Jon
August 18, 2019, 1:21pm
1
Hello!
parted -l: Model: SanDisk Cruzer Blade (scsi) Disk /dev/sdb: 4005MB Sector size (logical/physical): 512B/512B Partition Table: msdos
Number Start End Size Type File system Flags
mmls -V: The Sleuth Kit ver 4.6.7
fdisk -l: /dev/sdb1 * 128 7821311 7821184 3,7G b W95 FAT32
sha1sum /dev/sdb1 > /home/jon/Desktop/usb-copy.sha1: dd if=/dev/sdb1 of=/home/jon/Desktop/usb-copy.dd conv=noerror,sync: sha1sum /home/jon/Desktop/usb-copy.dd:
Comparation Hash OK!
mmls usb-copy.dd: Cannot determine partition type
HELP?
uname -a: Linux jon 3.16.0-10-amd64 #1 SMP Debian 3.16.70-1 (2019-07-22) x86_64 GNU/Linux
It looks like you have done an image of only partition1 not the whole device. Try imaging the whole device instead.
dd if=/dev/sdb of=[output path] conv=noerror,sync
Then try running mmls on the image.
You can probably run fls directly on the image you’ve created as you only have the partition imaged.
$ fls usb-copy.dd
Best regards
Hey! Jessica, I am getting the error “Cannot determine the File System Type” when I tried to look out the File System details for a forensic image.
Can you please help me out ?
If this is a full disk image then you will need to tell fsstat where the partition starts in order to get the stats on it. I would suggest using mmls to get the partition list first. Once you have the offset of the partition then use the -o option in fsstat.
