Problems reading images with encrypted/corrupt partitions #530
Comments
|
Are you sure it is stopping? We have several disk images where there is one or more partitions w/out file systems in them. If no file systems are ever found in the disk image, then nothing will be found. If a single file is found, then it will be added. The database is committed only if it successfully ends. Is any data at all added to the database or not? |
|
It starts adding data to the database, stops at around ~57MB database file size (I guess this is the point where it tries to read data from the encrypted/corrupt partition) for several seconds and then throws the TskDataException which results in a revert of all changes made to the database file (the database file size afterwards is 1MB). If im reading it with tsk_loaddb command, it works just fine. In case it is helpful, here is the output of "mmls" of the image file: DOS Partition Table 000: Meta 0000000000 0000000000 0000000001 Primary Table (#0) |
ghost
closed this as 
Hello,
i have two different E01 images from two different cases. Both have several partitions with at least one encrypted partition and some unencrypted partitions.
Using AddImageProcess, I want to add those Images to the local .sqlite database. For the unencrypted partitions this works as expected, but as soon as TSK tries to read the encrypted partitions into the database a TskDataException is thrown and the process is stopped. What can I do to "bypass" reading the encrypted partitions, reading only the partitions into the database which TSK is able to read? Now I'm having the problem that as soon as the AddImageProcess is stopped, all the other data which can be read by TSK is also dropped.
The text was updated successfully, but these errors were encountered: