Join Us!

Autopsy error when ...
 
Notifications
Clear all

Autopsy error when Creating Data File  

  RSS
kaorin23
(@kaorin23)
New Member

Hello all,

I'm quite new to forensics and am struggling with an error in Autopsy, hopefully someone can help? )
I need to conduct a timeline analysis of a laptop harddrive. I started by running a Live usb of BackTrack5r2 in forensics boot and used dcfldd to obtain an image of the entire attached harddrive. The image is split into 12 separate files (image.dd.aa, image.dd.ab, etc.) and was stored on an external harddrive with plenty of space.
I then rebooted the examining machine out of the live usb and into BackTrack5r3 (installed on the machine) and ran Autopsy. I set up a case etc, added the image and copied it to the EvidenceLocker. A "Split Confirmation" screen was displayed, and all looked correct.
Autopsy then showed me the "File System Details" section where it identifies two NTFS partitions. All is fine and I continue until the point where I can analyse the image. Autopsy tells me to create a Data File so that I may conduct the Timeline Analysis, however, when it instructs me to select a partition, there is no drop-down box - I can't select anything.
I opened the Terminal where Autopsy is running, and I noticed it says "Cannot determine file system type" twice. I never received any error warning while in the GUI, and there is no timestamp to verify when these errors were generated.

I'm at a loss to what to do. I've re-imaged the drive and am now adding that to the case, but I very much doubt it'll make any difference.

If anyone can help, I'd greatly appreciate it )

Quote
Posted : 06/09/2013 4:48 pm
carrier
(@carrier)
New Member

Sounds like this is Autopsy 2 and not version 3, right?

If you go into the non-timeline views, does it allow you to see the partitions?

ReplyQuote
Posted : 18/09/2013 8:07 am
Share: