FLS errors with NTFS filesystem

I'm having trouble trying to get FLS to read an NTFS filesystem image that I'm working on. I've got a raw DD of the entire disk, and I can successfully mount the NTFS partition within it using a loopback device, and the filesystem appears fine when navigating around this loopback mount. mmls lists the partitions fine, and the offsets seem to be correct, as evidenced by the successful mount via loopback.

When trying to read the root inode with fls (version 3.0.1, built from source, on Ubuntu 8.04.1), I call fls like this:

    fls -v -o 80325 -f ntfs /media/sdb1/forensics/sda-img.dd

And get the following error:

    Invalid API argument (fs_attr_run: error adding aditional run: 0, Previous 231823 -> 1 Current 972940 -> 1 ) ( - proc_attrseq: put run- proc_attrlist - ntfs_dir_open_meta)

Having searched the bug tracker, I thought it might be bug 2568528, so I tried one of the 3.0 nightly snapshots, 20099-08-07, but this returned an identical error.

I finally tried building the latest trunk code, which does produce a different error:

    General file system error (fs_attr_add_run: error adding additional run (5): No filler entry for 0. Final: 1) ( - proc_attrseq: put run- proc_attrlist - ntfs_dir_open_meta)

If I start from a specific inode number on the end of the command (by starting at 1 and then incrementing till something works), then I can successfully get parts of the filesystem to list in fls.

Can anyone shed any light on this? I have verbose output from fls for all 3 versions of the code I've tried if that would be useful.

Thanks,
Sam.

--
"Fortified with Essential Bitterness and Sarcasm"
Matt Groening, "Binky's Guide to Love".

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: Fwd: FLS errors with NTFS filesystem

On Mon, Aug 10, 2009 at 01:38:11PM -0400, Theodore Pham wrote:
> Forgot to reply to the whole group.

I thought I'd wait and see before I replied direct to you :)

> Is 80325 the byte offset into the dd file of the start of the NTFS
> partition? Or is it the sector offset?

80325 is the sector offset as reported by mmls etc.

> fls expects a sector offset (i.e. the output of mmls in 512 byte
> sector mode by default).

Yup, fls is getting the sector offset, not the byte offset.

> Mounting a file on loopback often requires the byte offset so you end
> up multiplying the sector offset by 512 to get the byte offset.

Indeed, the offset in losetup is 41126400, and that works fine.

Thanks,
Sam.

--
"Fortified with Essential Bitterness and Sarcasm"
Matt Groening, "Binky's Guide to Love".
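
Added example, not part of the thread or of The Sleuth Kit's own code: the sector-versus-byte offset relationship discussed in the reply above, derived from mmls-style output instead of by hand, plus a check that the byte offset lands on an NTFS boot sector. The mmls listing is constructed for illustration (only the 80325 start sector comes from the posts), and part_offsets, is_ntfs_at, IMAGE and /dev/loopN are hypothetical names.

```shell
#!/bin/sh
# Constructed mmls-style listing; only the 80325 start sector is from the thread.
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000080324   0000080325   Unallocated
02:  00:01   0000080325   0000180324   0000100000   NTFS (0x07)
EOF
}

# Read mmls output on stdin and print "<start_sector> <byte_offset>" for the
# first partition whose line contains $1. The sector size is taken from the
# "Units are in N-byte sectors" line rather than assumed to be 512.
part_offsets() {
    awk -v want="$1" '
        /^Units are in [0-9]+-byte sectors/ { split($4, u, "-"); ss = u[1] }
        /^[0-9]+:/ && index($0, want) {
            start = $3 + 0                  # drops the zero padding
            printf "%d %d\n", start, start * ss
            exit
        }'
}

# Succeeds if the OEM ID at byte 3 of the volume boot sector begins "NTFS".
# $1 = image file, $2 = byte offset of the partition inside the image.
is_ntfs_at() {
    oem=$(dd if="$1" bs=1 skip=$(( $2 + 3 )) count=4 2>/dev/null)
    [ "$oem" = "NTFS" ]
}

# Show which tool takes which unit (IMAGE and /dev/loopN are placeholders).
set -- $(sample_mmls | part_offsets NTFS)
echo "fls -o $1 -f ntfs IMAGE          # sector offset"
echo "losetup -o $2 /dev/loopN IMAGE   # byte offset"
```

On a real image, pipe the output of mmls into part_offsets and pass the resulting byte offset to is_ntfs_at before running fls or losetup.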