
FTK 1.71 error opening file system

(@peoforum)
Posts: 1
New Member
Topic starter
 

Hi,
I have successfully created a file image called "HD01.001" of an external USB Hard Disk with FTK Imager (ver.3.0.1.1467) using the option "Create Disk Image/Physical Drive".
When I try to open the image file "HD01.001" with FTK (Forensic Toolkit-FTK Version 1.71 build 07.06.22) during the "Add Evidence" phase I get the messages "Add Evidence Error - Error opening file system!" and, after one click, "Add Evidence Error - Could not add HD01\Part_1".
Why?
Can someone help me?
Thank you in advance.

Gian Piero Pasquali

PS see my attachments on Dropbox

HD01.001.txt (FTK Imager log file) - https://www.dropbox.com/s/eil8h25sds0ousm/HD01.001.txt?dl=0

Error1-ErrorOpening.jpg (screenshot 1st error message) - https://www.dropbox.com/s/msvs7oztg2bza0s/Error1-ErrorOpening.jpg?dl=0

Error2-CouldNotAdd.jpg (screenshot 2nd error message) - https://www.dropbox.com/s/ixv7uh72smvxlj1/Error2-CouldNotAdd.jpg?dl=0

 
Posted : 28/12/2017 11:19 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"Could not add HD01\Part_1".

That is the issue.

For *some reasons* the FTK imager cannot parse the actual partition or the partition (actually filesystem) data.

As a side note, at first sight that disk seems to have some malfunction; from your HD01.001.txt:
2.930.272.256x512=1,500,299,395,072
it is a 1.5 Tb (roughly) drive, yet it took
Acquisition started Sat Dec 23 08:49:58 2017
Acquisition finished Wed Dec 27 11:17:44 2017
almost 100 hours to acquire, 5907 minutes, that makes 1,500,000/5,907=253 MB/min, or 4 MB/sec which is very slow, even if you were on a USB 2.0 bus.

Try having a look at the image with a tool more oriented to data recovery, such as DMDE
http://dmde.com/

jaclaz

 
Posted : 28/12/2017 12:45 pm
(@jerryw)
Posts: 56
Trusted Member
 

I would look at your first sentence, that you have successfully created an image. You may have created the file but there are no verification hashes to show that you have successfully created the image.

Your FTK Imager report only shows one segment in the list, when many would be expected. If you have created it and verified, you should be able to load it back into FTK Imager to view the structure. If that works but not FTK itself then there is a problem there, which may be down to an unsupported file system, especially as you are using a very old version (currently on 6.3).

 
Posted : 29/12/2017 2:33 pm
(@jdcoulthard)
Posts: 98
Trusted Member
 

Can you open the image with FTK Imager and view the file system?

 
Posted : 30/12/2017 6:22 am
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

Given the fairly large drive I’m going to assume it is relatively modern and therefore has a relatively modern filesystem such as a recent NTFS flavour or OS X Extended. I would have been more surprised if that version of FTK parsed it successfully, given you are running software that is probably 10-15 years old. There’s absolutely no need to be doing so as the up to date versions are freely available at https://accessdata.com/product-download

 
Posted : 12/01/2018 1:43 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

Hi,
I have successfully created a file image called "HD01.001" of an external USB Hard Disk

The log file you provided indicates that some errors were encountered during imaging:


ATTENTION
The following sector(s) on the source drive could not be read
140591432 through 140591447
140593480 through 140593495
140595528 through 140595535
140599624 through 140599631
140601672 through 140601679
The contents of these sectors were replaced with zeros in the image.

As others have mentioned, I think it is important to determine if this is an FTK 1.71 issue, or a problem with the image itself. You can load the image into a number of freely available tools to see if they can parse the file system.

 
Posted : 17/01/2018 11:38 pm
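
One way to run the check the replies above ask for (is the problem the image or FTK 1.71?), as an added example that is not part of the original thread. It assumes a raw (dd-style) image with 512-byte sectors and an MBR partition table; the function names and the in-memory sample image are constructed for illustration. It lists the partitions, guesses each file system from its on-disk signature, and reports which unreadable sector ranges from the imaging log fall inside each partition.

```python
import io
import struct

SECTOR = 512  # bytes per sector, as in the thread's capacity calculation
# (offset within the partition, magic bytes, name) for common file systems
SIGNATURES = [(0, b"EFI PART", "GPT header (protective MBR)"),
              (3, b"NTFS    ", "NTFS"), (3, b"EXFAT   ", "exFAT"),
              (82, b"FAT32   ", "FAT32"), (1024, b"H+", "HFS+"), (1024, b"HX", "HFSX")]

def parse_mbr(sector0):
    """Return [(number, type, start_lba, sector_count)] for used MBR entries."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: sector 0 is not an MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:
            parts.append((i + 1, entry[4], start, count))
    return parts

def identify_fs(head):
    """Guess the file system from the first sectors of a partition."""
    if len(head) < SECTOR:
        return "unreadable (image truncated?)"
    for offset, magic, name in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return name
    return "all zeros" if not any(head[:SECTOR]) else "unknown"

def triage(image, bad_ranges=()):
    """image: seekable binary file object over a raw (dd-style) image."""
    image.seek(0)
    report = []
    for num, ptype, start, count in parse_mbr(image.read(SECTOR)):
        image.seek(start * SECTOR)
        fs = identify_fs(image.read(4 * SECTOR))
        hits = [(a, b) for a, b in bad_ranges if a < start + count and b >= start]
        report.append({"part": num, "type": ptype, "start": start, "fs": fs, "bad": hits})
    return report

def make_sample_image(oem=b"NTFS    "):
    """Constructed sample: MBR plus one type-0x07 partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0, b"", 0x07, b"", 2048, 8192)
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(SECTOR)
    boot[3:3 + len(oem)] = oem
    return io.BytesIO(bytes(mbr) + bytes(2047 * SECTOR) + bytes(boot))
```

Against a real image, pass `open("HD01.001", "rb")` and the sector ranges listed in the imaging log. A result of "all zeros" or "unreadable" for Part_1 points at the image rather than at the tool opening it.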