sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Autopsy | Failed to add data source (critical error encountered) #5955

Closed yassoudsec closed 4 years ago

yassoudsec commented 4 years ago

These are the errors that I met when I tried to add a data source on Autopsy 4.14.0. Errors occurred while ingesting image

  1. Cannot determine file system type (Sector offset: 0)

Does anyone have an idea how to fix this error on Autopsy?

esaunders commented 4 years ago

What type of data source are you trying to add? Is it a disk image? If so, how was it acquired? What format is it in (raw, ewf)?

Normally, the "Cannot determine file system type" message is a non-critical error (see screenshot below). The fact that your message has a sector offset of 0 suggests to me that there is either an issue with your data source or how you are attempting to add it to Autopsy.

image

yassoudsec commented 4 years ago

Hello

Thanks for your reply. I'm using a VMDK disk image. I saw a blog where they say to convert the image file with qemu-img, and I converted it to img. When I imported it into Autopsy I saw 3 disk images, with only one allocated. But I don't know if this is the good way.


--

Regards.

Iliassou DIALLO

Information Systems & Electronic Payments Security Engineer

Network & Information Systems Directorate (DRSI/DSRS)

Network and Services Security Division, Orange Guinée.

Mobile : +224 625 72 00 78

@personal: yassoukoin@gmail.com

@professional: iliassou.diallo2@orange-sonatel.com

esaunders commented 4 years ago

Autopsy supports VMDK data sources. Have you tried adding the VMDK?

image

yassoudsec commented 4 years ago

Yes, I tried; that's why I got this error.


esaunders commented 4 years ago

Sounds like you are experiencing the same issue discussed here: https://sleuthkit.discourse.group/t/adding-a-disk-image-vmdk-format-failed/283

Does your VMDK consist of multiple segments?

Is this the blog post you are referring to? https://www.andreafortuna.org/2016/09/08/open-a-vmware-disk-image-vmdk-with-autopsy-for-forensics-analisys/

What happens if you follow those instructions and attempt to add it as a raw image?
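A small triage script, added here as an example and not part of Autopsy or The Sleuth Kit, that reads the first two sectors of a candidate image to show what TSK actually sees at sector offset 0 (raw MBR/GPT, a bare volume, an unconverted VMDK, or nothing recognisable) and, for a VMDK descriptor, lists the extents so a multi-segment VMDK is recognised before it is added as a data source. The signatures are public magic values; the sample inputs are constructed.

```python
import re
import struct

# Public, well-known magic values. A 512-byte sector is assumed.
VMDK_DESCRIPTOR = b"# Disk DescriptorFile"   # text descriptor of a VMDK (may list several extents)
VMDK_SPARSE_MAGIC = b"KDMV"                   # VMware hosted sparse extent header
GPT_SIGNATURE = b"EFI PART"                   # GPT header, stored in LBA 1
FS_OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"EXFAT   ")  # volume boot record OEM ids

def classify_image_head(data: bytes) -> str:
    """Label the first two sectors of an image so a 'Cannot determine file system
    type (Sector offset: 0)' report can be traced to what is actually at offset 0."""
    if data.startswith(VMDK_DESCRIPTOR):
        return "vmdk-descriptor"      # not a raw disk: must be opened as VMDK, not as raw
    if data.startswith(VMDK_SPARSE_MAGIC):
        return "vmdk-sparse"          # monolithic or split sparse extent, also not raw
    if len(data) >= 1024 and data[512:520] == GPT_SIGNATURE:
        return "gpt"
    if len(data) >= 512 and data[510:512] == b"\x55\xaa":
        if data[3:11] in FS_OEM_IDS:
            return "filesystem"       # volume image: no partition table, FS starts at sector 0
        return "mbr"
    return "unknown"                  # encrypted, garbage or truncated: TSK will fail at offset 0

def mbr_partitions(data: bytes) -> list:
    """Return (type, start_lba, sectors) for every used entry of an MBR partition table."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = data[off + 4]
        start, size = struct.unpack_from("<II", data, off + 8)
        if ptype != 0:
            parts.append((ptype, start, size))
    return parts

def vmdk_extents(descriptor: str) -> list:
    """Parse extent lines (e.g. RW 4192256 SPARSE "disk-s001.vmdk") from a VMDK descriptor."""
    pat = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)
    return [(m.group(4), m.group(3), int(m.group(2))) for m in pat.finditer(descriptor)]

def classify_file(path: str) -> str:
    """Classify an image on disk from its first two sectors."""
    with open(path, "rb") as fh:
        return classify_image_head(fh.read(1024))

# Constructed samples (not from the issue): an MBR with one NTFS partition at LBA 2048,
# a VMDK sparse header stub, and a two-extent split descriptor.
SAMPLE_MBR = bytearray(512)
SAMPLE_MBR[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1000000)
SAMPLE_MBR[510:512] = b"\x55\xaa"
SAMPLE_MBR = bytes(SAMPLE_MBR)
SAMPLE_SPARSE = b"KDMV" + struct.pack("<I", 1) + bytes(504)
SAMPLE_DESCRIPTOR = ('# Disk DescriptorFile\nversion=1\ncreateType="twoGbMaxExtentSparse"\n'
                     'RW 4192256 SPARSE "disk-s001.vmdk"\nRW 4192256 SPARSE "disk-s002.vmdk"\n')
```

An "unknown" result on a real image is the case to look at first: it is what a BitLocker-encrypted device or a still-compressed VMDK looks like to TSK at sector 0.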

yassoudsec commented 4 years ago

Hello,

I did the conversion and imported the image.raw into Autopsy, and I saw 3 volumes with one allocated, so I can see disk information. I think that's good; I'm going to do my investigation on this in order to find IOCs.

Thanks


Queyul commented 4 years ago

I have the same problem with VMDK files (3 different ones). But I think I've found what's wrong. When I store the VMDK file on a USB drive, I can open it with Autopsy 4.15 without problem.

But when I store the files on a BitLocker-protected external USB drive, the files don't open anymore; I get the same error message: Cannot determine file system type (Sector offset: 0).

Note that the same file on the BitLocker external drive can be opened without problem with another forensic tool.

bcarrier commented 4 years ago

@Queyul : In your case, what did you add as the data source? The USB device?

With something like BitLocker and a live device (i.e. a USB), you need to specify the drive letter (i.e. E:) since that is post-BitLocker decryption.

yassoudsec commented 4 years ago

Hello, I come back with another problem, that is how to find IOCs (Indicators of Compromise) in Autopsy and Volatility investigations.

Thanks for your help.
