Re: [sleuthkit-users] dls linux-ext3 error
From: Brian C. <ca...@sl...> - 2003-06-15 06:05:51
On 14 Jun 2003 19:11 PDT you wrote:
> Hi:
>
> I am trying to recover some deleted files on partition hda6.
> I created an image using this command:
>
> dls -v -f linux-ext3 /dev/hda6 > /mnt/usb/output
>
> But when I tried to stat the image I get this error:
>
> debian:# fsstat -f linux-ext3 /mnt/usb/output
> fsstat: Error: /mnt/usb/output is not an EXT2FS file system
>
> Well of course it's not an ext2 system. It's an ext3 system. Am I
> going to have to redo this image as an ext2 system in order to
> import it? Perhaps I did something wrong when using dls?

I'll fix the error message. EXT2FS and EXT3FS are almost identical and therefore use the same code in the Sleuth Kit. I'll make that message reflect the specific FS though.

The message is appearing because the result is no longer a file system. 'dls' goes through the allocation bitmap and finds the ones that are not allocated and prints them. So, there is no longer any structure to the data; it is just raw data. Therefore, all you can do with it is search it and use data carving tools.

> Also the Image size doesn't appear to match the size of 'available' space on the target partition.
>
> partition sizes (kb):
> /dev/hda6 13179944 3945620 8564820 32% /mnt/hda6
>
> image size(b):
> -rw-r--r-- 1 root root 9455947776 Jun 13 18:29 output

Actually, they do work out. I'm assuming the full disk is 13179944k and 3945620k is the used space. If you subtract them, you actually get 9234324k (not 8564820k). If you divide the size of the dls output by 1024 you get:

9455947776 / 1024 = 9234324k

I have no clue where df got the 8564820k value from.

brian
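The behaviour described in the reply above, as an added example that is not part of the original message and is not Sleuth Kit code: a simplified model of a dls-style extraction showing why the output no longer carries the ext2/ext3 superblock magic and why its size equals the number of unallocated blocks times the block size. The 16-block image, the single whole-image bitmap and all function names are constructed for illustration; a real ext2/ext3 volume keeps one bitmap per block group.

```python
import struct

BLOCK = 1024                    # block size of the constructed image
MAGIC_OFFSET = 1024 + 56        # s_magic: superblock at byte 1024, field at +56
EXT2_MAGIC = 0xEF53             # ext2 and ext3 share this magic value

def has_ext_magic(data):
    """The kind of check that makes a tool accept data as ext2/ext3."""
    if len(data) < MAGIC_OFFSET + 2:
        return False
    return struct.unpack_from("<H", data, MAGIC_OFFSET)[0] == EXT2_MAGIC

def is_allocated(bitmap, n):
    """ext2 bitmaps use the least-significant bit of each byte first."""
    return bool((bitmap[n // 8] >> (n % 8)) & 1)

def unallocated_blocks(image, bitmap):
    """Concatenate every block whose bitmap bit is clear, in block order."""
    total = len(image) // BLOCK
    return b"".join(
        image[n * BLOCK:(n + 1) * BLOCK]
        for n in range(total)
        if not is_allocated(bitmap, n)
    )

def build_sample():
    """Constructed image: metadata in blocks 0-4, live data in 7 and 9."""
    total, allocated = 16, {0, 1, 2, 3, 4, 7, 9}
    image = bytearray(total * BLOCK)
    struct.pack_into("<H", image, MAGIC_OFFSET, EXT2_MAGIC)
    image[7 * BLOCK:7 * BLOCK + 9] = b"live-file"
    image[5 * BLOCK:5 * BLOCK + 12] = b"deleted-note"   # freed block content
    bitmap = bytearray((total + 7) // 8)
    for n in allocated:
        bitmap[n // 8] |= 1 << (n % 8)
    return bytes(image), bytes(bitmap)

if __name__ == "__main__":
    image, bitmap = build_sample()
    out = unallocated_blocks(image, bitmap)
    print("image has ext magic: ", has_ext_magic(image))
    print("output has ext magic:", has_ext_magic(out))
    print("output size:", len(out), "bytes =", len(out) // BLOCK, "blocks")
    print("deleted data searchable:", b"deleted-note" in out)
```

The superblock lives in an allocated block, so it never reaches the output; what remains can only be searched or carved, as the reply says.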