RE: [sleuthkit-users] What are indirect blocks?
From: Aaron S. <aa...@se...> - 2005-05-16 17:33:11
On Mon, May 16, 2005, "Baskin, Brian" <ba...@dc...> said:

[snip]
> The 14th pointer then acts as a double indirect. This pointer holds the address for another 8KB data block, but instead of this data block containing contents or direct pointers, it contains 2048 single indirects. So, each of these single indirects point to another 8KB data block that contains 2048 direct pointers. All filled, a file can achieve 32GB of size. ((2048*2048*8K)+96K)

My blocksize is 4k, and the file that I get by dcat'ing each of the blocks that istat is able to give me is 4.1M; so it looks like my "13th pointer" is in good shape, but my "14th pointer" is trashed. Which means that I'm missing all but the first 4MB of my 6GB file.

Do any of these indirect blocks have backlinks that can be used to locate them with a binary grep?

> I can only guess that a corrupted value was placed in one of the pointers. If it's an indirect pointer value that was corrupted, that could mean the loss of quite a bit of information (16MB), but when recovered it may not be too dramatic of a loss. However, seeing as how the direct blocks are sequential, with none missing, it may just be the loss of a single direct pointer value, which can be insignificant once recovered. I would try viewing the contents of the data blocks immediately before and after the error, either through the GUI or through dcat, and seeing if they report errors or seem bad:

Right, you mean the loss of everything > 16MB. But in my blocksize, it's 4MB. I'd be surprised if there's anything of value up in that first 4MB :-\

The blocks are sequential in groups of a few dozen, with fairly large jumps between them. Sounds like the ext2/3 preallocation strategy.

> To pull this file out, is the image a full disk image or a partition?

The image is a partition, and the file inside is also a partition; I rarely (if ever) do a 'dd if=/dev/hda of=image' because of the relative difficulty in mounting up the individual partitions inside with the loopback driver.

Aaron
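
An added example, not part of the original message: the pointer arithmetic discussed in this thread, plus a content-based heuristic for spotting candidate single-indirect blocks in an image. It assumes the classic inode layout of 12 direct pointers followed by single, double and triple indirect pointers with 4-byte little-endian block numbers; the function names, the 0.75 threshold and the sample block are constructed for illustration.

```python
import struct

PTR_SIZE = 4    # block pointers are 32-bit little-endian (assumed layout)
N_DIRECT = 12   # direct pointers in the inode, before the single indirect

def reach(block_size):
    """Bytes addressable through each pointer level of one inode."""
    n = block_size // PTR_SIZE          # pointers per indirect block
    return {"direct": N_DIRECT * block_size, "single": n * block_size,
            "double": n * n * block_size, "triple": n ** 3 * block_size}

def locate(offset, block_size):
    """Map a file byte offset to (level, index path through indirect blocks)."""
    n = block_size // PTR_SIZE
    lb = offset // block_size - N_DIRECT
    if lb < 0:
        return ("direct", [lb + N_DIRECT])
    if lb < n:
        return ("single", [lb])
    lb -= n
    if lb < n * n:
        return ("double", [lb // n, lb % n])
    lb -= n * n
    if lb < n ** 3:
        return ("triple", [lb // (n * n), lb // n % n, lb % n])
    raise ValueError("offset is beyond the triple-indirect range")

def looks_like_indirect(block, total_blocks, min_run=0.75):
    """Heuristic test for a single-indirect block: in-range pointers, mostly
    consecutive, zero-padded at the tail. Sparse files (zero pointers in the
    middle) and double/triple blocks (entries usually not consecutive) are
    not matched."""
    used = list(struct.unpack("<%dI" % (len(block) // PTR_SIZE), block))
    while used and used[-1] == 0:
        used.pop()
    if len(used) < 2 or any(p == 0 or p >= total_blocks for p in used):
        return False
    steps = sum(1 for a, b in zip(used, used[1:]) if b == a + 1)
    return steps / (len(used) - 1) >= min_run

def sample_block(block_size=4096):
    """Constructed sample: two runs of 30 consecutive block numbers, zero fill."""
    ptrs = list(range(5000, 5030)) + list(range(9000, 9030))
    ptrs += [0] * (block_size // PTR_SIZE - len(ptrs))
    return struct.pack("<%dI" % len(ptrs), *ptrs)

if __name__ == "__main__":
    r = reach(4096)
    print("direct + single at 4K blocks:", r["direct"] + r["single"], "bytes")
    print("offset just under 6 GiB:", locate(6 * 2**30 - 1, 4096))
    print("sample is a candidate:", looks_like_indirect(sample_block(), 2_000_000))
```

To use the heuristic on an image, read it one block at a time and pass the file system's total block count as `total_blocks`; hits are candidates to inspect by hand, not confirmed indirect blocks.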