Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Grundy B. J T. <Bar...@ti...> - 2009-11-21 15:48:56
I should point out that the exercise on pg 150 is for an ext file system, but there are also exercises for NTFS that will help you decipher the other "numbers" (MFT entries) you were asking about.

Barry

/************************************************
Barry J. Grundy
Senior Special Agent
System Intrusion and Network Attack Response Team
Strategic Enforcement Division
Treasury Inspector General for Tax Administration
(202) 283-5915 (w)
(202) 527-5778 (c)
Bar...@ti...
*************************************************\

> -----Original Message-----
> From: Grundy Barry J TIGTA [mailto:Bar...@ti...]
> Sent: Saturday, November 21, 2009 10:32 AM
> To: sle...@li...
> Subject: Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
>
> Al,
>
> May I point you to the LinuxIntro guide at http://www.linuxleo.com ?
>
> The exercise on page 150 of the current guide answers (I think) a lot of
> your questions with examples and graphics to assist.
>
> On a side note, for those who have been asking, portions of the updated
> guide are currently in review.
>
> Thanks,
> Barry
>
> /************************************************
> Barry J. Grundy
> Senior Special Agent
> System Intrusion and Network Attack Response Team
> Strategic Enforcement Division
> Treasury Inspector General for Tax Administration
> (202) 283-5915 (w)
> (202) 527-5778 (c)
> Bar...@ti...
> *************************************************\
>
> > -----Original Message-----
> > From: Al Grant [mailto:big...@gm...]
> > Sent: Saturday, November 21, 2009 9:11 AM
> > To: sle...@li...
> > Subject: Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
> >
> > I think I am having dialogue with myself here, but anyway this is what I did:
> >
> > 1. Imaged the disk with the badblocks
> > 2. sudo fdisk -lu test_bad_disk.bin which gave:
> >
> > al@al-ubuntu:~$ sudo fdisk -lu /home/al/test_bad_disk.bin
> > You must set cylinders.
> > You can do this from the extra functions menu.
> >
> > Disk /home/al/test_bad_disk.bin: 0 MB, 0 bytes
> > 255 heads, 63 sectors/track, 0 cylinders, total 0 sectors
> > Units = sectors of 1 * 512 = 512 bytes
> > Disk identifier: 0x70000000
> >
> >                      Device Boot      Start         End      Blocks   Id  System
> > /home/al/test_bad_disk.bin1              63      128519      64228+   de  Dell Utility
> > /home/al/test_bad_disk.bin2          129024    21100543    10485760    7  HPFS/NTFS
> > Partition 2 has different physical/logical endings:
> >      phys=(1023, 254, 63) logical=(1313, 114, 17)
> > /home/al/test_bad_disk.bin3   *    21100544   307335167   143117312    7  HPFS/NTFS
> > Partition 3 has different physical/logical beginnings (non-Linux?):
> >      phys=(1023, 254, 63) logical=(1313, 114, 18)
> > Partition 3 has different physical/logical endings:
> >      phys=(1023, 254, 63) logical=(19130, 185, 63)
> > /home/al/test_bad_disk.bin4       307335168   312578047     2621440    f  W95 Ext'd (LBA)
> > Partition 4 has different physical/logical beginnings (non-Linux?):
> >      phys=(1023, 254, 63) logical=(19130, 186, 1)
> > Partition 4 has different physical/logical endings:
> >      phys=(1023, 254, 63) logical=(19457, 21, 20)
> > /home/al/test_bad_disk.bin5       307337216   312578047     2620416   dd  Unknown
> >
> > Now let's say I am interested in what should be on 22817440 (a bad block
> > taken from output of badblocks). This number falls between the start/end
> > sectors for partition 2.
> >
> > So I try this command with ifind:
> >
> > al@al-ubuntu:~$ sudo ifind -f ntfs -d 22817440 -o 21100544 /home/al/test_bad_disk.bin
> >
> > And the result is:
> >
> > 99512-128-4
> >
> > I have no idea what that number means, what to do with it, or even if I put
> > the right offset in for my partition, or even if the badblocks block number
> > can go straight into the ifind command -d?
> >
> > Love to hear from anyone who can tell me the answers to these questions.
> >
> > Cheers
> >
> > -Al
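
Added example, not part of the original thread: ifind -d takes a data unit (cluster) address counted from the start of the file system, so a badblocks block number has to be rebased onto the partition and rescaled first. This script does that with the fdisk values quoted above and splits the NTFS address 99512-128-4 into MFT entry, attribute type and attribute id. The function names, the 512-byte badblocks block size and the 4096-byte cluster size are assumptions.

```shell
#!/bin/sh
# Added example; values are taken from the fdisk output quoted in the thread.
# Rows: partition number, start sector, end sector (512-byte sectors).
PARTS='1 63 128519
2 129024 21100543
3 21100544 307335167
4 307335168 312578047
5 307337216 312578047'

# Print "number start" for the partition holding an absolute sector.
# The last match wins, so a logical partition beats its extended container.
part_for_sector() {
    echo "$PARTS" | awk -v s="$1" '
        $2 <= s && s <= $3 { hit = $1 " " $2 }
        END { if (hit == "") exit 1; print hit }'
}

# Convert a badblocks block number into the data unit address for ifind -d.
# $1 block number   $2 badblocks block size in bytes (its -b value)
# $3 partition start sector   $4 cluster size in bytes (from fsstat)
bad_block_to_data_unit() {
    rel=$(( $1 * $2 - $3 * 512 ))
    [ "$rel" -ge 0 ] || return 1
    echo $(( rel / $4 ))
}

# Split an NTFS metadata address "entry-type-id" as printed by ifind.
describe_ntfs_addr() {
    entry=${1%%-*}; rest=${1#*-}
    atype=${rest%%-*}; id=${rest#*-}
    case "$atype" in
        16)  name='$STANDARD_INFORMATION' ;;
        48)  name='$FILE_NAME' ;;
        128) name='$DATA' ;;
        *)   name='other' ;;
    esac
    echo "mft_entry=$entry attr_type=$atype($name) attr_id=$id"
}

BLOCK=22817440   # block number reported in the thread
BS=512           # assumption: badblocks was run with -b 512
CLUSTER=4096     # assumption: confirm with fsstat on the partition
set -- $(part_for_sector $(( BLOCK * BS / 512 )))
echo "partition $1 starts at sector $2"
echo "ifind -d value: $(bad_block_to_data_unit "$BLOCK" "$BS" "$2" "$CLUSTER")"
describe_ntfs_addr 99512-128-4
# The MFT entry (99512) is what istat, ffind and icat take, with the same -o.
```

badblocks counts in 1024-byte blocks unless -b says otherwise, so the block size passed as the second argument has to match how the scan was actually run.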