Greetings
A successful completion and verified image shows a negative number for sector count. I have never encountered this issue. What does it mean? Does a negative number mean some of the sectors did not get copied or bad sectors?
Any help will be sincerely appreciated.
Physical Evidentiary Item (Source) Information
[Drive Geometry]
Bytes per Sector 512
Sector Count 3,906,959,360
Source data size 1907695 MB
Sector count -388007936
[Computed Hashes]
MD5 checksum 9aec7e93188f4d6290e38ca303349c0b
SHA1 checksum 6ac569abc89c511f9ed15e35dd33fbe0c34eff19
Looks like a bug. 388,007,936 + 3,906,959,360 = 0x100000000.
i.e. the second Sector count is a signed long, and not an unsigned long.
(When programming, 99.5% of numbers are far better unsigned - I hate signed numbers)
A successful completion and verified image shows a negative number for sector count. I have never encountered this issue. What does it mean? Does a negative number mean some of the sectors did not get copied or bad sectors?
There's almost certainly a problem involving signed integers where unsigned should have been used (or even 32-bit numbers where 64-bit should have been used), but what effect that has on the functionality is not easy to say. I'd report it to AccessData as a bug, and ask them for advice; you really have to check the source code to discover all things that may go wrong.
I would not trust the image you've got. I'd use another tool and do a new acquisition.
On the other hand, I'm not sure I trust any tool enough to recommend it in this situation. Failure to get signedness right is an error you find in just about all code. Only thing is to be aware that there's a 'magical' limit at 2,147,483,647 (and the next at 4,294,967,295). If you are dealing with quantities (mainly sectors, for acquisition situations) above those, you need to be careful, and test your way through it.
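The arithmetic from the two replies above, as an added example (not part of any poster's reply and not AccessData's code). It assumes the report's second sector count is the true 64-bit value stored in a signed 32-bit field and that "MB" means 2^20 bytes, truncated; the function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* What a report shows if a 64-bit sector count is stored in a signed
 * 32-bit field: only the low 32 bits survive, read as two's complement. */
int32_t report_as_int32(uint64_t sectors)
{
    uint32_t low = (uint32_t)(sectors & 0xFFFFFFFFu);
    /* Explicit arithmetic instead of an implementation-defined cast. */
    return (low <= 0x7FFFFFFFu) ? (int32_t)low
                                : (int32_t)((int64_t)low - 4294967296LL);
}

/* Recover the true count from a wrapped value by adding multiples of 2^32
 * until the result agrees with the reported data size (assumed MB = 2^20
 * bytes, truncated). Returns 0 if no candidate matches, i.e. the wrapped
 * value cannot be reconciled with the rest of the report. */
uint64_t recover_sector_count(int32_t reported, uint64_t size_mb,
                              uint32_t bytes_per_sector)
{
    uint64_t candidate = (uint64_t)(uint32_t)reported; /* low 32 bits */
    for (int wraps = 0; wraps < 16; wraps++) {
        uint64_t mb = candidate * bytes_per_sector / (1024u * 1024u);
        if (mb == size_mb)
            return candidate;
        candidate += 4294967296ULL; /* one more 2^32 wrap */
    }
    return 0;
}

int main(void)
{
    /* Values taken from the report quoted in the thread. */
    const uint64_t geometry = 3906959360ULL; /* [Drive Geometry] count */
    const int32_t  reported = -388007936;    /* second "Sector count"  */

    printf("wrapped:   %" PRId32 "\n", report_as_int32(geometry));
    printf("recovered: %" PRIu64 "\n",
           recover_sector_count(reported, 1907695, 512));
    return 0;
}
```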
Thank you for your responses. This negative number has shown in several of my images. There is nothing in common between my images, i.e. servers, write blocker, drives, etc. Thinking that perhaps a certain hardware is causing this issue. All different servers and all different hardware.
Also, all of the images have mounted successfully and I have been able to export files and folders.
I will contact AccessData and see what they have to say.
Regards,
Rizwan
Have you created an identical image with a different tool? Do the hashes match?
Would you please share, for our reference, the exact version of FTK Imager you are using?
I am using FTK version 2.9.0.1385. I think this is the most current version of FTK Imager on the AD website.
No, I have not recreated the images. The drives are large capacity drives and it is not feasible at this time to recreate them. If these images are deemed unreliable, I guess I will have to recreate them. As I have previously stated, these images mount fine back in the imager and I have been able to export files and folders from them.
Regards,
Rizwan
I'm using v3.1.0.1514 and I don't think that is even the most up-to-date version; perhaps using a more recent version will eliminate the problem, as this bug may have already been found and fixed.
HTH
Simon
Good call. I am using FTK lite version 2.9.0.1385. I will try the full imager version and see what kind of results I get.
Regards,
Rizwan
Can you tell us if you ran the full version and if so, what were your results? Thanks