|

»

»

»

sleuthkit-users

FAT read error?

View: New views

4 Messages — Rating Filter: Alert me

	FAT read error? by Lehr, John :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message FAT read error? Hi Everyone, I have an unusual issue: fls displays a different root file tree than the mounted file tree reveals. Background: I have a Garmin Nuvi gps device collected from a car used in a kidnapping. Garmin devices have the ability to keep tracks in xml format in the /Garmin/GPX/Current.gpx file, and often do so outside of the users knowledge (in my experience). I imaged the 2gb memory with dd, and found a partition single partition at offset 0. A directory list created with fls shows the following: #fls -rD garmin.dd d/d 5: Garmin + d/d 147: Voice + d/d 161: Diag + d/d 173: GPX d/d 9: Reports d/d 62164870: $OrphanFiles However, mounting the filesystem with "# mount -o loop,ro garmin.dd /media/garmin" and running a recursive directory list: # tree -d --inode /media/garmin /media/garmin/ \|-- [ 6768] Garmin \| \|-- [ 6807] Diag \| \|-- [ 6803] ExtData \| \|-- [ 6812] GPX \| \|-- [ 6799] Help \| \| \|-- [ 7323] Afrikaans \| \| \|-- [ 7324] American_English \| \| \|-- [ 7325] Arabic \| \| \|-- [ 7326] British_English \| \| \|-- [ 7327] Bulgarian \| \| \|-- [ 7328] Chinese \| \| \|-- [ 7329] Croatian \| \| \|-- [ 7330] Czech \| \| \|-- [ 7331] Danish \| \| \|-- [ 7332] Dutch \| \| \|-- [ 7333] Estonian \| \| \|-- [ 7334] Finnish \| \| \|-- [ 7335] French \| \| \|-- [ 7336] German \| \| \|-- [ 7337] Greek \| \| \|-- [ 7338] Hebrew \| \| \|-- [ 7339] Hungarian \| \| \|-- [ 7340] Italian \| \| \|-- [ 7341] Japanese \| \| \|-- [ 7342] Korean \| \| \|-- [ 7343] Latvian \| \| \|-- [ 7344] Lithuanian \| \| \|-- [ 7345] Norwegian \| \| \|-- [ 7346] Polish \| \| \|-- [ 7347] Portuguese \| \| \|-- [ 7348] Romanian \| \| \|-- [ 7349] Russian \| \| \|-- [ 7350] Slovakian \| \| \|-- [ 7351] Slovenian \| \| \|-- [ 7352] Spanish \| \| \|-- [ 7353] Swedish \| \| \|-- [ 7354] Taiwanese \| \| `-- [ 7355] Turkish \| \|-- [ 6794] RemoteSW \| \|-- [ 6801] Text \| \|-- [ 6802] Vehicle \| \|-- [ 6800] Voice \| \|-- [ 6795] jpeg \| `-- [ 6798] poi \| `-- [ 7359] ddb `-- [ 6770] Reports Counting all file/directory entries, here is the difference between fls and the mounted partition: # fls -r garmin.dd \| wc -l 19 # # find /media/garmin/ \| wc -l 3053 I checked for other fat partitions with "sigfind -t fat garmin.dd" and found numerous possible partitions which I dumped to "fat.list". I checked the validity of the hits with: # cat fat.list \| cut -d ' ' -f2 \| while read OFFSET; do fls -o $OFFSET garmin.dd > tee /dev/null 2>/dev/null; if [ $? = 0 ]; then echo "Offset $OFFSET was successful."; fi; done Offset 0 was successful. Only offset 0 yielded a true FAT32 partition. Does anyone have suggestions for me, or is this a possible bug? TSK inode layer tools (i.e. ils) yeild the same basic results as file layer tools. I no longer have the physical device, but I do have the image to work with. ______________________________________ John Lehr Evidence Technician San Luis Obispo Police Department ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org
