I'm analysing an EWF image mounted by xmount, but mmls can't determine the partition type.
Curiously under Win7, with FTK Imager Lite, I can mount this image!
I suspect that you only have the volumes mounted, and mmls works at disk level to show the volumes.
Try remounting the image files using mount_ewf.py then point mmls at the mounted raw image that mount-ewf.py creates. Something like
#mount_ewf.py <image_file>.E* /mnt/ewf/
#cd /mnt/ewf/
#mmls <image_file>
You will see better results if you run all this as root.
There is more reading on the subject
Stu
I tried in this mode
root@rti-ubuntu-specchio:/usr/local/bin# pwd
/usr/local/bin
root@rti-ubuntu-specchio:/usr/local/bin# mount_ewf.py /media/AGRIGENTO2/HD01/HD01.E01 /mnt/ewf/
Using libewf-20111015. Tested with libewf-20080501.
root@rti-ubuntu-specchio:/usr/local/bin# cd /mnt/ewf/
root@rti-ubuntu-specchio:/mnt/ewf# ls -lath
totale 233G
drwxr-xr-x 4 root root 4,0K 2012-02-02 12:45 ..
dr-xr-xr-x 2 root root 0 1970-01-01 01:00 .
-r--r--r-- 1 root root 233G 1970-01-01 01:00 HD01
-r--r--r-- 1 root root 204 1970-01-01 01:00 HD01.txt
root@rti-ubuntu-specchio:/mnt/ewf# file HD01
HD01: x86 boot sector, code offset 0x5a, OEM-ID "MSWIN4.1", sectors/cluster 64, Media descriptor 0xf8, heads 255, hidden sectors 63, sectors 488391944 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 59604, reserved3 0x800000, serial number 0x19071e42, label " Verbatim"
root@rti-ubuntu-specchio:/mnt/ewf# mmls HD01
Cannot determine partition type
In that case, a couple of questions
1) Do you only have one image file (E01)?
If not, try E* instead of E01.
2) Do you know what the image is of i.e. hard drive, thumb drive, DVD etc?
3) What is your end goal, what are you trying to do with the image?
Stu
In that case, a couple of questions
1) Do you only have one image file (E01)?
No
root@rti-ubuntu-specchio:/mnt# ls /media/AGRIGENTO2/HD01/
AnalisiHD01.txt HD01.E12 HD01.E25 HD01.E38 HD01.E51 HD01.E64
AnalisiHD01.txt~ HD01.E13 HD01.E26 HD01.E39 HD01.E52 HD01.E65
HD01.E01 HD01.E14 HD01.E27 HD01.E40 HD01.E53 HD01.E66
HD01.E02 HD01.E15 HD01.E28 HD01.E41 HD01.E54 HD01.E67
HD01.E03 HD01.E16 HD01.E29 HD01.E42 HD01.E55 HD01.E68
HD01.E04 HD01.E17 HD01.E30 HD01.E43 HD01.E56 HD01.E69
HD01.E05 HD01.E18 HD01.E31 HD01.E44 HD01.E57 HD01.E70
HD01.E06 HD01.E19 HD01.E32 HD01.E45 HD01.E58 HD01.log.txt
HD01.E07 HD01.E20 HD01.E33 HD01.E46 HD01.E59
HD01.E08 HD01.E21 HD01.E34 HD01.E47 HD01.E60
HD01.E09 HD01.E22 HD01.E35 HD01.E48 HD01.E61
HD01.E10 HD01.E23 HD01.E36 HD01.E49 HD01.E62
HD01.E11 HD01.E24 HD01.E37 HD01.E50 HD01.E63
If not, try E* instead of E01.
root@rti-ubuntu-specchio:/mnt# mount_ewf.py /media/AGRIGENTO2/HD01/HD01.E?? /mnt/ewf/
Using libewf-20111015. Tested with libewf-20080501.
root@rti-ubuntu-specchio:/mnt# cd ewf/
root@rti-ubuntu-specchio:/mnt/ewf# ls
HD01 HD01.txt
root@rti-ubuntu-specchio:/mnt/ewf# file HD01
HD01: x86 boot sector, code offset 0x5a, OEM-ID "MSWIN4.1", sectors/cluster 64, Media descriptor 0xf8, heads 255, hidden sectors 63, sectors 488391944 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 59604, reserved3 0x800000, serial number 0x19071e42, label " Verbatim"
root@rti-ubuntu-specchio:/mnt/ewf# mmls HD01
Cannot determine partition type
2) Do you know what the image is of i.e. hard drive, thumb drive, DVD etc?
It's an external HD.
3) What is your end goal, what are you trying to do with the image?
Stu
I must search for any evidence of interest for my investigation, such as images, documents, audio files etc.
If I am reading your file command output correctly, the image is a partition image, is it not? (or, maybe mount_ewf.py is only mounting the partition, which is what you are running mmls against)
mmls only works against disk images. 'Cannot determine partition type' is the error you would get when running it against a partition image.
If you want more information about a partition, fsstat is more appropriate.
Run mmls against the unmounted image, or run fsstat against the mounted image.
I have a similar situation. I have a raw image split into xx parts, and when I run mmls it gives me the message that it cannot determine the partition type. The machine I am using is Win 7 64-bit. I ran mmls -v and got the following result:
D:\sleuthkit-win32-3.2.3\bin>mmls -v J:\IMAGE.001
tsk_img_open Type 0 NumImg 1 Img1 J:\IMAGE.001
dos_load_prim Table Sector 0
raw_read byte offset 0 len 65536
dos_load_prim_table Testing FAT/NTFS conditions
load_pri00 Start 63 Size 10104822 Type 39
load_pri01 Start 10104885 Size 966663180 Type 7
Starting sector 10104885 too large for image
bsd_load_table Table Sector 1
gpt_load_table Sector 0
sun_load_table Trying sector 0
sun_load_table Trying sector 1
mac_load_table Sector 1
mac_load Missing initial magic value
mac_open Trying 4096-byte sector size instead of 512-byte
mac_load_table Sector 1
mac_load Missing initial magic value
Cannot determine partition type
Can somebody point out what I could do?
Regards,
Esteban
If the image is split, you need to change the file reference to something more like
mmls J:\IMAGE.0??
Otherwise mmls will only try and read the first chunk, and not the remaining (which might have extended partition tables).
Thanks for your answer. I tried what you suggested, and even tried to list the different parts of the image and nothing. It did not work.
Regards,
Esteban
The only other time mmls has failed for me was when the image was of a single partition.
If you don't know whether it is or isn't, running fls or fsstat will tell you.
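Added example, not part of any post in this thread and not Sleuth Kit code: a small Python check of sector 0 that separates the two failures discussed above, a volume image whose first sector is a FAT/NTFS boot sector (the HD01 case) and a partition table whose entries point past the end of the data actually read (the split IMAGE.001 case). The OEM-ID heuristic, the function names, the sample type bytes and the 2 GiB segment size are assumptions made for illustration.

```python
import os
import struct

SECTOR = 512
# OEM-ID prefixes typical of FAT/NTFS boot sectors (assumed heuristic)
FS_OEM = (b"MSDOS", b"MSWIN", b"NTFS", b"FAT")

def triage_sector0(sector0, image_sectors):
    """Classify sector 0 as 'volume', 'disk' or 'unknown', with notes."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return "unknown", ["no 0x55AA signature in sector 0"]
    if sector0[3:11].startswith(FS_OEM):
        hidden = struct.unpack_from("<I", sector0, 28)[0]
        return "volume", [f"boot sector of a file system (hidden sectors {hidden})"]
    notes, found = [], 0
    for i in range(4):  # four 16-byte primary entries at offset 446
        ptype, start, size = struct.unpack_from("<4xB3xII", sector0, 446 + 16 * i)
        if ptype == 0:
            continue
        found += 1
        if start >= image_sectors:
            notes.append(f"entry {i}: start {start} beyond image ({image_sectors} sectors)")
        elif start + size > image_sectors:
            notes.append(f"entry {i}: end {start + size} beyond image ({image_sectors} sectors)")
    return ("disk" if found else "unknown"), notes

def triage_image(path):
    """Run the check on a raw image file (or the first segment of a split one)."""
    with open(path, "rb") as f:
        return triage_sector0(f.read(SECTOR), os.path.getsize(path) // SECTOR)

def sample_vbr():
    """Constructed FAT32 boot sector using the OEM-ID and counts from the file output."""
    s = bytearray(SECTOR)
    s[0:3], s[3:11], s[510:512] = b"\xeb\x58\x90", b"MSWIN4.1", b"\x55\xaa"
    struct.pack_into("<II", s, 28, 63, 488391944)  # hidden sectors, total sectors
    return bytes(s)

def sample_mbr():
    """Constructed MBR; starts and sizes from the mmls -v log, type bytes made up."""
    s = bytearray(SECTOR)
    for i, entry in enumerate([(0x27, 63, 10104822), (0x07, 10104885, 966663180)]):
        struct.pack_into("<4xB3xII", s, 446 + 16 * i, *entry)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(triage_sector0(sample_vbr(), 488391944))
    print(triage_sector0(sample_mbr(), 4194304))    # one 2 GiB segment (constructed size)
    print(triage_sector0(sample_mbr(), 976768065))  # all segments concatenated
```

A "volume" result means fsstat or fls is the right tool; a "disk" result with notes means the tool was given less data than the partition table describes, as happens when only the first segment of a split image is opened.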