[sleuthkit-users] Analyzing FreeBSD Partition
From: Brooks, P. <pre...@tw...> - 2006-02-24 15:07:49
Hey All,
I need some help trying to get sleuthkit to read an image pulled
from a (reportedly) FreeBSD system. The image was taken using dd of
/dev/hda1. Attempts to point autopsy at the image file using ufs,
freebsd, and openbsd, all fail reporting that the image is not those
filesystem types. After reading volume 12 of the informer, I decided to
try ripping the 4.2BSD image out:

mmls output of the resulting image file:

/usr/local/sleuthkit/bin/mmls -t bsd hda1.img
BSD Disk Label
Sector: 1
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000062   0000000063   Unallocated
01:  01      0000000063   0000262206   0000262144   Swap (0x01)
02:  02      0000000063   0019535039   0019534977   Unused (0x00)
03:  00      0000262207   0019535039   0019272833   4.2BSD (0x07)

Using the following dd command:

dd if=hda1.img bs=512 of=freebsd.dd skip=262207 count=19272833

however, the resulting freebsd.dd image has the same failures as the
previous. I have looked for any other references to the 4.2BSD but
haven't found anything in particular about it. Am I missing something?
Any help will be greatly appreciated.

Prentis Brooks
Enterprise Security Technical Manager
office: 704-731-3408
AIM: TWCPaladin
email: pre...@tw...
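
A way to check a candidate `skip` value before carving, added here as an example and not part of the original post: it looks for the FFS superblock magic (UFS1 superblock at byte 8192, UFS2 at byte 65536, magic at offset 1372 inside it) at the label's start sector and at that sector rebased by a slice start. It assumes the label's start sectors may be counted from the start of the disk rather than from the start of the slice image; `probe`, `ufs_kind_at` and the sample image are hypothetical names and constructed data.

```python
import io
import struct

SECTOR = 512
MAGIC_OFF = 1372  # offset of fs_magic inside the FFS superblock
# (superblock byte offset inside the partition, magic value, name)
SUPERBLOCKS = [(8192, 0x00011954, "UFS1"), (65536, 0x19540119, "UFS2")]


def ufs_kind_at(img, start_sector):
    """Return 'UFS1' or 'UFS2' if a superblock magic is present for a
    filesystem that begins at start_sector of img, else None."""
    for sb_off, magic, name in SUPERBLOCKS:
        img.seek(start_sector * SECTOR + sb_off + MAGIC_OFF)
        raw = img.read(4)
        # Accept either byte order; a short read means we ran off the image.
        if len(raw) == 4 and magic in (struct.unpack("<I", raw)[0],
                                       struct.unpack(">I", raw)[0]):
            return name
    return None


def probe(img, label_start, slice_base):
    """Test the label's start sector as given and rebased by slice_base
    (assumption: the label may hold disk-relative sector numbers).
    Returns {skip_sector: filesystem_kind} for every hit."""
    hits = {}
    for skip in (label_start, label_start - slice_base):
        if skip >= 0:
            kind = ufs_kind_at(img, skip)
            if kind:
                hits[skip] = kind
    return hits


def constructed_slice_image(fs_sector, magic=0x19540119, sb_off=65536):
    """Constructed sample: an otherwise empty image holding only a
    superblock magic for a filesystem starting at fs_sector."""
    img = io.BytesIO()
    img.seek(fs_sector * SECTOR + sb_off + MAGIC_OFF)
    img.write(struct.pack("<I", magic))
    return img


if __name__ == "__main__":
    # Constructed label: slice starts at 63, partition listed at 200.
    img = constructed_slice_image(fs_sector=137)
    print(probe(img, label_start=200, slice_base=63))
```

Against a real image, open the file in binary mode and pass the start sectors from the mmls listing; a hit tells you which `skip` value to give dd.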