Thread: [sleuthkit-users] Error Adding Disk Image To Host in Autopsy - TSK 2.00, Autopsy 2.04
From: Bradley B <br...@de...> - 2005-04-04 10:35:40
Hello, I created a case in Autopsy and added a host. I then attempted to add a Disk Image (eg. dd if=/dev/had, not /dev/hda1) as now is possible in Autopsy. It is a disk image of a machine running DOS with a FAT16 partition. The output of mmls is as follows:

$ /usr/local/sleuthkit/bin/mmls -r "/usr/local/images/c.img"
DOS Partition Table
Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000100799   0000100737   DOS FAT16 (0x06)

In Autopsy I get the message:

Testing partitions
Linking image(s) into evidence locker
Image file added with ID img1
Missing Volume System Type

The output of the command using fsstat is:

$ '/usr/local/sleuthkit/bin/fsstat' -o 63 -i raw -f fat16 "/usr/local/images/c.img"
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT16

OEM Name: MSDOS5.0
Volume ID: 0x2e471cd7
Volume Label (Boot Sector): MSDOS622
Volume Label (Root Directory):
File System Type Label: FAT16

Sectors before file system: 63

File System Layout (in sectors)
Total Range: 0 - 100736
* Reserved: 0 - 0
** Boot Sector: 0
* FAT 0: 1 - 99
* FAT 1: 100 - 198
* Data Area: 199 - 100736
** Root Directory: 199 - 230
** Cluster Area: 231 - 100734
** Non-clustered: 100735 - 100736

METADATA INFORMATION
--------------------------------------------
Range: 2 - 1608066
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 2048
Total Cluster Range: 2 - 25127

FAT CONTENTS (in sectors)
--------------------------------------------
231-310 (80) -> EOF
311-386 (76) -> EOF
387-518 (132) -> EOF
...
More data follows
-END

When restarting Autopsy I cannot access the image, it does not seem to show up in the image chooser.

- Bradley Bitzkowski
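Added example (not part of the original post, and not Sleuth Kit or Autopsy code): a minimal reader for the DOS partition table in sector 0 that reproduces the mmls layout quoted above and shows where the value passed to fsstat -o comes from. The sample sector is constructed to match the posted numbers; the function names and the CHS bytes in it are assumptions made for illustration.

```python
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"  # boot flag, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed sector 0 with one FAT16 (0x06) entry: start 63, length 100737."""
    mbr = bytearray(SECTOR)
    # CHS bytes are placeholders; only the LBA fields are used below.
    mbr[446:462] = struct.pack(ENTRY, 0x80, b"\x01\x01\x00", 0x06,
                               b"\x0f\x3f\x63", 63, 100737)
    mbr[510:512] = b"\x55\xaa"  # DOS partition table signature
    return bytes(mbr)


def parse_dos_table(sector0):
    """Return the used primary entries, sorted by starting sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no DOS partition table signature in sector 0")
    parts = []
    for slot in range(4):
        raw = sector0[446 + 16 * slot:462 + 16 * slot]
        _, _, ptype, _, start, length = struct.unpack(ENTRY, raw)
        if ptype != 0 and length != 0:
            parts.append({"slot": slot, "type": ptype,
                          "start": start, "length": length})
    return sorted(parts, key=lambda p: p["start"])


def layout(sector0):
    """Rows of (start, end, length, description), with unallocated gaps filled in."""
    rows = [(0, 0, 1, "Primary Table (#0)")]
    cursor = 1  # first sector after the table itself
    for p in parse_dos_table(sector0):
        if p["start"] > cursor:
            rows.append((cursor, p["start"] - 1, p["start"] - cursor, "Unallocated"))
        end = p["start"] + p["length"] - 1
        rows.append((p["start"], end, p["length"], "type 0x%02x" % p["type"]))
        cursor = max(cursor, end + 1)
    return rows


if __name__ == "__main__":
    for start, end, length, desc in layout(build_sample_mbr()):
        print("%010d  %010d  %010d  %s" % (start, end, length, desc))
```

The Start column of the partition row (63) is the sector offset given to fsstat with -o, and it matches the "Sectors before file system: 63" line in the fsstat output.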
From: Brian C. <ca...@sl...> - 2005-04-04 14:57:55
On Apr 4, 2005, at 5:35 AM, Bradley B wrote:

> Hello, I created a case in Autopsy and added a host. I then attempted to add
> a Disk Image (eg. dd if=/dev/had, not /dev/hda1) as now is possible in
> Autopsy. It is a disk image of a machine running DOS with a FAT16 partition.
> The output of mmls is as follows:
...
> In Autopsy I get the message:
> Testing partitions
> Linking image(s) into evidence locker
> Image file added with ID img1
> Missing Volume System Type
...
> When restarting Autopsy I cannot access the image, it does not seem to show
> up in the image chooser.

Did autopsy show any errors before the missing volume system type error? Did it say that it could not determine the volume system type or did you initially choose volume instead of disk? I can't find a way that the type would be missing, so I'm not sure if there is some other path that I missed.

Anyway, I changed the code a little to make sure that the type is determined in case there is a situation that I missed. Replace the lib/Caseman.pm file with the one at the below URL and try again. If you haven't added anything to the host, you are probably best off to delete the host directory in the case directory of the evidence locker and add it again.

http://sleuthkit.sourceforge.net/autopsy/Caseman.pm

thanks,
brian
From: Bradley B <br...@de...> - 2005-04-04 18:01:20
I put the new Caseman.pm file in the lib directory of autopsy and now I can add the image and it works fine.

- Bradley Bitzkowski