Re: icat and ifind -- Help with -- Please DO NOT hijack threads
Thanks Theodore,
I had a quick crack at following your instructions and got this:
al@al-ubuntu:~$ sudo mmls -i raw /home/al/test_bad_disk.bin
[sudo] password for al:
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000128519 0000128457 Dell Utilities FAT (0xde)
03: ----- 0000128520 0000129023 0000000504 Unallocated
04: 00:01 0000129024 0021100543 0020971520 NTFS (0x07)
05: 00:02 0021100544 0307335167 0286234624 NTFS (0x07)
06: 00:03 0307335168 0312578047 0005242880 Win95 Extended (0x0F)
07: ----- 0307335168 0307335168 0000000001 Extended Table (#1)
08: ----- 0307335169 0307337215 0000002047 Unallocated
09: 01:00 0307337216 0312578047 0005240832 Hidden CTOS Memdump? (0xdd)
10: ----- 0312578048 0312581807 0000003760 Unallocated
Now let's say I am interested in what's on bad block 22817441. This falls on one of the NTFS partitions (slot 05).
The relative bad sector is now 22817441 - 21100544 = 1716879. Thus:
al@al-ubuntu:~$ sudo ifind -i raw -o 21100544 -d 1716879 /dev/sdb
9845-128-4
Then:
al@al-ubuntu:~$ sudo istat -i raw -o 21100544 /dev/sdb 9845-128-4
MFT Entry Header Values:
Entry: 9845 Sequence: 1
$LogFile Sequence Number: 1747782526
Allocated File
Links: 2
$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created: Thu Nov 2 23:43:10 2006
File Modified: Thu Nov 2 23:41:55 2006
MFT Modified: Wed Mar 12 04:09:31 2008
Accessed: Thu Nov 2 23:41:55 2006
$FILE_NAME Attribute Values:
Flags: Archive
Name: x86_microsoft-windows-font-truetype-mingliub_31bf3856ad364e35_6.0.6000.16386_none_c6eae5a23b4a0d1e_mingliub.ttc_b8743970
Parent MFT Entry: 2239 Sequence: 1
Allocated Size: 0 Actual Size: 0
Created: Wed Mar 12 04:09:31 2008
File Modified: Wed Mar 12 04:09:31 2008
MFT Modified: Wed Mar 12 04:09:31 2008
Accessed: Wed Mar 12 04:09:31 2008
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
Type: $FILE_NAME (48-3) Name: N/A Resident size: 90
Type: $FILE_NAME (48-2) Name: N/A Resident size: 306
Type: $DATA (128-4) Name: $Data Non-Resident size: 33791880
1715691 1715692 1715693 1715694 1715695 1715696 1715697 1715698
1715699 1715700 1715701 1715702 1715703 1715704 1715705 1715706
1715707 1715708 1715709 1715710 1715711 1715712 1715713 1715714
1715715 1715716 1715717 1715718 1715719 1715720 1715721 1715722
LOTS MORE NUMBERS
And ffind:
al@al-ubuntu:~$ sudo ffind -i raw -o 21100544 /dev/sdb 9845-128-4
/Windows/winsxs/Backup/x86_microsoft-windows-font-truetype-mingliub_31bf3856ad364e35_6.0.6000.16386_none_c6eae5a23b4a0d1e_mingliub.ttc_b8743970
al@al-ubuntu:~$
A little bit of trouble interpreting this result as it's not a file name and path that I am used to seeing. Is it something in C:\Windows\winsxs\Backup\????
Cheers
-Al
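
An added example, not part of the original post: a Python sketch of the address arithmetic behind the mmls / ifind steps above, using the mmls rows from the post as sample input. ifind -d takes a file system data unit (a cluster on NTFS), so the last step divides the partition-relative sector by sectors per cluster; the function names are hypothetical and the value 8 is an assumption, the real cluster size is printed by fsstat.

```python
import re

# mmls table rows copied from the post above, used here as sample input.
MMLS_OUTPUT = """\
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000128519 0000128457 Dell Utilities FAT (0xde)
03: ----- 0000128520 0000129023 0000000504 Unallocated
04: 00:01 0000129024 0021100543 0020971520 NTFS (0x07)
05: 00:02 0021100544 0307335167 0286234624 NTFS (0x07)
06: 00:03 0307335168 0312578047 0005242880 Win95 Extended (0x0F)
07: ----- 0307335168 0307335168 0000000001 Extended Table (#1)
08: ----- 0307335169 0307337215 0000002047 Unallocated
09: 01:00 0307337216 0312578047 0005240832 Hidden CTOS Memdump? (0xdd)
10: ----- 0312578048 0312581807 0000003760 Unallocated
"""

ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_mmls(text):
    """Parse mmls rows into dicts; banner and header lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            slot, start, end, length, desc = m.groups()
            rows.append({"slot": slot, "start": int(start), "end": int(end),
                         "length": int(length), "desc": desc})
    return rows

def locate_sector(rows, sector):
    """Return the smallest volume that contains an absolute sector."""
    # Volume slots look like 00:02; table and unallocated rows have no colon.
    hits = [r for r in rows
            if ":" in r["slot"] and r["start"] <= sector <= r["end"]]
    if not hits:
        raise ValueError(f"sector {sector} is not inside any partition")
    # An extended container also covers its logical volumes: take the innermost.
    return min(hits, key=lambda r: r["length"])

def to_data_unit(sector, part_start, sectors_per_cluster=8):
    """Convert an absolute sector to (partition-relative sector, cluster)."""
    # sectors_per_cluster=8 is an assumption (4096-byte clusters, 512-byte sectors).
    relative = sector - part_start
    return relative, relative // sectors_per_cluster
```

The partition start returned by locate_sector is the value passed to -o, and the cluster number is the value passed to ifind -d.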