	Re: FAT read error? by Theodore Pham :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message What version of TSK are you using? I seem to recall running into a similar situation with an NTFS file system and TSK 2.x, but TSK 3.x showed me more of what I was expecting. On Fri, Nov 6, 2009 at 12:04 PM, Lehr, John <jlehr@...> wrote: > > Hi Everyone, > > I have an unusual issue: fls displays a different root file tree than the > mounted file tree reveals. > > Background: I have a Garmin Nuvi gps device collected from a car used in a > kidnapping. Garmin devices have the ability to keep tracks in xml format in > the /Garmin/GPX/Current.gpx file, and often do so outside of the users > knowledge (in my experience). > > I imaged the 2gb memory with dd, and found a partition single partition at > offset 0. A directory list created with fls shows the following: > > #fls -rD garmin.dd > d/d 5: Garmin > + d/d 147: Voice > + d/d 161: Diag > + d/d 173: GPX > d/d 9: Reports > d/d 62164870: $OrphanFiles > > However, mounting the filesystem with "# mount -o loop,ro garmin.dd > /media/garmin" and running a recursive directory list: > > # tree -d --inode /media/garmin > /media/garmin/ > \|-- [ 6768] Garmin > \| \|-- [ 6807] Diag > \| \|-- [ 6803] ExtData > \| \|-- [ 6812] GPX > \| \|-- [ 6799] Help ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org
	Re: FAT read error? by Lehr, John :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Re: [sleuthkit-users] FAT read error? Sorry, should have mentioned the TSK version: 3.01 ______________________________________ John Lehr Evidence Technician San Luis Obispo Police Department From: Theodore Pham [mailto:telamon@...] Sent: Fri 11/6/2009 9:30 AM To: Lehr, John Cc: sleuthkit-users@... Subject: Re: [sleuthkit-users] FAT read error? What version of TSK are you using? I seem to recall running into a similar situation with an NTFS file system and TSK 2.x, but TSK 3.x showed me more of what I was expecting. On Fri, Nov 6, 2009 at 12:04 PM, Lehr, John <jlehr@...> wrote: > > Hi Everyone, > > I have an unusual issue: fls displays a different root file tree than the > mounted file tree reveals. > > Background: I have a Garmin Nuvi gps device collected from a car used in a > kidnapping. Garmin devices have the ability to keep tracks in xml format in > the /Garmin/GPX/Current.gpx file, and often do so outside of the users > knowledge (in my experience). > > I imaged the 2gb memory with dd, and found a partition single partition at > offset 0. A directory list created with fls shows the following: > > #fls -rD garmin.dd > d/d 5: Garmin > + d/d 147: Voice > + d/d 161: Diag > + d/d 173: GPX > d/d 9: Reports > d/d 62164870: $OrphanFiles > > However, mounting the filesystem with "# mount -o loop,ro garmin.dd > /media/garmin" and running a recursive directory list: > > # tree -d --inode /media/garmin > /media/garmin/ > \|-- [ 6768] Garmin > \| \|-- [ 6807] Diag > \| \|-- [ 6803] ExtData > \| \|-- [ 6812] GPX > \| \|-- [ 6799] Help ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org
	Re: FAT read error? by Brian Carrier-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Can you send me the output from running: # icat garmin.dd 5 \| xxd Also, can you run: # fls -v garmin.dd 5 2> verbose.txt and send me the verbose.txt output? thanks, brian On Nov 6, 2009, at 12:04 PM, Lehr, John wrote: > > Hi Everyone, > > I have an unusual issue: fls displays a different root file tree > than the mounted file tree reveals. > > Background: I have a Garmin Nuvi gps device collected from a car > used in a kidnapping. Garmin devices have the ability to keep > tracks