Thread: Re: [sleuthkit-users] NTFS problems.
From: Brian C. <ca...@sl...> - 2003-06-26 15:13:05
On 26 Jun 2003 07:12 PDT you wrote:
> I made an image "image.img" with dd from a hard disk which contained a WindowsXP partition (NTFS) and now Autopsy says:
>
> " offset read random seek error... image.img not NTFS File System" (more or less)

Domingo, I'm going to need some more data.

When do you get the message? Do any of the "modes" work? The file system imported with no errors though, correct? How big is the file system image? Did you copy, move, or symlink into the evidence locker?

The seek error comes when the tools try to read past the end of the file system image. The "img is not a NTFS file system" error message though comes from a much different place and you should not get the seek error before the NTFS magic check. So, there are two tools that are being run by Autopsy and giving different errors.

thanks,
brian
From: Brian C. <ca...@sl...> - 2003-06-26 16:58:50
On 26 Jun 2003 08:48 PDT you wrote:
> When do you get the message?
> - When trying to make a symlink to Evidence Locker.

Ok, then that is where the "not an NTFS image" error came from. The seek error came from testing the image to verify it was indeed the correct file system type. Can you send me the exact seek error message?

> Do any of the "modes" work?
> - Sorry, I don't exactly know what you mean.

The "modes" are once the image has been imported you can view it from different "modes" such as files or data units. But, I guess it never got that far.

> The file system imported with no errors though correct?
> - Sorry, I don't exactly know what you mean. I made a bit to bit copy
> with "dd".

Did you 'dd' the entire disk or the individual partitions? Autopsy and The Sleuth Kit both require a partition and not a disk. In other words, if you used Linux, did you 'dd' /dev/hda or /dev/hda1?

brian
From: Domingo C. <do...@es...> - 2003-06-26 17:44:16
----- Original Message -----
From: "Brian Carrier" <ca...@sl...>
To: "Domingo Cardona" <do...@es...>; <sle...@li...>
Sent: Thursday, June 26, 2003 6:58 PM
Subject: Re: [sleuthkit-users] NTFS problems.

> Did you 'dd' the entire disk or the individual partitions? Autopsy and
> The Sleuth Kit both require a partition and not a disk. In other words,
> if you used Linux, did you 'dd' /dev/hda or /dev/hda1?

I dd'ed /dev/hda... any solution to get /dev/hda1 from the image file?

Domingo.
From: Brian C. <ca...@sl...> - 2003-06-26 17:37:26
On 26 Jun 2003 10:21 PDT you wrote:
> I dd'ed /dev/hda... any solution to get /dev/hda1 from the image file?

check out:
http://www.sleuthkit.org/informer/sleuthkit-informer-2.html#split

I'm confused about why you got a seek error though. The Sleuth Kit should have returned an error about an invalid file system before the seek error occurred. I'll have to look into that more. Can you send me the output of the following:

dd if=image.img count=1 | xxd

That will put the first sector of the image you collected in a hexdump format. I want to find out why the sanity check did not work. No sensitive data is located in there.

brian
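The first-sector check Brian asks for can be automated: the added example below (not code from the thread or from The Sleuth Kit) tells an NTFS volume boot sector, which Autopsy expects, apart from a whole-disk image that starts with an MBR, which is what a dd of /dev/hda produces, and for the latter derives the dd skip/count needed to carve the partition out of the image. It assumes the carve is done with dd's skip and count options; the sample sectors and the partition geometry are constructed.

```python
import struct
import sys

SECTOR = 512
NTFS_TYPE_ID = 0x07  # MBR partition type used by NTFS volumes

def is_ntfs_boot_sector(sector: bytes) -> bool:
    """An NTFS volume boot record carries the OEM ID 'NTFS    ' at offset 3."""
    return len(sector) >= 11 and sector[3:11] == b"NTFS    "

def parse_mbr(sector: bytes):
    """Return (type_id, start_lba, sector_count) per used MBR slot; [] without the 0x55AA signature."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        type_id = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if type_id and count:
            parts.append((type_id, start_lba, count))
    return parts

def classify(sector: bytes) -> str:
    """Check NTFS first: a volume boot sector also ends in 0x55AA."""
    if is_ntfs_boot_sector(sector):
        return "ntfs-volume"
    if parse_mbr(sector):
        return "mbr-disk"
    return "unknown"

def carve_command(image: str, out: str, start_lba: int, count: int) -> str:
    """dd invocation that copies one partition out of a whole-disk image."""
    return f"dd if={image} of={out} bs={SECTOR} skip={start_lba} count={count}"

# Constructed samples: an MBR whose first slot is a bootable NTFS partition
# starting at LBA 63 (about 20 GB long), and a bare NTFS volume boot sector.
_entry = bytes([0x80, 1, 1, 0, NTFS_TYPE_ID, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 40949937)
DISK_SECTOR = b"\x00" * 446 + _entry + b"\x00" * 48 + b"\x55\xaa"
VOLUME_SECTOR = b"\xeb\x52\x90NTFS    " + b"\x00" * 499 + b"\x55\xaa"

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        first = fh.read(SECTOR)
    print(classify(first))
    for type_id, start, count in parse_mbr(first):
        if type_id == NTFS_TYPE_ID:
            print(carve_command(sys.argv[1], "hda1.img", start, count))
```

Run it as `python check_sector.py image.img`; an "unknown" result means neither signature is present, which is the case worth looking at with xxd by hand.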
From: Eagle I. S. Inc. <in...@ea...> - 2003-08-18 19:53:31
I revisited this thread after having tried unsuccessfully to add an NTFS image host to Sleuthkit.

The resulting image file, which Autopsy uses, MUST have a ".dd" extension. Without that, it won't recognize the file system as being NTFS. At least, that was my finding.

In my case, I simply renamed the file to image.dd and it symlinked just fine.

Regards,
Niall.
From: Brian C. <ca...@sl...> - 2003-08-18 20:07:07
On 18 Aug 2003 12:54 PDT you wrote:
> I revisited this thread after having tried unsuccessfully to add
> an NTFS image host to Sleuthkit.
>
> The resulting image file, which Autopsy uses, MUST have a ".dd"
> extension. Without that, it won't recognize the file system as
> being NTFS. At least, that was my finding.
>
> In my case, I simply renamed the file to image.dd and it symlinked just
> fine.

It shouldn't behave that way. I just added a file called fat-test.img and it was fine:

Linking /users/bcarrier/fat-test.img to /users/bcarrier/ev_lock/debug/test/images/fat-test.img
Image: /users/bcarrier/fat-test.img added to config file as images/fat-test.img

There are two things that I can suggest. I have noticed that when I upgraded my Perl to 5.8 that the output of some of the commands was not being displayed in Autopsy. For example, the file listing would be empty. I changed back to 5.6 and it works fine. I need to investigate this further, but that could be the problem if you are using 5.8.

The other is that the original file name had characters that Autopsy did not like (not just the extension). Autopsy allows words, numbers, _, -, ., and /. What file name did you have that did not work?

brian
From: Eagle I. S. Inc. <in...@ea...> - 2003-08-18 20:11:06
Brian,

I had the file named simply imghdf1 with no extension.

When I renamed it to imghdf1.dd it worked fine.

I did not test with imghdf1.img or any other extensions.

Regards,
Niall.
From: Brian C. <ca...@sl...> - 2003-08-18 20:21:27
On 18 Aug 2003 13:16 PDT you wrote:
> Brian,
>
> I had the file named simply imghdf1 with no extension.
>
> When I renamed it to imghdf1.dd it worked fine.
>
> I did not test with imghdf1.img or any other extensions.

Hmmm, I can import an image with that name:

Linking /users/bcarrier/imghdf1 to /users/bcarrier//ev_lock//debug/test//images/imghdf1
Image: /users/bcarrier//imghdf1 added to config file as images/imghdf1

What version of Perl are you using? You can do 'perl -v' to find out. What was the exact error message that you got?

thanks,
brian
From: Eagle I. S. Inc. <in...@ea...> - 2003-08-18 20:27:24
Brian,

Perl version is 5.8.

The exact message came after I hit OK to add the host, and it said (as far as I can remember): The image is not a valid ntfs file system.

Thanks
Niall.
From: Brian C. <ca...@sl...> - 2003-08-18 20:39:19
On 18 Aug 2003 13:27 PDT you wrote:
> Perl version is 5.8.

I would suggest using 5.6 if you have it on your system (/usr/bin/perl5.6 sometimes). You can change it by editing the first line in 'autopsy'. I'm going to look into how to fix the 5.8 problems.

thanks,
brian
From: Domingo C. <do...@es...> - 2003-06-26 15:48:06
> When do you get the message?
- When trying to make a symlink to Evidence Locker.

> Do any of the "modes" work?
- Sorry, I don't exactly know what you mean.

> The file system imported with no errors though correct?
- Sorry, I don't exactly know what you mean. I made a bit to bit copy with "dd".

> How big is the file system image?
- 20 Gbytes.

> Did you copy, move, or symlink into the evidence locker?
- Already answered. I tried to symlink...

Thanks Brian.