Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Theodore P. <te...@gm...> - 2009-11-22 02:51:21
On Sat, Nov 21, 2009 at 8:47 PM, Theodore Pham <te...@gm...> wrote:
> Folks, ignore this. I think I forgot to map the physical sector to a
> partition relative cluster number. I'll repost shortly when I double
> check this on real data.

Ok, let's try this again but with the proper physical sector to partition relative block/cluster mapping this time. I was looking at a really old script I wrote the first time I tried to write this up and of course that script was wrong. Sorry.

Run

mmls -i raw /dev/sdb

BTW, if you use a dd image, you may be able to drop the -i raw from this command and the rest of the TSK commands.

That will print out the partition table with the absolute sector start and end values and the sector size (usually 512 bytes.) Find the partition that your absolute sector value belongs to and note the absolute start sector.

Next, you need to know the cluster (aka block) size for the filesystem in the partition you care about. Run

fsstat -i raw -o <absolute start sector of partition> <dd image file or /dev device>

You'll see output that should include:

<begin excerpt>
CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 26522894
Total Range in Image: 0 - 26522262
Total Sector Range: 0 - 212183166
<end excerpt>

That example output snippet comes from an NTFS partition and usually NTFS uses a cluster size of 4096 bytes, but this is configurable at format time.

Now calculate the partition relative cluster number using this formula:

Partition relative cluster number = (Absolute sector number in question - Absolute sector number of partition start) * sector size / cluster size

If the result is a floating point number, then you just want the integer part.
Going back to your absolute sector of 22817441 and assuming the absolute sector number of partition start is 22817300, sector size is 512, and cluster size is 4096, then:

(22817441 - 22817300) * 512 / 4096 = 17.625

So your partition relative cluster number is 17.

Now use ifind with the -o argument to tell it what absolute sector the partition begins at and the -d argument to indicate the partition relative cluster number you're interested in. For your example absolute sector of 22817441, let's assume the partition containing it starts at 22817300. Your relative sector number would be 22817441 - 22817300 = 141. So you would run:

ifind -i raw -o 22817300 -d 17 <dd image or /dev device>

ifind will tell you the inode number(s) for the file the data block is associated with. An inode is a metadata structure that contains information for a file or directory. What information it contains depends on the file system type, but knowing the inode number uniquely identifies a file or directory.

And yes, ifind may return multiple inode numbers because a data block may have been reallocated - normally this means only one of the returned inodes is allocated and the rest are unallocated (represents a deleted file/directory). If you find two allocated inodes referencing the same data block, then you either have a hard linked file (intentional and valid for some filesystem types) OR a cross linked one (corrupted file system.)

Once you have the inode number, you can run:

istat -i raw -o <partition start absolute sector> <dd image or /dev device> <inode number>

to show you useful information about the inode including whether or not it is allocated, its relative name and what data clusters are allocated to it.
Then you can run ffind with the same arguments to give you the full path and filename:

ffind -i raw -o <partition start absolute sector> <dd image or /dev device> <inode number>

However, if your bad block is being used to house inodes, then istat and ffind may fail because they may not be able to read the valid data needed to traverse the file system.
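The mmls -> fsstat -> cluster arithmetic -> ifind/istat/ffind procedure in the post above, scripted as an added example (this is not code from the thread or from The Sleuth Kit). The mmls and fsstat text embedded below is constructed sample output modelled on the post's numbers, so the script runs offline; the helper names (find_part_start, fsstat_field, rel_cluster, tsk_plan) are this example's own. In real use you would feed it "$(mmls -i raw "$IMG")" and "$(fsstat -i raw -o "$START" "$IMG")" instead of the samples.

```shell
#!/bin/sh
# Added example: map an absolute sector to a partition-relative cluster and
# emit the TSK commands for it. SAMPLE_MMLS / SAMPLE_FSSTAT are constructed
# stand-ins for real `mmls -i raw /dev/sdb` and `fsstat -i raw -o START ...`.

SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0022817299   0022815252   Linux (0x83)
003:  000:001   0022817300   0234441647   0211624348   NTFS / exFAT (0x07)'

SAMPLE_FSSTAT='CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 26522894'

# find_part_start MMLS_TEXT ABS_SECTOR
# Prints the absolute start sector of the partition that contains ABS_SECTOR.
# Only rows whose Slot column looks like NNN:NNN are real partitions; the
# "Meta" row and "-------" (unallocated) rows are skipped. Returns 1 if the
# sector is outside every partition, which is the case a caller must check.
find_part_start() {
    printf '%s\n' "$1" | awk -v s="$2" '
        $2 ~ /^[0-9]+:[0-9]+$/ && ($3 + 0) <= (s + 0) && (s + 0) <= ($4 + 0) {
            print $3 + 0; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# fsstat_field FSSTAT_TEXT "Cluster Size"  -> numeric value of that line
fsstat_field() {
    printf '%s\n' "$1" | awk -F': ' -v k="$2" '$1 == k { print $2 + 0; exit }'
}

# rel_cluster ABS_SECTOR PART_START SECTOR_SIZE CLUSTER_SIZE
# Integer shell arithmetic discards the fraction, which is exactly the
# "just take the integer part" step of the formula in the post.
rel_cluster() {
    echo $(( ($1 - $2) * $3 / $4 ))
}

# tsk_plan IMAGE ABS_SECTOR MMLS_TEXT FSSTAT_TEXT
# Prints the ifind, istat and ffind commands for the sector, one per line.
tsk_plan() {
    img=$1 abs=$2
    start=$(find_part_start "$3" "$abs") || {
        echo "sector $abs lies outside every partition in the mmls output" >&2
        return 1
    }
    ssize=$(fsstat_field "$4" "Sector Size")
    csize=$(fsstat_field "$4" "Cluster Size")
    [ -n "$ssize" ] && [ -n "$csize" ] || {
        echo "could not read Sector Size / Cluster Size from fsstat output" >&2
        return 1
    }
    cl=$(rel_cluster "$abs" "$start" "$ssize" "$csize")
    printf 'ifind -i raw -o %s -d %s %s\n' "$start" "$cl" "$img"
    printf 'istat -i raw -o %s %s <inode from ifind>\n' "$start" "$img"
    printf 'ffind -i raw -o %s %s <inode from ifind>\n' "$start" "$img"
}

# Worked case from the post: absolute sector 22817441, partition at 22817300.
tsk_plan /dev/sdb 22817441 "$SAMPLE_MMLS" "$SAMPLE_FSSTAT"
```

Running the block prints "ifind -i raw -o 22817300 -d 17 /dev/sdb" followed by the istat and ffind lines with an inode placeholder, since the inode is only known after ifind runs. The two early returns cover the mistakes the thread itself ran into: a sector that is not inside the partition you think it is, and a missing cluster size that would otherwise silently break the division.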