in xml format in the /Garmin/GPX/Current.gpx file, and often > do so outside of the users knowledge (in my experience). > > I imaged the 2gb memory with dd, and found a partition single > partition at offset 0. A directory list created with fls shows the > following: > > #fls -rD garmin.dd > d/d 5: Garmin > + d/d 147: Voice > + d/d 161: Diag > + d/d 173: GPX > d/d 9: Reports > d/d 62164870: $OrphanFiles > > However, mounting the filesystem with "# mount -o loop,ro garmin.dd / > media/garmin" and running a recursive directory list: > > # tree -d --inode /media/garmin > /media/garmin/ > \|-- [ 6768] Garmin > \| \|-- [ 6807] Diag > \| \|-- [ 6803] ExtData > \| \|-- [ 6812] GPX > \| \|-- [ 6799] Help > \| \| \|-- [ 7323] Afrikaans > \| \| \|-- [ 7324] American_English > \| \| \|-- [ 7325] Arabic > \| \| \|-- [ 7326] British_English > \| \| \|-- [ 7327] Bulgarian > \| \| \|-- [ 7328] Chinese > \| \| \|-- [ 7329] Croatian > \| \| \|-- [ 7330] Czech > \| \| \|-- [ 7331] Danish > \| \| \|-- [ 7332] Dutch > \| \| \|-- [ 7333] Estonian > \| \| \|-- [ 7334] Finnish > \| \| \|-- [ 7335] French > \| \| \|-- [ 7336] German > \| \| \|-- [ 7337] Greek > \| \| \|-- [ 7338] Hebrew > \| \| \|-- [ 7339] Hungarian > \| \| \|-- [ 7340] Italian > \| \| \|-- [ 7341] Japanese > \| \| \|-- [ 7342] Korean > \| \| \|-- [ 7343] Latvian > \| \| \|-- [ 7344] Lithuanian > \| \| \|-- [ 7345] Norwegian > \| \| \|-- [ 7346] Polish > \| \| \|-- [ 7347] Portuguese > \| \| \|-- [ 7348] Romanian > \| \| \|-- [ 7349] Russian > \| \| \|-- [ 7350] Slovakian > \| \| \|-- [ 7351] Slovenian > \| \| \|-- [ 7352] Spanish > \| \| \|-- [ 7353] Swedish > \| \| \|-- [ 7354] Taiwanese > \| \| `-- [ 7355] Turkish > \| \|-- [ 6794] RemoteSW > \| \|-- [ 6801] Text > \| \|-- [ 6802] Vehicle > \| \|-- [ 6800] Voice > \| \|-- [ 6795] jpeg > \| `-- [ 6798] poi > \| `-- [ 7359] ddb > `-- [ 6770] Reports > > Counting all file/directory entries, here is the difference between > fls and the mounted partition: > > # fls -r garmin.dd \| wc -l > 19 > > # # find /media/garmin/ \| wc -l > 3053 > > I checked for other fat partitions with "sigfind -t fat garmin.dd" > and found numerous possible partitions which I dumped to > "fat.list". I checked the validity of the hits with: > > # cat fat.list \| cut -d ' ' -f2 \| while read OFFSET; do fls -o > $OFFSET garmin.dd > tee /dev/null 2>/dev/null; if [ $? = 0 ]; then > echo "Offset $OFFSET was successful."; fi; done > Offset 0 was successful. > > Only offset 0 yielded a true FAT32 partition. Does anyone have > suggestions for me, or is this a possible bug? TSK inode layer > tools (i.e. ils) yeild the same basic results as file layer tools. > > I no longer have the physical device, but I do have the image to > work with. > > ______________________________________ > John Lehr > > Evidence Technician > San Luis Obispo Police Department > > > > ------------------------------------------------------------------------------ > Let Crystal Reports handle the reporting - Free Crystal Reports 2008 > 30-Day > trial. Simplify your report design, integration and deployment - and > focus on > what you do best, core application coding. Discover what's new with > Crystal Reports now. http://p.sf.net/sfu/bobj-july_______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ sleuthkit-users mailing list https://lists.sourceforge.net/lists/listinfo/sleuthkit-users http://www.sleuthkit.org