Re: [sleuthkit-developers] [TSK & PhotoRec] File Block problem
From: Michael C. <scu...@gm...> - 2009-08-18 14:17:02
On Tue, Aug 18, 2009 at 10:00 AM, Stefano Guidobaldi<ste...@ya...> wrote:

Hi Stefano,

> I have a problem in performing a new feature in PhotoRec.
> Photorec carves file from corrupted hard drives and saves them in default
> directories named "recup_dir.*".
> It saves file in the format "f0000000.extension", where number represents
> the offset of the file from the start of the disk image, divided by
> blocksize.

This scheme might lead to problems when dealing with very small resident files as they might be at different disk offsets, but within the same block (so they get the same name). Resident files live in the MFT and are not block aligned. Similarly filesystems like Reiser are not block aligned btw.

> Now, I'm trying to use TSK in order to retrieve filenames from hdd, and
> then, writing some code in PhotoRec, I intend to add the feature of saving
> files with their own name, not the "f00000000.ext" stuff.
>
> Problem is, I don't find anything in TSK that tells me which physical blocks
> of hdd are allocated to a certain filename. Is there a way to retrieve this
> information?

Essentially you need to build a big table of all allocated blocks in all reachable files (do a filesystem walk, open each file, and get its block allocation) and map them back to the filename (or more correctly the inode). Then you can resolve which file contains any given block?

Here is something similar written using the python bindings:
http://code.google.com/p/aff4/source/browse/python/fsbuilder.py

> TSK gives me the inode metadata structure of every file, which could be
> useful, but totally useless in case the filesystem table of the original hdd
> is corrupted.

If the filesystem is corrupted you will not have block allocation or filename information, so you may not be able to resolve the filename.

> Thanks for the suggestions,

Thanks for working on photorec - great tool!!!

Michael.
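The block-to-file table described in the message above, as an added example that is not part of the original post and is not taken from TSK, PhotoRec or fsbuilder.py. It assumes the filesystem walk has already produced one run list per inode (`SAMPLE_WALK` is constructed data), that the number in a carved name is the block number as stated in the quoted text, and that the image starts at the filesystem's first block; all function names are hypothetical.

```python
import bisect
import re

# Constructed sample: (inode, name, [(start_block, block_count), ...]) as a
# filesystem walk would report it. Not taken from a real image.
SAMPLE_WALK = [
    (64, "docs/report.doc", [(1000, 8), (2048, 4)]),  # fragmented file
    (65, "img/holiday.jpg", [(1008, 16)]),
    (66, "notes.txt", []),  # resident in the MFT: owns no blocks
]

def build_block_index(walk):
    """Return (run starts, runs) with runs sorted by start block."""
    runs = sorted((start, start + count, inode, name)
                  for inode, name, extents in walk
                  for start, count in extents)
    # Sorted by start, any overlap shows up between neighbours. Two inodes
    # claiming one block means the allocation data cannot be trusted.
    for prev, cur in zip(runs, runs[1:]):
        if cur[0] < prev[1]:
            raise ValueError(f"blocks shared by inodes {prev[2]} and {cur[2]}")
    return [r[0] for r in runs], runs

def resolve_block(index, block):
    """Return (inode, name) owning `block`, or None if no file claims it."""
    starts, runs = index
    i = bisect.bisect_right(starts, block) - 1  # last run starting <= block
    if i >= 0 and block < runs[i][1]:           # run end is exclusive
        return runs[i][2], runs[i][3]
    return None

def resolve_carved_name(index, carved):
    """Map a carved name such as 'f0001008.jpg' to the file owning that block."""
    m = re.fullmatch(r"f(\d+)\.\w+", carved)
    if m is None:
        raise ValueError(f"not a carved file name: {carved!r}")
    return resolve_block(index, int(m.group(1)))

if __name__ == "__main__":
    index = build_block_index(SAMPLE_WALK)
    for carved in ("f0001008.jpg", "f0002050.doc", "f0000500.txt"):
        print(carved, "->", resolve_carved_name(index, carved))
```

The resident file (inode 66) never appears in the index because it owns no blocks, so a carved copy of it cannot be named by this lookup.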