Geoffrey, Which version of TASK are you running? 1.52 fixed a Magic error that occurred with attribute lists. If you are running 1.52, can you send me the output of using the 'inode' browsing output of entry 0 (which is for the MFT) and your cluster size (you can send it offline). thanks, brian On Friday, November 15, 2002, at 05:33 PM, geoffrey wrote: > Hi all, > a coadmin and I are attempting to audit a WinXP drive, and > having no luck. We used dd to backup the two partitions: small FAT32 > and > a 40G NTFS one. We can see everything on the FAT32 partition, but only > one file is displayed for the NTFS partition. Actually, here is the > specific information: > > Only file displayed is: DELL.SDR > > The partition size is: 39991311360 bytes > > We also get the following error when attempting to use the filesystem > tools: > > /usr/local/task/bin/fls: entry 29286 has an invalid MFT magic: 88000000 > > If the INODE or Data browser is used, other files can be accessed but > only by guessing the INODE or cluster number. The names are displayed. > Also, this is on a Linux 2.4.19 system, and the kernel will happily > mount the drive image as a loopback device. This is a > gentoo-xfs-sources-2.4.19-r2 which does include the new ntfs patches. > So, we know for certain that there are no problems with the drive > image. > Can anyone tell us what we need to do in order to be able to look over > the drive contents for the NTFS partition using autopsy? Thanks. > > geoffrey > -- > ++++++++++++++++++++++++++ > > This space intentionally > left non-blank > > ++++++++++++++++++++++++++ > > ----------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 18 2002 - 06:51:00 PST