Hi all, a coadmin and I are attempting to audit a WinXP drive, and having no luck. We used dd to backup the two partitions: small FAT32 and a 40G NTFS one. We can see everything on the FAT32 partition, but only one file is displayed for the NTFS partition. Actually, here is the specific information: Only file displayed is: DELL.SDR The partition size is: 39991311360 bytes We also get the following error when attempting to use the filesystem tools: /usr/local/task/bin/fls: entry 29286 has an invalid MFT magic: 88000000 If the INODE or Data browser is used, other files can be accessed but only by guessing the INODE or cluster number. The names are displayed. Also, this is on a Linux 2.4.19 system, and the kernel will happily mount the drive image as a loopback device. This is a gentoo-xfs-sources-2.4.19-r2 which does include the new ntfs patches. So, we know for certain that there are no problems with the drive image. Can anyone tell us what we need to do in order to be able to look over the drive contents for the NTFS partition using autopsy? Thanks. geoffrey -- ++++++++++++++++++++++++++ This space intentionally left non-blank ++++++++++++++++++++++++++ ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 05:35:12 PST