: found in image 0 relative offset: 5427712 len: 65536 > raw_read: byte offset: 5562880 len: 65536 > raw_read: found in image 0 relative offset: 5562880 len: 65536 > raw_read: byte offset: 5698048 len: 65536 > raw_read: found in image 0 relative offset: 5698048 len: 65536 > raw_read: byte offset: 5833216 len: 65536 > raw_read: found in image 0 relative offset: 5833216 len: 65536 > raw_read: byte offset: 5968384 len: 65536 > raw_read: found in image 0 relative offset: 5968384 len: 65536 > raw_read: byte offset: 6103552 len: 65536 > raw_read: found in image 0 relative offset: 6103552 len: 65536 > raw_read: byte offset: 6238720 len: 65536 > raw_read: found in image 0 relative offset: 6238720 len: 65536 > raw_read: byte offset: 6373888 len: 65536 > raw_read: found in image 0 relative offset: 6373888 len: 65536 > raw_read: byte offset: 6509056 len: 65536 > raw_read: found in image 0 relative offset: 6509056 len: 65536 > raw_read: byte offset: 6644224 len: 65536 > raw_read: found in image 0 relative offset: 6644224 len: 65536 > raw_read: byte offset: 6779392 len: 65536 > raw_read: found in image 0 relative offset: 6779392 len: 65536 > raw_read: byte offset: 6914560 len: 65536 > raw_read: found in image 0 relative offset: 6914560 len: 65536 > raw_read: byte offset: 7049728 len: 65536 > raw_read: found in image 0 relative offset: 7049728 len: 65536 > raw_read: byte offset: 7184896 len: 65536 > raw_read: found in image 0 relative offset: 7184896 len: 65536 > raw_read: byte offset: 7320064 len: 65536 > raw_read: found in image 0 relative offset: 7320064 len: 65536 > raw_read: byte offset: 7455232 len: 65536 > raw_read: found in image 0 relative offset: 7455232 len: 65536 > raw_read: byte offset: 7590400 len: 65536 > raw_read: found in image 0 relative offset: 7590400 len: 65536 > raw_read: byte offset: 7571456 len: 65536 > raw_read: found in image 0 relative offset: 7571456 len: 65536 > raw_read: byte offset: 7725568 len: 65536 > raw_read: found in image 0 relative offset: 7725568 len: 65536 > raw_read: byte offset: 7706624 len: 65536 > raw_read: found in image 0 relative offset: 7706624 len: 65536 > raw_read: byte offset: 7860736 len: 65536 > raw_read: found in image 0 relative offset: 7860736 len: 65536 > raw_read: byte offset: 7841792 len: 65536 > raw_read: found in image 0 relative offset: 7841792 len: 65536 > raw_read: byte offset: 7995904 len: 65536 > raw_read: found in image 0 relative offset: 7995904 len: 65536 > raw_read: byte offset: 7976960 len: 65536 > raw_read: found in image 0 relative offset: 7976960 len: 65536 > raw_read: byte offset: 8131072 len: 65536 > raw_read: found in image 0 relative offset: 8131072 len: 65536 > raw_read: byte offset: 8112128 len: 65536 > raw_read: found in image 0 relative offset: 8112128 len: 65536 > raw_read: byte offset: 8266240 len: 65536 > raw_read: found in image 0 relative offset: 8266240 len: 65536 > raw_read: byte offset: 8247296 len: 65536 > raw_read: found in image 0 relative offset: 8247296 len: 65536 > raw_read: byte offset: 8401408 len: 65536 > raw_read: found in image 0 relative offset: 8401408 len: 65536 > raw_read: byte offset: 8382464 len: 65536 > raw_read: found in image 0 relative offset: 8382464 len: 65536 > raw_read: byte offset: 8536576 len: 65536 > raw_read: found in image 0 relative offset: 8536576 len: 65536 > raw_read: byte offset: 8517632 len: 65536 > raw_read: found in image 0 relative offset: 8517632 len: 65536 > yaffsfs_open: could not find valid spare area format > See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration > raw_read: byte offset: 1024 len: 65536 > raw_read: found in image 0 relative offset: 1024 len: 65536 > iso9660_open img_info: 139756571050000 ftype: 2048 test: 1 > iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001 > Trying RAW ISO9660 with 16-byte pre-block size > fs_prepost_read: Mapped 32768 to 37648 > iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001 > Trying RAW ISO9660 with 24-byte pre-block size > fs_prepost_read: Mapped 32768 to 37656 > iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001 > iso9660_open: Error loading volume descriptor > Cannot determine file system type (Sector offset: 0)Files Recovered: 0 > > mmls gave me: > > DOS Partition Table > Offset Sector: 0 > Units are in 512-byte sectors > > Slot Start End Length Description > 000: Meta 0000000000 0000000000 0000000001 Primary Table (#0) > 001: ------- 0000000000 0000002047 0000002048 Unallocated > 002: 000:000 0000002048 0000206847 0000204800 NTFS / exFAT (0x07) > 003: 000:001 0000206848 0041940991 0041734144 NTFS / exFAT (0x07) > 004: ------- 0041940992 0041943039 0000002048 Unallocated > > So can you help me please how to get it working? > > Kind regards > > ------------------------------------------------------------------------------ > Go from Idea to Many App Stores Faster with Intel(R) XDK > Give your users amazing mobile app experiences with Intel(R) XDK. > Use one codebase in this all-in-one HTML5 development environment. > Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs. > http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140 > _______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
