Error message "Can not Determine File System" when reading..


Post by Exactor » Sat Mar 04, 2017 5:22 pm

Hello,

I have the following problem: I cannot read a dd-created hard disk image in Autopsy 4.3.0. I keep getting the message "Can not Determine File System".

Some background on the facts.

I wanted to sort out some hard disks and wanted to wipe, or rather did wipe, the disks with the tool "DBAN - Darik's Boot and Nuke" (live CD). It was indeed very easy to disconnect my "normal" hard disk from the motherboard, but so far there had been no problems. But all of a sudden ... I just turned around and the tool had automatically selected the hard disk for some reason and started the data destruction. I immediately pulled the plug from the PC, but Windows 7 no longer starts. I then connected the disk via USB to another PC, but the disk is only displayed in RAW mode. For security reasons, I then created a disk image with Linux (dd) and wanted to restore the data using the TestDisk tool. At least I tried. The image can neither be mounted (mount) nor accessed. With foremost, scalpel, photo_rec, etc., certain data, such as pictures and music, can be read, but of course only with cryptic names. I have tried various tools and have found that, among others, the Hetman NTFS recovery and getbackdata can read the hard disk, (even) WITH directory structure.

The getbackdata program has been able to determine that an NTFS system is present as of sector 206.848. Further information can be found in the lower part of this post.

The programs, such as mmls, fls or fsstat, only display the error "Can not determine file system type".

I guess that the partition table is defective, because otherwise the above Windows programs could not recognize any data.

Now to the technical basic data:

It is a 320 GB hard drive from Samsung.


I would be very grateful for an idea or for guidance on data rescue. I am more or less a bloody beginner regarding Linux and data recovery.

Greetings from Germany


-------------------------------------------------- As shown in Fig.

CAPTURE 17.02.2017 19:56:24
File System Properties
File system: NTFS
Size: 298 GB
Location: Sector 206.848
Cluster0: Sector 206.848
Cluster size: 8 sectors
Phys. Sector size: 512 bytes
Total sectors: 624,932,863
Total clusters: 78.116.607
MFT cluster: 786.432
MFTMirr cluster: 2
MFT size: 1024 bytes
INDX size: 4096 bytes
# Mft: 0
Explicit Mft no: True
Bytes / sector: 512
Area: Ambiguous
Created:
Data matches / rel: 47/0
Source details: BB @ 625139711
Source: B1
Recovery tree: Tree NTFS, 866228 entries

As shown in Fig.

CAPTURE 17.02.2017 19:56:38
Recovery tree
Tree: NTFS, 866228 entries
Swap to: Memory
Total directories: 109,323
Total files: 747.941
Total size: 412.294.112.854
NTFS Volume: NTFS Volume at 206,848 (624,932,863 sectors)
RemoveList: nil

----------------------------------------------

CAPTURE 17.02.2017 19:56:56
NTFS volume
Drive: H: \ kali \ image.dat298 GB
Bytes per sector: 512
Sectors / cluster: 8
Cluster0: 206.848
Sectors in volume: 624.932.863
Clusters in volume: 78.116.607
BitMapFree: 0
Mft1stCluster: C0000
MftMirr1stCluster: 2
MftRecSize: 1024
IndexBufferSize: 4096
Area: Ambiguous
Secondaries: 945 secondary items, 0 keys

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

CAPTURE 16.02.2017 19:53:38
File System Properties
File system: NTFS
Size: 60.5 GB
Location: Sector 498.190.688
Cluster0: Sector 498.190.688
Cluster size: 8 sectors
Phys. Sector size: 512 bytes
Total sectors: 126.951.760
Total clusters: 15.868.970
MFT cluster: 786.432
MFTMirr cluster: 2
MFT size: 1024 bytes
INDX size: 4096 bytes
# Mft: 0
Explicit Mft no: True
Bytes / sector: 512
Area: Mft
Created: January 12, 2013 13:20:40
Data matches / rel: 5/0
Source details: M @ 504482144
Source: M1
Recovery tree: Tree NTFS, 53879 entries

As shown in Fig.

CAPTURE 16.02.2017 19:53:48
Recovery tree
Tree: NTFS, 53879 entries
Swap to: Memory
Total directories: 11,717
Total files: 41.472
Total size: 14,790,507,577
NTFS volume: NTFS volume at 498,190,688 (126,951,760 sectors)
RemoveList: nil

-----------------------------------------

CAPTURE 16.02.2017 19:54:03
NTFS volume
Drive: H: \ kali \ image.dat298 GB
Bytes per sector: 512
Sectors / cluster: 8
Cluster0: 498.190.688
Sectors in volume: 126.951.760
Clusters in volume: 15.868.970
BitMapFree: 0
Mft1stCluster: C0000
MftMirr1stCluster: 2
MftRecSize: 1024
IndexBufferSize: 4096
Area: Mft
Secondaries: 372 secondary items, 0 keys
Exactor
 
Posts: 1
Joined: Sat Mar 04, 2017 4:38 pm
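
The captures above place an NTFS volume at sector 206.848 with 624.932.863 sectors, while fsstat finds no file system. The Python sketch below is an added illustration, not part of the original post or of Autopsy/The Sleuth Kit: it parses the NTFS boot sector at a given sector offset of a dd image and looks for the backup copy NTFS keeps at start + total sectors (206848 + 624932863 = 625139711, the sector listed under "Source details" in the first capture). The function names and the 40-sector sample image are constructed for the example.

```python
import io
import struct

SECTOR = 512

def parse_ntfs_boot_sector(sec):
    """Return the BPB fields if `sec` is an NTFS boot sector, else None."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sec, 0x28)
    rec = struct.unpack_from("<b", sec, 0x40)[0]
    if bps == 0 or spc == 0:
        return None
    # A negative value means the MFT record size is 2**abs(value) bytes.
    rec_size = 1 << -rec if rec < 0 else rec * spc * bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_cluster": mft_lcn,
            "mftmirr_cluster": mirr_lcn, "mft_record_size": rec_size}

def read_sector(img, lba):
    img.seek(lba * SECTOR)
    return img.read(SECTOR)

def check_volume(img, start, total_sectors=None):
    """Parse the boot sector at `start` and its backup at start + total_sectors.

    If the primary is wiped, pass the total reported by another tool so the
    backup can still be located.
    """
    primary = parse_ntfs_boot_sector(read_sector(img, start))
    if primary:
        total_sectors = primary["total_sectors"]
    backup_lba = None if total_sectors is None else start + total_sectors
    backup = None
    if backup_lba is not None:
        backup = parse_ntfs_boot_sector(read_sector(img, backup_lba))
    return {"primary": primary, "backup_lba": backup_lba, "backup": backup}

def make_sample_image():
    """Constructed 40-sector image: volume at sector 8, primary boot sector zeroed."""
    bs = bytearray(SECTOR)
    bs[0:3], bs[3:11], bs[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    struct.pack_into("<HB", bs, 0x0B, 512, 8)      # bytes/sector, sectors/cluster
    struct.pack_into("<QQQ", bs, 0x28, 31, 2, 1)   # total sectors, MFT, MFTMirr
    struct.pack_into("<b", bs, 0x40, -10)          # 2**10 = 1024-byte MFT records
    img = bytearray(40 * SECTOR)
    img[39 * SECTOR:40 * SECTOR] = bs              # backup survives at 8 + 31
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(check_volume(make_sample_image(), start=8, total_sectors=31))
```

Against the real image the call would be check_volume(open("image.dat", "rb"), 206848, 624932863), always on a copy of the dd image and never on the original disk.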

Re: Error message "Can not Determine File System" when readi

Post by Hoyt » Thu Mar 09, 2017 2:26 pm

Most likely DBAN starts at the first physical sector and works from there, which is why you don't find NTFS artifacts until after sector 206. Assuming that's true, you've wiped out all structures prior to that point, including your boot sector and structures critical to your file system. Since DBAN is a wiping program instead of one that merely deletes data, TestDisk can't help you. In your case, there is quite literally nothing to recover.

It sounds like you've carved the disk using PhotoRec. If you completed that process, then what you've recovered is all you're going to get. You'll have to start from scratch and re-name those files manually since DBAN wiped your MFT. Once you've gone through the long and arduous task of doing this, I highly recommend regular and consistent backups.

Hoyt
Hoyt Harness, CFCE
Hoyt
 
Posts: 74
Joined: Thu Dec 11, 2014 4:02 am
Location: Little Rock, AR

