Thread: [sleuthkit-users] problem analysing apple hard disk
From: Alessandro F. <at...@gm...> - 2014-08-14 09:42:55
Hi,

I'm analysing an image (EWF) extracted from an iMac. The disk (image) has 4 partitions: 2 HFS+ and 2 NTFS (BOOTCAMP). I'm using Autopsy 3.0.10 on Windows 7 SP1.

From the partition browser I can't access one of the HFS+ partitions. The image file is OK; in fact I can mount and browse all the partitions in Linux (via ewfmount) without any problem. The same happens if I access the image via the FTK mounter on Windows.

I think there is some sort of problem with Autopsy and I would like to help with analysis and debugging. I can't send too much info on the contents because it is part of an ongoing investigation, but I think I can share info on the disk and partition structure.

Any help will be very much appreciated.

Thanks in advance
Alessandro
From: Brian C. <ca...@sl...> - 2014-08-21 02:09:33
So the image has four partitions, but one of them isn't showing any files?

On Aug 14, 2014, at 5:42 AM, Alessandro Farina <at...@gm...> wrote:
> Hi
> I'm analysing an image (EWF) extracted from an IMAC.
> The disk (image) has 4 partition: 2 HFS+ and 2 NTFS (BOOTCAMP).
> I'm using Autopsy 3.0.10 on Window 7 SP1.
> From the partition browser I can't access to one of the HFS+ partition.

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
From: Alessandro F. <at...@gm...> - 2014-09-02 16:14:51
Yes. If I select the partition in the partitions tree, nothing is shown in the detail window.

2014-08-21 4:09 GMT+02:00 Brian Carrier <ca...@sl...>:
> So the image has four partitions, but one of them isn't showing any files?
From: Brian C. <ca...@sl...> - 2014-09-10 01:39:17
Hi Alessandro,

Sorry for the delayed response. I had a bit of travel going on.

Can you add the image to a case again and notice, in the final panel of the "Add Data Source" wizard, whether there is a button that says that there were errors ingesting the image? If so, can you click on the button and send the messages?

We should review that panel because there have been several cases where people don't notice that some errors occurred...

thanks,
brian

On Sep 2, 2014, at 12:14 PM, Alessandro Farina <at...@gm...> wrote:
> Yes.
> If I select the partition in the partitions tree, nothing is show in the detail window.
From: Alessandro F. <at...@gm...> - 2014-09-10 16:54:21
Hi Brian,

Don't worry about the delay... I'm very grateful for your answers ;)

I've started Autopsy another time: new case, same image, file ingestion. In the log I've found these "non critical" errors:

*******************
Errors occured while ingesting image
1. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
2.
3. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
4. )
......
550485. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
550486. Cannot determine file system type (Sector offset: 235708600, Partition Type: Recovery HD)
550487. Error reading image file (ewf_image_read - offset: 20480 - len: 65536 - Result too large) (TskAutoDb::addFsInfoUnalloc: error opening fs at offset 20480)
550488. Error reading image file (ewf_image_read - offset: 209736704 - len: 65536 - Result too large) (TskAutoDb::addFsInfoUnalloc: error opening fs at offset 209735680)
********************

The first errors are repeated a lot of times. Then the error about the image. I assure you that the image is OK; I manage to mount and browse it with FTK (in Windows) and ewfmount (in Linux).

If you think it can be useful, I could send in private a couple of screenshots with Autopsy and FTK.

Thanks in advance for your help
Alessandro

2014-09-10 3:39 GMT+02:00 Brian Carrier <ca...@sl...>:
> Hi Alessandro,
>
> Sorry for the delayed response. I had a bit of travel going on.
>
> Can you add the image to a case again and notice if in the final panel of
> the "Add Data Source" wizard if there is a button that says that there were
> errors ingesting the image? If so, can you click on the button and send the
> messages?
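Added example, not part of the thread and not Autopsy or Sleuth Kit code: a small Python triage script for the ingest error list Alessandro pasted. Half a million "Database Error" lines hide the three entries that actually say something about the disk, so the script collapses the list into buckets, pulls the offsets out of the file-system and image-read errors, and emits the Sleuth Kit command-line checks (mmls, fsstat, both real TSK tools) to run against the same EWF image outside Autopsy. Two units appear in the log: the "Cannot determine file system type" entry gives a sector offset, while the ewf_image_read entries give byte offsets. Assuming 512-byte sectors (an assumption, stated in the code), 20480 bytes is sector 40 and 209735680 bytes is sector 409640, and the read that failed at 209736704 sits 1024 bytes into that second volume, which is where an HFS+ volume header lives. The image name `image.E01` is a placeholder; the sample error lines are constructed from the thread, not a real log file.

```python
import re
from collections import Counter

# Assumption: 512-byte sectors. The log mixes "Sector offset" (sectors) with
# ewf_image_read / "error opening fs at offset" values (bytes).
SECTOR_SIZE = 512

# Constructed from the entries quoted in the thread; not a real Autopsy log dump.
SAMPLE_ERRORS = """\
1. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
2.
3. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
4. )
550485. Database Error (TskDbSqlite::findParObjId: Error selecting file id by meta_addr: unknown error (result code 101) )
550486. Cannot determine file system type (Sector offset: 235708600, Partition Type: Recovery HD)
550487. Error reading image file (ewf_image_read - offset: 20480 - len: 65536 - Result too large) (TskAutoDb::addFsInfoUnalloc: error opening fs at offset 20480)
550488. Error reading image file (ewf_image_read - offset: 209736704 - len: 65536 - Result too large) (TskAutoDb::addFsInfoUnalloc: error opening fs at offset 209735680)
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\.\s*(.*)$")
FS_TYPE_RE = re.compile(
    r"Cannot determine file system type \(Sector offset: (\d+), Partition Type: ([^)]*)\)")
READ_RE = re.compile(
    r"ewf_image_read - offset: (\d+) - len: (\d+) - ([^)]*)\).*error opening fs at offset (\d+)")


def parse_errors(text):
    """Return (number, message) pairs; empty and fragment entries are kept so counts match the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).strip()))
    return entries


def classify(message):
    """Collapse each message to a bucket so a 550k-line list becomes a handful of categories."""
    if message.startswith("Database Error"):
        return "database"
    if message.startswith("Cannot determine file system type"):
        return "fs-type"
    if message.startswith("Error reading image file"):
        return "image-read"
    return "fragment"


def summarize(text):
    """Bucket counts plus the offset details of the entries that describe the disk itself."""
    entries = parse_errors(text)
    counts = Counter(classify(msg) for _, msg in entries)
    findings = []
    for _, msg in entries:
        m = FS_TYPE_RE.search(msg)
        if m:
            sector = int(m.group(1))
            findings.append({"kind": "fs-type", "sector": sector,
                             "byte": sector * SECTOR_SIZE, "label": m.group(2)})
            continue
        m = READ_RE.search(msg)
        if m:
            read_off, length, reason, fs_off = (int(m.group(1)), int(m.group(2)),
                                                m.group(3).strip(), int(m.group(4)))
            findings.append({"kind": "image-read", "read_offset": read_off, "len": length,
                             "reason": reason, "fs_byte": fs_off,
                             "fs_sector": fs_off // SECTOR_SIZE,
                             # distance of the failed read from the volume start
                             # (1024 is where an HFS+ volume header sits)
                             "header_delta": read_off - fs_off})
    return counts, findings


def tsk_commands(findings, image="image.E01"):
    """Sleuth Kit checks to run outside Autopsy. fsstat -o takes a sector offset; image name is a placeholder."""
    cmds = [f"mmls {image}"]
    for f in findings:
        sector = f["sector"] if f["kind"] == "fs-type" else f["fs_sector"]
        cmds.append(f"fsstat -o {sector} {image}")
    return cmds


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_ERRORS)
    for kind, n in counts.most_common():
        print(f"{kind:12s} {n}")
    for f in findings:
        print(f)
    print("\n".join(tsk_commands(findings)))
```

If mmls and fsstat read those volumes cleanly from the same E01 while Autopsy reports "Result too large" at the same offsets, the problem is on the Autopsy/libewf side rather than in the image, which is the distinction the thread is trying to establish.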