Re: Large file support in TASK

From: Brian Carrier (carrierat_private)
Date: Mon Nov 18 2002 - 06:40:31 PST

Next message: KEVEN M MURPHY: "Re: Large file support in TASK"

Previous message: Craig Earnshaw: "Re: Is it possible to recover recently deleted emails from an Outlook PST file?"
In reply to: geoffrey: "Large file support in TASK"
Next in thread: KEVEN M MURPHY: "Re: Large file support in TASK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Geoffrey,

Which version of TASK are you running?  1.52 fixed a Magic error that 
occurred with attribute lists.  If you are running 1.52, can you send 
me the output of using the 'inode' browsing output of entry 0 (which is 
for the MFT) and your cluster size (you can send it offline).

thanks,
brian


On Friday, November 15, 2002, at 05:33  PM, geoffrey wrote:

> Hi all,
> 	a coadmin and I are attempting to audit a WinXP drive, and
> having no luck. We used dd to backup the two partitions: small FAT32 
> and
> a 40G NTFS one. We can see everything on the FAT32 partition, but only
> one file is displayed for the NTFS partition. Actually, here is the
> specific information:
>
> Only file displayed is: DELL.SDR
>
> The partition size is: 39991311360 bytes
>
> We also get the following error when attempting to use the filesystem
> tools:
>
> /usr/local/task/bin/fls: entry 29286 has an invalid MFT magic: 88000000
>
> If the INODE or Data browser is used, other files can be accessed but
> only by guessing the INODE or cluster number. The names are displayed.
> Also, this is on a Linux 2.4.19 system, and the kernel will happily
> mount the drive image as a loopback device. This is a
> gentoo-xfs-sources-2.4.19-r2 which does include the new ntfs patches.
> So, we know for certain that there are no problems with the drive 
> image.
> Can anyone tell us what we need to do in order to be able to look over
> the drive contents for the NTFS partition using autopsy? Thanks.
>
> geoffrey
> -- 
> ++++++++++++++++++++++++++
>
> This space intentionally
> left non-blank
>
> ++++++++++++++++++++++++++
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: KEVEN M MURPHY: "Re: Large file support in TASK"
Previous message: Craig Earnshaw: "Re: Is it possible to recover recently deleted emails from an Outlook PST file?"
In reply to: geoffrey: "Large file support in TASK"
Next in thread: KEVEN M MURPHY: "Re: Large file support in TASK"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Nov 18 2002 - 06:51:00 PST