tsk_recover whole dd image

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

tsk_recover whole dd image

sleuthkit
Hi,
I am using version 4.2.0 of TSK and I am trying to recover all files from an image. For testing purposes I am using the image from http://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html
Unfortunately it is not working. I run "tsk_recover -v -e -i raw wip/image.dd recovered/" and get the following output:

tsk_img_open: Type: 1   NumImg: 1  Img1: wip/image.dd
tsk_img_findFiles: wip/image.dd found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0  size: 21474836480  max offset: 21474836480  path: wip/image.dd
fsopen: Auto detection mode at offset 0
raw_read: byte offset: 0 len: 65536
raw_read: found in image 0 relative offset: 0 len: 65536
raw_read_segment: opening file into slot 0: wip/image.dd
ntfs_open: invalid sector size: 190
fatxxfs_open: Invalid sector size (190)
exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm (190), not in range (9 - 12)
fatxxfs_open: Invalid sector size (190)
ext2fs_open: invalid magic
raw_read: byte offset: 65536 len: 65536
raw_read: found in image 0 relative offset: 65536 len: 65536
ufs_open: Trying 256KB UFS2 location
raw_read: byte offset: 262144 len: 65536
raw_read: found in image 0 relative offset: 262144 len: 65536
ufs_open: Trying UFS1 location
ufs_open: No UFS magic found
raw_read: byte offset: 156160 len: 65536
raw_read: found in image 0 relative offset: 156160 len: 65536
raw_read: byte offset: 426496 len: 65536
raw_read: found in image 0 relative offset: 426496 len: 65536
raw_read: byte offset: 561664 len: 65536
raw_read: found in image 0 relative offset: 561664 len: 65536
raw_read: byte offset: 696832 len: 65536
raw_read: found in image 0 relative offset: 696832 len: 65536
raw_read: byte offset: 832000 len: 65536
raw_read: found in image 0 relative offset: 832000 len: 65536
raw_read: byte offset: 967168 len: 65536
raw_read: found in image 0 relative offset: 967168 len: 65536
raw_read: byte offset: 1102336 len: 65536
raw_read: found in image 0 relative offset: 1102336 len: 65536
raw_read: byte offset: 1083392 len: 65536
raw_read: found in image 0 relative offset: 1083392 len: 65536
raw_read: byte offset: 1237504 len: 65536
raw_read: found in image 0 relative offset: 1237504 len: 65536
raw_read: byte offset: 1218560 len: 65536
raw_read: found in image 0 relative offset: 1218560 len: 65536
raw_read: byte offset: 1372672 len: 65536
raw_read: found in image 0 relative offset: 1372672 len: 65536
raw_read: byte offset: 1507840 len: 65536
raw_read: found in image 0 relative offset: 1507840 len: 65536
raw_read: byte offset: 1643008 len: 65536
raw_read: found in image 0 relative offset: 1643008 len: 65536
raw_read: byte offset: 1778176 len: 65536
raw_read: found in image 0 relative offset: 1778176 len: 65536
raw_read: byte offset: 1913344 len: 65536
raw_read: found in image 0 relative offset: 1913344 len: 65536
raw_read: byte offset: 2048512 len: 65536
raw_read: found in image 0 relative offset: 2048512 len: 65536
raw_read: byte offset: 2183680 len: 65536
raw_read: found in image 0 relative offset: 2183680 len: 65536
raw_read: byte offset: 2318848 len: 65536
raw_read: found in image 0 relative offset: 2318848 len: 65536
raw_read: byte offset: 2454016 len: 65536
raw_read: found in image 0 relative offset: 2454016 len: 65536
raw_read: byte offset: 2589184 len: 65536
raw_read: found in image 0 relative offset: 2589184 len: 65536
raw_read: byte offset: 2724352 len: 65536
raw_read: found in image 0 relative offset: 2724352 len: 65536
raw_read: byte offset: 2859520 len: 65536
raw_read: found in image 0 relative offset: 2859520 len: 65536
raw_read: byte offset: 2994688 len: 65536
raw_read: found in image 0 relative offset: 2994688 len: 65536
raw_read: byte offset: 3129856 len: 65536
raw_read: found in image 0 relative offset: 3129856 len: 65536
raw_read: byte offset: 3265024 len: 65536
raw_read: found in image 0 relative offset: 3265024 len: 65536
raw_read: byte offset: 3400192 len: 65536
raw_read: found in image 0 relative offset: 3400192 len: 65536
raw_read: byte offset: 3535360 len: 65536
raw_read: found in image 0 relative offset: 3535360 len: 65536
raw_read: byte offset: 3670528 len: 65536
raw_read: found in image 0 relative offset: 3670528 len: 65536
raw_read: byte offset: 3805696 len: 65536
raw_read: found in image 0 relative offset: 3805696 len: 65536
raw_read: byte offset: 3940864 len: 65536
raw_read: found in image 0 relative offset: 3940864 len: 65536
raw_read: byte offset: 4076032 len: 65536
raw_read: found in image 0 relative offset: 4076032 len: 65536
raw_read: byte offset: 4211200 len: 65536
raw_read: found in image 0 relative offset: 4211200 len: 65536
raw_read: byte offset: 4346368 len: 65536
raw_read: found in image 0 relative offset: 4346368 len: 65536
