FTK 1.71 error opening file system


Post Posted: Thu Dec 28, 2017 5:19 am

Hi,
I have successfully created a file image called "HD01.001" of an external USB Hard Disk with FTK Imager (ver.3.0.1.1467) using the option "Create Disk Image/Physical Drive".
When I try to open the image file "HD01.001" with FTK (Forensic Toolkit-FTK Version 1.71 build 07.06.22) during the "Add Evidence" phase I get the messages "Add Evidence Error - Error opening file system!" and, after one click, "Add Evidence Error - Could not add HD01\Part_1".
Why?
Can someone help me?
Thank you in advance.

Gian Piero Pasquali

PS: see my attachments on Dropbox:

HD01.001.txt (FTK Imager log file) - www.dropbox.com/s/eil8...1.txt?dl=0

Error1-ErrorOpening.jpg (screenshot 1st error message) - www.dropbox.com/s/msvs...g.jpg?dl=0

Error2-CouldNotAdd.jpg (screenshot 2nd error message) - www.dropbox.com/s/ixv7...d.jpg?dl=0

peoforum
Newbie

    Re: FTK 1.71 error opening file system

    Post Posted: Thu Dec 28, 2017 6:45 am

    - peoforum
    Could not add HD01\Part_1".


    That is the issue.

    For *some reasons* the FTK imager cannot parse the actual partition or the partition (actually filesystem) data.

    As a side note, at first sight that disk seems to have some malfunction, from your HD01.001.txt:
    2.930.272.256x512=1,500,299,395,072
    it is a 1.5 Tb (roughly) drive, yet it took:
    Acquisition started: Sat Dec 23 08:49:58 2017
    Acquisition finished: Wed Dec 27 11:17:44 2017
    almost 100 hours to acquire, 5907 minutes, that makes 1,500,000/5,907=253 MB/min, or 4 MB/sec which is very slow, even if you were on a USB 2.0 bus.

    Try having a look at the image with a tool more oriented to data recovery, such as DMDE:
    dmde.com/

    jaclaz


    - In theory there is no difference between theory and practice, but in practice there is. - 

    jaclaz
    Senior Member

      Re: FTK 1.71 error opening file system

      Post Posted: Fri Dec 29, 2017 8:33 am

      I would look at your first sentence, that you have successfully created an image. You may have created the file but there are no verification hashes to show that you have successfully created the image.

      Your FTK Imager report only shows one segment in the list, when many would be expected. If you have created it and verified, you should be able to load it back into FTK Imager to view the structure. If that works but not FTK itself then there is a problem there, which may be down to an unsupported file system, especially as you are using a very old version (currently on 6.3).

      JerryW
      Member

        Re: FTK 1.71 error opening file system

        Post Posted: Sat Dec 30, 2017 12:22 am

        Can you open the image with FTK Imager and view the file system?

        JDCoulthard
        Senior Member

        Re: FTK 1.71 error opening file system

        Post Posted: Fri Jan 12, 2018 7:43 am

        Given the fairly large drive I’m going to assume it is relatively modern and therefore has a relatively modern filesystem such as a recent NTFS flavour or OS X Extended. I would have been more surprised if that version of FTK parsed it successfully, given you are running software that is probably 10-15 years old. There’s absolutely no need to be doing so as the up to date versions are freely available at accessdata.com/product-download

        redcat
        Senior Member

          Re: FTK 1.71 error opening file system

          Post Posted: Wed Jan 17, 2018 5:38 pm

          - peoforum
          Hi,
          I have successfully created a file image called "HD01.001" of an external USB Hard Disk


          The log file you provided indicates that some errors were encountered during imaging:

          Code:
          ATTENTION:
          The following sector(s) on the source drive could not be read:
          	140591432 through 140591447
          	140593480 through 140593495
          	140595528 through 140595535
          	140599624 through 140599631
          	140601672 through 140601679
          The contents of these sectors were replaced with zeros in the image.

          As others have mentioned, I think it is important to determine if this is an FTK 1.71 issue, or a problem with the image itself. You can load the image into a number of freely available tools to see if they can parse the file system.


          Arman Gungor

          Metaspike
          Developers of Forensic Email Collector
          www.metaspike.com

          gungora
          Member
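
Added example, not part of any post in this thread and not code from the FTK vendor: a Python sketch that parses the unreadable-sector ranges from the log excerpt quoted above, maps them to byte offsets, and checks them against a region of interest or against the image itself. It assumes 512-byte sectors (as in the size calculation earlier in the thread) and a single-file raw image; all function names are hypothetical.

```python
import re

SECTOR_SIZE = 512  # assumption: same sector size as the thread's size calculation

# Log excerpt as quoted in the thread (indentation normalised to spaces).
LOG_EXCERPT = """\
The following sector(s) on the source drive could not be read:
    140591432 through 140591447
    140593480 through 140593495
    140595528 through 140595535
    140599624 through 140599631
    140601672 through 140601679
The contents of these sectors were replaced with zeros in the image.
"""

RANGE_RE = re.compile(r"^[ \t]*(\d+) through (\d+)[ \t]*$", re.MULTILINE)

def parse_unread_ranges(log_text):
    """Return [(first_sector, last_sector), ...], both ends inclusive."""
    ranges = [(int(a), int(b)) for a, b in RANGE_RE.findall(log_text)]
    if any(last < first for first, last in ranges):
        raise ValueError("log contains a reversed sector range")
    return ranges

def summarize(ranges, sector_size=SECTOR_SIZE):
    """Total unread sectors and bytes, plus (byte_offset, length) per range."""
    spans = [(first * sector_size, (last - first + 1) * sector_size)
             for first, last in ranges]
    sectors = sum(last - first + 1 for first, last in ranges)
    return {"sectors": sectors, "bytes": sectors * sector_size, "spans": spans}

def ranges_overlapping(ranges, start_sector, sector_count):
    """Unread ranges that intersect a region (a partition, a file's extent)."""
    end = start_sector + sector_count - 1
    return [(f, l) for f, l in ranges if f <= end and l >= start_sector]

def check_zero_filled(image_path, ranges, sector_size=SECTOR_SIZE):
    """Return the ranges that are NOT entirely zero (or are truncated)
    in a raw image, i.e. where the image disagrees with the log."""
    mismatches = []
    with open(image_path, "rb") as img:
        for first, last in ranges:
            length = (last - first + 1) * sector_size
            img.seek(first * sector_size)
            data = img.read(length)
            if len(data) != length or any(data):
                mismatches.append((first, last))
    return mismatches
```

Once another tool has parsed the partition table, `ranges_overlapping` with the partition's start sector and length shows whether the zero-filled sectors fall inside the volume that failed to open.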