Re: [sleuthkit-users] tsk_loaddb: Cannot determine file system type (Sector offset: 64, Partition T
From: PCF R. R. C. <ron...@dp...> - 2016-06-13 17:44:56
Hi Brian,

Release-4.3.0 solved this problem.

Thank you very much,

--
Ronaldo Rosenau da Costa
Perito Criminal Federal
Setor Técnico Científico (SETEC)
Departamento de Polícia Federal - Paraná
Tel: (41) 3251-7651
Voip: 4 4100-7651

On 10/06/2016 00:33, Brian Carrier wrote:
> hi Ronaldo,
>
> I think you are seeing the same bug that “SuperGod” reported (https://github.com/sleuthkit/sleuthkit/issues/651) and gave a patch for. The fix is in the release-4.3.0 branch. If you are not compiling from source, I can send you a Windows binary to test it out to make sure it fixes your problems. Please let me know.
>
> thanks,
> brian
>
>> On Jun 8, 2016, at 10:17 AM, PCF Ronaldo R. Costa <ron...@dp...> wrote:
>>
>> Hi Brian,
>>
>> I am not sure, but it seems to be an exFAT or at least FAT. It doesn't look like NTFS. Curiously, there are files typical of Mac OS or an Apple Timemachine device (Fsevend, spotlight, timemachine). This device is an external drive of 2TB. I have attached some pictures of file system folders/files (I had to blur some parts, because they are sensitive).
>>
>> Dump of sector 64 is attached too.
>>
>> Thanks,
>>
>> --
>> Ronaldo Rosenau da Costa
>> Perito Criminal Federal
>> Setor Técnico Científico (SETEC)
>> Departamento de Polícia Federal - Paraná
>> Tel: (41) 3251-7651
>> Voip: 4 4100-7651
>>
>> On 07/06/2016 15:56, Brian Carrier wrote:
>>> From the verbose log, these seem to be the relevant lines:
>>>
>>> fsopen: Auto detection mode at offset 32768
>>> ntfs_open: invalid sector size: 0
>>> fatxxfs_open: Invalid sector size (0)
>>> exfatfs_get_fs_layout: Invalid root directory sector address (122880)
>>> ….
>>>
>>> So, both ExFAT and NTFS are unhappy because sector size is 0 and ExFAT is also unhappy because it doesn’t like the starting root directory address. Can you tell from FTK / EnCase what the file system is? Usually NTFS has more $ files in the root folder. If you could send me the raw contents of sector 64 (or a picture of the hex dump) that would be useful too to debug this.
>>>
>>> thanks
>>> brian
>>>
>>>> On Jun 6, 2016, at 3:48 PM, PCF Ronaldo R. Costa <ron...@dp...> wrote:
>>>>
>>>> Hi,
>>>>
>>>> tsk_loaddb.exe aborted with the message below:
>>>> Error: Cannot determine file system type (Sector offset: 64, Partition
>>>> Type: NTFS / exFAT (0x07))
>>>>
>>>> I can open this image with FTK and EnCase, without any problem.
>>>>
>>>> Full verbose log is attached.
>>>>
>>>> Any suggestion?
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Ronaldo Rosenau da Costa
>>>> Perito Criminal Federal
>>>> Setor Técnico Científico (SETEC)
>>>> Departamento de Polícia Federal - Paraná
>>>> Tel: (41) 3251-7651
>>>> Voip: 4 4100-7651
>>>>
>>>> <report_item0906.txt>
>>>
>> <dump_sector_64><file_system.jpg><file_system2.jpg>
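
Added example, not part of the thread and not Sleuth Kit code: a Python check of the boot-sector fields discussed above, for inspecting a sector such as sector 64 by hand. It assumes 512-byte sectors (64 × 512 = 32768, the offset in the log); the exFAT layout keeps bytes 11 to 63 zeroed, so the BPB bytes-per-sector field that NTFS and FAT readers use reads 0 on such a volume. The sample sector is constructed, and all function names are hypothetical.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, so sector 64 = byte offset 32768

def read_sector(image_path, sector=64):
    """Read one raw sector from a disk image (path is supplied by the caller)."""
    with open(image_path, "rb") as f:
        f.seek(sector * SECTOR)
        return f.read(SECTOR)

def describe_boot_sector(bs):
    """Report the boot-sector fields that NTFS, FAT and exFAT readers check."""
    if len(bs) < 512:
        raise ValueError("need a full 512-byte boot sector")
    oem = bs[3:11]
    info = {
        "oem_id": oem.decode("ascii", "replace"),
        # NTFS and FAT take bytes-per-sector from the BPB at offset 11.
        "bpb_bytes_per_sector": struct.unpack_from("<H", bs, 11)[0],
        "boot_signature_ok": bs[510:512] == b"\x55\xaa",
        "fs": "unknown",
    }
    if oem == b"EXFAT   ":
        # exFAT zeroes offsets 11..63 and stores geometry as shift counts.
        heap_off, _clusters, root_cluster = struct.unpack_from("<III", bs, 88)
        bps_shift, spc_shift = bs[108], bs[109]
        info.update(
            fs="exFAT",
            geometry_ok=9 <= bps_shift <= 12 and spc_shift <= 25 - bps_shift,
            bytes_per_sector=1 << bps_shift,
            # Sector of the root directory, relative to the volume start.
            root_dir_sector=heap_off + (root_cluster - 2) * (1 << spc_shift),
        )
    elif oem == b"NTFS    ":
        info["fs"] = "NTFS"
    elif bs[54:57] == b"FAT" or bs[82:85] == b"FAT":
        info["fs"] = "FAT"
    return info

def sample_exfat_sector():
    """Constructed exFAT boot sector for the demo (not the one from the thread)."""
    bs = bytearray(512)
    bs[0:3], bs[3:11] = b"\xeb\x76\x90", b"EXFAT   "
    struct.pack_into("<III", bs, 88, 4096, 1000, 5)  # heap offset, clusters, root cluster
    bs[108], bs[109] = 9, 8  # 512-byte sectors, 256 sectors per cluster
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

if __name__ == "__main__":
    print(describe_boot_sector(sample_exfat_sector()))
```

To run it against a real image, pass `read_sector(path, 64)` to `describe_boot_sector`; a `root_dir_sector` beyond the volume length or a false `geometry_ok` points at a damaged or misread boot sector.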