raw_read: byte offset: 4481536 len: 65536
raw_read: found in image 0 relative offset: 4481536 len: 65536
raw_read: byte offset: 4616704 len: 65536
raw_read: found in image 0 relative offset: 4616704 len: 65536
raw_read: byte offset: 4751872 len: 65536
raw_read: found in image 0 relative offset: 4751872 len: 65536
raw_read: byte offset: 4887040 len: 65536
raw_read: found in image 0 relative offset: 4887040 len: 65536
raw_read: byte offset: 5022208 len: 65536
raw_read: found in image 0 relative offset: 5022208 len: 65536
raw_read: byte offset: 5157376 len: 65536
raw_read: found in image 0 relative offset: 5157376 len: 65536
raw_read: byte offset: 5292544 len: 65536
raw_read: found in image 0 relative offset: 5292544 len: 65536
raw_read: byte offset: 5427712 len: 65536
raw_read: found in image 0 relative offset: 5427712 len: 65536
raw_read: byte offset: 5562880 len: 65536
raw_read: found in image 0 relative offset: 5562880 len: 65536
raw_read: byte offset: 5698048 len: 65536
raw_read: found in image 0 relative offset: 5698048 len: 65536
raw_read: byte offset: 5833216 len: 65536
raw_read: found in image 0 relative offset: 5833216 len: 65536
raw_read: byte offset: 5968384 len: 65536
raw_read: found in image 0 relative offset: 5968384 len: 65536
raw_read: byte offset: 6103552 len: 65536
raw_read: found in image 0 relative offset: 6103552 len: 65536
raw_read: byte offset: 6238720 len: 65536
raw_read: found in image 0 relative offset: 6238720 len: 65536
raw_read: byte offset: 6373888 len: 65536
raw_read: found in image 0 relative offset: 6373888 len: 65536
raw_read: byte offset: 6509056 len: 65536
raw_read: found in image 0 relative offset: 6509056 len: 65536
raw_read: byte offset: 6644224 len: 65536
raw_read: found in image 0 relative offset: 6644224 len: 65536
raw_read: byte offset: 6779392 len: 65536
raw_read: found in image 0 relative offset: 6779392 len: 65536
raw_read: byte offset: 6914560 len: 65536
raw_read: found in image 0 relative offset: 6914560 len: 65536
raw_read: byte offset: 7049728 len: 65536
raw_read: found in image 0 relative offset: 7049728 len: 65536
raw_read: byte offset: 7184896 len: 65536
raw_read: found in image 0 relative offset: 7184896 len: 65536
raw_read: byte offset: 7320064 len: 65536
raw_read: found in image 0 relative offset: 7320064 len: 65536
raw_read: byte offset: 7455232 len: 65536
raw_read: found in image 0 relative offset: 7455232 len: 65536
raw_read: byte offset: 7590400 len: 65536
raw_read: found in image 0 relative offset: 7590400 len: 65536
raw_read: byte offset: 7571456 len: 65536
raw_read: found in image 0 relative offset: 7571456 len: 65536
raw_read: byte offset: 7725568 len: 65536
raw_read: found in image 0 relative offset: 7725568 len: 65536
raw_read: byte offset: 7706624 len: 65536
raw_read: found in image 0 relative offset: 7706624 len: 65536
raw_read: byte offset: 7860736 len: 65536
raw_read: found in image 0 relative offset: 7860736 len: 65536
raw_read: byte offset: 7841792 len: 65536
raw_read: found in image 0 relative offset: 7841792 len: 65536
raw_read: byte offset: 7995904 len: 65536
raw_read: found in image 0 relative offset: 7995904 len: 65536
raw_read: byte offset: 7976960 len: 65536
raw_read: found in image 0 relative offset: 7976960 len: 65536
raw_read: byte offset: 8131072 len: 65536
raw_read: found in image 0 relative offset: 8131072 len: 65536
raw_read: byte offset: 8112128 len: 65536
raw_read: found in image 0 relative offset: 8112128 len: 65536
raw_read: byte offset: 8266240 len: 65536
raw_read: found in image 0 relative offset: 8266240 len: 65536
raw_read: byte offset: 8247296 len: 65536
raw_read: found in image 0 relative offset: 8247296 len: 65536
raw_read: byte offset: 8401408 len: 65536
raw_read: found in image 0 relative offset: 8401408 len: 65536
raw_read: byte offset: 8382464 len: 65536
raw_read: found in image 0 relative offset: 8382464 len: 65536
raw_read: byte offset: 8536576 len: 65536
raw_read: found in image 0 relative offset: 8536576 len: 65536
raw_read: byte offset: 8517632 len: 65536
raw_read: found in image 0 relative offset: 8517632 len: 65536
yaffsfs_open: could not find valid spare area format
See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
raw_read: byte offset: 1024 len: 65536
raw_read: found in image 0 relative offset: 1024 len: 65536
iso9660_open img_info: 139756571050000 ftype: 2048 test: 1
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 16-byte pre-block size
fs_prepost_read: Mapped 32768 to 37648
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
Trying RAW ISO9660 with 24-byte pre-block size
fs_prepost_read: Mapped 32768 to 37656
iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
iso9660_open: Error loading volume descriptor
Cannot determine file system type (Sector offset: 0)Files Recovered: 0

