Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Theodore P. <te...@gm...> - 2009-11-22 01:55:31
Folks, ignore this. I think I forgot to map the physical sector to a partition relative cluster number. I'll repost shortly when I double check this on real data.

On Sat, Nov 21, 2009 at 10:04 AM, Theodore Pham <te...@gm...> wrote:
> Run mmls -i raw /dev/sdb
>
> That will print out the partition table with the absolute sector start
> and end values.
>
> Next, you will want to use ifind with the -o argument to tell it what
> absolute sector the partition begins at and the -d argument to
> indicate the relative sector number (absolute sector number - absolute
> sector number of partition start) you're interested in.
>
> For your example absolute sector of 22817441, let's assume the
> partition containing it starts at 22817300. Your relative sector
> number would be 22817441 - 22817300 = 141. So you would run:
>
> ifind -i raw -o 22817300 -d 141 <dd image or /dev device>
>
> BTW, if you use a dd image, you may be able to drop the -i raw.
>
> ifind will tell you the inode number(s) for the file the data block is
> associated with. An inode is a metadata structure that contains
> information for a file or directory. What information it contains
> depends on the file system type, but knowing the inode number uniquely
> identifies a file or directory. And yes, ifind may return multiple
> inode numbers because a data block may have been reallocated -
> normally this means only one of the returned inodes is allocated and
> the rest are unallocated (represents a deleted file/directory). If
> you find two allocated inodes referencing the same data block, then
> you either have a hard linked file (intentional and valid for some
> filesystem types) OR a cross linked one (corrupted file system.)
>
> Once you have the inode number, you can run:
>
> istat -i raw -o <partition start absolute sector> <dd image or /dev device> <inode number>
>
> to show you useful information about the inode including whether or
> not it is allocated, its relative name and what data clusters are
> allocated to it. 1 cluster = multiple sectors and cluster size is
> defined by the file system format of the partition.
>
> Then you can run ffind with the same arguments to give you the full
> path and filename:
>
> ffind -i raw -o <partition start absolute sector> <dd image or /dev device> <inode number>
>
> However, if your bad block is being used to house inodes, then istat
> and ffind may fail because they may not be able to valid data needed
> to traverse the file system.
>
> On Sat, Nov 21, 2009 at 6:33 AM, Al Grant <big...@gm...> wrote:
>>
>> Disk /dev/sdb: 160.0 GB, 160041885696 bytes
>> 255 heads, 63 sectors/track, 19457 cylinders
>> Units = cylinders of 16065 * 512 = 8225280 bytes
>> Disk identifier: 0x70000000
>>
>>    Device Boot      Start         End      Blocks   Id  System
>> /dev/sdb1               1           8       64228+  de  Dell Utility
>> /dev/sdb2               9        1314    10485760    7  HPFS/NTFS
>> /dev/sdb3   *        1314       19131   143117312    7  HPFS/NTFS
>> /dev/sdb4           19131       19458     2621440    f  W95 Ext'd (LBA)
>> /dev/sdb5           19131       19458     2620416   dd  Unknown
>> al@al-ubuntu:~$ sudo badblocks -b 512 -vs /dev/sdb
>> Checking blocks 0 to 312581807
>> Checking for bad blocks (read-only test): 22817408done, 4:46 elapsed
>> 22817432done, 5:55 elapsed
>> 22817433done, 6:18 elapsed
>> 22817434done, 6:42 elapsed
>> 22817435done, 7:05 elapsed
>> 22817436done, 7:28 elapsed
>> 22817437done, 7:51 elapsed
>> 22817438done, 8:14 elapsed
>> 22817439done, 8:37 elapsed
>> 22817440
>> 22817441
>>
>> For example how do I determine which partition 22817441 resides on?
>>
>> -Al
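The mapping the top post says was missing (absolute sector from badblocks, to the partition that holds it via mmls, to the partition-relative sector, to the partition-relative cluster that ifind -d expects) is small enough to script. The following is an added example written for this thread; it is not code from the sleuthkit project or from either poster. It assumes 512-byte sectors (badblocks was run with -b 512), an NTFS cluster of 8 sectors (4 KiB, the NTFS default, an assumption that must be checked against the real volume), a dd image named disk.dd, and a constructed mmls-style partition table whose offsets are invented to sit around the sectors quoted above; only the bad-sector numbers come from the thread.

```python
#!/usr/bin/env python3
"""Map absolute bad sectors (as reported by `badblocks -b 512`) to the
partition that holds them, then to the partition-relative sector and the
partition-relative cluster number, and emit the matching ifind command.

Added example for this thread, not code from the sleuthkit project.
Assumptions: 512-byte sectors, 8 sectors per cluster, image name disk.dd,
and an invented mmls-style partition table (MMLS_OUTPUT below)."""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTORS_PER_CLUSTER = 8   # assumption: NTFS default 4 KiB clusters, 512-byte sectors


@dataclass(frozen=True)
class Partition:
    slot: str
    start: int        # absolute sector of the partition's first sector
    end: int          # absolute sector of its last sector (inclusive)
    description: str


# Constructed mmls-style output; the layout is invented, not Al's disk.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utility (0xde)
03:  00:01   0000128520   0021100039   0020971520   NTFS (0x07)
04:  00:02   0022817300   0309012819   0286195520   NTFS (0x07)
05:  00:03   0309012820   0312581807   0003568988   DOS Extended (0x05)
"""

# Constructed from the badblocks session quoted in the thread.
BADBLOCKS_OUTPUT = """\
Checking blocks 0 to 312581807
Checking for bad blocks (read-only test): 22817408done, 4:46 elapsed
22817432done, 5:55 elapsed
22817433done, 6:18 elapsed
22817434done, 6:42 elapsed
22817435done, 7:05 elapsed
22817436done, 7:28 elapsed
22817437done, 7:51 elapsed
22817438done, 8:14 elapsed
22817439done, 8:37 elapsed
22817440
22817441
"""

MMLS_ROW = re.compile(r"^\s*\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
# badblocks -s glues "done, M:SS elapsed" progress text onto some numbers.
BAD_SECTOR = re.compile(r"(?:^|:\s*)(\d+)(?:done\b|$)")


def parse_mmls(text: str) -> List[Partition]:
    """Return the real partitions from mmls output, skipping the table's own
    entry and unallocated gaps, and cross-checking each row's length."""
    parts = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line)
        if not m or m.group(1) in ("Meta", "-----"):
            continue
        slot, start, end, length, desc = m.groups()
        start, end, length = int(start), int(end), int(length)
        if end - start + 1 != length:
            raise ValueError(f"inconsistent mmls row: {line!r}")
        parts.append(Partition(slot, start, end, desc))
    return parts


def parse_badblocks(text: str) -> List[int]:
    """Extract the absolute bad sector numbers from badblocks -v -s output."""
    return [int(m.group(1)) for line in text.splitlines()
            if (m := BAD_SECTOR.search(line.strip()))]


@dataclass(frozen=True)
class SectorMapping:
    sector: int                      # absolute sector from badblocks
    partition: Optional[Partition]   # None if outside every partition
    rel_sector: Optional[int]        # sector - partition.start
    rel_cluster: Optional[int]       # rel_sector // SECTORS_PER_CLUSTER (ifind -d)


def map_sector(parts: List[Partition], sector: int,
               sectors_per_cluster: int = SECTORS_PER_CLUSTER) -> SectorMapping:
    """Find the partition containing an absolute sector and convert it to
    the partition-relative sector and cluster numbers."""
    for p in parts:
        if p.start <= sector <= p.end:
            rel = sector - p.start
            return SectorMapping(sector, p, rel, rel // sectors_per_cluster)
    return SectorMapping(sector, None, None, None)


def ifind_commands(parts: List[Partition], sectors: List[int],
                   image: str = "disk.dd") -> List[str]:
    """One ifind per distinct (partition, cluster): -o is the partition's
    absolute start sector, -d the partition-relative cluster number."""
    targets = set()
    for s in sectors:
        m = map_sector(parts, s)
        if m.partition is not None:
            targets.add((m.partition.start, m.rel_cluster))
    return [f"ifind -o {start} -d {cluster} {image}" for start, cluster in sorted(targets)]


if __name__ == "__main__":
    parts = parse_mmls(MMLS_OUTPUT)
    for s in parse_badblocks(BADBLOCKS_OUTPUT):
        m = map_sector(parts, s)
        if m.partition is None:
            print(f"sector {s}: not inside any partition")
        else:
            print(f"sector {s}: {m.partition.description} (start {m.partition.start}), "
                  f"relative sector {m.rel_sector}, relative cluster {m.rel_cluster}")
    for cmd in ifind_commands(parts, parse_badblocks(BADBLOCKS_OUTPUT)):
        print(cmd)
```

With the constructed table, sector 22817441 lands 141 sectors into the partition starting at 22817300, which is cluster 17 at 8 sectors per cluster, so the run of eleven bad sectors collapses to three ifind invocations (clusters 13, 16 and 17). The cluster size is the value to get right before trusting any of this: read it from the volume itself (fsstat with the same -o offset reports it for NTFS) rather than assuming the default, since a wrong cluster size silently points ifind at the wrong file.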