Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I think I am having dialogue with myself here, but anyway this is what I did:

1. Imaged the disk with the badblocks
2. sudo fdisk -lu test_bad_disk.bin which gave:

al@al-ubuntu:~$ sudo fdisk -lu /home/al/test_bad_disk.bin 
You must set cylinders.
You can do this from the extra functions menu.

Disk /home/al/test_bad_disk.bin: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x70000000

                     Device Boot      Start         End      Blocks   Id 
System
/home/al/test_bad_disk.bin1              63      128519       64228+  de 
Dell Utility
/home/al/test_bad_disk.bin2          129024    21100543    10485760    7 
HPFS/NTFS
Partition 2 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(1313, 114, 17)
/home/al/test_bad_disk.bin3   *    21100544   307335167   143117312    7 
HPFS/NTFS
Partition 3 has different physical/logical beginnings (non-Linux?):
     phys=(1023, 254, 63) logical=(1313, 114, 18)
Partition 3 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(19130, 185, 63)
/home/al/test_bad_disk.bin4       307335168   312578047     2621440    f 
W95 Ext'd (LBA)
Partition 4 has different physical/logical beginnings (non-Linux?):
     phys=(1023, 254, 63) logical=(19130, 186, 1)
Partition 4 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(19457, 21, 20)
/home/al/test_bad_disk.bin5       307337216   312578047     2620416   dd 
Unknown

Now lets say I am interested on what should be on 22817440 (a bad block
taken from output of badbocks). This number falls between the start/end
sectors for partition 2.

So I try this command with ifind:

al@al-ubuntu:~$ sudo ifind -f ntfs -d 22817440 -o 21100544
/home/al/test_bad_disk.bin

And the result is:

99512-128-4

I have no idea what that number means, what to do with it, or even if I put
the right offset in for my partition, or even if the badblocks block number
can go straight into the ifind command -d?

Love to hear from anyone who can tell me the answers to these questions.

Cheers

-Al

-- 
View this message in context: http://old.nabble.com/icat-and-ifind----Help-with----Please-DO-NOT-hijack-threads-tp26452166p26456925.html
Sent from the sleuthkit-users mailing list archive at Nabble.com.