mmls gave me:

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)
004:  -------   0041940992   0041943039   0000002048   Unallocated

So can you help me please how to get it working?

Kind regards

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
Reply | Threaded
Open this post in threaded view
|

Re: tsk_recover whole dd image

Derrick Karpo
Hello.

What happens if you run it against a single partition with an offset,
and force the sector size like this?

  `tsk_recover -v -e -i raw -o 206848 -b 512 wip/image.dd recovered'

Derrick


On Tue, Nov 24, 2015 at 2:05 AM,  <[hidden email]> wrote:

> Hi,
> I am using version 4.2.0 of TSK and I am trying to recover all files from an image. For testing purposes I am using the image from http://www.cfreds.nist.gov/data_leakage_case/data-leakage-case.html
> Unfortunately it is not working. I run "tsk_recover -v -e -i raw wip/image.dd recovered/" and get the following output:
>
> tsk_img_open: Type: 1   NumImg: 1  Img1: wip/image.dd
> tsk_img_findFiles: wip/image.dd found
> tsk_img_findFiles: 1 total segments found
> raw_open: segment: 0  size: 21474836480  max offset: 21474836480  path: wip/image.dd
> fsopen: Auto detection mode at offset 0
> raw_read: byte offset: 0 len: 65536
> raw_read: found in image 0 relative offset: 0 len: 65536
> raw_read_segment: opening file into slot 0: wip/image.dd
> ntfs_open: invalid sector size: 190
> fatxxfs_open: Invalid sector size (190)
> exfatfs_get_fs_size_params: Invalid sector size base 2 logarithm (190), not in range (9 - 12)
> fatxxfs_open: Invalid sector size (190)
> ext2fs_open: invalid magic
> raw_read: byte offset: 65536 len: 65536
> raw_read: found in image 0 relative offset: 65536 len: 65536
> ufs_open: Trying 256KB UFS2 location
> raw_read: byte offset: 262144 len: 65536
> raw_read: found in image 0 relative offset: 262144 len: 65536
> ufs_open: Trying UFS1 location
> ufs_open: No UFS magic found
> raw_read: byte offset: 156160 len: 65536
> raw_read: found in image 0 relative offset: 156160 len: 65536
> raw_read: byte offset: 426496 len: 65536
> raw_read: found in image 0 relative offset: 426496 len: 65536
> raw_read: byte offset: 561664 len: 65536
> raw_read: found in image 0 relative offset: 561664 len: 65536
> raw_read: byte offset: 696832 len: 65536
> raw_read: found in image 0 relative offset: 696832 len: 65536
> raw_read: byte offset: 832000 len: 65536
> raw_read: found in image 0 relative offset: 832000 len: 65536
> raw_read: byte offset: 967168 len: 65536
> raw_read: found in image 0 relative offset: 967168 len: 65536
> raw_read: byte offset: 1102336 len: 65536
> raw_read: found in image 0 relative offset: 1102336 len: 65536
> raw_read: byte offset: 1083392 len: 65536
> raw_read: found in image 0 relative offset: 1083392 len: 65536
> raw_read: byte offset: 1237504 len: 65536
> raw_read: found in image 0 relative offset: 1237504 len: 65536
> raw_read: byte offset: 1218560 len: 65536
> raw_read: found in image 0 relative offset: 1218560 len: 65536
> raw_read: byte offset: 1372672 len: 65536
> raw_read: found in image 0 relative offset: 1372672 len: 65536
> raw_read: byte offset: 1507840 len: 65536
> raw_read: found in image 0 relative offset: 1507840 len: 65536
> raw_read: byte offset: 1643008 len: 65536
> raw_read: found in image 0 relative offset: 1643008 len: 65536
> raw_read: byte offset: 1778176 len: 65536
> raw_read: found in image 0 relative offset: 1778176 len: 65536
> raw_read: byte offset: 1913344 len: 65536
> raw_read: found in image 0 relative offset: 1913344 len: 65536
> raw_read: byte offset: 2048512 len: 65536
> raw_read: found in image 0 relative offset: 2048512 len: 65536
> raw_read: byte offset: 2183680 len: 65536
> raw_read: found in image 0 relative offset: 2183680 len: 65536
