Re: [sleuthkit-users] Autopsy and TSK Releases
From: Ketil F. <ke...@fr...> - 2017-01-23 15:56:13
Hi Brian,

On 18 January 2017 at 22:47, Brian Carrier <ca...@sl...> wrote:
> There are new releases of both The Sleuth Kit and Autopsy.
>
> New things in Autopsy 4.3.0 are:
[snip]
> * Support for images with no file systems (all data is added as unallocated space

This doesn't seem to work for all cases; are there any limitations? The test image linked below doesn't add to Autopsy 4.3.0, I get the usual error message:

-------------------------
Add Image Log
Errors occured while ingesting image
1. Cannot determine file system type (Sector offset: 0)
-------------------------

Image link: https://www.dropbox.com/s/ywmfpwgtznqzam8/add-fail.img.gz?dl=0

This is a small test image (100MB), which originally had a DOS partition table and two (empty) file systems (FAT and EXT4). After creating the file systems, most data before the first file system was overwritten with random bytes, so the partition table is gone.

I was hoping to test if it's possible to add an image that has no (recognized) partition table, and then find and add the file systems within Autopsy. I'd be interested to learn how this can be done, if it's possible.

The file systems start at sector 2048 and 104448:

$ file - < <(dd if=add-fail.img bs=512 count=4)
/dev/stdin: data
$ file - < <(dd if=add-fail.img bs=512 count=4 skip=2048)
/dev/stdin: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", Media descriptor 0xf8, sectors/track 63, heads 255, sectors 100353 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 772, serial number 0xb3e93cf7, unlabeled
$ file - < <(dd if=add-fail.img bs=512 count=4 skip=104448)
/dev/stdin: Linux rev 1.0 ext4 filesystem data, UUID=d86165df-56d5-43a1-b1ea-3d28ebba8c47 (extents) (large files) (huge files)

Regards,
Ketil
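The manual `dd | file` probing in the post above can be automated as a sector-by-sector signature scan, which yields the sector offsets a forensic tool needs when the partition table has been destroyed. This is an added example written for this thread, not code from Autopsy or The Sleuth Kit; the signature offsets are the standard FAT boot-sector and ext superblock layouts, and the sample image it builds is constructed inline (FAT32 at sector 4, ext4 at sector 20, arbitrary filler elsewhere).

```python
"""Locate FAT and ext file systems in a raw image whose partition table is gone."""
import struct

SECTOR = 512
EXT_MAGIC = 0xEF53        # ext2/3/4 s_magic, little-endian, at superblock byte 0x38
EXT_SB_OFFSET = 1024      # the ext superblock sits 1 KiB into its volume


def probe_sector(buf, off):
    """Return a file-system label if a known signature starts at byte offset `off`."""
    boot = buf[off:off + SECTOR]
    if len(boot) < SECTOR:
        return None
    # FAT: 0x55AA boot signature plus the ASCII type label mkfs writes into the BPB.
    if boot[510:512] == b"\x55\xaa":
        if boot[0x52:0x5A] == b"FAT32   ":
            return "FAT32"
        if boot[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
            return boot[0x36:0x3E].strip().decode()
    # ext2/3/4: 16-bit magic at byte 0x38 of the superblock, one KiB past the volume start.
    sb = buf[off + EXT_SB_OFFSET:off + EXT_SB_OFFSET + 64]
    if len(sb) == 64 and struct.unpack_from("<H", sb, 0x38)[0] == EXT_MAGIC:
        return "ext"
    return None


def find_filesystems(image):
    """Return [(start_sector, label), ...] for every sector where a signature matches."""
    hits = []
    for off in range(0, len(image), SECTOR):
        label = probe_sector(image, off)
        if label:
            hits.append((off // SECTOR, label))
    return hits


def make_test_image():
    """Constructed sample image: filler bytes, a FAT32 boot sector at sector 4, ext4 at 20."""
    img = bytearray(b"\x5a" * SECTOR * 32)
    fat = bytearray(SECTOR)
    fat[0x52:0x5A] = b"FAT32   "
    fat[510:512] = b"\x55\xaa"
    img[4 * SECTOR:5 * SECTOR] = fat
    struct.pack_into("<H", img, 20 * SECTOR + EXT_SB_OFFSET + 0x38, EXT_MAGIC)
    return bytes(img)


if __name__ == "__main__":
    for sector, label in find_filesystems(make_test_image()):
        print(f"sector {sector}: {label}")   # prints sector 4: FAT32 / sector 20: ext
```

On a real image, read the file in chunks instead of loading it whole, and treat each hit as a candidate to confirm with `fsstat -o <sector>` or `file`, since filler data can occasionally contain a matching two-byte magic.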