Re: [sleuthkit-users] tsk_loaddb: Cannot determine file system type (Sector offset: 64, Partition T
From: Brian C. <ca...@sl...> - 2016-06-10 03:33:21
Hi Ronaldo,

I think you are seeing the same bug that “SuperGod” reported (https://github.com/sleuthkit/sleuthkit/issues/651) and gave a patch for. The fix is in the release-4.3.0 branch. If you are not compiling from source, I can send you a Windows binary to test it out to make sure it fixes your problems. Please let me know.

thanks,
brian

> On Jun 8, 2016, at 10:17 AM, PCF Ronaldo R. Costa <ron...@dp...> wrote:
>
> Hi Brian,
>
> I am not sure, but it seems to be an exFAT or at least FAT. It doesn't look like NTFS. Curiously, there are files typical of Mac OS or Apple Timemachine device (Fsevend, spotlight, timemachine). This device is an external drive of 2TB. I have attached some pictures of file system folders/files (I had to blur some parts, because they are sensitive).
>
> Dump of sector 64 is attached too.
>
> Thanks,
>
> --
> Ronaldo Rosenau da Costa
> Perito Criminal Federal
> Setor Técnico Científico (SETEC)
> Departamento de Polícia Federal - Paraná
> Tel: (41) 3251-7651
> Voip: 4 4100-7651
>
> On 07/06/2016 15:56, Brian Carrier wrote:
>> From the verbose log, these seem to be the relevant lines:
>>
>> fsopen: Auto detection mode at offset 32768
>> ntfs_open: invalid sector size: 0
>> fatxxfs_open: Invalid sector size (0)
>> exfatfs_get_fs_layout: Invalid root directory sector address (122880)
>> ….
>>
>> So, both ExFAT and NTFS are unhappy because sector size is 0 and ExFAT is also unhappy because it doesn’t like the starting root directory address. Can you tell from FTK / EnCase what the file system is? Usually NTFS has more $ files in the root folder. If you could send me the raw contents of sector 64 (or a picture of the hex dump) that would be useful too to debug this.
>>
>> thanks
>> brian
>>
>>> On Jun 6, 2016, at 3:48 PM, PCF Ronaldo R. Costa <ron...@dp...> wrote:
>>>
>>> Hi,
>>>
>>> tsk_loaddb.exe aborted with message below:
>>> Error: Cannot determine file system type (Sector offset: 64, Partition
>>> Type: NTFS / exFAT (0x07))
>>>
>>> I can open this image with FTK and Encase, without any problem.
>>>
>>> Full verbose log is attached.
>>>
>>> Any suggestion?
>>>
>>> Regards,
>>>
>>> --
>>> Ronaldo Rosenau da Costa
>>> Perito Criminal Federal
>>> Setor Técnico Científico (SETEC)
>>> Departamento de Polícia Federal - Paraná
>>> Tel: (41) 3251-7651
>>> Voip: 4 4100-7651
>>>
>>> <report_item0906.txt>
>
> <dump_sector_64><file_system.jpg><file_system2.jpg>
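
As an added illustration (not part of the original thread, and not The Sleuth Kit's code), the following Python example reads from a 512-byte boot-sector dump the fields that the quoted verbose log complains about: the sector size and the exFAT root directory location. Field offsets follow the published FAT/NTFS and exFAT boot-sector layouts; the sample sector, its values and the function names are constructed for this example.

```python
import struct

EXFAT_NAME = b"EXFAT   "

def build_sample_exfat_sector():
    """Constructed 512-byte exFAT boot sector (not the dump from the thread)."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x76\x90"                       # JumpBoot
    s[3:11] = EXFAT_NAME                           # FileSystemName
    # Bytes 11..63 stay zero: exFAT zeroes the area where FAT/NTFS keep a BPB.
    struct.pack_into("<QQ", s, 64, 64, 2097152)    # PartitionOffset, VolumeLength
    struct.pack_into("<IIIII", s, 80, 128, 256, 2048, 32736, 4)
    # ^ FatOffset, FatLength, ClusterHeapOffset, ClusterCount, root cluster
    s[108], s[109] = 9, 6                          # 512 B sectors, 64 per cluster
    s[510:512] = b"\x55\xaa"                       # boot signature
    return bytes(s)

def inspect_boot_sector(sector):
    """Report the boot-sector fields a file system auto-detector depends on."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes of the sector")
    info = {
        "oem": sector[3:11].decode("ascii", "replace"),
        # FAT and NTFS both store bytes-per-sector as a 16-bit LE value at 0x0B.
        "bpb_bytes_per_sector": struct.unpack_from("<H", sector, 11)[0],
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }
    if sector[3:11] == EXFAT_NAME:
        (vol_len,) = struct.unpack_from("<Q", sector, 72)
        heap_off, clusters, root_cluster = struct.unpack_from("<III", sector, 88)
        spc_shift = sector[109]
        # Cluster numbering starts at 2, at the first sector of the cluster heap.
        root_sector = heap_off + ((root_cluster - 2) << spc_shift)
        info.update(
            bytes_per_sector=1 << sector[108],
            root_dir_sector=root_sector,
            root_in_volume=(2 <= root_cluster <= clusters + 1
                            and root_sector < vol_len),
        )
    return info

if __name__ == "__main__":
    for key, value in inspect_boot_sector(build_sample_exfat_sector()).items():
        print(f"{key:22} {value!r}")
```

To check a real dump, pass the first 512 bytes read at the partition's byte offset (the log above shows offset 32768 for sector 64). On a well-formed exFAT volume the 0x0B field reads 0 while the exFAT-specific shift field carries the real sector size.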