> raw_read: byte offset: 2318848 len: 65536
> raw_read: found in image 0 relative offset: 2318848 len: 65536
> raw_read: byte offset: 2454016 len: 65536
> raw_read: found in image 0 relative offset: 2454016 len: 65536
> raw_read: byte offset: 2589184 len: 65536
> raw_read: found in image 0 relative offset: 2589184 len: 65536
> raw_read: byte offset: 2724352 len: 65536
> raw_read: found in image 0 relative offset: 2724352 len: 65536
> raw_read: byte offset: 2859520 len: 65536
> raw_read: found in image 0 relative offset: 2859520 len: 65536
> raw_read: byte offset: 2994688 len: 65536
> raw_read: found in image 0 relative offset: 2994688 len: 65536
> raw_read: byte offset: 3129856 len: 65536
> raw_read: found in image 0 relative offset: 3129856 len: 65536
> raw_read: byte offset: 3265024 len: 65536
> raw_read: found in image 0 relative offset: 3265024 len: 65536
> raw_read: byte offset: 3400192 len: 65536
> raw_read: found in image 0 relative offset: 3400192 len: 65536
> raw_read: byte offset: 3535360 len: 65536
> raw_read: found in image 0 relative offset: 3535360 len: 65536
> raw_read: byte offset: 3670528 len: 65536
> raw_read: found in image 0 relative offset: 3670528 len: 65536
> raw_read: byte offset: 3805696 len: 65536
> raw_read: found in image 0 relative offset: 3805696 len: 65536
> raw_read: byte offset: 3940864 len: 65536
> raw_read: found in image 0 relative offset: 3940864 len: 65536
> raw_read: byte offset: 4076032 len: 65536
> raw_read: found in image 0 relative offset: 4076032 len: 65536
> raw_read: byte offset: 4211200 len: 65536
> raw_read: found in image 0 relative offset: 4211200 len: 65536
> raw_read: byte offset: 4346368 len: 65536
> raw_read: found in image 0 relative offset: 4346368 len: 65536
> raw_read: byte offset: 4481536 len: 65536
> raw_read: found in image 0 relative offset: 4481536 len: 65536
> raw_read: byte offset: 4616704 len: 65536
> raw_read: found in image 0 relative offset: 4616704 len: 65536
> raw_read: byte offset: 4751872 len: 65536
> raw_read: found in image 0 relative offset: 4751872 len: 65536
> raw_read: byte offset: 4887040 len: 65536
> raw_read: found in image 0 relative offset: 4887040 len: 65536
> raw_read: byte offset: 5022208 len: 65536
> raw_read: found in image 0 relative offset: 5022208 len: 65536
> raw_read: byte offset: 5157376 len: 65536
> raw_read: found in image 0 relative offset: 5157376 len: 65536
> raw_read: byte offset: 5292544 len: 65536
> raw_read: found in image 0 relative offset: 5292544 len: 65536
> raw_read: byte offset: 5427712 len: 65536
> raw_read: found in image 0 relative offset: 5427712 len: 65536
> raw_read: byte offset: 5562880 len: 65536
> raw_read: found in image 0 relative offset: 5562880 len: 65536
> raw_read: byte offset: 5698048 len: 65536
> raw_read: found in image 0 relative offset: 5698048 len: 65536
> raw_read: byte offset: 5833216 len: 65536
> raw_read: found in image 0 relative offset: 5833216 len: 65536
> raw_read: byte offset: 5968384 len: 65536
> raw_read: found in image 0 relative offset: 5968384 len: 65536
> raw_read: byte offset: 6103552 len: 65536
> raw_read: found in image 0 relative offset: 6103552 len: 65536
> raw_read: byte offset: 6238720 len: 65536
> raw_read: found in image 0 relative offset: 6238720 len: 65536
> raw_read: byte offset: 6373888 len: 65536
> raw_read: found in image 0 relative offset: 6373888 len: 65536
> raw_read: byte offset: 6509056 len: 65536
> raw_read: found in image 0 relative offset: 6509056 len: 65536
> raw_read: byte offset: 6644224 len: 65536
> raw_read: found in image 0 relative offset: 6644224 len: 65536
> raw_read: byte offset: 6779392 len: 65536
> raw_read: found in image 0 relative offset: 6779392 len: 65536
