Re: [sleuthkit-users] Analyzing FreeBSD Partition
From: Barry J. G. <bg...@im...> - 2006-02-24 21:54:19
On Fri, 2006-02-24 at 10:07 -0500, Brooks, Prentis wrote:
> however, the resulting freebsd.dd image has the same failures as the
> previous. I have looked for any other references to the 4.2BSD but
> haven't found anything in particular about it. Am I missing
> something? Any help will be greatly appreciated.

Hi Prentis,

I'm going to hazard a guess here...

It looks like the file hda1.img is an image created via dd of a "freebsd partition", perhaps identified by linux fdisk (or sfdisk, etc.) In other words "not the whole disk".

Your mmls command shows you the disk label found in that partition, but the offsets given to the freebsd filesystem are relative to the *disk* (hda) not the partition (hda1). So in trying to carve out the filesystem, you are passing an offset that is wrong.

That is a *guess*. Have you used xxd (or other viewer) to look at the image and the results of your attempted carve? Any "unix labelufs" strings?

-- 
/***************************************
Special Agent Barry J. Grundy
NASA Office of Inspector General
Computer Crimes Division
Goddard Space Flight Center
Code 190 Greenbelt Rd.
Greenbelt, MD 20771
(301)286-3358
**************************************/
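
The offset mix-up described in the message above can be checked mechanically. The following is an added example, not part of the original post: it probes an image for a UFS superblock magic with the label offset taken as-is and again rebased by the slice start. The function names, the 512-byte sector size, the little-endian layout, and the sample image are assumptions; the slice start must come from the whole-disk partition table.

```python
import struct

SECTOR = 512  # assumed sector size
# (superblock byte offset inside the filesystem, little-endian magic)
UFS_PROBES = {"UFS1": (8192, 0x00011954), "UFS2": (65536, 0x19540119)}
FS_MAGIC_OFF = 1372  # offset of fs_magic inside the superblock


def ufs_at(image, fs_start_sector):
    """Return 'UFS1'/'UFS2' if a superblock magic sits at this start, else None."""
    if fs_start_sector < 0:
        return None
    for name, (sb_off, magic) in UFS_PROBES.items():
        pos = fs_start_sector * SECTOR + sb_off + FS_MAGIC_OFF
        raw = image[pos:pos + 4]
        if len(raw) == 4 and struct.unpack("<I", raw)[0] == magic:
            return name
    return None


def resolve_offset(image, label_offset, slice_start):
    """Try the label offset as-is and rebased to the slice; report what matches."""
    candidates = {
        "relative to image": label_offset,
        "relative to disk": label_offset - slice_start,
    }
    hits = {}
    for how, start in candidates.items():
        kind = ufs_at(image, start)
        if kind:
            hits[how] = (start, kind)
    return hits


def build_sample(fs_start_sector):
    """Constructed image: zeros plus a UFS1 magic where the superblock would be."""
    img = bytearray((fs_start_sector + 32) * SECTOR)
    pos = fs_start_sector * SECTOR + 8192 + FS_MAGIC_OFF
    img[pos:pos + 4] = struct.pack("<I", 0x00011954)
    return bytes(img)


if __name__ == "__main__":
    # Constructed case: slice starts at disk sector 63, the label lists the
    # filesystem at sector 63, and the image holds only the slice.
    image = build_sample(0)
    for how, (start, kind) in resolve_offset(image, 63, 63).items():
        print(f"{kind} found, offset is {how}: dd skip={start} (512-byte sectors)")
```

For a real dd image, a memory-mapped file can be passed as `image` instead of reading it all into memory.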