Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
|
From: Brian C. <ca...@sl...> - 2006-11-21 17:33:26
|
DePriest, Jason R. wrote: > Active File Recovery 7.1 build 333 (commercial program) found an NTFS > partition on the drive. > > It starts at sector 1120 and is 35544920 sectors long. It has the > default NTFS cluster size of 4096. > > It seems to have an full Windows file system on it with enough > directories to actually boot and run. > > According to AFR, there are exactly 0 (zero) deleted files on it. > > I am disturbed by that result. I can't seem to get the partition > recognized by any of the autopsy tools to verify that number. Currently, Autopsy does not allow you to specify the location of arbitrary partitions (it requires 'mmls' to find them from a partition table). Since you know the offset, you can run 'fls -o 1120 IMG.img' on the image and see what it comes back with. Is this from the RAID array or the other stand-alone drive? If it is one of the RAID drives, then I assume you'll get a bunch of errors since data will be missing. brian |
