Hi,
I was testing the dc3dd tool for acquiring and came across a strange issue.
After acquiring in 4GB blocks, I could mount the acquired images in Linux without any issues.
But subsequently when I use Windows Image Mounter like OSFMount etc, the image could not be mounted and shows as unrecognized file system.
The file system is actually NTFS.
During acquisition no bad sectors are reported too.
Not sure how Linux is able to mount without any issues but Windows Image Mount software are having issues.
Is it possible to check the integrity of the acquired images in Linux to check for corrupted images etc?
Thanks
After acquisition, did the hash values of the forensic evidence file match the original evidence?
Yes, the hash values matched.
One more thing I noticed, when mounting the images in Linux it mounts successfully but shows the following message
"Alternate GPT is invalid, using primary GPT."
Not sure whether this is what causing the image to not be mounted properly in Windows environment.
Then the problem lies with Windows.
My first thought was an older version of Windows. I am not sure if XP or Vista has support for GPT.
My second thought is 4k sector drives. For that you need newer versions of Windows (8 or later, typically).
Then the problem lies with Windows.
My first thought was an older version of Windows. I am not sure if XP or Vista has support for GPT.
My second thought is 4k sector drives. For that you need newer versions of Windows (8 or later, typically).
Jist to clear things, there is no support for GPT style partitioning in XP 32 bit, but there is in XP 64 for "data" disks, while there is support in Vista (and later) on both "data" and BOOT/OS disks (booting limited to 64 bit/UEFI).
https://
Drivers like OSforensics (originated by IMDISK) are however actually "volume drivers" so by giving manually the offset to the beginning of the volume you can access normally any volume on a GPT disk.
The sector size is instead a more problematic issue, some drivers/tools on older Windows systems that simply do not accept the 4kb sector size (independently from it being on a MBR or GPT disk)
https://
In a nutshell, XP is "Border line" on AF disks, and all OS up to 7 will not work "fully" or properly on 4 Kb "native" disks unless updated
https://
But this applies to physical disks only - just as an example - MS original VSS driver has no issues whatever with (virtual) 4 Kb sectored disks, even on XP (on MBR style disks, of course).
OT, but JFYI
http//
http//
The error reported seems however related to having the Primary and "backup" GPT "out of sync", as said "volume driver" like OsForensics or IMDISK may well fail in the automatic parsing of partitions (in either MBR or GPT) but once the right offset is given to them they won't have any problem.
jaclaz