> raw_read: byte offset: 6914560 len: 65536
> raw_read: found in image 0 relative offset: 6914560 len: 65536
> raw_read: byte offset: 7049728 len: 65536
> raw_read: found in image 0 relative offset: 7049728 len: 65536
> raw_read: byte offset: 7184896 len: 65536
> raw_read: found in image 0 relative offset: 7184896 len: 65536
> raw_read: byte offset: 7320064 len: 65536
> raw_read: found in image 0 relative offset: 7320064 len: 65536
> raw_read: byte offset: 7455232 len: 65536
> raw_read: found in image 0 relative offset: 7455232 len: 65536
> raw_read: byte offset: 7590400 len: 65536
> raw_read: found in image 0 relative offset: 7590400 len: 65536
> raw_read: byte offset: 7571456 len: 65536
> raw_read: found in image 0 relative offset: 7571456 len: 65536
> raw_read: byte offset: 7725568 len: 65536
> raw_read: found in image 0 relative offset: 7725568 len: 65536
> raw_read: byte offset: 7706624 len: 65536
> raw_read: found in image 0 relative offset: 7706624 len: 65536
> raw_read: byte offset: 7860736 len: 65536
> raw_read: found in image 0 relative offset: 7860736 len: 65536
> raw_read: byte offset: 7841792 len: 65536
> raw_read: found in image 0 relative offset: 7841792 len: 65536
> raw_read: byte offset: 7995904 len: 65536
> raw_read: found in image 0 relative offset: 7995904 len: 65536
> raw_read: byte offset: 7976960 len: 65536
> raw_read: found in image 0 relative offset: 7976960 len: 65536
> raw_read: byte offset: 8131072 len: 65536
> raw_read: found in image 0 relative offset: 8131072 len: 65536
> raw_read: byte offset: 8112128 len: 65536
> raw_read: found in image 0 relative offset: 8112128 len: 65536
> raw_read: byte offset: 8266240 len: 65536
> raw_read: found in image 0 relative offset: 8266240 len: 65536
> raw_read: byte offset: 8247296 len: 65536
> raw_read: found in image 0 relative offset: 8247296 len: 65536
> raw_read: byte offset: 8401408 len: 65536
> raw_read: found in image 0 relative offset: 8401408 len: 65536
> raw_read: byte offset: 8382464 len: 65536
> raw_read: found in image 0 relative offset: 8382464 len: 65536
> raw_read: byte offset: 8536576 len: 65536
> raw_read: found in image 0 relative offset: 8536576 len: 65536
> raw_read: byte offset: 8517632 len: 65536
> raw_read: found in image 0 relative offset: 8517632 len: 65536
> yaffsfs_open: could not find valid spare area format
> See http://wiki.sleuthkit.org/index.php?title=YAFFS2 for help on Yaffs2 configuration
> raw_read: byte offset: 1024 len: 65536
> raw_read: found in image 0 relative offset: 1024 len: 65536
> iso9660_open img_info: 139756571050000 ftype: 2048 test: 1
> iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
> Trying RAW ISO9660 with 16-byte pre-block size
> fs_prepost_read: Mapped 32768 to 37648
> iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
> Trying RAW ISO9660 with 24-byte pre-block size
> fs_prepost_read: Mapped 32768 to 37656
> iso_load_vol_desc: Bad volume descriptor: Magic number is not CD001
> iso9660_open: Error loading volume descriptor
> Cannot determine file system type (Sector offset: 0)Files Recovered: 0
>
> mmls gave me:
>
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>       Slot      Start        End          Length       Description
> 000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
> 001:  -------   0000000000   0000002047   0000002048   Unallocated
> 002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
> 003:  000:001   0000206848   0041940991   0041734144   NTFS / exFAT (0x07)
> 004:  -------   0041940992   0041943039   0000002048   Unallocated
>
> So can you help me please how to get it working?
>
> Kind regards
>
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
Reply | Threaded
Open this post in threaded view
|

