Thread: Re: [sleuthkit-users] (no subject)
From: Angus M. <an...@n-...> - 2006-03-28 13:16:07
|
The physical/logical issue sounds fairly typical of a lot of disks that I've examined.

Could you post the results from sleuthkit's "mmls -t dos -i raw <imagefile>" here ?

We might be able to give some more specific help.

On Tue Mar 28 14:00 , gim...@we... sent:

>On Mon, 27 Mar 2006 10:14:23 -0500
>Carlton Foster c.a...@LA...> wrote:
>
>> I was asked to create an image of a system a couple of weeks ago but
>> told not to investigate it. I used dcfldd over netcat on a crossover
>> cable to image the system. I created MD5's of the source and image,
>> and both matched.
>>
>> I did a physical image, not logical.
>>
>> Today, I have been asked to investigate the image. However, the
>> partition table appears bad.
>>
>> I am getting warnings from fdisk saying Partition 1 has different
>> logical/physical endings. Then Partition 2 has different beginnings
>> and endings. I can't figure out how to get the logical images
>> extracted, and we no longer have access to the source system.
>>
>> Can anyone provide any help?
>> --
>
>Try out this one: http://www.cgsecurity.org/wiki/TestDisk
>
>From the summary:
>
>"If you have missing partitions or a completely empty Partition Table,
>TestDisk can search for partitions and create a new Table or even a new
>MBR if necessary."
>
>regards
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by xPML, a groundbreaking scripting language
>that extends applications into web and mobile media. Attend the live webcast
>and join the prime developer group breaking into this new coding territory!
>http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
>_______________________________________________
>sleuthkit-users mailing list
>https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>http://www.sleuthkit.org
|
From: Stefan K. <sk...@bf...> - 2012-03-20 18:18:58
|
|
From: Carlton F. <c.a...@la...> - 2006-03-28 21:01:00
|
mmls -V
The Sleuthkit ver 2.01
mmls -t dos -i raw <host>.img
mmls: Invalid extended partition table magic in sector 18201645
file <host>.img
<host>.img: x86 boot sector
fdisk -lu <host>.img
You must set cylinders.
You can do this from the extra functions menu.
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: invalid flag 0xffffd366 of partition table 5 will be
corrected by w(rite)
Disk <host>.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
54_21.img1 * 63 18201644 9100791 7 HPFS/NTFS
Partition 1 has different physical/logical endings:
phys=(1023, 254, 63) logical=(1132, 254, 63)
54_21.img2 18201645 58605119 20201737+ f W95 Ext'd (LBA)
Partition 2 has different physical/logical beginnings (non-Linux?):
phys=(1023, 0, 1) logical=(1133, 0, 1)
Partition 2 has different physical/logical endings:
phys=(1023, 254, 63) logical=(3647, 254, 63)
54_21.img5 ? 1358216596 4227304473 1434543939 6b Unknown
You must set cylinders.
You can do this from the extra functions menu.
At 2:29 PM +0100 3/28/06, Angus Marshall wrote:
>The physical/logical issue sounds fairly typical of a lot of disks that I've
>examined.
>
>Could you post the results from sleuthkit's "mmls -t dos -i raw
><imagefile>" here ?
>
>We might be able to give some more specific help.
>
>On Tue Mar 28 14:00 , gim...@we... sent:
>
>>On Mon, 27 Mar 2006 10:14:23 -0500
>>Carlton Foster c.a...@LA...> wrote:
>>
>>> I was asked to create an image of a system a couple of weeks ago but
>>> told not to investigate it. I used dcfldd over netcat on a crossover
>>> cable to image the system. I created MD5's of the source and image,
>>> and both matched.
>>>
>>> I did a physical image, not logical.
>>>
>>> Today, I have been asked to investigate the image. However, the
>>> partition table appears bad.
>>>
>>> I am getting warnings from fdisk saying Partition 1 has different
>>> logical/physical endings. Then Partition 2 has different beginnings
>>> and endings. I can't figure out how to get the logical images
>>> extracted, and we no longer have access to the source system.
>>>
>>> Can anyone provide any help?
>>> --
>>
>>Try out this one: http://www.cgsecurity.org/wiki/TestDisk
>>
>>From the summary:
>>
>>"If you have missing partitions or a completely empty Partition Table,
>>TestDisk can search for partitions and create a new Table or even a new
>>MBR if necessary."
>>
>>regards
>>
>>
>
>
>
--
|
|
From: <gim...@we...> - 2006-03-29 14:38:14
|
On Tue, 28 Mar 2006 16:00:22 -0500
Carlton Foster <c.a...@la...> wrote:

> mmls -V
> The Sleuthkit ver 2.01
>
> mmls -t dos -i raw <host>.img
> mmls: Invalid extended partition table magic in sector 18201645
>
> file <host>.img
> <host>.img: x86 boot sector
>
> fdisk -lu <host>.img
> You must set cylinders.
> You can do this from the extra functions menu.
> Warning: ignoring extra data in partition table 5
> Warning: ignoring extra data in partition table 5
> Warning: ignoring extra data in partition table 5
> Warning: invalid flag 0xffffd366 of partition table 5 will be
> corrected by w(rite)
>
> Disk <host>.img: 0 MB, 0 bytes
> 255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
> Units = sectors of 1 * 512 = 512 bytes
>
> Device Boot Start End Blocks Id System
> 54_21.img1 * 63 18201644 9100791 7 HPFS/NTFS
> Partition 1 has different physical/logical endings:
> phys=(1023, 254, 63) logical=(1132, 254, 63)
> 54_21.img2 18201645 58605119 20201737+ f W95 Ext'd
> (LBA) Partition 2 has different physical/logical beginnings
> (non-Linux?): phys=(1023, 0, 1) logical=(1133, 0, 1)
> Partition 2 has different physical/logical endings:
> phys=(1023, 254, 63) logical=(3647, 254, 63)
> 54_21.img5 ? 1358216596 4227304473 1434543939 6b Unknown
> You must set cylinders.

What would be the result of setting logical geometry to (1023, 254, 63) for partition 1? Something you might try out.
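
The following Python example is added here and is not code from any poster or from The Sleuth Kit. It parses a DOS partition table sector and compares each entry's stored CHS end with the CHS computed from its LBA, reproducing the phys/logical pairs in the fdisk output above. The 255/63 geometry and the two primary entries are taken from that output; the sector bytes are constructed, and `has_magic` is the 0x55AA signature check that the mmls error message refers to.

```python
import struct

HEADS, SECTORS = 255, 63          # geometry fdisk reports in the thread

def has_magic(sector: bytes) -> bool:
    """A DOS partition table sector (MBR or EBR) must end in 0x55 0xAA."""
    return len(sector) >= 512 and sector[510:512] == b"\x55\xaa"

def unpack_chs(b: bytes):
    """Decode the 3-byte CHS field: head, sector | cyl high bits, cyl low."""
    return (((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F)

def pack_chs(c, h, s) -> bytes:
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])

def lba_to_chs(lba: int):
    """Logical CHS for an LBA under the assumed geometry (not clamped)."""
    return (lba // (HEADS * SECTORS), (lba // SECTORS) % HEADS, lba % SECTORS + 1)

def parse_mbr(sector: bytes):
    """Return one dict per non-empty primary entry, with the CHS comparison."""
    if not has_magic(sector):
        raise ValueError("invalid partition table magic")
    out = []
    for i in range(4):
        e = sector[446 + 16 * i: 462 + 16 * i]
        boot, chs_s, ptype, chs_e, start, size = struct.unpack("<B3sB3sII", e)
        if ptype == 0:
            continue
        end = start + size - 1
        stored, logical = unpack_chs(chs_e), lba_to_chs(end)
        # The cylinder field is 10 bits, so anything past 1023 is stored clamped.
        clamped = stored != logical and logical[0] > 1023 and stored[0] == 1023
        out.append({"slot": i + 1, "type": ptype, "start": start, "end": end,
                    "stored_end": stored, "logical_end": logical, "clamped": clamped})
    return out

def sample_mbr() -> bytes:
    """Constructed sector holding the two primary entries fdisk lists above."""
    rows = [(0x80, (0, 1, 1), 0x07, (1023, 254, 63), 63, 18201582),
            (0x00, (1023, 0, 1), 0x0F, (1023, 254, 63), 18201645, 40403475)]
    table = b"".join(struct.pack("<B3sB3sII", b, pack_chs(*s), t, pack_chs(*e), lba, n)
                     for b, s, t, e, lba, n in rows)
    return bytes(446) + table + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    for p in parse_mbr(sample_mbr()):
        print(p)
```

Both entries come back with `clamped` set, which is the phys/logical difference fdisk warns about; the mmls error is a separate matter, because it concerns the signature of the sector at the start of the extended partition, not the CHS fields.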