Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Theodore P. <te...@gm...> - 2009-11-21 15:04:48
Run:

mmls -i raw /dev/sdb

That will print out the partition table with the absolute sector start and end values. Next, you will want to use ifind with the -o argument to tell it what absolute sector the partition begins at and the -d argument to indicate the relative sector number (absolute sector number - absolute sector number of partition start) you're interested in.

For your example absolute sector of 22817441, let's assume the partition containing it starts at 22817300. Your relative sector number would be 22817441 - 22817300 = 141. So you would run:

ifind -i raw -o 22817300 -d 141 <dd image or /dev device>

BTW, if you use a dd image, you may be able to drop the -i raw.

ifind will tell you the inode number(s) for the file the data block is associated with. An inode is a metadata structure that contains information for a file or directory. What information it contains depends on the file system type, but knowing the inode number uniquely identifies a file or directory. And yes, ifind may return multiple inode numbers because a data block may have been reallocated - normally this means only one of the returned inodes is allocated and the rest are unallocated (represents a deleted file/directory). If you find two allocated inodes referencing the same data block, then you either have a hard linked file (intentional and valid for some filesystem types) OR a cross linked one (corrupted file system).

Once you have the inode number, you can run:

istat -i raw -o <partition start absolute sector> <dd image or /dev device> <inode number>

to show you useful information about the inode including whether or not it is allocated, its relative name and what data clusters are allocated to it. 1 cluster = multiple sectors and cluster size is defined by the file system format of the partition.

Then you can run ffind with the same arguments to give you the full path and filename:

ffind -i raw -o <partition start absolute sector> <dd image or /dev device> <inode number>

However, if your bad block is being used to house inodes, then istat and ffind may fail because they may not be able to valid data needed to traverse the file system.

On Sat, Nov 21, 2009 at 6:33 AM, Al Grant <big...@gm...> wrote:
>
> Disk /dev/sdb: 160.0 GB, 160041885696 bytes
> 255 heads, 63 sectors/track, 19457 cylinders
> Units = cylinders of 16065 * 512 = 8225280 bytes
> Disk identifier: 0x70000000
>
>    Device Boot      Start         End      Blocks   Id  System
> /dev/sdb1               1           8       64228+  de  Dell Utility
> /dev/sdb2               9        1314    10485760    7  HPFS/NTFS
> /dev/sdb3   *        1314       19131   143117312    7  HPFS/NTFS
> /dev/sdb4           19131       19458     2621440    f  W95 Ext'd (LBA)
> /dev/sdb5           19131       19458     2620416   dd  Unknown
>
> al@al-ubuntu:~$ sudo badblocks -b 512 -vs /dev/sdb
> Checking blocks 0 to 312581807
> Checking for bad blocks (read-only test): 22817408done, 4:46 elapsed
> 22817432done, 5:55 elapsed
> 22817433done, 6:18 elapsed
> 22817434done, 6:42 elapsed
> 22817435done, 7:05 elapsed
> 22817436done, 7:28 elapsed
> 22817437done, 7:51 elapsed
> 22817438done, 8:14 elapsed
> 22817439done, 8:37 elapsed
> 22817440
> 22817441
>
> For example how do I determine which partition 22817441 resides on?
>
> -Al
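The partition lookup described in the reply above, scripted as an added example (not code from the thread or from The Sleuth Kit): it parses constructed mmls-style and badblocks output, maps every bad absolute sector (not just one) to its partition and to the relative sector that ifind -d needs, and builds the matching ifind command line. The partition starts below are approximations derived from the fdisk cylinder numbers quoted above (cylinder boundary * 16065 sectors), not values measured on that disk.

```python
import re
from typing import NamedTuple

# Constructed mmls-style output (not real tool output). Starts and lengths are
# approximated from the fdisk listing in the thread: cylinder boundary * 16065.
MMLS_OUTPUT = """\
     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utility (0xde)
03:  00:01   0000128520   0021100039   0020971520   NTFS (0x07)
04:  00:02   0021100040   0307334663   0286234624   NTFS (0x07)
"""
# Constructed badblocks output in the run-together shape seen in the thread.
BADBLOCKS_OUTPUT = """\
Checking blocks 0 to 312581807
Checking for bad blocks (read-only test): 22817408done, 4:46 elapsed
22817432done, 5:55 elapsed
22817441
"""

class Partition(NamedTuple):
    start: int   # absolute start sector: the value to pass as -o
    end: int     # absolute end sector, inclusive
    desc: str

# columns: index, slot, start, end, length, description
MMLS_ROW = re.compile(r"^\s*\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+(.*?)\s*$")
# a bad sector is a number at line start or after "test): ", followed by "done" or line end
BAD_SECTOR = re.compile(r"(?m)(?:^|:\s+)(\d+)(?=done|\s*$)")

def parse_mmls(text):
    parts = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line)
        if m and ":" in m.group(1):   # real slots look like 00:01; Meta/----- rows skipped
            parts.append(Partition(int(m.group(2)), int(m.group(3)), m.group(4)))
    return parts

def parse_badblocks(text):
    return sorted({int(n) for n in BAD_SECTOR.findall(text)})

def locate(sector, parts, image="/dev/sdb"):
    # Map an absolute sector to its partition and the relative sector ifind -d needs.
    for p in parts:
        if p.start <= sector <= p.end:
            rel = sector - p.start
            return {"desc": p.desc, "offset": p.start, "relative": rel,
                    "ifind": f"ifind -i raw -o {p.start} -d {rel} {image}"}
    return None   # sector lies outside every allocated partition
```

Run `locate(s, parse_mmls(MMLS_OUTPUT))` for each value from `parse_badblocks(BADBLOCKS_OUTPUT)`; a None result means the sector is in unallocated space or the partition table itself, where ifind cannot help.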