Hi,
I’ve taken an .001 image from a 512 Gb windows drive, and added it as a data source in Autopsy. I run some ingests and wait about 2 hours for it to finish. It does not show up any files that have been analyzed or any file system, only an “$unalloc” folder.
I’ve loaded the same image into FTK Imager and it shows the file system, orphan files and unallocated space just fine, and really fast. What could be wrong here?
How it looks in Autopsy
How it looks in FTK
Thank you for any help!
It’s likely that the ingest modules you ran are what caused Autopsy to take a while, especially if you ran photo rec or keyword search. If you want to you could try again with no ingest modules and see if it’s fast. Not that it’s that important (it’s not going to magically cause the files to load), it’s just a more fair comparison with what FTK is doing.
Autopsy is a bit more strict than FTK when detecting volume systems and file systems. It’s possible there’s something a little off in your image that is making Autopsy decide that it isn’t NTFS. For example, Autopsy generally requires the 0x55aa marker at the end of the boot sector while FTK is ok if it is missing.
I am having this exact same problem. Did you ever get a solution to this?