Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Al G. <big...@gm...> - 2009-11-22 07:35:21
Hi Theodore, I think I followed your instructions ok. Let's see what I got:

Theodore Pham wrote:
>
> On Sat, Nov 21, 2009 at 8:47 PM, Theodore Pham <te...@gm...> wrote:
> Ok, let's try this again but with the proper physical sector to
> partition relative block/cluster mapping this time. I was looking at
> a really old script I wrote the first time I tried to write this up
> and of course that script was wrong. Sorry.
>
> Run mmls -i raw /dev/sdb
>

al@al-ubuntu:~$ sudo mmls /dev/sdb
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utilities FAT (0xde)
03:  -----   0000128520   0000129023   0000000504   Unallocated
04:  00:01   0000129024   0021100543   0020971520   NTFS (0x07)
05:  00:02   0021100544   0307335167   0286234624   NTFS (0x07)
06:  00:03   0307335168   0312578047   0005242880   Win95 Extended (0x0F)
07:  -----   0307335168   0307335168   0000000001   Extended Table (#1)
08:  -----   0307335169   0307337215   0000002047   Unallocated
09:  01:00   0307337216   0312578047   0005240832   Hidden CTOS Memdump? (0xdd)
10:  -----   0312578048   0312581807   0000003760   Unallocated

Theodore Pham wrote:
>
> Next, you need to know the cluster (aka block) size for the filesystem
> in the partition you care about.
>
> Run fsstat -i raw -o <absolute start sector of partition> <dd image
> file or /dev device>
>

Now I know from badblocks that one of the badblocks is 22817441. I can see that this number falls in the range of one of the partitions that is listed as starting at 21100544.

So the offset in fsstat is:

al@al-ubuntu:~$ sudo fsstat -o 21100544 /dev/sdb
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: NTFS
Volume Serial Number: 8C3E8ADC3E8ABF28
OEM Name: NTFS
Volume Name:
OS Version: Windows XP

METADATA INFORMATION
--------------------------------------------
First Cluster of MFT: 786432
First Cluster of MFT Mirror: 18217343
Size of MFT Entries: 1024 bytes
Size of Index Records: 4096 bytes
Range: 0 - 137151
Root Directory: 5

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 35779325
Total Sector Range: 0 - 286234607
<SNIP>

Theodore Pham wrote:
>
> Now calculate the partition relative cluster number using this formula
>
> Partition relative cluster number = (Absolute sector number in
> question - Absolute sector number of partition start) * sector size /
> cluster size
>
> If the result is a floating point number, then you just want the integer
> part.
>

Ok, not sure I have done this step right, but plugging in my numbers:

Partition Relative Cluster Number = (22817441 - 21100544) * 512/4096
  = 1716897 * 0.125
  = 214612.125
  = 214612 (integer only)

Theodore Pham wrote:
>
> Now use ifind with the -o argument to tell it what absolute sector the
> partition begins at and the -d argument to indicate the partition
> relative cluster number you're interested in.
>
> For your example absolute sector of 22817441, let's assume the
> partition containing it starts at 22817300. Your relative sector
> number would be 22817441 - 22817300 = 141.
>
> So you would run:
>
> ifind -i raw -o 22817300 -d 17 <dd image or /dev device>
>

Ok, again plugging in my numbers:

al@al-ubuntu:~$ sudo ifind -o 21100544 -d 214612 /dev/sdb
51798-128-3

Theodore Pham wrote:
>
> Once you have the inode number, you can run:
>
> istat -i raw -o <partition start absolute sector> <dd image or /dev
> device> <inode number>
>

al@al-ubuntu:~$ sudo istat -o 21100544 /dev/sdb 51798-128-3 |more
MFT Entry Header Values:
Entry: 51798        Sequence: 1
$LogFile Sequence Number: 19669486580
Allocated File
Links: 1

$STANDARD_INFORMATION Attribute Values:
Flags: Hidden, System, Archive, Sparse
Owner ID: 0
Created:        Tue Mar 11 20:43:50 2008
File Modified:  Tue Mar 11 20:43:50 2008
MFT Modified:   Tue Mar 11 20:43:50 2008
Accessed:       Tue Mar 11 20:43:50 2008

$FILE_NAME Attribute Values:
Flags: Hidden, System, Archive, Sparse
Name: $UsnJrnl
Parent MFT Entry: 11    Sequence: 11
Allocated Size: 0       Actual Size: 0
Created:        Tue Mar 11 20:43:50 2008
File Modified:  Tue Mar 11 20:43:50 2008
MFT Modified:   Tue Mar 11 20:43:50 2008
Accessed:       Tue Mar 11 20:43:50 2008

Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-1)   Name: N/A   Resident   size: 82
Type: $DATA (128-3)   Name: $J   Non-Resident, Sparse   size: 5296921952
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
<SNIP>
24670595 24670596 24670597 24670598 24670599 24670600 24670601 24670602
24670603 24670604 24670605 24670606 24670607 24670608 24670609 24670610
24670611 24670612 24670613 24670614 24670615 24670616 24670617 24670618
24670619 24670620 24670621 24670622 24670623 24670624 24670625 24670626
24670627 24670628 24670629 24670630 24670631 24670632 24670633 24670634
Type: $DATA (128-5)   Name: $Max   Resident   size: 32
al@al-ubuntu:~$

Theodore Pham wrote:
>
> to show you useful information about the inode including, whether or
> not it is allocated, its relative name and what data clusters are
> allocated to it.
>
> Then you can run ffind with the same arguments to give you the full
> path and filename:
>
> ffind -i raw -o <partition start absolute sector> <dd image or /dev
> device> <inode number>
>

Now this last bit of information is very cryptic:

al@al-ubuntu:~$ sudo ffind -o 21100544 /dev/sdb 51798-128-3
/$Extend/$UsnJrnl:$J
al@al-ubuntu:~$

So I would like to know if you think I have followed the instructions correctly? I am not sure what file the badblock affected? I also again appreciate all your patient help on this one Theodore. Input from others still welcome.

Cheers
-Al

--
View this message in context: http://old.nabble.com/icat-and-ifind----Help-with----Please-DO-NOT-hijack-threads-tp26452166p26463322.html
Sent from the sleuthkit-users mailing list archive at Nabble.com.
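The sector-to-cluster mapping Theodore walks Al through above, scripted end to end as an added example (editor-supplied code, not part of the thread and not part of The Sleuth Kit). It parses the mmls and fsstat output exactly as they appear in the post, picks the partition that contains an absolute sector, applies the formula from the thread with integer truncation, checks the result against the filesystem's Total Cluster Range, and assembles the ifind command line. The function names (`locate`, `find_partition`, `badblock_to_sector`), the `/dev/sdb` default and the rule of preferring the shortest overlapping mmls row (so a logical partition wins over the extended container around it) are this example's own assumptions. One caveat the thread does not state: badblocks(8) reports block numbers in 1024-byte blocks unless it was run with `-b 512`, so the helper `badblock_to_sector` converts a badblocks number to a 512-byte sector first; the post treats 22817441 as a sector number directly, which corresponds to `badblock_to_sector(22817441, block_size=512)`.

```python
import re

# mmls output as it appears in the post above (copied from the thread, not constructed)
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utilities FAT (0xde)
03:  -----   0000128520   0000129023   0000000504   Unallocated
04:  00:01   0000129024   0021100543   0020971520   NTFS (0x07)
05:  00:02   0021100544   0307335167   0286234624   NTFS (0x07)
06:  00:03   0307335168   0312578047   0005242880   Win95 Extended (0x0F)
07:  -----   0307335168   0307335168   0000000001   Extended Table (#1)
08:  -----   0307335169   0307337215   0000002047   Unallocated
09:  01:00   0307337216   0312578047   0005240832   Hidden CTOS Memdump? (0xdd)
10:  -----   0312578048   0312581807   0000003760   Unallocated
"""

# The fsstat lines the calculation needs, copied from the post (the rest snipped)
FSSTAT_OUTPUT = """\
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 35779325
Total Sector Range: 0 - 286234607
"""

# One mmls table row: index, slot, start, end, length, description
_ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_mmls(text):
    """Return the mmls table rows as dicts; header and unit lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append({"slot": m.group(2), "start": int(m.group(3)),
                         "end": int(m.group(4)), "length": int(m.group(5)),
                         "desc": m.group(6).strip()})
    return rows


def find_partition(rows, sector):
    """Innermost real partition (slot is not '-----') whose range covers sector.

    An extended (container) entry overlaps the logical partitions inside it, so
    when several rows match, the shortest one is the filesystem partition
    (assumed rule for this example).
    """
    hits = [r for r in rows
            if r["slot"] != "-----" and r["start"] <= sector <= r["end"]]
    return min(hits, key=lambda r: r["length"]) if hits else None


def parse_fsstat_sizes(text):
    """Pull sector size, cluster size and the last valid cluster from fsstat output."""
    def grab(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else None
    return {"sector_size": grab(r"Sector Size:\s*(\d+)"),
            "cluster_size": grab(r"Cluster Size:\s*(\d+)"),
            "last_cluster": grab(r"Total Cluster Range:\s*\d+\s*-\s*(\d+)")}


def badblock_to_sector(block, block_size=1024, sector_size=512):
    """badblocks(8) counts 1024-byte blocks unless run with -b; convert to sectors."""
    return block * block_size // sector_size


def relative_cluster(abs_sector, part_start, sector_size, cluster_size):
    """Thread formula: (abs sector - partition start) * sector size / cluster size, integer part."""
    if abs_sector < part_start:
        raise ValueError("sector lies before the partition start")
    return (abs_sector - part_start) * sector_size // cluster_size


def locate(abs_sector, mmls_text, fsstat_text, device="/dev/sdb"):
    """Map an absolute 512-byte sector to its partition-relative cluster and ifind command."""
    part = find_partition(parse_mmls(mmls_text), abs_sector)
    if part is None:
        return None                      # sector is in no filesystem partition
    sizes = parse_fsstat_sizes(fsstat_text)
    cluster = relative_cluster(abs_sector, part["start"],
                               sizes["sector_size"], sizes["cluster_size"])
    if sizes["last_cluster"] is not None and cluster > sizes["last_cluster"]:
        raise ValueError("cluster %d is beyond the filesystem's cluster range" % cluster)
    return {"partition": part, "cluster": cluster,
            "ifind": "ifind -o %d -d %d %s" % (part["start"], cluster, device)}


if __name__ == "__main__":
    # Sector 22817441 treated as a 512-byte sector, as the post does
    print(locate(22817441, MMLS_OUTPUT, FSSTAT_OUTPUT))
```

Run as-is, the script reproduces the post's numbers: partition start 21100544, cluster 214612, and the command `ifind -o 21100544 -d 214612 /dev/sdb`. The ffind result in the post, `/$Extend/$UsnJrnl:$J`, is the `$J` data stream of the NTFS USN change journal, so the cluster that script points at belongs to the journal rather than to a user file.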