Re: [sleuthkit-users] EXT2 superblock
From: Lisa M. <34....@gm...> - 2004-10-03 15:25:22
Thank you Brian,

I tried copying the "copy" of the superblock, but after I examined it, the copies were identical to the actual superblock. I'm not well versed in this area, so I'm sort of plugging around. Is there a command that displays all the "magic numbers" such as the # newfs -N command for sun? I'm using a knoppix CD to examine this drive.

And yes, I pointed Autopsy to /dev/sda1. The filesystem, not the device.

I copied the superblock from another device, unfortunately a device that has multiple partitions on it so it didn't work.

I'm curious as to how one would tackle this in a forensics situation, if one didn't know the filesystem type, etc.

I'm running testdisk now, to see if that can produce any more relevant results. I'll have to wait until that's finished to try to copy another superblock from another drive that I know only has one ext2 partition.

On Sun, 3 Oct 2004 09:48:00 -0500, Brian Carrier <ca...@sl...> wrote:
>
> On Oct 3, 2004, at 5:44 AM, Lisa Muir wrote:
>
> > What information is contained in the ext2 superblock?
>
> There is a lot of size and layout information in there.
>
> > I have a drive which I can't mount because it has a damaged
> > superblock, and I'm wondering if I copy the superblock off another
> > drive with the same partitioning and size, will I be able to get
> > access to my file.
> >
> > All I want to do is get a single dd image file off the drive, but I
> > can't even mount the drive in Autopsy, says not a valid linux
> > filesystem.
>
> You are using the file system image and not the disk image, right?
> Autopsy needs the file system image (i.e. hda1) and checks only that
> the magic value is there, so I would first check that you are using the
> actual file system image. Otherwise, you can try and copy a superblock
> from another system. There are also many backup copies of the
> superblock in the file system, which is not always easy to restore.
>
> brian
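Added example, not part of the original thread and not Sleuth Kit or Autopsy code: a read-only scan of a file system image for ext2 superblock copies, using the magic value check and backup copies discussed above. Field offsets follow the ext2 on-disk superblock layout; the function names and the sample image geometry are constructed for this illustration.

```python
import struct

EXT2_MAGIC = 0xEF53   # s_magic, little-endian u16 at byte 56 of the superblock
SB_SIZE = 1024        # primary superblock sits at byte 1024 of the file system

def parse_candidate(image, off):
    """Return superblock fields at `off`, or None if it does not look like one."""
    sb = image[off:off + SB_SIZE]
    if len(sb) < SB_SIZE or struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        return None
    first_data, log_bs = struct.unpack_from("<II", sb, 20)   # offsets 20 and 24
    per_group = struct.unpack_from("<I", sb, 32)[0]          # s_blocks_per_group
    group = struct.unpack_from("<H", sb, 90)[0]              # s_block_group_nr
    if log_bs > 6 or per_group == 0:
        return None                       # implausible geometry: stray magic bytes
    block_size = 1024 << log_bs
    # The primary copy is at byte 1024; a backup is the first block of its group.
    expected = 1024 if group == 0 else (first_data + group * per_group) * block_size
    return {"offset": off, "group": group, "block_size": block_size,
            "blocks_per_group": per_group, "consistent": off == expected}

def find_superblocks(image):
    """Scan a file system image at 1 KiB alignment for superblock copies."""
    hits = (parse_candidate(image, off) for off in range(0, len(image), SB_SIZE))
    return [h for h in hits if h]

def make_sample_image():
    """Constructed test data: 1 KiB blocks, 256 blocks per group, copies in groups 0 and 1."""
    image = bytearray(769 * 1024)
    for group in (0, 1):
        sb = bytearray(SB_SIZE)
        struct.pack_into("<I", sb, 4, 769)        # s_blocks_count
        struct.pack_into("<II", sb, 20, 1, 0)     # s_first_data_block, s_log_block_size
        struct.pack_into("<I", sb, 32, 256)       # s_blocks_per_group
        struct.pack_into("<H", sb, 56, EXT2_MAGIC)
        struct.pack_into("<H", sb, 90, group)
        off = (1 + group * 256) * 1024
        image[off:off + SB_SIZE] = sb
    return image

if __name__ == "__main__":
    img = make_sample_image()
    img[1024:2048] = bytes(SB_SIZE)               # simulate a wiped primary superblock
    for hit in find_superblocks(bytes(img)):
        print(hit)
```

A hit whose `consistent` flag is true sits exactly where its own geometry says that group's copy belongs, which separates real backups from stray 0xEF53 bytes in file data.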