RE: [sleuthkit-users] What are indirect blocks?
From: Baskin, B. <ba...@dc...> - 2005-05-17 01:15:06
Hi Aaron,

Indirect blocks allow for larger file sizes within the Extended FS. In a very basic summary, there are 15 pointers in an inode, and the first 12 act as direct pointers. Each of these pointers holds an address to an 8K data block that stores the contents of the file. However, by using just the 12 direct pointers, a file can only achieve 96KB of size (12*8K).

The 13th pointer then acts as a single indirect. This single indirect points to another 8KB data block, but instead of holding file contents, it is split into 2048 direct pointers (similar to the 12 in the inode). Each of these 2048 pointers then points to an 8KB data block. Using a single indirect pointer allows a file to achieve about 16MB of size ((2048*8K)+96K).

The 14th pointer then acts as a double indirect. This pointer holds the address for another 8KB data block, but instead of this data block containing contents or direct pointers, it contains 2048 single indirects. So, each of these single indirects points to another 8KB data block that contains 2048 direct pointers. All filled, a file can achieve 32GB of size. ((2048*2048*8K)+96K)

Along with the pattern, the 15th pointer acts as a triple indirect. Each pointer points to an 8KB data block that contains 2048 double indirects, each of these points to a data block that contains 2048 single indirects, each of these points to a data block that contains 2048 directs, and each of these direct pointers points to an 8KB data block that contains file contents. All said and done, around 70TB. ((2048*2048*2048*8K)+96K)

I hope that helps a bit. I found a simple diagram here: http://www.bb-zone.com/SLGFG/figures/Inode.gif

Now, from my limited experience, the istat tool will display all the direct pointers for a file. It will follow each indirect stream and display the end direct pointers that they use, which is why it shows thousands and thousands of them.

As far as the error:

    istat: Invalid address in indirect list (too large): 136081568

I can only guess that a corrupted value was placed in one of the pointers. If it's an indirect pointer value that was corrupted, that could mean the loss of quite a bit of information (16MB), but when recovered it may not be too dramatic of a loss. However, seeing as how the direct blocks are sequential, with none missing, it may just be the loss of a single direct pointer value, which can be insignificant once recovered. I would try viewing the contents of the data blocks immediately before and after the error, either through the GUI or through dcat, and seeing if they report errors or seem bad:

    dcat -f ext AaronOldImage.ext3 534533 | less
    dcat -f ext AaronOldImage.ext3 534534 | less

To pull this file out, is the image a full disk image or a partition? If a partition, just run:

    icat -f ext AaronOldImage.ext3 193 > file.dat

If part of a full disk image, get the offset of the filesystem by running:

    sfdisk -luS ./AaronOldImage.ext3

and record the Start sector of the partition that holds the file, then:

    icat -f ext -o <start sector> -i raw AaronOldImage.ext3 193 > file.dat

I welcome any opinions from the group if my information is wrong in any way, or could be made better :)

-BB

-----Original Message-----
From: sle...@li... [mailto:sle...@li...] On Behalf Of Aaron Stone
Sent: Monday, May 16, 2005 2:59 AM
To: sle...@li...
Subject: [sleuthkit-users] What are indirect blocks?

Hey folks,

I've been Googling for days to try to recover what appears to be a pretty bad image of my old 60GB /home partition. I've given up on e2retrieve and e2salvage, and am now working with TSK and e2extract: http://dreamscape.org/toolkit/README.html

The scoop is that buried in this image is another image of my old laptop's hard drive. I desperately need to grab a 6GB needle out of a 60GB haystack.

What are indirect blocks, and what does this output from 'istat' mean?

    bash$ istat AaronOldImage.ext3 193
    inode: 193
    Allocated
    Group: 0
    Generation Id: 4016250406
    uid / gid: 0 / 0
    mode: -rw-r--r--
    Flags: Immutable,
    size: 6045548544
    num of links: 1

    Inode Times:
    Accessed:       Sun Jan 30 17:24:05 2005
    File Modified:  Wed May 12 14:40:18 2004
    Inode Modified: Wed May 12 14:42:13 2004

    Direct Blocks:
    9373 9600 9602 9603 9604 9605 9606 9799
    [snip about 60 lines of block listings]
    512422 512423 512424 534529 534530 534531 534532 534533
    istat: Invalid address in indirect list (too large): 136081568
    534534 534535 534536 534537
    bash$

Thanks,
Aaron

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
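
The pointer layout described in the reply above, worked through in Python as an added example that is not part of the original thread or of The Sleuth Kit. It maps a file-relative block number to the pointer level that reaches it and scans one indirect block for addresses past the end of the file system, which is assumed to be the condition behind istat's "too large" message. The 8K block size follows the reply; the block count and the sample indirect block are constructed, and real values come from the image's superblock.

```python
import struct

LEVELS = ["direct", "single", "double", "triple"]

def pointer_layout(block_size, ptr_size=4, n_direct=12):
    """Pointers per indirect block, and data blocks reachable at each level."""
    per = block_size // ptr_size
    return per, [n_direct, per, per ** 2, per ** 3]

def locate(logical_block, block_size):
    """Map a file-relative block index to (level, slot path through indirect blocks)."""
    per, caps = pointer_layout(block_size)
    idx = logical_block
    for level, cap in enumerate(caps):
        if idx < cap:
            if level == 0:
                return LEVELS[0], [idx]
            # One slot number per indirect block walked, outermost first.
            return LEVELS[level], [(idx // per ** k) % per
                                   for k in reversed(range(level))]
        idx -= cap
    raise ValueError("block index beyond triple-indirect range")

def find_bad_pointers(raw_block, fs_block_count):
    """Decode an indirect block (32-bit little-endian addresses) and return
    (slot, address) for every address past the end of the file system.
    Address 0 means 'no block' (unused slot or sparse hole) and passes."""
    count = len(raw_block) // 4
    addrs = struct.unpack("<%dI" % count, raw_block[:count * 4])
    return [(slot, a) for slot, a in enumerate(addrs) if a >= fs_block_count]

# --- Constructed sample values (assumptions, not read from the real image) ---
BLOCK_SIZE = 8192                          # block size used in the reply
FS_BLOCKS = 60 * 2 ** 30 // BLOCK_SIZE     # a 60 GiB partition
SAMPLE_PTRS = [534529, 534530, 534531, 534532, 534533,
               136081568,                  # the address istat rejected
               534534, 534535, 534536, 534537]
SAMPLE_BLOCK = struct.pack("<2048I",
                           *(SAMPLE_PTRS + [0] * (2048 - len(SAMPLE_PTRS))))

if __name__ == "__main__":
    size = 6045548544                      # "size:" from the istat output
    last = (size + BLOCK_SIZE - 1) // BLOCK_SIZE - 1
    print("last block of file:", last, locate(last, BLOCK_SIZE))
    for slot, addr in find_bad_pointers(SAMPLE_BLOCK, FS_BLOCKS):
        print("slot %d: address %d exceeds %d blocks" % (slot, addr, FS_BLOCKS))
```
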