Thread: [sleuthkit-users] tsk_loaddb: Cannot determine file system type (Sector offset: 64, Partition Type:
From: PCF R. R. C. <ron...@dp...> - 2016-06-06 20:04:14
Attachments:
report_item0906.txt
Hi,

tsk_loaddb.exe aborted with message below:
Error: Cannot determine file system type (Sector offset: 64, Partition Type: NTFS / exFAT (0x07))

I can open this image with FTK and Encase, without any problem.

Full verbose log is attached.

Any suggestion?

Regards,

--
Ronaldo Rosenau da Costa
Perito Criminal Federal
Setor Técnico Científico (SETEC)
Departamento de Polícia Federal - Paraná
Tel: (41) 3251-7651
Voip: 4 4100-7651
From: Luís F. N. <lfc...@gm...> - 2016-06-06 20:26:46
Hi Ronaldo,

Do you know what is the true file system type?

Regards,
Luis Nassif
From: PCF R. R. C. <ron...@dp...> - 2016-06-06 21:28:52
Hi Nassif,

It seems to be what tsk_loaddb detected, a partition NTFS with a volume exFat.

Follow mmls result and encase details about the problematic partition:

=== mmls ===
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000063   0000000064   Unallocated
002:  000:000   0000000064   3907024128   3907024065   NTFS / exFAT (0x07)
003:  -------   3907024129   3907029167   0000005039   Unallocated

===== Encase ==========
Serial Number         56D4-47DC
Driver Information    exFAT 1.0 Used: 10%
Volume
  File System         exFat
  Sectors per cluster 256
  Bytes per sector    512
  Total Sectors       3.907.024.065
  Total Capacity      2.000.396.222.464 Bytes (1,8 TB)
  Total Clusters      15.261.812
  Unallocated         1.794.455.240.704 Bytes (1,6 TB)
  Free Clusters       13.690.607
  Allocated           205.940.981.760 Bytes (191,8 GB)
  Volume Offset       64
  Drive Type          Fixed
Partition
  Id                  07
  Type                NTFS
  Start Sector        64
  Total Sectors       3.907.024.065

--
Ronaldo Rosenau da Costa
From: Luís F. N. <lfc...@gm...> - 2016-06-06 21:44:51
Thank you, Ronaldo.

I asked it to try to help tsk developers with deeper tsk knowledge (not me unfortunately) to solve the problem.

Luis Nassif
From: Brian C. <ca...@sl...> - 2016-06-07 18:56:38
From the verbose log, these seem to be the relevant lines:

fsopen: Auto detection mode at offset 32768
ntfs_open: invalid sector size: 0
fatxxfs_open: Invalid sector size (0)
exfatfs_get_fs_layout: Invalid root directory sector address (122880)
….

So, both ExFAT and NTFS are unhappy because sector size is 0 and ExFAT is also unhappy because it doesn’t like the starting root directory address. Can you tell from FTK / EnCase what the file system is? Usually NTFS has more $ files in the root folder. If you could send me the raw contents of sector 64 (or a picture of the hex dump) that would be useful too to debug this.

thanks
brian
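The check requested above on the raw contents of sector 64, as an added example (not code from the thread or from The Sleuth Kit): it classifies a 512-byte boot sector by its OEM name and shows that on exFAT the legacy BPB field at offset 0x0B, where NTFS and FAT parsers read the sector size, is zero by specification. The sample sector is constructed: volume offset, length, serial and geometry are taken from the EnCase details posted earlier in the thread, while the FAT offset and length, cluster heap offset, cluster count and root cluster are made-up values.

```python
import struct

def classify_boot_sector(sector: bytes) -> dict:
    """Classify a volume boot sector as NTFS, exFAT or unknown."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    oem = sector[3:11]
    info = {
        "fs": "unknown",
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
        # Offset 0x0B: bytes-per-sector in the NTFS/FAT BIOS parameter block.
        "bpb_bytes_per_sector": struct.unpack_from("<H", sector, 0x0B)[0],
    }
    if oem == b"NTFS    ":
        info["fs"] = "NTFS"
        info["bytes_per_sector"] = info["bpb_bytes_per_sector"]
    elif oem == b"EXFAT   ":
        info["fs"] = "exFAT"
        # exFAT defines offsets 11..63 (the old BPB area) as MustBeZero.
        info["legacy_bpb_zeroed"] = not any(sector[11:64])
        part_off, vol_len = struct.unpack_from("<QQ", sector, 64)
        _fat_off, _fat_len, heap_off, clusters, root_cluster, serial = \
            struct.unpack_from("<6I", sector, 80)
        bps_shift, spc_shift = sector[108], sector[109]
        root_sector = heap_off + (root_cluster - 2) * (1 << spc_shift)
        info.update(
            bytes_per_sector=1 << bps_shift,
            sectors_per_cluster=1 << spc_shift,
            partition_offset=part_off,
            volume_sectors=vol_len,
            serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            root_dir_sector=root_sector,  # relative to the volume start
            # Root cluster must be a valid cluster index inside the volume.
            root_dir_plausible=(2 <= root_cluster <= clusters + 1
                                and root_sector < vol_len),
        )
    return info

def build_sample_exfat_sector() -> bytes:
    """Constructed exFAT boot sector (not the evidence from the thread)."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x76\x90"                         # JumpBoot
    s[3:11] = b"EXFAT   "                            # FileSystemName
    struct.pack_into("<QQ", s, 64, 64, 3907024065)   # offset, length (EnCase)
    # FAT offset/length, heap offset, cluster count, root cluster: constructed
    struct.pack_into("<6I", s, 80, 128, 119296, 119552, 15261345, 5, 0x56D447DC)
    s[108], s[109] = 9, 8      # 2**9 = 512 B/sector, 2**8 = 256 sectors/cluster
    s[110] = 1                 # NumberOfFats
    s[510:512] = b"\x55\xaa"   # boot signature
    return bytes(s)

if __name__ == "__main__":
    for key, value in classify_boot_sector(build_sample_exfat_sector()).items():
        print(f"{key}: {value}")
```

On a real image, read the 512 bytes at the partition's byte offset (sector 64 × 512 = 32768 here, the offset shown in the verbose log) and pass them to `classify_boot_sector`.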
From: PCF R. R. C. <ron...@dp...> - 2016-06-08 14:17:49
Hi Brian,

I am not sure, but it seems to be an exFat or at least Fat. It doesn't look like NTFS. Curiously, there are files typical of Mac OS or Apple Timemachine device (Fsevend, spotlight, timemachine). This device is an external drive of 2TB. I have attached some pictures of file system folders/files (I had to blur some parts, because they are sensitive).

Dump of sector 64 is attached too.

Thanks,

--
Ronaldo Rosenau da Costa
From: Brian C. <ca...@sl...> - 2016-06-10 03:33:21
hi Ronaldo,

I think you are seeing the same bug that “SuperGod” reported (https://github.com/sleuthkit/sleuthkit/issues/651) and gave a patch for. The fix is in the release-4.3.0 branch. If you are not compiling from source, I can send you a windows binary to test it out to make sure it fixes your problems. Please let me know.

thanks,
brian
From: PCF R. R. C. <ron...@dp...> - 2016-06-13 17:44:56
Hi Brian,

Release-4.3.0 solved this problem.

Thank you very much,

--
Ronaldo Rosenau da Costa