
Re: icat and ifind -- Help with -- Please DO NOT hijack threads

by Theodore Pham

Folks, ignore this.  I think I forgot to map the physical sector to a
partition-relative cluster number.  I'll repost shortly when I double
check this on real data.

On Sat, Nov 21, 2009 at 10:04 AM, Theodore Pham <telamon@...> wrote:

> Run mmls -i raw /dev/sdb
>
> That will print out the partition table with the absolute sector start
> and end values.
>
> Next, you will want to use ifind with the -o argument to tell it what
> absolute sector the partition begins at and the -d argument to
> indicate the relative sector number (absolute sector number - absolute
> sector number of partition start) you're interested in.
>
> For your example absolute sector of 22817441, let's assume the
> partition containing it starts at 22817300. Your relative sector
> number would be 22817441 - 22817300 = 141.  So you would run:
>
> ifind -i raw -o 22817300 -d 141 <dd image or /dev device>
>
> BTW, if you use a dd image, you may be able to drop the -i raw.
>
> ifind will tell you the inode number(s) for the file the data block is
> associated with.  An inode is a metadata structure that contains
> information for a file or directory. What information it contains
> depends on the file system type, but knowing the inode number uniquely
> identifies a file or directory.  And yes, ifind may return multiple
> inode numbers because a data block may have been reallocated -
> normally this means only one of the returned inodes is allocated and
> the rest are unallocated (represents a deleted file/directory).  If
> you find two allocated inodes referencing the same data block, then
> you either have a hard-linked file (intentional and valid for some
> filesystem types) OR a cross-linked one (corrupted file system).
>
> Once you have the inode number, you can run:
>
> istat -i raw -o <partition start absolute sector> <dd image or /dev
> device>  <inode number>
>
> to show you useful information about the inode including whether or
> not it is allocated, its relative name and what data clusters are
> allocated to it.  1 cluster = multiple sectors, and cluster size is
> defined by the file system format of the partition.
>
> Then you can run ffind with the same arguments to give you the full
> path and filename:
>
> ffind -i raw -o <partition start absolute sector> <dd image or /dev
> device>  <inode number>
>
> However, if your bad block is being used to house inodes, then istat
> and ffind may fail because they may not be able to validate data needed
> to traverse the file system.
>
> On Sat, Nov 21, 2009 at 6:33 AM, Al Grant <bigal.nz@...> wrote:
>>
>> Disk /dev/sdb: 160.0 GB, 160041885696 bytes
>> 255 heads, 63 sectors/track, 19457 cylinders
>> Units = cylinders of 16065 * 512 = 8225280 bytes
>> Disk identifier: 0x70000000
>>
>>   Device Boot      Start         End      Blocks   Id  System
>> /dev/sdb1               1           8       64228+  de  Dell Utility
>> /dev/sdb2               9        1314    10485760    7  HPFS/NTFS
>> /dev/sdb3   *        1314       19131   143117312    7  HPFS/NTFS
>> /dev/sdb4           19131       19458     2621440    f  W95 Ext'd (LBA)
>> /dev/sdb5           19131       19458     2620416   dd  Unknown
>> al@al-ubuntu:~$ sudo badblocks -b 512 -vs /dev/sdb
>> Checking blocks 0 to 312581807
>> Checking for bad blocks (read-only test): 22817408done, 4:46 elapsed
>> 22817432done, 5:55 elapsed
>> 22817433done, 6:18 elapsed
>> 22817434done, 6:42 elapsed
>> 22817435done, 7:05 elapsed
>> 22817436done, 7:28 elapsed
>> 22817437done, 7:51 elapsed
>> 22817438done, 8:14 elapsed
>> 22817439done, 8:37 elapsed
>> 22817440
>> 22817441
>>
>> For example how do I determine which partition 22817441 resides on?
>>
>> -Al
>>
>> --
>> View this message in context: http://old.nabble.com/icat-and-ifind----Help-with----Please-DO-NOT-hijack-threads-tp26452166p26455702.html
>> Sent from the sleuthkit-users mailing list archive at Nabble.com.
>

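The procedure in the reply above (mmls for the partition table, subtract the partition start, then ifind/istat/ffind with -o) has one step that the follow-up admits was missing: ifind's -d argument takes a file system data unit address (an NTFS cluster or ext block), not a partition-relative sector, so the relative sector still has to be divided by the cluster size reported by fsstat. The script below is an added example, not code from the thread or from The Sleuth Kit. It parses mmls output, finds which partition contains a badblocks sector number, converts it to a data unit, and prints the TSK command lines. The mmls table embedded in it is constructed from the fdisk listing in Al's mail (start = 63 for the first partition, lengths = fdisk "Blocks" * 2, partitions packed back to back), so the exact sector values are an assumption to be replaced by real `mmls -i raw /dev/sdb` output; the 8 sectors per cluster (4 KiB NTFS clusters) is likewise an assumption to be confirmed with `fsstat -o <start> /dev/sdb`.

```python
"""Map badblocks sector numbers to the partition that holds them and to the
data-unit address that `ifind -d` expects. Added example, not from the thread."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTOR_SIZE = 512  # mmls reports "Units are in 512-byte sectors" for this disk

# Constructed mmls output for the 160 GB disk in the thread. Start/end sectors
# are derived from the fdisk table in the mail (63 + block counts * 2); the real
# values must come from `mmls -i raw /dev/sdb`. Only the three primaries are listed.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utility (0xde)
03:  00:01   0000128520   0021100039   0020971520   NTFS / exFAT (0x07)
04:  00:02   0021100040   0307334663   0286234624   NTFS / exFAT (0x07)
"""


@dataclass
class Partition:
    slot: str
    start: int        # absolute start sector
    end: int          # absolute end sector, inclusive
    length: int       # sectors
    description: str


# Only rows whose slot looks like "00:01" are real table entries; the "Meta"
# and "-----" (unallocated) rows are skipped on purpose.
_ROW = re.compile(r"^\d+:\s+(\d\d:\d\d)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


def parse_mmls(text: str) -> List[Partition]:
    parts = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            slot, start, end, length, desc = m.groups()
            parts.append(Partition(slot, int(start), int(end), int(length), desc))
    return parts


def badblocks_to_sector(block: int, badblocks_bs: int = 512) -> int:
    """badblocks numbers blocks in units of its -b size (default 1024).
    The run in the thread used -b 512, so its numbers are already sectors."""
    if badblocks_bs % SECTOR_SIZE:
        raise ValueError("badblocks block size must be a multiple of 512")
    return block * (badblocks_bs // SECTOR_SIZE)


def locate(parts: List[Partition], abs_sector: int) -> Optional[Tuple[Partition, int]]:
    """Return (partition, partition-relative sector), or None when the sector
    lies outside every partition (table area, gaps, unallocated space)."""
    for p in parts:
        if p.start <= abs_sector <= p.end:
            return p, abs_sector - p.start
    return None


def tsk_commands(image: str, part: Partition, rel_sector: int,
                 sectors_per_unit: int) -> Dict[str, str]:
    """`ifind -d` wants a file system data unit (NTFS cluster / ext block), not
    a sector: divide the relative sector by the cluster size from fsstat."""
    unit = rel_sector // sectors_per_unit
    off = f"-i raw -o {part.start}"
    return {
        "data_unit": str(unit),
        "ifind": f"ifind {off} -d {unit} {image}",
        "istat": f"istat {off} {image} <inode>",
        "ffind": f"ffind {off} {image} <inode>",
    }


if __name__ == "__main__":
    parts = parse_mmls(MMLS_OUTPUT)
    bad = [22817408] + list(range(22817432, 22817442))  # sectors from the badblocks run
    for b in bad:
        hit = locate(parts, badblocks_to_sector(b, 512))
        if hit is None:
            print(f"{b}: not inside any partition")
            continue
        part, rel = hit
        # 8 sectors per cluster is an assumption; confirm with fsstat first.
        cmds = tsk_commands("/dev/sdb", part, rel, sectors_per_unit=8)
        print(f"{b}: {part.description} start={part.start} rel={rel} -> {cmds['ifind']}")
```

With the constructed table, sector 22817441 lands in the third partition (start 21100040), relative sector 1717401, cluster 214675, so the command to run is `ifind -i raw -o 21100040 -d 214675 /dev/sdb`; the istat and ffind lines then reuse the same -o offset with the inode ifind returns. If fsstat reports a different cluster size, change `sectors_per_unit` rather than the arithmetic.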
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
