Re: [sleuthkit-users] (no subject)
From: Carlton F. <c.a...@la...> - 2006-03-28 21:01:00
mmls -V
The Sleuthkit ver 2.01
mmls -t dos -i raw <host>.img
mmls: Invalid extended partition table magic in sector 18201645
file <host>.img
<host>.img: x86 boot sector
fdisk -lu <host>.img
You must set cylinders.
You can do this from the extra functions menu.
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: invalid flag 0xffffd366 of partition table 5 will be
corrected by w(rite)
Disk <host>.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
54_21.img1 * 63 18201644 9100791 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(1132, 254, 63)
54_21.img2 18201645 58605119 20201737+ f W95 Ext'd (LBA)
Partition 2 has different physical/logical beginnings (non-Linux?):
phys=(1023, 0, 1) logical=(1133, 0, 1)
Partition 2 has different physical/logical endings:
phys=(1023, 254, 63) logical=(3647, 254, 63)
54_21.img5 ? 1358216596 4227304473 1434543939 6b Unknown
You must set cylinders.
You can do this from the extra functions menu.
At 2:29 PM +0100 3/28/06, Angus Marshall wrote:
>The physical/logical issue sounds fairly typical of a lot of disks that I've
>examined.
>
>Could you post the results from sleuthkit's "mmls -t dos -i raw
><imagefile>" here ?
>
>We might be able to give some more specific help.
>
>On Tue Mar 28 14:00 , gim...@we... sent:
>
>>On Mon, 27 Mar 2006 10:14:23 -0500
>>Carlton Foster <c.a...@LA...> wrote:
>>
>>> I was asked to create an image of a system a couple of weeks ago but
>>> told not to investigate it. I used dcfldd over netcat on a crossover
>>> cable to image the system. I created MD5's of the source and image,
>>> and both matched.
>>>
>>> I did a physical image, not logical.
>>>
>>> Today, I have been asked to investigate the image. However, the
>>> partition table appears bad.
>>>
>>> I am getting warnings from fdisk saying Partition 1 has different
>>> logical/physical endings. Then Partition 2 has different beginnings
>>> and endings. I can't figure out how to get the logical images
>>> extracted, and we no longer have access to the source system.
>>>
>>> Can anyone provide any help?
>>> --
>>
>>Try out this one: http://www.cgsecurity.org/wiki/TestDisk
>>
>>From the summary:
>>
>>"If you have missing partitions or a completely empty Partition Table,
>>TestDisk can search for partitions and create a new Table or even a new
>>MBR if necessary."
>>
>>regards
>>
>>
>>_______________________________________________
>>sleuthkit-users mailing list
>>https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>http://www.sleuthkit.org
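Added example, not part of the original thread and not Sleuth Kit code: a minimal walker for a DOS partition table in a raw image that applies the 55 AA signature check (bytes 510-511) to the MBR and to every extended table in the chain, and stops at the first sector that fails it instead of trusting its entries, which is the situation the mmls error and the nonsensical fdisk entry 5 above point to. The function names and the 300-sector sample image are constructed for illustration.

```python
import io
import struct
SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}   # CHS, LBA and Linux extended container types

def read_table(img, lba):
    """Return (magic_ok, [(type, rel_start, sectors)]) for the table at lba."""
    img.seek(lba * SECTOR)
    sec = img.read(SECTOR).ljust(SECTOR, b"\0")   # short read fails the magic
    rows = [struct.unpack_from("<4xB3xII", sec, 446 + 16 * i) for i in range(4)]
    return sec[510:512] == b"\x55\xaa", [r for r in rows if r[0] != 0]

def walk(img):
    """Walk the MBR and EBR chain. Returns (partitions, bad_table_sector)."""
    ok, rows = read_table(img, 0)
    if not ok:
        return [], 0
    parts = []
    for ptype, start, count in rows:
        if ptype not in EXTENDED:
            parts.append((ptype, start, count))
            continue
        ebr, seen = start, set()
        while ebr is not None and ebr not in seen:   # seen guards against loops
            seen.add(ebr)
            ok, ebr_rows = read_table(img, ebr)
            if not ok:                  # no 55 AA: these bytes are not a table
                return parts, ebr
            nxt = None
            for t, s, c in ebr_rows:
                if t in EXTENDED:
                    nxt = start + s     # link: relative to extended start
                else:
                    parts.append((t, ebr + s, c))   # data: relative to this EBR
            ebr = nxt
    return parts, None

def sector(rows, magic=True):   # constructed table sector for the demo image
    sec = bytearray(SECTOR)
    for i, row in enumerate(rows):
        struct.pack_into("<4xB3xII", sec, 446 + 16 * i, *row)
    sec[510:512] = b"\x55\xaa" if magic else b"\x00\x00"
    return bytes(sec)

def demo_image(ebr_magic):      # constructed: NTFS at 63, extended at 200
    img = bytearray(300 * SECTOR)
    img[0:SECTOR] = sector([(0x07, 63, 137), (0x0F, 200, 100)])
    img[200 * SECTOR:201 * SECTOR] = sector([(0x6B, 5, 9)], ebr_magic)
    return io.BytesIO(bytes(img))
```

Calling `walk(demo_image(ebr_magic=False))` returns the primary partition plus the sector number of the table that failed the check, so the primary can still be carved out by offset while the extended area is examined separately.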