Computer Forensics World :: View topic - Files associated with particular sectors (data recovery)
fivestones
Newbie
Joined: Dec 12, 2009
Posts: 1

Posted: Sun Dec 13, 2009 7:40 am    Post subject: Files associated with particular sectors (data recovery)

I have a hard drive going bad. It's NTFS, and Windows would mount it, but some folders were inaccessible. I used FTK Imager to make a SMART image of the drive, and then Mount Image Pro to mount the image. For the most part this works to retrieve files--in the mounted image I can access folders that were inaccessible from the drive itself. However, when FTK Imager finished making the image, it gave me a list of 115 sectors on the source drive that could not be read.

->My question is: how can I use this information about particular sectors to find out which specific files are affected by those unreadable sectors?

I have encountered one folder in the mounted disk image that will not open still; it is a sub-sub-folder of one of the folders that was inaccessible on the drive itself. There is nothing important in this folder, but I'm wondering--does that mean that files inside this folder are some of those with the unreadable sectors?
athulin
Newbie
Joined: Oct 19, 2007
Posts: 238

Posted: Mon Dec 14, 2009 1:13 am    Post subject: Re: Files associated with particular sectors (data recovery)

fivestones wrote:

->My question is: how can I use this information about particular sectors to find out which specific files are affected by those unreadable sectors?


If you have a professional forensic tool, you won't need to: it will identify the files for you.

Otherwise, first thing is to see if $BadClus already covers those sectors/clusters -- if it does, it has already worked around the problem.

If not, look over the 'File Allocation Example' on pages 344-5 in Brian Carrier's book File System Forensic Analysis for the forward calculation.
It should not be too difficult to do the reverse. (Yes, that book also describes $BadClus. It's indispensable.)

Quote:

... does that mean that files inside this folder are some of those with the unreadable sectors?


Not necessarily -- after all, there may be other errors in the file system. It's usually a good idea to do 'chkdsk' or equivalent on any acquired volume (safely mounted through a writeblocker) just to see if there is any damage that may give any non-professional tool a hiccough.
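Added example (not part of any post in this thread, and not code from Carrier's book): a sketch of the reverse calculation mentioned above, going from unreadable sector numbers to the NTFS files whose data runs contain them. It assumes the imager reports disk-absolute 512-byte sector numbers and that the partition start, sectors per cluster and each file's $DATA runlist bytes have already been read from the image; the file names, runlists and sector numbers are constructed.

```python
SECTOR_SIZE = 512  # bytes per sector (assumed)

def decode_runlist(raw):
    """Decode an NTFS runlist into (start_lcn, length) extents; sparse runs get start None."""
    extents, lcn, i = [], 0, 0
    while i < len(raw) and raw[i] != 0:           # a 0x00 header byte ends the list
        len_sz, off_sz = raw[i] & 0x0F, raw[i] >> 4
        i += 1
        length = int.from_bytes(raw[i:i + len_sz], "little")
        i += len_sz
        if off_sz == 0:
            extents.append((None, length))        # sparse: no clusters on disk
        else:                                     # signed offset, relative to previous run
            lcn += int.from_bytes(raw[i:i + off_sz], "little", signed=True)
            extents.append((lcn, length))
        i += off_sz
    return extents

def affected_files(bad_lbas, part_start, spc, runlists):
    """Return {file name: [(bad LBA, byte offset of that sector within the file)]}."""
    extents = {name: decode_runlist(raw) for name, raw in runlists.items()}
    hits = {}
    for lba in bad_lbas:
        if lba < part_start:
            continue                              # sector lies outside this volume
        lcn, sec_in_cluster = divmod(lba - part_start, spc)
        for name, runs in extents.items():
            vcn = 0                               # cluster index within the file
            for start, length in runs:
                if start is not None and start <= lcn < start + length:
                    offset = ((vcn + lcn - start) * spc + sec_in_cluster) * SECTOR_SIZE
                    hits.setdefault(name, []).append((lba, offset))
                vcn += length
    return hits

# Constructed sample data (not from the thread's drive).
PART_START, SPC = 2048, 8                         # partition start LBA, sectors per cluster
RUNLISTS = {
    "report.doc": bytes.fromhex("21 18 34 56 00"),             # one run: 24 clusters at LCN 22068
    "video.avi": bytes.fromhex("21 10 00 10 21 08 00 FF 00"),  # two runs, second is 256 clusters earlier
}
BAD_LBAS = [178611, 32776, 2848, 10]

if __name__ == "__main__":
    for name, found in affected_files(BAD_LBAS, PART_START, SPC, RUNLISTS).items():
        print(name, found)
```

Bad sectors that match no runlist may sit in unallocated space, in file system metadata such as the MFT or a directory index, or in clusters already recorded in $BadClus.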
4n6art
Newbie
Joined: Jun 28, 2008
Posts: 67

Posted: Mon Dec 14, 2009 1:15 am    Post subject:

Try to make another image but this time change as many factors as you can:
- different forensic imaging computer
- different write blocker
- different imaging software maybe?
- different connection into your forensic machine.

Have you tried Linux to image? It is more forgiving than a Windoze app most times.

I have had instances where changing some of these factors gives me different (sometimes better, sometimes worse) results. Give it a try - you could end up with less than 115 sectors that are marked bad.

Just some thots....
Good luck.
-=Art=-
farmerdude
Newbie
Joined: Jan 12, 2006
Posts: 263

Posted: Tue Dec 22, 2009 2:32 am    Post subject:

If you've encountered I/O errors when acquiring media I strongly recommend ddrescue - the GNU version. This Linux-based application has been designed and optimized for pulling data from media with I/O errors. It has no financial cost and is incredibly efficient.

That aside, within FTK Imager, are you able to set options for how many sectors to discard when a bad sector is encountered? Unfortunately a number of the forensic GUI acquisition engines may discard more than a single sector when an I/O error is encountered.

Cheers!

farmerdude

www . onlineforensictraining . com

www . forensicbootcd . com
All times are GMT + 10 Hours