Cannot Determine File System

Postby peace » Mon May 02, 2016 9:57 pm

I added an e01 file containing an image of a 3TB drive with a single volume formatted NTFS. Autopsy 4.0.0 reported an error "cannot determine file system type (sector offset:2048, partition type: NTFS / exFAT (0x07)." I am able to open the same image with FTK, Encase, and X-Ways without any issue. I also inspected sector 2048 (see the link). Do you have a suggested fix?

https://onedrive.live.com/redir?resid=F4C063607C712F84!131&authkey=!ANTr3KbrtyZv_Tk&v=3&ithint=photo%2cPNG
peace
 
Posts: 1
Joined: Mon May 02, 2016 9:47 pm

Re: Cannot Determine File System

Postby lfcnassif » Mon Jun 13, 2016 7:03 pm

Hi,

That issue used to happen with NTFS volumes larger than 2TB. It was resolved recently on the develop branch of sleuthkit.

Luis Nassif
lfcnassif
 
Posts: 1
Joined: Mon Jun 13, 2016 6:50 pm
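The error in the first post names the two structures Autopsy read before giving up: the partition entry (type 0x07, starting at sector 2048) and the NTFS boot sector at that offset, and the reply above ties the failure to volumes over 2TB. The Python below is an added example, not code from Autopsy or The Sleuth Kit, that walks the same path on a constructed raw image: it parses the MBR, reads the boot sector at the partition's start LBA, and reports the 64-bit TotalSectors field together with whether it exceeds 2^32 sectors, which at 512 bytes per sector is exactly 2 TiB. Field offsets are the standard MBR and NTFS layouts; the image contents and the 3 TB sector count are constructed, the example reads raw images only (E01 would need libewf), and it does not claim to show what the sleuthkit fix was.

```python
import struct

SECTOR_SIZE = 512
MBR_TYPE_NTFS_EXFAT = 0x07          # the "NTFS / exFAT (0x07)" type in the Autopsy message
MAX_32BIT_SECTORS = 0xFFFFFFFF      # 2^32 sectors of 512 bytes is the 2 TiB boundary


def build_mbr(part_type, start_lba, length_sectors):
    """Constructed MBR with a single primary partition entry (sample data, not a real drive)."""
    mbr = bytearray(SECTOR_SIZE)
    e = 0x1BE                                            # first of four 16-byte entries
    mbr[e] = 0x80                                        # active flag
    mbr[e + 4] = part_type
    struct.pack_into("<I", mbr, e + 8, start_lba)        # start LBA, 32-bit
    struct.pack_into("<I", mbr, e + 12, length_sectors)  # length in sectors, 32-bit
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def build_ntfs_boot_sector(total_sectors, bytes_per_sector=512, sectors_per_cluster=8):
    """Constructed NTFS boot sector carrying the BPB fields a detector reads (sample data)."""
    b = bytearray(SECTOR_SIZE)
    b[3:11] = b"NTFS    "                            # OEM ID
    struct.pack_into("<H", b, 0x0B, bytes_per_sector)
    b[0x0D] = sectors_per_cluster
    b[0x15] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<Q", b, 0x28, total_sectors)   # TotalSectors: a 64-bit field
    struct.pack_into("<Q", b, 0x30, 786432)          # $MFT start cluster
    struct.pack_into("<Q", b, 0x38, 2)               # $MFTMirr start cluster
    b[0x1FE:0x200] = b"\x55\xAA"
    return bytes(b)


def parse_mbr(sector):
    """Return the non-empty partition entries of an MBR sector."""
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA signature in MBR")
    entries = []
    for i in range(4):
        e = 0x1BE + 16 * i
        if sector[e + 4] == 0:
            continue
        start, length = struct.unpack_from("<II", sector, e + 8)
        entries.append({"type": sector[e + 4], "start_lba": start, "length": length})
    return entries


def parse_ntfs_boot_sector(sector):
    """Return the volume geometry, or raise ValueError if this is not an NTFS boot sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("short read at boot sector")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bps, = struct.unpack_from("<H", sector, 0x0B)
    spc = sector[0x0D]
    total_sectors, mft_cluster = struct.unpack_from("<QQ", sector, 0x28)
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or total_sectors == 0:
        raise ValueError("implausible BPB values")
    cluster_bytes = bps * spc
    return {
        "bytes_per_sector": bps,
        "cluster_bytes": cluster_bytes,
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bps,
        "mft_offset": mft_cluster * cluster_bytes,
        # Past this count the volume cannot be described by any 32-bit sector field.
        "exceeds_32bit_sector_count": total_sectors > MAX_32BIT_SECTORS,
    }


def inspect_image(image):
    """Follow the MBR to each type-0x07 partition and parse the NTFS boot sector there."""
    found = []
    for p in parse_mbr(image[:SECTOR_SIZE]):
        if p["type"] != MBR_TYPE_NTFS_EXFAT:
            continue
        off = p["start_lba"] * SECTOR_SIZE
        info = parse_ntfs_boot_sector(image[off:off + SECTOR_SIZE])
        info["sector_offset"] = p["start_lba"]
        # The MBR length is 32-bit, so a volume past 2 TiB can never agree with it.
        info["mbr_length_matches"] = p["length"] == info["total_sectors"]
        found.append(info)
    return found


def build_sample_image(total_sectors, start_lba=2048):
    """Constructed image: MBR at LBA 0, NTFS boot sector at start_lba, zeros in between."""
    image = bytearray(SECTOR_SIZE * (start_lba + 1))
    image[:SECTOR_SIZE] = build_mbr(MBR_TYPE_NTFS_EXFAT, start_lba,
                                    min(total_sectors, MAX_32BIT_SECTORS))
    image[start_lba * SECTOR_SIZE:] = build_ntfs_boot_sector(total_sectors)
    return bytes(image)


if __name__ == "__main__":
    # Roughly a 3 TB drive in 512-byte sectors (constructed figure).
    for info in inspect_image(build_sample_image(5_860_533_168)):
        print(info)
```

Against a real raw image, replace `build_sample_image(...)` with the file's bytes (or a memory map of it); the `exceeds_32bit_sector_count` and `mbr_length_matches` flags are the two things worth recording when a tool rejects a volume that other tools open, because they tell you whether the volume sits past the 2 TiB boundary and whether the partition table can even describe it.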

Re: Cannot Determine File System

Postby jdittamo » Mon Jan 16, 2017 1:04 pm

I have the same problem on a 2TB volume. Where is this develop branch so that I may get past this problem?
jdittamo
 
Posts: 2
Joined: Mon Jan 16, 2017 12:30 pm

Re: Cannot Determine File System

Postby luma142 » Sat Mar 11, 2017 12:58 pm

Hello,

I am dealing with a system with the following drive setup:

2 drives - RAID 0 holding the OS ("OS drive")
2 drives - RAID 0 holding data ("data drive")

I am having a similar issue to the OP's. The only twist is that the E01 I am adding to Autopsy is the result of rebuilding a RAID 0 configuration out of two 1TB E01 files (listed above). I used OSForensics to create the E01. This particular configuration represents the "data" drive from a machine.

The interesting thing is that I successfully added an E01 of the OS drive from the same machine referenced above. As you can see, there are two drives configured as RAID 0 holding the OS. I used OSForensics to create the rebuilt E01 file. Autopsy is the only tool that will detect the file system for this E01. I used OSForensics to rebuild the OS drive as well; that one loads into Autopsy.

Back to my original problem above: Autopsy won't detect the filesystem when I add the E01 of the data drive. Anyone with thoughts? FTK Imager sees the data drive with no tree displayed and labels the format of the volume HPNTFS. EnCase won't recognize the drive at all. Thanks in advance for the help.
luma142
 
Posts: 3
Joined: Sat Mar 11, 2017 12:32 pm

Re: Cannot Determine File System

Postby Hoyt » Sat Mar 11, 2017 3:39 pm

Which file system(s) were those arrays formatted with? Also, what created those arrays and was the same method used both times? In other words, are either of these Linux md volumes, hardware, or something else? If something else, what? Further, how did the original machine mount/use the Data array? Was LVM used? Do you know for sure what was included in the LVM or how it was divided? How "forensic" do you need your solution to be? Will it matter if LVM updates initialization records, etc.?

I'm asking a lot of questions, but these circumstances can become non-trivial really quick. I'd abandon expectation that you'll find a tool that will "just work" in this situation. One thing I'd suggest right away is that if you're not currently in the habit of keeping a journal, this is a good time to start. You'll want to remember how you did all this if you ever have to go down this rabbit hole again. Murphy's always watching.

Hoyt
Hoyt
 
Posts: 61
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR

Re: Cannot Determine File System

Postby luma142 » Sun Mar 12, 2017 12:42 pm

Hi Hoyt,

Thank you for taking a look at my post.

Let me start by saying that the BIOS has the SATA configuration set to "RAID". I did not set the configuration, nor did I build the system. The system was acquired from the owner, and I am not able to obtain information about the system from the owner. The only thing I was told was that the OS is made up of two drives in a RAID 0 configuration, and the data drive is made up of two drives in a RAID 0 configuration.

If I use the OS RAID as a basis for the rest of the problem solving, I can say that OSForensics reports the OS volume as NTFS, and Intel Rapid Storage matrix is associated with the configuration. The striping is in the six-thousand range (I do not have the exact number in front of me at the moment).

As I mentioned before, each disk was imaged to an E01 format. Let me add that I used Tableau imager software 1.2.0 to create the E01. If I use EWFINFO against any of the images, EWF version 3 is returned.

With respect to the "data drive", OSForensics detects one volume for each of the E01s when I load it into the software to attempt a RAID rebuild. I even tried loading each of the data drive E01s in different orders to see if that makes a difference (silly, though, but I had to try it nevertheless).

I have to be VERY forensic in solving my issue. I have even attempted to use a boot disk (Paladin) to try imaging the data drive RAID after it is detected by the system as a RAID volume. This hasn't worked either, unless I have to put all four disks (both sets of RAID volumes) back into the computer and boot up that way. I'm not sure if the motherboard needs all four disks to detect the data drive for what it is.

I am very close to trying X-Ways on the off chance it will allow me to configure the E01s for a successful RAID rebuild.

I am keeping very close track of my steps to date.

Please let me know if you have any thoughts. I originally posted here, because I thought I may have to add something to Autopsy to detect the raid rebuild (or something of that nature).

Thanks again Hoyt.

-Luis
luma142
 
Posts: 3
Joined: Sat Mar 11, 2017 12:32 pm
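For the RAID 0 rebuild described in this post: a RAID 0 logical volume is the member images interleaved stripe by stripe in a fixed order, so the unknowns are the stripe size and the member order, and the post's approach of trying different orders can be automated, provided the check that decides "this layout is right" looks at more than one on-disk structure. The Python below is an added example, not OSForensics or Autopsy code. It constructs a small logical volume with an NTFS boot sector at LBA 2048 and an $MFT record where that boot sector says it is, splits it into two members with a 64 KiB stripe (a constructed value; the post gives no exact figure), then tries every member order and candidate stripe size. Several wrong layouts still place the boot sector correctly, because LBA 2048 lies on a stripe boundary for all of them; only the second structure, the FILE record at the $MFT location, singles out the real layout. It works on raw member images; reading E01s needs libewf, which is not used here.

```python
import itertools
import struct

SECTOR = 512
VOLUME_START_LBA = 2048          # the partition start from the first post's error message


def split_raid0(volume, stripe_size, n_members):
    """Inverse of a RAID 0 layout, used only to build the sample: deal stripes round-robin."""
    members = [bytearray() for _ in range(n_members)]
    for idx, off in enumerate(range(0, len(volume), stripe_size)):
        members[idx % n_members] += volume[off:off + stripe_size]
    return [bytes(m) for m in members]


def rebuild_raid0(members, stripe_size):
    """Interleave the member images stripe by stripe, in the order given."""
    if len({len(m) for m in members}) != 1:
        raise ValueError("RAID 0 members must be the same size")
    if len(members[0]) % stripe_size:
        raise ValueError("member size is not a whole number of stripes")
    out = bytearray()
    for off in range(0, len(members[0]), stripe_size):
        for m in members:
            out += m[off:off + stripe_size]
    return bytes(out)


def ntfs_structures_consistent(volume, start_lba=VOLUME_START_LBA):
    """Two independent checks: the boot sector, then the $MFT record it points at."""
    boot = volume[start_lba * SECTOR:(start_lba + 1) * SECTOR]
    if boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xAA":
        return False
    bps, = struct.unpack_from("<H", boot, 0x0B)
    cluster_bytes = bps * boot[0x0D]
    mft_cluster, = struct.unpack_from("<Q", boot, 0x30)
    mft = start_lba * SECTOR + mft_cluster * cluster_bytes
    return volume[mft:mft + 4] == b"FILE"        # signature that opens every MFT record


def find_raid0_layout(members, candidate_stripes, check=ntfs_structures_consistent):
    """Try every member order and stripe size; return the (stripe, order) pairs that pass."""
    hits = []
    for stripe in candidate_stripes:
        for order in itertools.permutations(range(len(members))):
            if check(rebuild_raid0([members[i] for i in order], stripe)):
                hits.append((stripe, order))
    return hits


def build_sample_volume(size=4 * 1024 * 1024, mft_cluster=17):
    """Constructed logical volume: filler pattern, NTFS boot sector at LBA 2048, $MFT after it."""
    vol = bytearray(bytes(range(256)) * (size // 256))
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<H", boot, 0x0B, 512)          # bytes per sector
    boot[0x0D] = 8                                   # sectors per cluster -> 4 KiB clusters
    struct.pack_into("<Q", boot, 0x30, mft_cluster)  # $MFT start cluster
    boot[510:512] = b"\x55\xAA"
    start = VOLUME_START_LBA * SECTOR
    vol[start:start + SECTOR] = boot
    mft = start + mft_cluster * 4096
    vol[mft:mft + 4] = b"FILE"
    return bytes(vol)


if __name__ == "__main__":
    volume = build_sample_volume()
    members = split_raid0(volume, 64 * 1024, 2)       # constructed 64 KiB stripe
    # Only (65536, (0, 1)) survives both checks; 32 KiB and 128 KiB pass the boot sector alone.
    print(find_raid0_layout(members, [32 * 1024, 64 * 1024, 128 * 1024]))
```

The design point is the check function: one signature at one sector is satisfied by every layout that happens to agree at that offset, so a rebuild should be confirmed by a second structure whose location is derived from the first (here the $MFT record; on a real volume the $MFTMirr copy or the backup boot sector in the last sector are further candidates). The stripe size and order that pass are exactly the values to write into the journal Hoyt recommends, since they are what a second examiner needs to reproduce the rebuild.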

Re: Cannot Determine File System

Postby Hoyt » Mon Mar 13, 2017 5:48 pm

Ok, let's go a bit further then. What was the OS installed on the suspect machine? While you're at it, can you post as much information as you can about the hardware, i.e. make, model, BIOS version, etc.? You mentioned RAID settings in BIOS... is that motherboard BIOS or RAID card BIOS? That will help me and others determine what was possible/probable on the system to begin with.

Also, have you tried duplicating all four individual disks in an attempt to boot the rest of the hardware? Replacing the original evidence drives with working duplicates, then attempting to boot might be informative and worth the effort.

Hoyt
Hoyt
 
Posts: 61
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR

Re: Cannot Determine File System

Postby luma142 » Fri Mar 24, 2017 3:08 am

Good morning Hoyt,

I ultimately placed the original drives back into the machine, and booted from Paladin. I received no errors with respect to the member disks. Thank you for your help.
luma142
 
Posts: 3
Joined: Sat Mar 11, 2017 12:32 pm

