Re: [sleuthkit-users] tsk_loaddb: Cannot determine file system type (Sector offset: 64, Partition T
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] tsk_loaddb: Cannot determine file system type (Sector offset: 64, Partition Type: NTFS / exFAT (0x07))
|
From: PCF R. R. C. <ron...@dp...> - 2016-06-08 14:17:49
|
Hi Brian, I am not sure, but it seems to be a exFat or at least Fat. It doesn´t look like NTFS. Curiously, there are files typical of Mac OS or Apple Timemachine device (Fsevend, spotlight, timemachine). This device is an external drive of 2TB. I have attached some pictures of file system folders/files (I had to blur some parts, because are sensitive). Dump of sector 64 is attached too. Thanks, -- Ronaldo Rosenau da Costa Perito Criminal Federal Setor Técnico Científico (SETEC) Departamento de Polícia Federal - Paraná Tel: (41) 3251-7651 Voip: 4 4100-7651 On 07/06/2016 15:56, Brian Carrier wrote: > From the verbose log, these seem to be the relevant lines: > > fsopen: Auto detection mode at offset 32768 > ntfs_open: invalid sector size: 0 > fatxxfs_open: Invalid sector size (0) > exfatfs_get_fs_layout: Invalid root directory sector address (122880) > …. > > So, both ExFAT and NTFS are unhappy because sector size is 0 and ExFAT is also unhappy because it doesn’t like the starting root directory address. Can you tell from FTK / EnCase what the file system is? Usually NTFS has more $ files in the root folder. If you could send me the raw contents of sector 64 (or a picture of the hex dump) that would be useful too to debug this. > > thanks > brian > > > > > > > >> On Jun 6, 2016, at 3:48 PM, PCF Ronaldo R. Costa <ron...@dp...> wrote: >> >> Hi, >> >> tsk_loaddb.exe aborted with message below: >> Error: Cannot determine file system type (Sector offset: 64, Partition >> Type: NTFS / exFAT (0x07)) >> >> I can open this image with FTK and Encase, without any problem. >> >> Full verbose log is attached. >> >> Any suggestion? >> >> Regards, >> >> -- >> Ronaldo Rosenau da Costa >> Perito Criminal Federal >> Setor Técnico Científico (SETEC) >> Departamento de Polícia Federal - Paraná >> Tel: (41) 3251-7651 >> Voip: 4 4100-7651 >> >> <report_item0906.txt>------------------------------------------------------------------------------ >> What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic >> patterns at an interface-level. Reveals which users, apps, and protocols are >> consuming the most bandwidth. Provides multi-vendor support for NetFlow, >> J-Flow, sFlow and other flows. Make informed decisions using capacity >> planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e_______________________________________________ >> sleuthkit-users mailing list >> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users >> http://www.sleuthkit.org > > |
