Hello
I am trying to add an image of an NTFS system to Autopsy, but when I get to the part where I add the image I get the following message: "The image format type could not be determined for this image file". Okay, so Autopsy can't determine the file type, but when I run file against the image I get the following: image.dd x86 boot sector, Microsoft Windows XP MBR, Serial 0xa424eaad. A terminal error is sent to STDOUT where Autopsy is running: "Error stat(ing) image file (/home/user/source_images/laptop/image.dd Value too large for defined data type)"
When I run fdisk -l against the image I get the following:
Disk new_laptop_image.dd 0 MB, 0 bytes
240 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 15120 * 512 = 7741440 bytes
Disk identifier 0xa424eaad
Device Boot Start End Blocks Id System
new_laptop_image.dd1 * 1 776 5866528+ 7 HPFS/NTFS
From the first line of the fdisk output you see where it says 0 MB, 0 bytes. Not sure why that is so. I ran strings on the image and see all kinds of data. In fact, the first part:
Invalid partition table
Error loading operating system
Missing operating system
Invalid partition table
Error loading operating system
Missing operating system
During the imaging (actual command: dcfldd if=/dev/hda bs=512 conv=noerror,sync | nc xxx.xxx.xxx.xxx port) I got several error messages:
dcfldd/dev/hda Input/output error
1929920*29 records in
1929949=0 records out
….
This continued until the end of the imaging.
11732992 blocks (5729Mb) written
Despite these error messages I have imaged the system twice and received the same md5 for each image.
After seeing the message above about Invalid partition table / Error loading operating system, I ran mmls and got the table below, so it appears to be NTFS. I have also tried many of the TSK tools against the image and get similar messages: "can't determine the OS".
DOS Partition Table
Sector 0
Units are in 512-byte sectors
Slot Start End Length Description
00 ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000001 0000000062 0000000062 Unallocated
02 0000 0000000063 0011733119 0011733057 NTFS (0x07)
I can boot into the OS and get the Windows OS, but I get an "invalid date error" and I know that the version of Windows has not yet been registered.
Any thoughts?
Thanks,
Mark
Just a quickie... Which version are you using? There have been two recent updates, Dec 12, 07 and Jan 29, 08, which may have bug fixes...
I note that the Dec 12, 07 release lists:
Update inode_walk for NTFS and FAT will not abort if data corruption is found in one entry – instead they will just skip it.
Might this help?
Hello,
I am using version 2.10, released on Jan 8th, 2008.
Mark
Blows that idea then, eh? 😉
Yeah, but thanks for the suggestions. I saw that another person had similar problems in another post, but there were no solutions presented.
Mark
How about you post the MBR? Can you also, instead of summarizing your commands, post the direct input and output from the terminal so we can see the whole thing and not the 'Reader's Digest' version?
All,
I submitted an email to the sleuthkit mailing list, and according to Brian Carrier (author of the tool) he forgot to put the test into the new autoconf/automake system to check if special flags were needed for large files and some Linux distros. He said he would have a new release soon.
Mark
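The "Value too large for defined data type" message is strerror(EOVERFLOW): what stat() returns to a 32-bit program built without large-file support when the file is over 2 GiB, and this image is about 5.6 GB (11732992 blocks of 512 bytes), which also explains fdisk's "0 MB, 0 bytes". As an added example, not from the thread and not TSK/Autopsy code, the C probe below builds with the large-file flag the missing autoconf check is meant to set, reports the off_t width, and repeats the size lookup on a constructed sparse stand-in for the image (the path /tmp/lfs_probe.dd is an assumption).

```c
/* Added example (not from the thread): probe for large-file support.
 * The feature macros must precede every #include to get a 64-bit off_t. */
#define _POSIX_C_SOURCE 200809L
#define _FILE_OFFSET_BITS 64
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if this build uses a 64-bit file offset, 0 if it is limited to 2 GiB. */
int lfs_enabled(void) {
    return sizeof(off_t) >= 8;
}

/* stat() the image and return its size. Without LFS, a 32-bit build fails on a
 * file over 2 GiB with EOVERFLOW: "Value too large for defined data type". */
int image_size(const char *path, long long *size_out) {
    struct stat st;
    if (stat(path, &st) != 0) {
        if (errno == EOVERFLOW)
            fprintf(stderr, "%s: %s (rebuild with -D_FILE_OFFSET_BITS=64)\n",
                    path, strerror(errno));
        else
            perror(path);
        return -1;
    }
    *size_out = (long long)st.st_size;
    return 0;
}

/* Sparse file of the requested size: no blocks are allocated, so a multi-GiB
 * stand-in for the image costs no disk space. Returns 0 on success. */
int make_sparse_file(const char *path, long long size) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) { perror(path); return -1; }
    int rc = ftruncate(fd, (off_t)size);   /* extends without writing data */
    close(fd);
    return rc;
}
int main(void) {
    const char *path = "/tmp/lfs_probe.dd";  /* constructed, not a real image */
    long long size = 0;
    printf("64-bit off_t: %s\n", lfs_enabled() ? "yes" : "no (2 GiB limit)");
    if (make_sparse_file(path, 11732992LL * 512) == 0 && /* dcfldd's count */
        image_size(path, &size) == 0)
        printf("%s: %lld bytes\n", path, size);
    unlink(path);
    return 0;
}
```

Compiling the same file without the two defines on a 32-bit host reproduces the Autopsy error on the stand-in, which is the quickest way to confirm a TSK build is missing the flag.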