ntfs - Error in metadata structure (Error Finding Bitmap Data Attribute) #368
Comments
|
I got here while trying to recover a hard disk and tried to find out which files get corrupted by the unreadable sectors via the Later I am trying now to find out why fsstat cannot open this partition - while ntfs-3g is able to. As far as I see sleuthkit expects in Lines 3276 to 3281 in ff6e54d Unfortunately my partition just has a It looks like ntfs-3g retrieves a element from the |
Getting a strange error with a 500GB NTFS HD (using latest source from github, and older versions too).
Here is the mmls:
./mmls -v /dev/sda
tsk_img_open: Type: 0 NumImg: 1 Img1: /dev/sda
tsk_img_findFiles: /dev/sda found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 500107862016 max offset: 500107862016 path: /dev/sda
dos_load_prim: Table Sector: 0
raw_read: byte offset: 0 len: 65536
raw_read: found in image 0 relative offset: 0 len: 65536
raw_read_segment: opening file into slot 0: /dev/sda
dos_load_prim_table: Testing FAT/NTFS conditions
load_pri:0:0 Start: 2048 Size: 976771072 Type: 7
load_pri:0:1 Start: 0 Size: 0 Type: 0
load_pri:0:2 Start: 0 Size: 0 Type: 0
load_pri:0:3 Start: 0 Size: 0 Type: 0
bsd_load_table: Table Sector: 1
gpt_load_table: Sector: 0
gpt_open: Trying other sector sizes
gpt_open: Trying sector size: 512
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 1024
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 2048
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 4096
gpt_load_table: Sector: 0
gpt_open: Trying sector size: 8192
gpt_load_table: Sector: 0
sun_load_table: Trying sector: 0
sun_load_table: Trying sector: 1
mac_load_table: Sector: 1
mac_load: Missing initial magic value
mac_open: Trying 4096-byte sector size instead of 512-byte
mac_load_table: Sector: 1
mac_load: Missing initial magic value
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
00: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000000 0000002047 0000002048 Unallocated
02: 00:00 0000002048 0976773119 0976771072 NTFS / exFAT (0x07)
03: ----- 0976773120 0976773167 0000000048 Unallocated
And here is the fls in verbose (error):
./fls -f ntfs -v /dev/sda1
tsk_img_open: Type: 0 NumImg: 1 Img1: /dev/sda1
tsk_img_findFiles: /dev/sda1 found
tsk_img_findFiles: 1 total segments found
raw_open: segment: 0 size: 500106788864 max offset: 500106788864 path: /dev/sda1
raw_read: byte offset: 0 len: 65536
raw_read: found in image 0 relative offset: 0 len: 65536
raw_read_segment: opening file into slot 0: /dev/sda1
ntfs_dinode_lookup: Processing MFT 0
raw_read: byte offset: 3221225472 len: 65536
raw_read: found in image 0 relative offset: 3221225472 len: 65536
ntfs_proc_attrseq: Processing extended entry for primary entry 0
ntfs_proc_attrseq: Resident Attribute in Type: 16 Id: 0 IdNew: 0 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 48 Id: 3 IdNew: 3 Name:
ntfs_proc_attrseq: Non-Resident Attribute Type: 128 Id: 1 IdNew: 1 Name: Start VCN: 0
ntfs_make_data_run: Len idx: 0 cur: 128 (80) tot: 128 (80)
ntfs_make_data_run: Len idx: 1 cur: 75 (4b) tot: 19328 (4b80)
ntfs_make_data_run: Off idx: 0 cur: 0 (0) tot: 0 (0)
ntfs_make_data_run: Off idx: 1 cur: 0 (0) tot: 0 (0)
ntfs_make_data_run: Off idx: 2 cur: 12 (c) tot: 786432 (c0000)
ntfs_make_data_run: Signed addr_offset: 786432 Previous address: 0
ntfs_make_data_run: Len idx: 0 cur: 0 (0) tot: 0 (0)
ntfs_make_data_run: Len idx: 1 cur: 11 (b) tot: 2816 (b00)
ntfs_make_data_run: Off idx: 0 cur: 144 (90) tot: 144 (90)
ntfs_make_data_run: Off idx: 1 cur: 70 (46) tot: 18064 (4690)
ntfs_make_data_run: Off idx: 2 cur: 152 (98) tot: 9979536 (984690)
ntfs_make_data_run: Off idx: 3 cur: 0 (0) tot: 9979536 (984690)
ntfs_make_data_run: Signed addr_offset: 9979536 Previous address: 786432
ntfs_make_data_run: Len idx: 0 cur: 128 (80) tot: 128 (80)
ntfs_make_data_run: Len idx: 1 cur: 72 (48) tot: 18560 (4880)
ntfs_make_data_run: Off idx: 0 cur: 132 (84) tot: 132 (84)
ntfs_make_data_run: Off idx: 1 cur: 233 (e9) tot: 59780 (e984)
ntfs_make_data_run: Off idx: 2 cur: 219 (db) tot: 14412164 (dbe984)
ntfs_make_data_run: Signed addr_offset: -2365052 Previous address: 10765968
ntfs_proc_attrseq: Non-Resident Attribute Type: 176 Id: 8 IdNew: 8 Name: Start VCN: 0
ntfs_make_data_run: Len idx: 0 cur: 1 (1) tot: 1 (1)
ntfs_make_data_run: Off idx: 0 cur: 255 (ff) tot: 255 (ff)
ntfs_make_data_run: Off idx: 1 cur: 255 (ff) tot: 65535 (ffff)
ntfs_make_data_run: Off idx: 2 cur: 11 (b) tot: 786431 (bffff)
ntfs_make_data_run: Signed addr_offset: 786431 Previous address: 0
ntfs_make_data_run: Len idx: 0 cur: 4 (4) tot: 4 (4)
ntfs_make_data_run: Off idx: 0 cur: 21 (15) tot: 21 (15)
ntfs_make_data_run: Off idx: 1 cur: 63 (3f) tot: 16149 (3f15)
ntfs_make_data_run: Off idx: 2 cur: 5 (5) tot: 343829 (53f15)
ntfs_make_data_run: Signed addr_offset: 343829 Previous address: 786431
ntfs_dinode_lookup: Processing MFT 3
ntfs_dinode_lookup: Found in offset: 786432 size: 19328 at offset: 3072
ntfs_dinode_lookup: Entry address at: 3221228544
ntfs_proc_attrseq: Processing extended entry for primary entry 3
ntfs_proc_attrseq: Resident Attribute in Type: 16 Id: 0 IdNew: 0 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 48 Id: 1 IdNew: 1 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 64 Id: 6 IdNew: 6 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 96 Id: 4 IdNew: 4 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 112 Id: 5 IdNew: 5 Name:
ntfs_proc_attrseq: Resident Attribute in Type: 128 Id: 3 IdNew: 3 Name:
ntfs_dinode_lookup: Processing MFT 6
ntfs_dinode_lookup: Found in offset: 786432 size: 19328 at offset: 6144
ntfs_dinode_lookup: Entry address at: 3221231616
ntfs_open: Error loading block bitmap (Error in metadata structure (Error Finding Bitmap Data Attribute))
Error in metadata structure (Error Finding Bitmap Data Attribute)
Any ideas on what's causing this?
At last, with the ntfs-3g driver, I can mount and read the data without issues.
The text was updated successfully, but these errors were encountered: