Re: [sleuthkit-users] Examining RAID-5 with only 1 drive
From: DePriest, J. R. <jrd...@gm...> - 2006-12-02 00:34:29
> DePriest, Jason R. wrote:
>
> > Active File Recovery 7.1 build 333 (commercial program) found an NTFS
> > partition on the drive.
> >
> > It starts at sector 1120 and is 35544920 sectors long. It has the
> > default NTFS cluster size of 4096.

I'm done with this, I think.

It just gets weirder and weirder, though.

Active File Recovery let me GUI my way into creating a forensic image of just the partition that it found that looked like a legitimate operating system.

Sleuthkit was able to work with the resulting image just fine.

Which leads me to unanswered questions, which I will probably never get answers for.

Why was the partition started on sector 1120 instead of 63?

What was the original server configuration and how did the drive I have relate to "the other two drives" that were mentioned as being discarded?

If this was a RAID configuration, what was it so that I could get a valid partition out of just a single disk?

My conclusion for the lawyers after looking at this drive and an IDE drive they also sent is: not enough information to provide any meaningful conclusion.

All my questions, all my work, and all the inconclusive results have been documented and sent to my manager for approval.

Thanks for everyone's suggestions.

-Jason
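A way to cross-check a recovery tool's reported partition start and cluster size against the raw disk image, as an added example that is not part of the original message: it scans for an NTFS boot sector and reads the geometry fields from it. The function names, the 512-byte sector size and the sample image (including its total-sector and MFT values) are assumptions constructed for illustration.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte sectors in the raw image


def read_ntfs_boot(img, start_sector):
    """Parse the NTFS boot sector at start_sector; None if it is not one."""
    img.seek(start_sector * SECTOR)
    bs = img.read(SECTOR)
    if len(bs) < SECTOR or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", bs, 0x28)
    return {
        "start_sector": start_sector,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
    }


def scan_for_ntfs(img, max_sector):
    """List every sector below max_sector that holds an NTFS boot sector."""
    return [s for s in range(max_sector) if read_ntfs_boot(img, s)]


def make_sample_image():
    """Constructed test image: 1120 empty sectors, then a minimal boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                      # x86 jump
    bs[3:11] = b"NTFS    "                         # OEM ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)      # 512 B/sector, 8 sectors/cluster
    struct.pack_into("<QQ", bs, 0x28, 35544919, 786432)  # constructed values
    bs[510:512] = b"\x55\xaa"                      # end-of-sector signature
    return io.BytesIO(bytes(1120 * SECTOR) + bytes(bs) + bytes(8 * SECTOR))


if __name__ == "__main__":
    img = make_sample_image()
    for start in scan_for_ntfs(img, 2048):
        print(read_ntfs_boot(img, start))
```

A start sector found this way is the value Sleuthkit tools such as `fsstat` and `fls` take with `-o` when working on the whole-disk image rather than a carved partition.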