
autopsy not able to open dd image

11 Posts
6 Users
0 Reactions
5,823 Views
(@stevegut78)
Eminent Member
Joined: 20 years ago
Posts: 44
Topic starter  

Hey guys, it's been a while. I've stumbled across a weird problem. While I've done many dd images, I have never had an issue opening them up with Autopsy. I use the Helix CD in Windows to make an image of my investigation drives using the GUI interface for dd. Then, boot the Helix CD to Linux and run Autopsy.

The drive I am currently working on is a 2.5" SATA drive from a Thinkpad T61. It appears to have a hidden utility partition (part of Lenovo utils). The dd image completes successfully, but I get an interesting error when attempting to open the image in Autopsy. I have tried both logical and the entire disk… The error that I get in Autopsy is

Warning: file system of the volume image file could not be determined. If this is a disk image file, return to the previous page and change the type.

I'm tending to think it has something to do with the hidden utility partition, but I don't know how to work around this. I can easily browse the NTFS partition while in Linux so I know everything is intact.

Any ideas?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Have you tried any other tools to open the image? FTK Imager is free, as is ProDiscover Basic…both open dd images just fine.


(@fresponse_s)
Trusted Member
Joined: 17 years ago
Posts: 70
 

Hmm... sounds like your offsets are off; perhaps the first volume on that dd image is a utility volume (DELL/IBM/ETC), those don't always follow all the rules..

Try using the Sleuthkit/TASK tools mmls and mmstat to figure out where the NTFS partition starts.


(@stevegut78)
Eminent Member
Joined: 20 years ago
Posts: 44
Topic starter  

Thanks guys, I thought about trying to open the image in another program during my lunch break. Funny how the OBVIOUS doesn't come out so easy when you are thinking waaaaay too deep! If that doesn't work I think fresponse may be onto something… I'll let you guys know how I make out.


(@stevegut78)
Eminent Member
Joined: 20 years ago
Posts: 44
Topic starter  

OK, here's my output and observations…

C:\sleuthkit-win32-2.52\bin>mmls G:\Investigation_Images\filename.dd
Cannot determine partition type

C:\sleuthkit-win32-2.52\bin>mmls -i raw G:\Investigation_Images\filename.dd
Cannot determine partition type

C:\sleuthkit-win32-2.52\bin>mmls -i raw -t dos G:\Investigation_Images\filename.dd
Invalid sector address (dos_load_prim_table: Starting sector too large for image)

C:\sleuthkit-win32-2.52\bin>mmstat -t dos -v G:\Investigation_Images\filename.dd
tsk_img_open: Type: n/a  NumImg: 1  Img1: G:\Investigation_Images\filename.dd
dos_load_prim: Table Sector: 0
raw_read_random: byte offset: 0 len: 14983697786733056
load_pri:0:0  Start: 218129509  Size: 1701990410  Type: 114
Starting sector 218129509 too large for image
Invalid sector address (dos_load_prim_table: Starting sector too large for image)

I tried my own dd command below:
dd.exe if=\\.\F: of="G:\Investigation_Images\filename2.dd" --log="G:\Investigation_Images\filename2.dd_audit.log"
C:\>dd.exe if=\\.\F: of="G:\Investigation_Images\filename2.dd"
dd.exe: G:\Investigation_Images\filename2.dd: No space left on device
8388608+0 records in
8388607+0 records out

I notice both the GUI created dd image and the one I attempted above both cut off at about 4.1GB…The volume is around 180GB. The target is a WD Mybook 1TB external USB drive…PLENTY of space left. How can I determine where the NTFS partition begins to specify in my dd command? Am I able to run mmls and mmstat on the actual drive to get this info?


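The mmstat trace in the post above already says what sector 0 of that image holds. Decoded as little-endian bytes, Start 218129509 is "ed\0\r", Size 1701990410 is "\nPre" and Type 114 is "r": read together across the 16-byte entry, that is "...compressed\0\r\nPress...", the "NTLDR is compressed / Press Ctrl+Alt+Del to restart" message from the boot code of an XP-era NTFS volume boot sector, sitting where an MBR would keep its partition table. That is what sector 0 looks like when the file is an image of a single volume rather than of a whole disk, in which case mmls is the wrong tool and Autopsy wants the volume (file system) image type. The script below is an added example, not from the thread or from The Sleuth Kit: it parses the DOS partition table with the same "start sector beyond image" check TSK applies, recognises NTFS and FAT volume boot sectors, and shows the decoding on a constructed NTFS boot sector (sample data, not the poster's image) in which the error string is placed so that reading offsets 446..461 as a partition entry gives the three numbers from the post.

```python
import struct
import sys

SECTOR = 512

# Problem codes attached to a partition entry by parse_dos_table()
BAD_BOOT_FLAG = 'bad-boot-flag'            # entry byte 0 is neither 0x00 nor 0x80
START_BEYOND_IMAGE = 'start-beyond-image'  # TSK's "Starting sector too large for image"
END_BEYOND_IMAGE = 'end-beyond-image'      # partition runs past the end of the image


def parse_dos_table(sector0, image_bytes):
    """Parse the four primary DOS/MBR partition entries at offset 446.

    Every entry carries a 'problems' list, so boot-sector text sitting where
    a table should be, or an image shorter than the partitions it claims to
    hold, is reported instead of silently accepted.
    """
    total_sectors = image_bytes // SECTOR
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        # boot flag, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # 32-bit LBA start, 32-bit sector count; all little-endian
        flag, ptype, start, size = struct.unpack_from('<B3xB3xII', sector0, off)
        if ptype == 0 and start == 0 and size == 0:
            continue  # unused slot
        problems = []
        if flag not in (0x00, 0x80):
            problems.append(BAD_BOOT_FLAG)
        if start >= total_sectors:
            problems.append(START_BEYOND_IMAGE)
        elif start + size > total_sectors:
            problems.append(END_BEYOND_IMAGE)
        entries.append({'slot': slot, 'flag': flag, 'type': ptype,
                        'start': start, 'size': size, 'problems': problems})
    return entries


def entry_values_as_bytes(start, size, ptype):
    """The raw little-endian bytes behind the integers mmstat prints."""
    return struct.pack('<I', start), struct.pack('<I', size), bytes([ptype])


def classify_sector0(sector0, image_bytes):
    """Return 'ntfs-volume', 'fat-volume', 'dos-disk' or 'unknown'."""
    if sector0[3:11] == b'NTFS    ':                           # NTFS OEM ID
        return 'ntfs-volume'
    if sector0[54:57] == b'FAT' or sector0[82:85] == b'FAT':   # FAT12/16, FAT32
        return 'fat-volume'
    if sector0[510:512] != b'\x55\xaa':                        # no boot signature
        return 'unknown'
    usable = [e for e in parse_dos_table(sector0, image_bytes)
              if not ({BAD_BOOT_FLAG, START_BEYOND_IMAGE} & set(e['problems']))]
    return 'dos-disk' if usable else 'unknown'


# --- constructed samples, not data taken from the thread --------------------

def sample_ntfs_volume_sector():
    """NTFS volume boot sector carrying the XP-era error strings, placed so the
    'r' of "compressed" sits at offset 450; reading 446..461 as a partition
    entry then yields the Start/Size/Type values mmstat printed in the post."""
    s = bytearray(SECTOR)
    s[0:3] = b'\xeb\x52\x90'                      # jump over the BPB
    s[3:11] = b'NTFS    '
    struct.pack_into('<HB', s, 11, 512, 8)        # bytes/sector, sectors/cluster
    msg = b'NTLDR is compressed\x00\r\nPress Ctrl+Alt+Del to restart\r\n'
    s[437:437 + len(msg)] = msg
    s[510:512] = b'\x55\xaa'
    return bytes(s)


def sample_mbr_sector(start=63, size=1000):
    """Minimal MBR: one bootable NTFS (type 0x07) primary partition."""
    s = bytearray(SECTOR)
    struct.pack_into('<B3xB3xII', s, 446, 0x80, 0x07, start, size)
    s[510:512] = b'\x55\xaa'
    return bytes(s)


def inspect_image(path, image_bytes=None):
    """Read sector 0 of a real image file and classify it."""
    with open(path, 'rb') as fh:
        sector0 = fh.read(SECTOR)
        if image_bytes is None:
            image_bytes = fh.seek(0, 2)           # seek to end returns file size
    return classify_sector0(sector0, image_bytes), parse_dos_table(sector0, image_bytes)


if __name__ == '__main__':
    kind, table = inspect_image(sys.argv[1])
    print('sector 0 looks like:', kind)
    for entry in table:
        print(entry)
```

Run as `python inspect.py filename.dd`: 'ntfs-volume' means choose the volume image type in Autopsy and use the file-system tools (fsstat, fls) directly instead of mmls; 'dos-disk' means the partition offsets are usable for `mmls` and `-o`; and an image whose partition table claims more sectors than the file holds is flagged as cut short before any file-system tool is pointed at it.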
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What is the file system that the WD MyBook is formatted with?


(@stevegut78)
Eminent Member
Joined: 20 years ago
Posts: 44
Topic starter  

NTFS


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Have you tried imaging the system with FTK Imager?


(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Couple of things …

1) Why don't you post this on the Helix forum? You may get a faster or more spot on reply, since it involves that environment.

2) Why don't you use the Linux boot CD to perform the acquisition process? Is there a requirement for using the Windows side for your acquisition?

3) Have you verified the output acquisition file? By this I mean: you authenticated your target first, then you acquired the target, and then you authenticated your output image file against the original. Do the authentication values match? Does the byte size match?

4) Have you looked at the filename.dd file in a raw data viewer, to identify for yourself a signature of value (be it partition table and records, file system magic number, etc.)?

5) Have you run any common Linux utilities against your image file to attempt to identify it? (Such as file, sfdisk, etc.)

6) I don't use the Windows dd.exe application, so this is pure speculation. But, is the F drive the utilities partition for the laptop, and if it is, what is the size of that utility partition? Many of them I have seen are small in size, between 2-4GB. _Perhaps_ this is why the acquisition process completes at 4.1GB, because it's acquired the complete partition?

Maybe something here is helpful!

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com


(@hinchy)
Active Member
Joined: 17 years ago
Posts: 7
 

NTFS

I don't mean to sound facetious, but are you sure it's NTFS and not FAT? If it's FAT it'd explain why the images are cutting out at 4 gig. This would in turn explain the "Cannot determine partition type" errors.
If you can, try
- Reformatting the WD HD to ensure it's NTFS
or
- dd to a different hard drive.

Let us know how you get on.


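farmerdude's step 3 (authenticate the target, acquire, authenticate the image, compare values and byte sizes) and hinchy's FAT explanation, as one added example that is not from the thread or from any of the tools mentioned in it. The size comparison comes first because a copy that stops early can never verify, and a pre-flight check rejects a 180 GB image destined for a FAT32-formatted target, whose largest possible file is 4 GiB minus one byte. With 512-byte blocks, the 8388607 records the earlier post reports written come to 4,294,966,784 bytes, the largest multiple of 512 below that limit. The sample "source" and its two images are constructed in a temporary directory; nothing here touches a real drive.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a 180 GB image never sits in memory

# Largest single file the target file system will hold (None = no practical limit)
FILE_SIZE_LIMITS = {'FAT32': (1 << 32) - 1, 'NTFS': None}


def target_can_hold(expected_bytes, target_fs):
    """Pre-flight check before acquiring: will one image file of this size fit?"""
    limit = FILE_SIZE_LIMITS[target_fs.upper()]
    return limit is None or expected_bytes <= limit


def hash_file(path, algorithm='sha256'):
    """Hash a file or raw device in chunks; returns (hex digest, bytes read)."""
    h = hashlib.new(algorithm)
    total = 0
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b''):
            h.update(chunk)
            total += len(chunk)
    return h.hexdigest(), total


def verify_acquisition(source_path, image_path, algorithm='sha256'):
    """Authenticate the output image against its source: byte count first
    (a copy cut short can never hash equal), then the digest."""
    src_digest, src_bytes = hash_file(source_path, algorithm)
    img_digest, img_bytes = hash_file(image_path, algorithm)
    report = {
        'algorithm': algorithm,
        'source_bytes': src_bytes, 'image_bytes': img_bytes,
        'source_digest': src_digest, 'image_digest': img_digest,
        'size_match': src_bytes == img_bytes,
        'digest_match': src_digest == img_digest,
    }
    report['verified'] = report['size_match'] and report['digest_match']
    if not report['size_match']:
        report['missing_bytes'] = src_bytes - img_bytes
    return report


def demo():
    """Constructed sample: a 3 MiB 'source' plus one complete and one truncated
    image of it, the shape left behind by a copy that died with
    'No space left on device'."""
    block = bytes(range(256)) * 4096                  # 1 MiB of deterministic bytes
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, 'source.bin')
        full = os.path.join(d, 'full.dd')
        short = os.path.join(d, 'short.dd')
        with open(src, 'wb') as f:
            for i in range(3):
                f.write(block[i:] + block[:i])        # three distinct MiB
        with open(src, 'rb') as f:
            data = f.read()
        with open(full, 'wb') as f:
            f.write(data)
        with open(short, 'wb') as f:
            f.write(data[:2 << 20])                   # cut off 1 MiB early
        return {'full': verify_acquisition(src, full),
                'truncated': verify_acquisition(src, short)}


if __name__ == '__main__':
    for name, report in demo().items():
        print(name, 'verified' if report['verified'] else 'FAILED', report)
```

On a live case the same two calls are `hash_file` on the device node before acquisition and `verify_acquisition` on the finished image; keep both digests and both byte counts in the audit log, since a digest mismatch with a size mismatch points at a cut-off copy, while a digest mismatch with equal sizes points at a read error or a changing source.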
Page 1 / 2