Re: [sleuthkit-users] Tsk_recover failure with ewf file
From: Edward D. <eld...@tr...> - 2016-07-22 22:11:10
On 7/22/2016 3:03 PM, Grundy Barry J TIGTA wrote:
> Eddie,
>
> Are you providing tsk_recover with an offset to the filesystem?

No, I am not. I thought it could recover files from all partitions (filesystems) in the image automatically. Are you saying TSK can only recover one partition at a time from the ewf image, and that I tell it which partition to recover by passing an '-o sector offset' parameter to tell it where in the image the partition I want it to recover begins? That's not what I thought from the --help output for tsk_recover or from the man page.

> You have to tell the tool which partition (filesystem) you are interested in. Have a look at the '--help' output for more info on the syntax.
>
> If you run mmls from TSK on the ewf first, it will show you the partitions in the image and the offset (in sectors) to the partition within the physical image. Use this in your tsk_recover command.

Thanks! I am testing that now. But the doc for tsk_recover implies that it can recover files from all partitions in an image instead of just a single partition at a time in the image via the '-o sector offset' parameter. Hopefully you or someone else can clarify this for me.

Eddie Diener

> /*******************************************
> Barry J. Grundy
> Assistant Special Agent in Charge
> Digital Forensic Support Group
> Treasury Inspector General for Tax Administration
> (301) 210-8741 (desk)
> (202) 527-5778 (cell)
> Bar...@ti...
> ********************************************\
>
>
>> -----Original Message-----
>> From: Edward Diener [mailto:eld...@tr...]
>> Sent: Friday, July 22, 2016 11:54 AM
>> To: sle...@li...
>> Subject: [sleuthkit-users] Tsk_recover failure with ewf file
>>
>> The failure I am about to describe occurs on both TSK 4.2.0 and the recently released TSK 4.3.0 on Windows 8.1 using the binaries provided.
>>
>> I use a program called FTK Imager Lite 3.1.1.8 from AccessData to create ewf images. If I create ewf images from a single logical drive, which naturally has a single file system, TSK and tsk_recover work fine.
>> Instead my problem with TSK is when creating ewf images from a physical drive, which has a number of different file systems. In my example I create ewf images from a physical drive which has separate FAT32, NTFS, EXT3, and EXT4 with files in each logical partition. The FTK Imager Lite program creates the ewf image for me in the directory of my choice from the physical drive without any problems. I then run tsk_recover with the -v verbose option, passing the full path to the ewf image and the directory where I want the files to be put. The results of running tsk_recover are:
>>
>> ------------------------------------------------------------------------------------------------------------------------
>>
>> E:\Utilities\sleuthkit-4.3.0-win32\bin>tsk_recover -v C:\Utilities\FTImages\PhysDrive\MyPhys.E01 C:\Utilities\TSKDirs\Rec1\Unallocated
>> tsk_img_open: Type: 0 NumImg: 1 Img1: C:\Utilities\FTImages\PhysDrive\MyPhys.E01
>> ewf_open: found 1 segment files via libewf_glob
>> Error opening vmdk file
>> Error checking file signature for vhd file
>> fsopen: Auto detection mode at offset 0
>> ewf_image_read: byte offset: 0 len: 65536
>> ntfs_open: invalid cluster size: 0
>> fatxxfs_open: Invalid sector size (23552)
>> exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm (23552), not in range (9 - 12)
>> fatxxfs_open: Invalid sector size (23552)
>> ext2fs_open: invalid magic
>> ewf_image_read: byte offset: 65536 len: 65536
>> ufs_open: Trying 256KB UFS2 location
>> ewf_image_read: byte offset: 262144 len: 65536
>> ufs_open: Trying UFS1 location
>> ufs_open: No UFS magic found
>> ewf_image_read: byte offset: 156160 len: 65536
>> ewf_image_read: byte offset: 426496 len: 65536
>> ewf_image_read: byte offset: 561664 len: 65536
>> ewf_image_read: byte offset: 696832 len: 65536
>> ewf_image_read: byte offset: 832000 len: 65536
>> ewf_image_read: byte offset: 967168 len: 65536
>> ewf_image_read: byte offset: 1102336 len: 65536
>> ewf_image_read: byte offset: 1237504 len: 65536
>> ewf_image_read: byte offset: 1372672 len: 65536
>> ewf_image_read: byte offset: 1507840 len: 65536
>> ewf_image_read: byte offset: 1643008 len: 65536
>> ewf_image_read: byte offset: 1778176 len: 65536
>> ewf_image_read: byte offset: 1913344 len: 65536
>> ewf_image_read: byte offset: 2048512 len: 65536
>> ewf_image_read: byte offset: 2183680 len: 65536
>> ewf_image_read: byte offset: 2318848 len: 65536
>> ewf_image_read: byte offset: 2454016 len: 65536
>> ewf_image_read: byte offset: 2589184 len: 65536
>> ewf_image_read: byte offset: 2724352 len: 65536
>> ewf_image_read: byte offset: 2859520 len: 65536
>> ewf_image_read: byte offset: 2994688 len: 65536
>> ewf_image_read: byte offset: 3129856 len: 65536
>> ewf_image_read: byte offset: 3265024 len: 65536
>> ewf_image_read: byte offset: 3400192 len: 65536
>> ewf_image_read: byte offset: 3535360 len: 65536
>> ewf_image_read: byte offset: 3670528 len: 65536
>> ewf_image_read: byte offset: 3805696 len: 65536
>> ewf_image_read: byte offset: 3940864 len: 65536
>> ewf_image_read: byte offset: 4076032 len: 65536
>> ewf_image_read: byte offset: 4211200 len: 65536
>> ewf_image_read: byte offset: 4346368 len: 65536
>> ewf_image_read: byte offset: 4481536 len: 65536
>> ewf_image_read: byte offset: 4616704 len: 65536
>> ewf_image_read: byte offset: 4751872 len: 65536
>> ewf_image_read: byte offset: 4732928 len: 65536
>> ewf_image_read: byte offset: 4887040 len: 65536
>> ewf_image_read: byte offset: 5022208 len: 65536
>> ewf_image_read: byte offset: 5157376 len: 65536
>> ewf_image_read: byte offset: 5292544 len: 65536
>> ewf_image_read: byte offset: 5427712 len: 65536
>> ewf_image_read: byte offset: 5562880 len: 65536
>> ewf_image_read: byte offset: 5698048 len: 65536
>> ewf_image_read: byte offset: 5833216 len: 65536
>> ewf_image_read: byte offset: 5968384 len: 65536
>> ewf_image_read: byte offset: 6103552 len: 65536
>> ewf_image_read: byte offset: 6238720 len: 65536
>> ewf_image_read: byte offset: 6373888 len: 65536
>> ewf_image_read: byte offset: 6509056 len: 65536
>> ewf_image_read: byte offset: 6644224 len: 65536
>> ewf_image_read: byte offset: 6779392 len: 65536
>> ewf_image_read: byte offset: 6914560 len: 65536
>> ewf_image_read: byte offset: 7049728 len: 65536
>> ewf_image_read: byte offset: 7184896 len: 65536
>> ewf_image_read: byte offset: 7320064 len: 65536
>> ewf_image_read: byte offset: 7455232 len: 65536
>> ewf_image_read: byte offset: 7590400 len: 65536
>> ewf_image_read: byte offset: 7725568 len: 65536
>> ewf_image_read: byte offset: 7860736 len: 65536
>> ewf_image_read: byte offset: 7995904 len: 65536
>> ewf_image_read: byte offset: 8131072 len: 65536
>> ewf_image_read: byte offset: 8266240 len: 65536
>> ewf_image_read: byte offset: 8401408 len: 65536
>> ewf_image_read: byte offset: 8536576 len: 65536
>> ewf_image_read: byte offset: 8671744 len: 65536
>> ewf_image_read: byte offset: 8806912 len: 65536
>> ewf_image_read: byte offset: 8942080 len: 65536
>> ewf_image_read: byte offset: 9077248 len: 65536
>> ewf_image_read: byte offset: 9212416 len: 65536
>> ewf_image_read: byte offset: 9347584 len: 65536
>> ewf_image_read: byte offset: 9482752 len: 65536
>> ewf_image_read: byte offset: 9617920 len: 65536
>> ewf_image_read: byte offset: 9753088 len: 65536
>> ewf_image_read: byte offset: 9888256 len: 65536
>> ewf_image_read: byte offset: 10023424 len: 65536
>> ewf_image_read: byte offset: 10158592 len: 65536
>> ewf_image_read: byte offset: 10293760 len: 65536
>> ewf_image_read: byte offset: 10428928 len: 65536
>> ewf_image_read: byte offset: 10564096 len: 65536
>> ewf_image_read: byte offset: 10699264 len: 65536
>> ewf_image_read: byte offset: 10834432 len: 65536
>> ewf_image_read: byte offset: 10969600 len: 65536
>> ewf_image_read: byte offset: 11104768 len: 65536
>> ewf_image_read: byte offset: 11239936 len: 65536
>> ewf_image_read: byte offset: 11375104 len: 65536
>> ewf_image_read: byte offset: 11510272 len: 65536
>> ewf_image_read: byte offset: 11645440 len: 65536
>> ewf_image_read: byte offset: 11780608 len: 65536
>> ewf_image_read: byte offset: 11915776 len: 65536
>> ewf_image_read: byte offset: 12050944 len: 65536
>> ewf_image_read: byte offset: 12186112 len: 65536
>> ewf_image_read: byte offset: 12321280 len: 65536
>> ewf_image_read: byte offset: 12456448 len: 65536
>> ewf_image_read: byte offset: 12591616 len: 65536
>> ewf_image_read: byte offset: 12726784 len: 65536
>> ewf_image_read: byte offset: 12861952 len: 65536
>> ewf_image_read: byte offset: 12997120 len: 65536
>> ewf_image_read: byte offset: 13132288 len: 65536
>> ewf_image_read: byte offset: 13267456 len: 65536
>> ewf_image_read: byte offset: 13402624 len: 65536
>> ewf_image_read: byte offset: 13537792 len: 65536
>> ewf_image_read: byte offset: 13672960 len: 65536
>> ewf_image_read: byte offset: 13808128 len: 65536
>> ewf_image_read: byte offset: 13943296 len: 65536
>> ewf_image_read: byte offset: 14078464 len: 65536
>> ewf_image_read: byte offset: 14213632 len: 65536
>> ewf_image_read: byte offset: 14348800 len: 65536
>> ewf_image_read: byte offset: 14483968 len: 65536
>> ewf_image_read: byte offset: 14619136 len: 65536
>> ewf_image_read: byte offset: 14754304 len: 65536
>> ewf_image_read: byte offset: 14889472 len: 65536
>> ewf_image_read: byte offset: 15024640 len: 65536
>> ewf_image_read: byte offset: 15159808 len: 65536
>> ewf_image_read: byte offset: 15294976 len: 65536
>> ewf_image_read: byte offset: 15276032 len: 65536
>> ewf_image_read: byte offset: 15430144 len: 65536
>> ewf_image_read: byte offset: 15411200 len: 65536
>> ewf_image_read: byte offset: 15565312 len: 65536
>> ewf_image_read: byte offset: 15546368 len: 65536
>> ewf_image_read: byte offset: 15700480 len: 65536
>> ewf_image_read: byte offset: 15681536 len: 65536
>> ewf_image_read: byte offset: 15835648 len: 65536
>> ewf_image_read: byte offset: 15816704 len: 65536
>> ewf_image_read: byte offset: 15970816 len: 65536
>> ewf_image_read: byte offset: 15951872 len: 65536
>> ewf_image_read: byte offset: 16105984 len: 65536
>> ewf_image_read: byte offset: 16087040 len: 65536
>> ewf_image_read: byte offset: 16241152 len: 65536
>> ewf_image_read: byte offset: 16222208 len: 65536
>> ewf_image_read: byte offset: 16376320 len: 65536
>> ewf_image_read: byte offset: 16357376 len: 65536
>> yaffsfs_open: could not find valid spare area format
>> See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
>> ewf_image_read: byte offset: 1024 len: 65536
>> iso9660_open img_info: 34734152 ftype: 2048 test: 1
>> iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
>> Trying RAW ISO9660 with 16-byte pre-block size
>> fs_prepost_read: Mapped 32768 to 37648
>> iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
>> Trying RAW ISO9660 with 24-byte pre-block size
>> fs_prepost_read: Mapped 32768 to 37656
>> iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
>> iso9660_open: Error loading volume descriptor
>> Cannot determine file system type (Sector offset: 0)
>> Files Recovered: 0
>>
>> ------------------------------------------------------------------------------------------------------------------------------------
>>
>> Yet if I ask FTK Imager to show me the files in the ewf image, using its Add Evidence Item... functionality, it does indeed show me the files in the image without any errors.
>>
>> Is TSK supposed to work with physical drives containing different file systems? If so, can anyone suggest how I can get TSK to work properly?
>>
>> Eddie Diener
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
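Added example, not from this thread and not TSK project code: a POSIX shell script that does what Barry describes by hand, for every partition in one go. It runs mmls on the image, keeps only the allocated, non-meta rows, and calls tsk_recover once per partition with that row's start sector as the -o offset, writing each partition's files into its own directory. It assumes TSK 4.x mmls and tsk_recover are on PATH. The SAMPLE_MMLS text is constructed mmls output with made-up partitions and offsets (it is not the poster's image), and the image and output names in the dry run are placeholders. The two TSK commands are the same ones you would type at a Windows cmd prompt with the win32 binaries; only the loop needs a POSIX shell.

```shell
#!/bin/sh
# Added example (not TSK project code): recover files from every filesystem
# partition of a physical-drive image by running tsk_recover once per
# partition with the sector offset that mmls reports.
# Assumes TSK 4.x mmls and tsk_recover are on PATH.

# Constructed mmls output with made-up offsets, used for the dry run below;
# it is not the image from the thread.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0000411647   0000204800   Win95 FAT32 (0x0b)
004:  000:002   0000411648   0000616447   0000204800   Linux (0x83)
005:  000:003   0000616448   0000821247   0000204800   Linux (0x83)'

# Read mmls output on stdin; print "start_sector description" for each
# partition that can hold a filesystem. Rows whose Slot is "Meta" (the
# partition table itself) or "-------" (unallocated space) are skipped, and
# the zero-padded Start column is turned into a plain integer, which is the
# value tsk_recover -o expects (sectors, not bytes).
mmls_partitions() {
    awk '$1 ~ /^[0-9]+:$/ {
            if ($2 == "Meta" || $2 ~ /^-+$/) next
            desc = $6
            for (i = 7; i <= NF; i++) desc = desc " " $i
            printf "%d %s\n", $3 + 0, desc
        }'
}

# Dry run: read mmls output on stdin and print the tsk_recover command line
# that would be executed for each partition of IMAGE, writing under OUTDIR.
plan_recovery() {
    image=$1; outdir=$2
    mmls_partitions | while read -r start desc; do
        printf 'tsk_recover -o %s %s %s/part_%s\n' "$start" "$image" "$outdir" "$start"
    done
}

# Real run: recover_all_partitions IMAGE OUTDIR [extra tsk_recover options]
# Each partition gets its own directory so files from the FAT32, NTFS and
# ext volumes of one drive do not overwrite each other.
recover_all_partitions() {
    image=$1; outdir=$2; shift 2
    mmls "$image" | mmls_partitions | while read -r start desc; do
        dest="$outdir/part_$start"
        mkdir -p "$dest"
        echo "==> $desc at sector $start -> $dest"
        # -o must precede the image path; extra options (e.g. -e) pass through
        tsk_recover -o "$start" "$@" "$image" "$dest"
    done
}

# With an image and output directory on the command line, do the recovery;
# otherwise show the command lines the constructed sample would produce.
if [ "$#" -ge 2 ]; then
    recover_all_partitions "$@"
else
    printf '%s\n' "$SAMPLE_MMLS" | plan_recovery MyPhys.E01 Rec1
fi
```

Two caveats a first-time user of -o tends to trip over: the offset is in the unit mmls prints in its header (512-byte sectors unless you passed -b to both tools), not bytes, and the option has to come before the image path. Also, tsk_recover with neither -a nor -e exports only unallocated (deleted) files, so "Files Recovered: 0" at a correct offset can simply mean nothing was deleted on that volume; pass -e to export allocated and unallocated files (recover_all_partitions forwards extra arguments to tsk_recover for exactly that).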