sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Can't open unrecognized image in autopsy #900

Open kefir- opened 9 years ago

kefir- commented 9 years ago

If I have an image that isn't recognised at offset 0, autopsy refuses adding the image to my case. To reproduce I create 3 quick sample images:

    dd if=/dev/zero of=fs.dd bs=1MB count=2
    mkfs -t ext4 fs.dd
    dd if=/dev/zero of=blank.dd bs=1MB count=2
    cat blank.dd fs.dd > mixed.dd

Now I can add fs.dd to my case, but none of the other images. Both blank.dd and mixed.dd give the error:

  • Failed to add data source (critical errors encountered). Click below to view the log.

and the log:

Errors occurred while ingesting image

  1. Cannot determine file system type (Sector offset: 0)

I would prefer for an image like this to be processed as an unallocated disk block, so that I can search it for strings, partitions, filesystems or files.
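Added example, not part of the original comment and not Autopsy or Sleuth Kit code: one way to locate an ext2/3/4 file system inside an image such as mixed.dd by scanning for the primary superblock magic. With GNU dd, `bs=1MB` is 1,000,000 bytes, so the file system in mixed.dd starts at byte 2,000,000, which is not a multiple of 512; the scan therefore works on byte offsets. The function names and the in-memory sample are assumptions made for this sketch.

```python
import mmap
import struct

SB_OFFSET = 1024          # primary superblock starts 1024 bytes into the file system
MAGIC_OFF = 0x38          # s_magic within the superblock
GROUP_OFF = 0x5A          # s_block_group_nr: 0 for the primary superblock
EXT_MAGIC = b"\x53\xef"   # 0xEF53 stored little-endian


def find_ext_filesystems(data):
    """Return [(fs_start, block_size, block_count)] for plausible primary ext superblocks."""
    hits = []
    pos = data.find(EXT_MAGIC)
    while pos != -1:
        sb_start = pos - MAGIC_OFF
        fs_start = sb_start - SB_OFFSET
        if fs_start >= 0 and sb_start + GROUP_OFF + 2 <= len(data):
            blocks, = struct.unpack_from("<I", data, sb_start + 0x04)   # s_blocks_count_lo
            log_bs, = struct.unpack_from("<I", data, sb_start + 0x18)   # s_log_block_size
            group_nr, = struct.unpack_from("<H", data, sb_start + GROUP_OFF)
            # Sanity checks drop random 0x53 0xEF byte pairs and backup superblocks.
            if blocks > 0 and log_bs <= 6 and group_nr == 0:
                hits.append((fs_start, 1024 << log_bs, blocks))
        pos = data.find(EXT_MAGIC, pos + 1)
    return hits


def scan_image(path):
    """Scan a raw image file on disk without reading it all into memory."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return find_ext_filesystems(m)


def make_sample():
    """Constructed stand-in for mixed.dd: 2,000,000 zero bytes, then a minimal fake superblock."""
    fs = bytearray(2_000_000)
    struct.pack_into("<I", fs, SB_OFFSET + 0x04, 1953)         # constructed block count
    struct.pack_into("<H", fs, SB_OFFSET + MAGIC_OFF, 0xEF53)  # magic; log_bs stays 0 (1 KiB blocks)
    return bytes(2_000_000) + bytes(fs)


if __name__ == "__main__":
    for start, bsize, count in find_ext_filesystems(make_sample()):
        print(f"ext superblock: fs starts at byte {start}, {count} blocks of {bsize} bytes")
```

For a real raw image, call `scan_image("mixed.dd")`; an all-zero image such as blank.dd returns an empty list.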

BitSniffing commented 9 years ago

This happened to me as well, but I was able to load the forensic image as a logical file and was then able to perform the searches that you state.

kefir- commented 9 years ago

That's true, but it gets cumbersome for split images and ewf images.

BitSniffing commented 9 years ago

I can see how that would be.