Re: Problem with mounted vfat image

From: Paul Bakker (bakker@fox-it.com)
Date: Mon Apr 14 2003 - 01:20:51 PDT


    I had the same problem with a "128 Mb USB Token Harddrive".
    Is this something like that?
    
    As already told, you imaged a partition and not a hard drive.
    Therefore, fdisk will not give back any useful information.
    
    The garbled directories were corrupted FAT entries in my
    case. Because somebody did not let (probably Windows) the OS
    flush its buffers, the partition probably got corrupted.
    
    For the client I made a tarball of all the not corrupted folders.
    This requires quite some handwork to determine which directories
    were not corrupted and filter these out.
    
    Paul Bakker
    
    > -----Original message-----
    > From: R Andersson [mailto:listbox@pole-position.org]
    > Sent: Friday 4 April 2003 10:53
    > To: forensicsat_private
    > Subject: Re: Problem with mounted vfat image
    > 
    > 
    > Parth Galen wrote:
    > > I have a dd'ed image that fsstat reports as;
    > > --------
    > > [root@localhost morgue]# sfdisk -l disk2.2.2.dd
    > > Disk disk2.2.2.dd: cannot get size
    > > Disk disk2.2.2.dd: cannot get geometry
    > > 
    > > Disk disk2.2.2.dd: 0 cylinders, 0 heads, 0 sectors/track
    > > Units = megabytes of 1048576 bytes, blocks of 1024 bytes, counting from 0
    > > 
    > >    Device Boot Start   End     MB    #blocks   Id  System
    > > disk2.2.2.dd1   ? 937476+ 1203314- 265839- 272218546+  20  Unknown
    > > disk2.2.2.dd2   ? 649504+ 912676- 263173- 269488144   6b  Unknown
    > > disk2.2.2.dd3   ? 263178+ 945972- 682795- 699181456   53  OnTrack DM6 Aux3
    > > disk2.2.2.dd4   * 680970+ 680980-    11-     10668+  49  Unknown
    > > ------
    > [snip]
    > > I can mount it "successfully" with;
    > > ------
    > > # mount disk2.2.2.dd /mnt/vfat -t vfat -r -o ro,loop,show_sys_files=true
    > > 
    > > # mount 
    > > /root/practical/morgue/disk2.2.2.dd on /mnt/vfat type vfat 
    > > (ro,loop=/dev/loop0,show_sys_files=true)
    > > ------
    > 
    > So you dumped a partition and not the whole disk. Therefore you can't 
    > look at partition info, but you can mount the file directly. See the 
    > thread "Linux, dd, and image file" which discussed the opposite.
    > 
    > > The top level directories appear "good", but as soon as you drop into a
    > > folder or two down, I start getting "garbage" from ls, cat, less, cp...
    > > The file and folder names look like pieces from the files themselves
    > > rather than the FAT. While the content of the top level files can be
    > > accessed (less, cat...), the lower level files contain "garbage".
    > > 
    > > I have tried mounting as fat=12, fat=16, fat=32 (which failed), and
    > > several other options in mount but keep getting slight variations on the
    > > same "corruption" problem.
    > > 
    > > So my question is, does anyone have any suggestions on what the problem
    > > might be, and how I should proceed?
    > 
    > Was it OK on the original platform? How was the image created? How was
    > it transferred? Any risk of transmission errors? Did you use MD5 or
    > something like that to verify the integrity of the dump?
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    



    This archive was generated by hypermail 2b30 : Mon Apr 14 2003 - 20:00:22 PDT
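
Added example, not part of the original thread: a Python check of an image's first sector that tells a partition (FAT volume) image from a whole-disk (MBR) image, and shows why a partition tool decoding offset 446 of a FAT boot sector reports meaningless entries. The function names and both sample sectors are constructed for illustration.

```python
import struct

SECTOR = 512
SIG = b"\x55\xaa"

def looks_like_fat_volume(sector: bytes) -> bool:
    """True if sector 0 carries a plausible FAT BIOS Parameter Block."""
    if len(sector) < SECTOR or sector[510:512] != SIG:
        return False
    if sector[0] not in (0xEB, 0xE9):   # boot sectors start with an x86 jump
        return False
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", sector, 11)
    return (bps in (512, 1024, 2048, 4096) and spc > 0 and spc & (spc - 1) == 0
            and reserved >= 1 and fats in (1, 2))

def partition_entries(sector: bytes):
    """Decode offset 446 as a partition tool would: (status, type, lba_start, count)."""
    entries = []
    for off in range(446, 510, 16):
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        entries.append((sector[off], sector[off + 4], lba_start, count))
    return entries

def classify(sector: bytes, image_sectors: int) -> str:
    if looks_like_fat_volume(sector):
        return "partition image"        # mount directly; no partition table inside
    if len(sector) >= SECTOR and sector[510:512] == SIG:
        used = [e for e in partition_entries(sector) if e[1] != 0]
        if used and all(st in (0x00, 0x80) and start + n <= image_sectors
                        for st, _, start, n in used):
            return "whole-disk image"
    return "unknown"

def sample_fat16_sector() -> bytes:     # constructed sample, not from the thread
    s = bytearray(SECTOR)
    s[0:3], s[3:11] = b"\xeb\x3c\x90", b"MSDOS5.0"
    struct.pack_into("<HBHB", s, 11, 512, 4, 1, 2)
    s[62:510] = bytes((i * 37 + 11) % 256 for i in range(448))  # stand-in boot code
    s[510:512] = SIG
    return bytes(s)

def sample_mbr_sector() -> bytes:       # constructed sample, not from the thread
    s = bytearray(SECTOR)
    s[446], s[450] = 0x80, 0x06         # active entry, type 0x06 (FAT16)
    struct.pack_into("<II", s, 454, 63, 250000)
    s[510:512] = SIG
    return bytes(s)
```

For a real image, read the first 512 bytes of the file and pass the file size divided by 512 as image_sectors.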