Re: tsk_recover whole dd image

sleuthkit
In reply to this post by sleuthkit
This command runs fine. Good so far, but I want to automate the whole process, so just giving the image as argument should be enough so that all partitions are processed.

-----Original message-----
Sent: Tuesday, 24 November 2015 at 14:34:04
From: "Derrick Karpo" <[hidden email]>
To: [hidden email]
Subject: Re: [sleuthkit-users] tsk_recover whole dd image
Hello.

What happens if you run it against a single partition with an offset,
and force the sector size like this?

  `tsk_recover -v -e -i raw -o 206848 -b 512 wip/image.dd recovered'

Derrick

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
Reply | Threaded
Open this post in threaded view
|

Re: tsk_recover whole dd image

Derrick Karpo
Hello.

What happens when you run it without the offset, but leave the sector size?

Derrick


On Tue, Nov 24, 2015 at 7:03 AM,  <[hidden email]> wrote:

> This command runs fine. Good so far, but I want to automate the whole process, so just giving the image as argument should be enough so that all partitions are processed.
>
> -----Original message-----
> Sent: Tuesday, 24 November 2015 at 14:34:04
> From: "Derrick Karpo" <[hidden email]>
> To: [hidden email]
> Subject: Re: [sleuthkit-users] tsk_recover whole dd image
> Hello.
>
> What happens if you run it against a single partition with an offset,
> and force the sector size like this?
>
>   `tsk_recover -v -e -i raw -o 206848 -b 512 wip/image.dd recovered'
>
> Derrick
>
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
Reply | Threaded
Open this post in threaded view
|

Re: tsk_recover whole dd image

sleuthkit
In reply to this post by sleuthkit
Without specifying the offset I get the same output as before.
Thanks Nanni, I will have a look at this.

>-----Original message-----
>Sent: Tuesday, 24 November 2015 at 17:15:14
>From: "Derrick Karpo" <[hidden email]>
>To: [hidden email]
>Subject: Re: [sleuthkit-users] tsk_recover whole dd image
>Hello.
>
>What happens when you run it without the offset, but leave the sector size?
>
>Derrick
>

------------------------------------------------------------------------------
Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741551&iu=/4140
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org