FTK 1.71 error opening file system


Posted: Thu Dec 28, 2017 6:19 am

Hi,
I have successfully created a file image called "HD01.001" of an external USB Hard Disk with FTK Imager (ver.3.0.1.1467) using the option "Create Disk Image/Physical Drive".
When I try to open the image file "HD01.001" with FTK (Forensic Toolkit-FTK Version 1.71 build 07.06.22) during the "Add Evidence" phase I get the messages "Add Evidence Error - Error opening file system!" and, after one click, "Add Evidence Error - Could not add HD01\Part_1".
Why?
Can someone help me?
Thank you in advance.

Gian Piero Pasquali

PS: see my attachments on Dropbox:

HD01.001.txt (FTK Imager log file) - www.dropbox.com/s/eil8...1.txt?dl=0

Error1-ErrorOpening.jpg (screenshot 1st error message) - www.dropbox.com/s/msvs...g.jpg?dl=0

Error2-CouldNotAdd.jpg (screenshot 2nd error message) - www.dropbox.com/s/ixv7...d.jpg?dl=0  

peoforum
Newbie
 
 
  

Re: FTK 1.71 error opening file system

Posted: Thu Dec 28, 2017 7:45 am

peoforum wrote:
"Could not add HD01\Part_1".


That is the issue.

For *some reasons* the FTK imager cannot parse the actual partition or the partition (actually filesystem) data.

As a side note, at first sight that disk seems to be malfunctioning in some way; from your HD01.001.txt:
2.930.272.256x512=1,500,299,395,072
it is a 1.5 Tb (roughly) drive, yet it took:
Acquisition started: Sat Dec 23 08:49:58 2017
Acquisition finished: Wed Dec 27 11:17:44 2017
almost 100 hours to acquire, 5907 minutes, which makes 1,500,000/5,907=253 MB/min, or 4 MB/sec, which is very slow, even if you were on a USB 2.0 bus.

Try having a look at the image with a tool more oriented to data recovery, such as DMDE:
dmde.com/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: FTK 1.71 error opening file system

Posted: Fri Dec 29, 2017 9:33 am

I would look at your first sentence, that you have successfully created an image. You may have created the file but there are no verification hashes to show that you have successfully created the image.

Your FTK Imager report only shows one segment in the list, when many would be expected. If you have created it and verified, you should be able to load it back into FTK Imager to view the structure. If that works but not FTK itself then there is a problem there, which may be down to an unsupported file system, especially as you are using a very old version (currently on 6.3).  

JerryW
Member
 
 
  

Re: FTK 1.71 error opening file system

Posted: Sat Dec 30, 2017 1:22 am

Can you open the image with FTK Imager and view the file system?  

JDCoulthard
Senior Member
 
 
  

Re: FTK 1.71 error opening file system

Posted: Fri Jan 12, 2018 8:43 am

Given the fairly large drive I’m going to assume it is relatively modern and therefore has a relatively modern filesystem such as a recent NTFS flavour or OS X Extended. I would have been more surprised if that version of FTK parsed it successfully, given you are running software that is probably 10-15 years old. There’s absolutely no need to be doing so as the up to date versions are freely available at accessdata.com/product-download  

redcat
Senior Member
 
 
  

Re: FTK 1.71 error opening file system

Posted: Wed Jan 17, 2018 6:38 pm

peoforum wrote:
Hi,
I have successfully created a file image called "HD01.001" of an external USB Hard Disk


The log file you provided indicates that some errors were encountered during imaging:

Code:
ATTENTION:
The following sector(s) on the source drive could not be read:
	140591432 through 140591447
	140593480 through 140593495
	140595528 through 140595535
	140599624 through 140599631
	140601672 through 140601679
The contents of these sectors were replaced with zeros in the image.

As others have mentioned, I think it is important to determine if this is an FTK 1.71 issue, or a problem with the image itself. You can load the image into a number of freely available tools to see if they can parse the file system.
_________________
Arman Gungor

Metaspike
Developers of Forensic Email Collector
www.metaspike.com 

gungora
Member
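
Added example, not part of any post in this thread: a small Python parser for the log lines quoted above, which totals the sectors the imager zero-filled, converts each range to a byte offset in the raw image, and recomputes the acquisition rate from the two timestamps. The function names are this example's own, and the 512-byte sector size and the sector count are the figures used in the thread.

```python
import re
from datetime import datetime

SECTOR_SIZE = 512               # bytes per sector, as in the thread's size calculation
TOTAL_SECTORS = 2_930_272_256   # sector count quoted in the thread

# Constructed sample: only the log lines quoted in this thread, joined together.
SAMPLE_LOG = """Acquisition started: Sat Dec 23 08:49:58 2017
Acquisition finished: Wed Dec 27 11:17:44 2017
ATTENTION:
The following sector(s) on the source drive could not be read:
\t140591432 through 140591447
\t140593480 through 140593495
\t140595528 through 140595535
\t140599624 through 140599631
\t140601672 through 140601679
The contents of these sectors were replaced with zeros in the image.
"""

def unreadable_ranges(log):
    """Return inclusive (first, last) sector ranges reported as unreadable."""
    _, _, tail = log.partition("could not be read:")
    ranges = []
    for line in tail.splitlines():
        m = re.fullmatch(r"\s*(\d+) through (\d+)\s*", line)
        if m:
            ranges.append((int(m.group(1)), int(m.group(2))))
        elif line.strip():
            break  # first non-range line ends the list
    return ranges

def zeroed_bytes(ranges):
    """Bytes the imager replaced with zeros (ranges are inclusive)."""
    return sum(last - first + 1 for first, last in ranges) * SECTOR_SIZE

def byte_offsets(ranges):
    """(start_offset, length) per range, for inspecting the image in a hex viewer."""
    return [(f * SECTOR_SIZE, (l - f + 1) * SECTOR_SIZE) for f, l in ranges]

def acquisition_seconds(log):
    """Elapsed time between the 'started' and 'finished' timestamps."""
    fmt = "%a %b %d %H:%M:%S %Y"
    stamps = re.findall(r"Acquisition (?:started|finished):\s*(.+)", log)
    start, end = (datetime.strptime(s.strip(), fmt) for s in stamps)
    return (end - start).total_seconds()

if __name__ == "__main__":
    r, secs = unreadable_ranges(SAMPLE_LOG), acquisition_seconds(SAMPLE_LOG)
    print(f"{len(r)} ranges, {zeroed_bytes(r)} bytes zero-filled, first at {byte_offsets(r)[0][0]:#x}")
    print(f"{TOTAL_SECTORS * SECTOR_SIZE / secs / 1e6:.2f} MB/s over {secs / 3600:.1f} h")
```

The byte offsets show where in the raw image the zero-filled regions sit, so they can be compared against the partition and file system structures that another tool reports.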
 
 
