OSFMount auto-correct size for NTFS partition


  • OSFMount auto-correct size for NTFS partition

    Hi all,

    I've seen several instances when an NTFS partition is smaller than the NTFS header says it should be. Interestingly, Windows doesn't seem to have a problem mounting them, but I've seen other forensic tools fail to mount them properly.

    OSFMount is clearly aware of this and has the elegant:

    "The image file size is smaller than the size of the NTFS partition... auto-correct this?"

    Two questions...
    1. Does anybody know why this occurs? It doesn't seem to be a corruption issue, it just seems to happen sometimes. (E.g. Create a 1GB VHD in Windows, format the full VHD as an NTFS volume - I bet the NTFS header thinks it's 7 sectors bigger than it actually is.)
    2. Is there a switch for the command line version of OSFMount that will tell it to go ahead and autocorrect?


    Thanks,
    BtG

  • #2
    We aren't sure when or how this situation occurs.
    But the warning message is only displayed when using the graphical user interface.
    If you are using the command line, then the image size is always used (which should generally be OK, as Windows seems to be able to deal with it).


    • #3
      I created a dd image with TestDisk and I can't figure out how to restore the NTFS Windows partition contained inside.

      I got the warning mentioned above but OSFMount mounted the NTFS partition just fine and I can see my files. I can also see my files in TestDisk as long as I select "None" for the partition type. BUT, I can't open this DD image or see the files inside in any other program which is making cloning the dd image back to a physical disk very difficult.

      What is OSFMount doing that is so special? When I look at the dd image with fdisk, it sees 4 partitions with weird file systems like QNX4 and Speedstar or something. And when I tried restoring the dd image using a vanilla dd command, I got 4 unreadable partitions as well.

      Is it possible for me to figure out what OSFMount is doing so I can mount my NTFS partition from the DD image?

      Or would it be possible for me to clone the OSFMount-mounted partition to another real/physical partition? I haven't found any software yet that will let me do that.

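Added example, not part of any post in this thread and not OSFMount's or TestDisk's code: a read-only check that looks for an NTFS boot sector at offset 0 of a raw image (the bare-partition case, consistent with TestDisk reading the image with partition type "None") and at each MBR table entry, then compares the sector count the NTFS header declares with the bytes the image actually holds. The function names are hypothetical, MBR entries are assumed to use 512-byte LBA units, and the sample image is constructed to declare 7 sectors more than it contains.

```python
import io
import struct

def parse_ntfs_boot(sector):
    """Return (bytes_per_sector, total_sectors) for an NTFS boot sector, else None."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    ":
        return None
    bps, = struct.unpack_from("<H", sector, 0x0B)    # bytes per sector
    total, = struct.unpack_from("<Q", sector, 0x28)  # total sectors declared by the header
    return (bps, total) if bps in (512, 1024, 2048, 4096) and total else None

def candidate_offsets(first_sector):
    """Offset 0 (bare partition image) plus the start of each MBR table entry."""
    offsets = {0}
    if first_sector[510:512] == b"\x55\xaa":
        for i in range(4):
            lba, = struct.unpack_from("<I", first_sector, 446 + 16 * i + 8)
            offsets.add(lba * 512)  # assumption: 512-byte LBA units
    return sorted(offsets)

def find_ntfs(img, size):
    """List NTFS volumes found in a seekable raw image and how far each overruns it."""
    img.seek(0)
    found = []
    for off in candidate_offsets(img.read(512)):
        if off + 512 > size:
            continue  # table entry points outside the image: not usable
        img.seek(off)
        parsed = parse_ntfs_boot(img.read(512))
        if parsed:
            bps, total = parsed
            short = max(0, total * bps - (size - off))  # bytes the header expects but the image lacks
            found.append({"offset": off, "declared_sectors": total,
                          "missing_sectors": -(-short // bps)})  # ceiling division
    return found

def build_sample():
    """Constructed 1 MiB image: NTFS boot sector at offset 0 declaring 7 extra sectors."""
    boot = bytearray(512)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<H", boot, 0x0B, 512)
    struct.pack_into("<Q", boot, 0x28, 2048 + 7)
    boot[446:510] = b"\xff" * 64  # bootstrap-code area, constructed so it is not a valid table
    boot[510:512] = b"\x55\xaa"
    return bytes(boot) + bytes(1024 * 1024 - 512)

if __name__ == "__main__":
    print(find_ntfs(io.BytesIO(build_sample()), 1024 * 1024))
```

For a real image, open the file read-only in binary mode and pass its size in bytes as `size`; the reported `offset` is the byte position at which the NTFS volume starts.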


      • #4
        I don't really understand the problem.
        If you are using dd, then it shouldn't really care about the type and number of partitions.

        For example the dd command should be something like this,
        Code:
        dd if=YourImageFile.img of=/dev/sdc
        This will restore the entire image back to the drive, with all the partitions intact.

        I might be wrong, but I don't think you are able to use dd to extract a single partition to a physical drive. You would be missing the partition table, MBR, etc.


        • #5
          My issue is that the DD image that TestDisk created has a crazy partition table so restoring it as a whole disk just isn't working:

          [Image: capture1.png]

          TestDisk won't repair the partition table:

          [Image: capture2.png]

          I don't know why I'm having all these issues: the disk wasn't even physically damaged.

          The only things I can get to read the files are OSFMount and TestDisk, so I don't know how to restore this image.


          • #6
            My problem is that the partition table in the image that TestDisk created is totally screwed up:
            [Image: capture1.png]

            And TestDisk won't recover the NTFS partition, even with a deep search:
            [Image: capture2.png]

            So cloning the entire disk image back to the drive with partitions intact doesn't seem to be an option, unfortunately. The only things I can get to read the files on the NTFS partition in the disk image are TestDisk when I select "None" as the partition type, and OSFMount.


            • #7
              We don't really know anything about TestDisk. It isn't our product. You might want to contact the TestDisk developer. If it created a messed up image of the source disk, then don't use it. There are lots of other alternatives.

              Our OSForensics product and OSFClone can create a dd style image.

              It seems, to us, a fruitless exercise to spend time investigating why our product works, when others don't.


              • #8
                Right, I guess I should have been more clear that the main question I'm posing here is: how can one clone an OSF-mounted image to another partition?


                • #9
                  We have software for cloning whole drives, and copying disk images to drives, but nothing that will copy partition to partition.
