Re: [sleuthkit-users] icat and ifind -- Help with -- Please DO NOT hijack threads
From: Theodore P. <te...@gm...> - 2009-11-22 15:29:49
I think you've got that right. It's early and I haven't had any caffeine yet.

When you run the istat command on the inode you found via ifind, you can cross-validate your result by looking at the cluster numbers underneath "Type: $DATA (128-3) Name: $J Non-Resident, Sparse size: 5296921952". One of them should be the one you calculated: 214612.

Normally when you see a filename with $ in front, it means that it's a special NTFS internal metadata file, and they are hidden from Windows Explorer. In this case, the <filename>:<blah> notation means you are looking at an Alternate Data Stream of the file called <filename>. And as luck would have it, it seems damage in that file can cause boot issues. See:

http://forums.techguy.org/all-other-software/631384-what-c-extend-usnjrnl-j.html
http://microsoft-personal-operating-systems.hostweb.com/TopicMessages/microsoft.public.windowsxp.general/2026959/1/Default.aspx

And http://support.microsoft.com/kb/311724 tells how to use chkdsk to fix it.

Though you seem to have a pretty long list of bad blocks, so some of the other ones might also be causing issues, especially if they are corrupting system files.

On Sun, Nov 22, 2009 at 2:35 AM, Al Grant <big...@gm...> wrote:
>
> Hi Theodore,
>
> I think I followed your instructions ok. Let's see what I got:
>
>
> Theodore Pham wrote:
>>
>> On Sat, Nov 21, 2009 at 8:47 PM, Theodore Pham <te...@gm...> wrote:
>> Ok, let's try this again but with the proper physical sector to
>> partition relative block/cluster mapping this time. I was looking at
>> a really old script I wrote the first time I tried to write this up
>> and of course that script was wrong. Sorry.
>>
>> Run mmls -i raw /dev/sdb
>>
>
> al@al-ubuntu:~$ sudo mmls /dev/sdb
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000001   0000000062   0000000062   Unallocated
> 02:  00:00   0000000063   0000128519   0000128457   Dell Utilities FAT (0xde)
> 03:  -----   0000128520   0000129023   0000000504   Unallocated
> 04:  00:01   0000129024   0021100543   0020971520   NTFS (0x07)
> 05:  00:02   0021100544   0307335167   0286234624   NTFS (0x07)
> 06:  00:03   0307335168   0312578047   0005242880   Win95 Extended (0x0F)
> 07:  -----   0307335168   0307335168   0000000001   Extended Table (#1)
> 08:  -----   0307335169   0307337215   0000002047   Unallocated
> 09:  01:00   0307337216   0312578047   0005240832   Hidden CTOS Memdump? (0xdd)
> 10:  -----   0312578048   0312581807   0000003760   Unallocated
>
>
>
> Theodore Pham wrote:
>>
>> Next, you need to know the cluster (aka block) size for the filesystem
>> in the partition you care about.
>>
>> Run fsstat -i raw -o <absolute start sector of partition> <dd image
>> file or /dev device>
>>
>
> Now I know from badblocks that one of the badblocks is 22817441.
>
> I can see that this number falls in the range of one of the partitions that
> is listed as starting at 21100544.
> So the offset in fsstat is:
>
> al@al-ubuntu:~$ sudo fsstat -o 21100544 /dev/sdb
> FILE SYSTEM INFORMATION
> --------------------------------------------
> File System Type: NTFS
> Volume Serial Number: 8C3E8ADC3E8ABF28
> OEM Name: NTFS
> Volume Name: OS
> Version: Windows XP
>
> METADATA INFORMATION
> --------------------------------------------
> First Cluster of MFT: 786432
> First Cluster of MFT Mirror: 18217343
> Size of MFT Entries: 1024 bytes
> Size of Index Records: 4096 bytes
> Range: 0 - 137151
> Root Directory: 5
>
> CONTENT INFORMATION
> --------------------------------------------
> Sector Size: 512
> Cluster Size: 4096
> Total Cluster Range: 0 - 35779325
> Total Sector Range: 0 - 286234607
> <SNIP>
>
>
> Theodore Pham wrote:
>>
>> Now calculate the partition relative cluster number using this formula
>>
>> Partition relative cluster number = (Absolute sector number in
>> question - Absolute sector number of partition start) * sector size /
>> cluster size
>>
>> If the result is a floating point number, then you just want the integer
>> part.
>>
>
> Ok, not sure I have done this step right, but plugging in my numbers:
>
> Partition Relative Cluster Number = (22817441 - 21100544) * 512/4096
>                                   = 1716897 * 0.125
>                                   = 214612.125
>                                   = 214612 (integer only)
>
>
>
> Theodore Pham wrote:
>>
>> Now use ifind with the -o argument to tell it what absolute sector the
>> partition begins at and the -d argument to indicate the partition
>> relative cluster number you're interested in.
>>
>> For your example absolute sector of 22817441, let's assume the
>> partition containing it starts at 22817300. Your relative sector
>> number would be 22817441 - 22817300 = 141.
>> So you would run:
>>
>> ifind -i raw -o 22817300 -d 17 <dd image or /dev device>
>>
>
> Ok, again plugging in my numbers:
>
> al@al-ubuntu:~$ sudo ifind -o 21100544 -d 214612 /dev/sdb
> 51798-128-3
>
>
>
> Theodore Pham wrote:
>>
>> Once you have the inode number, you can run:
>>
>> istat -i raw -o <partition start absolute sector> <dd image or /dev
>> device> <inode number>
>>
>
> al@al-ubuntu:~$ sudo istat -o 21100544 /dev/sdb 51798-128-3 |more
> MFT Entry Header Values:
> Entry: 51798 Sequence: 1
> $LogFile Sequence Number: 19669486580
> Allocated File
> Links: 1
>
> $STANDARD_INFORMATION Attribute Values:
> Flags: Hidden, System, Archive, Sparse
> Owner ID: 0
> Created: Tue Mar 11 20:43:50 2008
> File Modified: Tue Mar 11 20:43:50 2008
> MFT Modified: Tue Mar 11 20:43:50 2008
> Accessed: Tue Mar 11 20:43:50 2008
>
> $FILE_NAME Attribute Values:
> Flags: Hidden, System, Archive, Sparse
> Name: $UsnJrnl
> Parent MFT Entry: 11 Sequence: 11
> Allocated Size: 0 Actual Size: 0
> Created: Tue Mar 11 20:43:50 2008
> File Modified: Tue Mar 11 20:43:50 2008
> MFT Modified: Tue Mar 11 20:43:50 2008
> Accessed: Tue Mar 11 20:43:50 2008
>
> Attributes:
> Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 72
> Type: $FILE_NAME (48-1) Name: N/A Resident size: 82
> Type: $DATA (128-3) Name: $J Non-Resident, Sparse size: 5296921952
> 0 0 0 0 0 0 0 0
> 0 0 0 0 0 0 0 0
> <SNIP>
> 24670595 24670596 24670597 24670598 24670599 24670600 24670601 24670602
> 24670603 24670604 24670605 24670606 24670607 24670608 24670609 24670610
> 24670611 24670612 24670613 24670614 24670615 24670616 24670617 24670618
> 24670619 24670620 24670621 24670622 24670623 24670624 24670625 24670626
> 24670627 24670628 24670629 24670630 24670631 24670632 24670633 24670634
> Type: $DATA (128-5) Name: $Max Resident size: 32
> al@al-ubuntu:~$
>
>
>
> Theodore Pham wrote:
>>
>> to show you useful information about the inode including whether or
>> not it is allocated, its relative name and what data clusters are
>> allocated to it.
>>
>> Then you can run ffind with the same arguments to give you the full
>> path and filename:
>>
>> ffind -i raw -o <partition start absolute sector> <dd image or /dev
>> device> <inode number>
>>
>
> Now this last bit of information is very cryptic:
>
> al@al-ubuntu:~$ sudo ffind -o 21100544 /dev/sdb 51798-128-3
> /$Extend/$UsnJrnl:$J
> al@al-ubuntu:~$
>
> So I would like to know if you think I have followed the instructions
> correctly?
>
> I am not sure what file the badblock affected?
>
> I also again appreciate all your patient help on this one Theodore. Input
> from others still welcome.
>
> Cheers
>
> -Al
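The sector-to-cluster mapping and the ifind/istat/ffind sequence worked through in the thread above, as an added example: this is not code from the thread, from Theodore or Al, or from The Sleuth Kit. It parses the mmls, fsstat and istat output quoted in the messages (embedded here as constructed samples; the istat cluster list is only the visible tail, since the post was cut with <SNIP>), applies Theodore's formula to get the partition-relative cluster, and builds the TSK command lines. The function names (`locate`, `find_partition`, `istat_data_clusters`, and so on) and the /dev/sdb default are this example's own.

```python
"""Map an absolute disk sector (as reported by badblocks) to the NTFS
cluster that holds it and to the TSK commands that name the owning file.
Added example, not code from the sleuthkit-users thread or from TSK. The
mmls/fsstat/istat text is constructed from the output quoted in the thread;
the istat cluster list is only the visible tail (the post was <SNIP>ped)."""
import re

MMLS_OUTPUT = """\
     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000128519   0000128457   Dell Utilities FAT (0xde)
03:  -----   0000128520   0000129023   0000000504   Unallocated
04:  00:01   0000129024   0021100543   0020971520   NTFS (0x07)
05:  00:02   0021100544   0307335167   0286234624   NTFS (0x07)
06:  00:03   0307335168   0312578047   0005242880   Win95 Extended (0x0F)
07:  -----   0307335168   0307335168   0000000001   Extended Table (#1)
08:  -----   0307335169   0307337215   0000002047   Unallocated
09:  01:00   0307337216   0312578047   0005240832   Hidden CTOS Memdump? (0xdd)
10:  -----   0312578048   0312581807   0000003760   Unallocated
"""
FSSTAT_OUTPUT = """\
CONTENT INFORMATION
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 0 - 35779325
"""
ISTAT_OUTPUT = """\
Type: $FILE_NAME (48-1) Name: N/A Resident size: 82
Type: $DATA (128-3) Name: $J Non-Resident, Sparse size: 5296921952
0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0
24670595 24670596 24670597 24670598 24670599 24670600 24670601 24670602
24670603 24670604 24670605 24670606 24670607 24670608 24670609 24670610
Type: $DATA (128-5) Name: $Max Resident size: 32
"""
MMLS_ROW = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")

def parse_mmls(text):
    """Return (slot, start, end, length, description) for each mmls row."""
    rows = []
    for line in text.splitlines():
        m = MMLS_ROW.match(line.strip())
        if m:
            slot, start, end, length, desc = m.groups()
            rows.append((slot, int(start), int(end), int(length), desc.strip()))
    return rows

def find_partition(rows, sector):
    """(start, end, description) of the volume holding `sector`, or None.
    Slot '-----' rows (partition tables, unallocated gaps) never qualify; if
    an extended container and a logical volume both match, the smaller
    (logical) one wins, since that is where the filesystem actually lives."""
    hits = [(length, start, end, desc) for slot, start, end, length, desc in rows
            if slot != "-----" and start <= sector <= end]
    if not hits:
        return None
    _, start, end, desc = min(hits)
    return (start, end, desc)

def parse_fsstat_sizes(text):
    """(sector_size, cluster_size) from fsstat's CONTENT INFORMATION block."""
    sec = re.search(r"^Sector Size:\s*(\d+)", text, re.M)
    clu = re.search(r"^Cluster Size:\s*(\d+)", text, re.M)
    return int(sec.group(1)), int(clu.group(1))

def relative_cluster(sector, part_start, sector_size=512, cluster_size=4096):
    """Theodore's formula: floor((sector - part_start) * sector_size / cluster_size)."""
    if sector < part_start:
        raise ValueError("sector lies before the partition start")
    return ((sector - part_start) * sector_size) // cluster_size

def tsk_commands(device, part_start, cluster):
    """ifind/istat/ffind invocations; <inode> is what ifind prints (e.g. 51798-128-3)."""
    return {"ifind": f"ifind -o {part_start} -d {cluster} {device}",
            "istat": f"istat -o {part_start} {device} <inode>",
            "ffind": f"ffind -o {part_start} {device} <inode>"}

def istat_data_clusters(text):
    """Cluster numbers listed under $DATA attributes in istat output. Zero
    entries are sparse runs with no cluster on disk and are dropped; use the
    result to confirm the computed cluster really belongs to the file."""
    clusters, in_data = [], False
    for line in text.splitlines():
        if line.startswith("Type:"):
            in_data = "$DATA" in line
        elif in_data and re.fullmatch(r"[\d ]+", line.strip()):
            clusters.extend(int(c) for c in line.split() if int(c) != 0)
    return clusters

def locate(sector, mmls_text, fsstat_text, device="/dev/sdb"):
    """End to end: absolute sector -> partition start, cluster, TSK commands."""
    part = find_partition(parse_mmls(mmls_text), sector)
    if part is None:
        return None
    sector_size, cluster_size = parse_fsstat_sizes(fsstat_text)
    cluster = relative_cluster(sector, part[0], sector_size, cluster_size)
    return {"part_start": part[0], "fs": part[2], "cluster": cluster,
            "commands": tsk_commands(device, part[0], cluster)}

if __name__ == "__main__":
    print(locate(22817441, MMLS_OUTPUT, FSSTAT_OUTPUT))
```

Two practical points the script encodes that are easy to get wrong by hand: a bad sector inside an extended partition must be mapped against the logical volume's own start, not the container's, because that is the offset fsstat and ifind need; and the zeros at the top of a sparse attribute's cluster list in istat are holes, not cluster 0, so the computed cluster should be matched only against the non-zero entries. The inode ifind prints (51798-128-3 in the thread, that is, MFT entry 51798, attribute type 128, id 3) still has to be pasted into the istat and ffind commands by hand.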