Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Al G. <big...@gm...> - 2009-11-21 23:23:09
Thanks Theodore, I had a quick crack at following your instructions and got this:

al@al-ubuntu:~$ sudo mmls -i raw /home/al/test_bad_disk.bin
[sudo] password for al:
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utilities FAT (0xde)
03:  -----   0000128520   0000129023   0000000504   Unallocated
04:  00:01   0000129024   0021100543   0020971520   NTFS (0x07)
05:  00:02   0021100544   0307335167   0286234624   NTFS (0x07)
06:  00:03   0307335168   0312578047   0005242880   Win95 Extended (0x0F)
07:  -----   0307335168   0307335168   0000000001   Extended Table (#1)
08:  -----   0307335169   0307337215   0000002047   Unallocated
09:  01:00   0307337216   0312578047   0005240832   Hidden CTOS Memdump? (0xdd)
10:  -----   0312578048   0312581807   0000003760   Unallocated

Now let's say I am interested in what's on bad block 22817441. This falls on one of the NTFS partitions (slot 05). The relative bad sector is now 22817441 - 21100544 = 1716879.

Thus:

al@al-ubuntu:~$ sudo ifind -i raw -o 21100544 -d 1716879 /dev/sdb
9845-128-4

Then:

al@al-ubuntu:~$ sudo istat -i raw -o 21100544 /dev/sdb 9845-128-4
MFT Entry Header Values:
Entry: 9845        Sequence: 1
$LogFile Sequence Number: 1747782526
Allocated File
Links: 2

$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Created:        Thu Nov  2 23:43:10 2006
File Modified:  Thu Nov  2 23:41:55 2006
MFT Modified:   Wed Mar 12 04:09:31 2008
Accessed:       Thu Nov  2 23:41:55 2006

$FILE_NAME Attribute Values:
Flags: Archive
Name: x86_microsoft-windows-font-truetype-mingliub_31bf3856ad364e35_6.0.6000.16386_none_c6eae5a23b4a0d1e_mingliub.ttc_b8743970
Parent MFT Entry: 2239        Sequence: 1
Allocated Size: 0        Actual Size: 0
Created:        Wed Mar 12 04:09:31 2008
File Modified:  Wed Mar 12 04:09:31 2008
MFT Modified:   Wed Mar 12 04:09:31 2008
Accessed:       Wed Mar 12 04:09:31 2008

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-3)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-2)   Name: N/A   Resident   size: 306
Type: $DATA (128-4)   Name: $Data   Non-Resident   size: 33791880
1715691 1715692 1715693 1715694 1715695 1715696 1715697 1715698
1715699 1715700 1715701 1715702 1715703 1715704 1715705 1715706
1715707 1715708 1715709 1715710 1715711 1715712 1715713 1715714
1715715 1715716 1715717 1715718 1715719 1715720 1715721 1715722
LOTS MORE NUMBERS

And ffind:

al@al-ubuntu:~$ sudo ffind -i raw -o 21100544 /dev/sdb 9845-128-4
/Windows/winsxs/Backup/x86_microsoft-windows-font-truetype-mingliub_31bf3856ad364e35_6.0.6000.16386_none_c6eae5a23b4a0d1e_mingliub.ttc_b8743970
al@al-ubuntu:~$

A little bit of trouble interpreting this result, as it's not a file name and path that I am used to seeing. Is it something in C:\Windows\winsxs\Backup\????

Cheers
-Al

--
View this message in context: http://old.nabble.com/icat-and-ifind----Help-with----Please-DO-NOT-hijack-threads-tp26452166p26461410.html
Sent from the sleuthkit-users mailing list archive at Nabble.com.
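The procedure in the post above (mmls to find the partition, subtract its start sector, hand the result to ifind, then istat/ffind to name the owning file), as an added Python example that is not code from the thread or from The Sleuth Kit. It parses a constructed copy of the mmls table shown in the post, picks the innermost entry containing the sector (so a sector inside an extended partition resolves to the logical partition or extended table it actually hits, and a sector in an unallocated gap is reported as having no file system), does the subtraction in code, and converts the partition-relative sector to a file-system data unit: ifind -d and the block list istat prints are in data units (NTFS clusters), not sectors. The image path /dev/sdb is the one from the post; the 4096-byte NTFS cluster size is an assumed value that you would read from fsstat on the real volume.

```python
"""Resolve an absolute disk sector (a bad block) to a TSK partition and the
ifind/istat/ffind commands that identify the file stored there.
Added example for the sleuthkit-users thread; not The Sleuth Kit's own code."""
import re

# Constructed sample input: the mmls table from the post, as mmls prints it.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utilities FAT (0xde)
03:  -----   0000128520   0000129023   0000000504   Unallocated
04:  00:01   0000129024   0021100543   0020971520   NTFS (0x07)
05:  00:02   0021100544   0307335167   0286234624   NTFS (0x07)
06:  00:03   0307335168   0312578047   0005242880   Win95 Extended (0x0F)
07:  -----   0307335168   0307335168   0000000001   Extended Table (#1)
08:  -----   0307335169   0307337215   0000002047   Unallocated
09:  01:00   0307337216   0312578047   0005240832   Hidden CTOS Memdump? (0xdd)
10:  -----   0312578048   0312581807   0000003760   Unallocated
"""

ROW_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
UNITS_RE = re.compile(r"Units are in (\d+)-byte sectors")


class Partition:
    def __init__(self, index, slot, start, end, length, description):
        self.index = index              # mmls row number (05)
        self.slot = slot                # "00:02" for a table slot, "-----" for gaps
        self.start, self.end = start, end   # absolute sectors, end inclusive
        self.length = length
        self.description = description

    @property
    def has_filesystem(self):
        # Only rows backed by a partition-table slot (NN:NN) can hold a file
        # system; "Unallocated" and the table entries print dashes instead.
        return re.fullmatch(r"\d+:\d+", self.slot) is not None


def parse_mmls(text):
    """Return (sector_size, [Partition, ...]) from mmls text output."""
    sector_size, parts = 512, []
    for line in text.splitlines():
        m = UNITS_RE.search(line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = ROW_RE.match(line)
        if m:
            idx, slot, start, end, length, desc = m.groups()
            parts.append(Partition(int(idx), slot, int(start), int(end),
                                   int(length), desc))
    return sector_size, parts


def locate_sector(parts, sector):
    """Innermost mmls row containing an absolute sector, or None.
    An extended partition (0x0F) overlaps the extended table and the logical
    partitions inside it, so the shortest containing row is the real home."""
    hits = [p for p in parts if p.start <= sector <= p.end]
    return min(hits, key=lambda p: p.length) if hits else None


def sector_to_data_unit(rel_sector, sector_size, cluster_size):
    """Partition-relative sector -> file-system data unit (NTFS cluster).
    ifind -d and the istat block list use data units, not sectors."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of the sector size")
    return rel_sector // (cluster_size // sector_size)


def tsk_commands(image, bad_sector, cluster_size, mmls_text=MMLS_OUTPUT):
    """Map a bad sector to the commands that name the file occupying it."""
    sector_size, parts = parse_mmls(mmls_text)
    part = locate_sector(parts, bad_sector)
    if part is None:
        return {"status": "outside table"}
    rel = bad_sector - part.start
    if not part.has_filesystem:
        return {"status": "no filesystem", "entry": part.description,
                "relative_sector": rel}
    unit = sector_to_data_unit(rel, sector_size, cluster_size)
    off = f"-o {part.start}"
    return {
        "status": "ok", "entry": part.description,
        "relative_sector": rel, "data_unit": unit,
        # ifind prints an MFT entry such as 9845-128-4; pass it to istat/ffind.
        "ifind": f"ifind -i raw {off} -d {unit} {image}",
        "istat": f"istat -i raw {off} {image} <entry>",
        "ffind": f"ffind -i raw {off} {image} <entry>",
    }


if __name__ == "__main__":
    for sector in (22817441, 307335168, 50):
        print(sector, tsk_commands("/dev/sdb", sector, cluster_size=4096))
```

Run the parser on the saved output of mmls and it tells you which -o offset to use and the data unit to give ifind; the istat block list can then be scanned for that same unit number to confirm the file really covers the bad block before you decide whether it matters.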