Error Message "Can't determine file system type".

(@mwade)
Posts: 77
Trusted Member
Topic starter
 

I have a laptop that was once ext2 and is now NTFS. I have just imaged the hard drive using dd. If I run file against the system I get x86 boot sector, Microsoft Windows XP MBR Serial 0xa42eaad.

My problem is that if I run fsstat against it I get the message "Can't determine file system type".

The same holds true if I run the dstat or dls against the image.

I can execute mmls against the image and see that its partition table shows NTFS (0x07).

When I was imaging the drive (dd through USB to external HD) I was getting write error messages, but the imaging kept happening. I am able to run strings on the image and get recognizable data.

Does anyone know why?

Thanks,

Mark

 
Posted : 16/01/2008 9:14 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Mark,

What switches are you using when you run fsstat? What platform are you running TSK on?

http://www.sleuthkit.org/sleuthkit/man/fsstat.html

You might try "-f fstype".

As far as dstat and dls are concerned, I would suggest reading the man pages or contacting the author(s) of the tool(s).

 
Posted : 17/01/2008 2:36 am
(@mwade)
Posts: 77
Trusted Member
Topic starter
 

Harlan,

I realized why it was not working. I was running dls and fsstat against the initially carved out /dev/hda. I ran mmls and then proceeded to carve out just the NTFS partition. Once I did that I was able to use fsstat to read the file. Not sure if that is normal, but it worked. :)

Thanks for helping me use my brain and think more.

Do you (or anyone) know if the sleuth kit tools can be run against MAC HFS+ partitions?

I know that TCT runs off the below.
Solaris 2.4, 2.5.1, 2.6, 7.0, 8
FreeBSD 2.2.1, 3.4, 4.4
RedHat 5.2, 6.1, 7.3
BSD/OS 2.1, 4.1
OpenBSD 2.5, 3.0, 3.1
SunOS 4.1.3_U1, 4.1.4

 
Posted : 18/01/2008 1:37 am
(@farmerdude)
Posts: 242
Estimable Member
 

Hi Mark,

Before the most recent release of The Sleuth Kit, you had to enable HFS/HFS+ support in the source before compiling it. I have not tested the most recent release to see if this still holds true. Brian has mentioned something about HFS/HFS+ support recently on TSK list, so I would check his post in an archive or grab the source and see.

regards,

farmerdude

 
Posted : 15/02/2008 6:11 pm
(@bgrundy)
Posts: 70
Trusted Member
 

I realized why it was not working. I was running dls and fsstat against the initially carved out /dev/hda. I ran mmls and then proceeded to carve out just the NTFS partition. Once I did that I was able to use fsstat to read the file. Not sure if that is normal, but it worked. :)

A quick note on this… Were you using the -o (offset) option to the Sleuthkit tools? You should not have to carve the partitions out to use the tools. Using mmls will give you the offsets (in sectors) to the partitions; you then use those offsets in the TSK commands to access the partition you are seeking info from.

Carving is not needed.

 
Posted : 15/02/2008 7:58 pm
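
The offset approach described in the last reply, as an added example that is not part of the original thread: it reads the MBR partition table of a whole-disk image, confirms that a 0x07 entry really starts with an NTFS boot sector, and builds the matching `fsstat -o` call. It assumes 512-byte sectors and a classic MBR; the sample image is constructed in memory and the name `disk.dd` is hypothetical.

```python
import io
import struct

SECTOR = 512  # assumption: 512-byte sectors, the unit mmls reports offsets in

def parse_mbr(f):
    """Return [(slot, type, start_sector, sector_count)] for used MBR entries."""
    f.seek(0)
    s0 = f.read(SECTOR)
    if len(s0) < SECTOR or s0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA) in sector 0")
    parts = []
    for slot in range(4):
        entry = s0[446 + 16 * slot: 462 + 16 * slot]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((slot, ptype, start, count))
    return parts

def looks_like_ntfs(f, start_sector):
    """An NTFS boot sector carries the OEM ID 'NTFS    ' at byte offset 3."""
    f.seek(start_sector * SECTOR + 3)
    return f.read(8) == b"NTFS    "

def fsstat_commands(f, name):
    """Type 0x07 is shared with other file systems, so verify before trusting it."""
    return [f"fsstat -o {start} {name}"
            for _, ptype, start, _ in parse_mbr(f)
            if ptype == 0x07 and looks_like_ntfs(f, start)]

def build_sample_image():
    """Constructed 128-sector disk: MBR plus one 0x07 partition at sector 63."""
    img = bytearray(128 * SECTOR)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 65)
    img[510:512] = b"\x55\xaa"
    boot = 63 * SECTOR
    img[boot + 3: boot + 11] = b"NTFS    "
    img[boot + 510: boot + 512] = b"\x55\xaa"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    img = build_sample_image()
    # Sector 0 of a whole-disk image is the MBR, not a file system boot sector,
    # which is why a tool pointed at offset 0 cannot identify the file system.
    print("NTFS at sector 0: ", looks_like_ntfs(img, 0))
    for cmd in fsstat_commands(img, "disk.dd"):
        print(cmd)
```

On a real image, pass `open("disk.dd", "rb")` instead of the constructed sample; the start sector printed matches the Start column that mmls shows for the same partition.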