I am having an issue adding a “local drive” as well as a “disk image” of the same drive (e01 - should have tried single file raw DD but I doubt that’s the issue) to an autopsy case. I get the following errors,
“*Failed to add data source (critical errors encountered). Click below to view the log.”
Log below,
Errors occurred while ingesting image
Cannot determine file system type (Sector offset: 0)
I believe this drive to be empty (wiped), however, my compressed e01 of the drive is over 1GB (750gb physical drive) and to me, that seems reasonable to believe there might be something on there. Regardless of data present, how are you supposed to analyze a drive that is raw (not containing a file system)? FTK Imager pulls it up without flaw so i browse in HEX view. Of course, I don’t want to browse in the HEX view to find anything. I’d rather have a tool carve it for me.
Any suggestions? Am I ingesting the image/drive incorrectly?
Appears to have added the file. Does this work with all image types (raw, dd, e01, segmentation, etc)? Also is there a way to essentially add an “unallocated” physical drive?
Thank you for your help. Unfortunately it does not appear that you can add an “unallocated” physical drive. Hopefully this can be put in as a feature request!
I experienced the same issue (Autopsy 4.14.0). Trying to add E01 image. Getting error Failed to add data source. Cannot determine file system type (Sector offset: 0). Does anyone know what cause this problem?
I think it’s ridiculous that as fully-featured as Autopsy is, it doesn’t support adding raw disks - both Windows and Linux expose their raw disks so there’s no obstacle there. Most established data recovery programs allow for this because of how easy it is for a disk to have its partition table (always in the first 512 bytes) removed, especially in criminal cases. I was looking forward to using Autopsy but the lack of this feature makes it pointless given how often I work with disks that aren’t and cannot be initialised for forensic reasons.
Hello mark, i have the same problem and i tried your solution and now it doesnt give me the error but it has no data/files inside the data source even though it should.