Re: [sleuthkit-users] EXT2 superblock
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] EXT2 superblock
|
From: Brian C. <ca...@sl...> - 2004-10-03 23:47:43
|
On Oct 3, 2004, at 10:24 AM, Lisa Muir wrote: > Thank you Brian, > > I tried copying the "copy" of the superblock, but after I examined it, > the copies were identical to the the actual superblock. How did you copy it? The EXTxFS superblock is located 1,024 bytes from the start of the file system and is 1,024 bytes long. Did you do a cut and paste with a hex editor? > Is there a command that displays all the "magic numbers" such as the > # newfs -N > command for sun? As "lt" alluded to, the backup copies of the superblocks are located at the start of each block group. The default size of each block group is based on the block size. So, if the file system had a 4,096-byte block size, then the backup copy would be located in block 32769 (multiply block size by 8 and add 1). You can try the different block size-based locations. The signature value is 0xEF53 at byte offset 56 to 57. > I copied the superblock from another device, unfortunately a device > that multiple partitions on it so it didn't work. That shouldn't be a problem. The superblock is contained in one of the partitions and it does not care about any other partitions. > I'm curious as to how one would tackle this in a forensics situtation, > if one didn't know the filesystem type, etc. As "lt" mentioned, running a tool like 'fsck' is one way to approach it. The issue is that 'fsck' may change a lot of things and move data around and overwrite stuff. So, keep a backup copy of the pre-fsck data. If it is just the magic value that is messed up, then I can show you how to change TSk so that it ignores that value. But, in most cases there are many other problems in the image that are not fixed by ignoring them. It is actually relatively easy for me to have TSK search for the backup copies. One of these days I will add that feature. brian |
