TSK / Autopsy 2.24 mmls tool results not the same.

 ptyo
(@ptyo)
Active Member
Joined: 12 years ago
Posts: 13
Topic starter  

OK. When in Autopsy 2.24 I create a case and then go to add my EWF image (E01, E02, ...), it gives me the below analysis of the image file.

For your reference, the mmls output was the following

DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
02 0000 0000000063 0461434994 0461434932 NTFS (0x07)
03 0001 0461434995 0488392064 0026957070 NTFS (0x07)

But when I run mmls from the command line via the below command

/media/HardDriveImage/mmls myimage.E??
I get the results below

DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
00 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000000 0000000062 0000000063 Unallocated
02 0000 0000000063 0461434994 0461434932 NTFS (0x07)
03 0001 0461434995 0488392064 0026957070 NTFS (0x07)
04 ----- 0488392065 0488397167 0000005103 Unallocated

So my question is this: when working in Autopsy and pulling in an Expert Witness File Format image (E01, E02, ...), is it not pulling in all the data? Am I actually missing slots 01 and 04? Just curious what the difference is. Is there a bug in Autopsy?

Thanks,

Pete


   
Quote
binarybod
(@binarybod)
Reputable Member
Joined: 18 years ago
Posts: 272
 

Pete,

Autopsy is giving you the output of mmls when run with the '-a' option. This shows allocated partitions only, not unallocated space and metadata. Try running your example as
/media/HardDriveImage/mmls -a myimage.E??
In the example output you gave, this is how the slots break down:

00 This is the DOS-type partition table in sector 0. As this is interpreted data, it is referred to by mmls as a Meta data entry (i.e. data about data) that is embedded in sector 0.

01 This is the unallocated space that is not part of any partition between sector 0 and sector 62 (inclusive).

02 A real partition between sector 63 and sector 461434994 (inclusive) that is labelled as being NTFS (type 07). You could confirm the partition format and details by using the fsstat tool (it is quite possible to format a partition in a different format from that of its labelled type).

03 Another real partition between sector 461434995 and sector 488392064 (inclusive) that is also labelled as being NTFS.

04 Unallocated disk space between sector 488392065 and 488397167.

It is worth having a look in the unallocated space at the start of the drive and at the end, but this would appear to be a fairly standard configuration and I'm willing to bet that, apart from sector 0, you won't find any strange data in there.

Autopsy is really only interested in the real partitions and not the meta or unallocated areas; it therefore runs mmls with the '-a' option. To check this, look at the exec log file in your Autopsy output directory, which lists all the TSK (and other) commands that have been executed.

As always, 'man mmls' provides some information (if you are on Windows then try this web page); experimentation with the options provides much more.

Paul


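As an added illustration (not code from the thread, from Autopsy or from The Sleuth Kit), the following Python re-parses the two mmls tables Pete posted (embedded here as constructed strings, with the forum's garbled dashes restored to mmls's "-----" marker for rows that belong to no slot) and checks Paul's breakdown mechanically: the non-meta rows of the full table tile the whole image with no gap or overlap, the '-a' view is exactly the partition rows, and the only rows it hides are the meta entry and the two unallocated gaps (slots 01 and 04). It also derives the sector offsets you would pass to fsstat -o to confirm the file system type of each partition. The function names and the tiling check are this example's own, not TSK's.

```python
"""Reconcile a full mmls table with the allocated-only view (mmls -a).

Added example for the thread above; it does not use TSK itself, it only
parses the text mmls prints. Tables below are constructed copies of the
two outputs quoted in the first post.
"""
import re
from dataclasses import dataclass

MMLS_FULL = """\
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
00 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000000 0000000062 0000000063 Unallocated
02 0000 0000000063 0461434994 0461434932 NTFS (0x07)
03 0001 0461434995 0488392064 0026957070 NTFS (0x07)
04 ----- 0488392065 0488397167 0000005103 Unallocated
"""

MMLS_ALLOC = """\
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
02 0000 0000000063 0461434994 0461434932 NTFS (0x07)
03 0001 0461434995 0488392064 0026957070 NTFS (0x07)
"""

SECTOR = 512  # "Units are in 512-byte sectors"

# index, slot, start, end, length, description. The optional ':' after the
# index also accepts newer mmls layouts such as "002:  000:000  ...".
ROW = re.compile(r"^\s*(\d+):?\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Entry:
    index: int
    slot: str
    start: int
    end: int  # inclusive, as mmls prints it
    length: int
    desc: str

    @property
    def kind(self) -> str:
        if self.slot == "Meta":
            return "meta"
        if self.desc.startswith("Unallocated"):
            return "unallocated"
        return "partition"


def parse_mmls(text: str) -> list[Entry]:
    """Parse the table rows, checking that Length really is End-Start+1."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner lines and the column header
        e = Entry(int(m[1]), m[2], int(m[3]), int(m[4]), int(m[5]), m[6])
        if e.length != e.end - e.start + 1:
            raise ValueError(f"length mismatch in row {e.index}: {line}")
        entries.append(e)
    return entries


def coverage(entries: list[Entry]) -> tuple[bool, int]:
    """True if the non-meta rows tile sectors 0..N-1 with no gap or overlap,
    plus N (image size in sectors). Meta rows describe the table itself and
    overlap real space, so they are excluded from the tiling."""
    rows = sorted((e for e in entries if e.kind != "meta"), key=lambda e: e.start)
    expected = 0
    for e in rows:
        if e.start != expected:
            return False, expected
        expected = e.end + 1
    return True, expected


def allocated_view(entries: list[Entry]) -> list[Entry]:
    """What mmls -a prints: the partition rows only."""
    return [e for e in entries if e.kind == "partition"]


def dropped_by_a(full: list[Entry], alloc: list[Entry]) -> list[Entry]:
    """Rows of the full table that the -a table does not show."""
    shown = {(e.start, e.end) for e in alloc}
    return [e for e in full if (e.start, e.end) not in shown]


def fsstat_offset(e: Entry) -> int:
    """Sector offset for `fsstat -o <n> image.E01` (sector units)."""
    return e.start


def image_bytes(entries: list[Entry], sector: int = SECTOR) -> int:
    ok, total = coverage(entries)
    if not ok:
        raise ValueError("table does not tile the image; sectors unaccounted for")
    return total * sector


if __name__ == "__main__":
    full, alloc = parse_mmls(MMLS_FULL), parse_mmls(MMLS_ALLOC)
    print(f"image size: {image_bytes(full)} bytes")
    for e in dropped_by_a(full, alloc):
        print(f"slot {e.index:02d} hidden by -a: {e.kind} sectors {e.start}-{e.end}")
    for e in allocated_view(full):
        print(f"fsstat -o {fsstat_offset(e)} myimage.E01   # labelled {e.desc}")
```

Running the full table through coverage() shows the five rows account for every sector from 0 to 488397167, so nothing is lost between the two views; the '-a' table simply starts at sector 63. The 'fsstat -o' lines it prints are the real TSK invocation for checking whether a partition labelled 0x07 actually holds an NTFS volume (TSK reads a split E01 set when given the first segment).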
 ptyo
(@ptyo)
Active Member
Joined: 12 years ago
Posts: 13
Topic starter  

binarybod, thanks for that explanation, that really helps. Now that I know I can check the exec.log and see exactly what Autopsy is doing, that will help me learn more. On a side note, I'm running Kali Linux.

Thanks,

Pete

