[sleuthkit-users] Linux LVM on ext3: partitions or offsets?
From: Chris S. <sto...@fn...> - 2005-09-01 15:57:41
I created a disk image using dd_rhelp, which claimed to finish without
error. I am using Sleuth Kit ver 2.02 to inspect the disk image, called
dev-scd.img.
fdisk and mmls seem to disagree about the partitions. Can you help? Is
there something I need to do with the partition table or offset
calculations? Do I need to set the cylinders in the image, and if so, how?
Here is the output of fdisk -l
# /sbin/fdisk -l dev-scd.img
You must set cylinders.
You can do this from the extra functions menu.
Disk dev-scd.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
dev-scd.img1 * 1 13 104391 83 Linux
dev-scd.img2 14 7296 58500697+ 8e Linux LVM
Partition 2 has different physical/logical endings:
phys=(1023, 254, 63) logical=(7295, 254, 63)
In the log file below, lines beginning with "+" echo the command
performed, generated by running this bash script:
========= listing of sleuth.sh ============================
#!/bin/bash -x
ls -l dev-scd.img
img_stat -V
mmls -V
fsstat -V
img_stat dev-scd.img
mmls dev-scd.img
fsstat -o 0 dev-scd.img
fsstat -o 1 dev-scd.img
fsstat -o 63 dev-scd.img
fsstat -o 208845 dev-scd.img
It looks like I can see the third partition (Linux 0x83) but I cannot
see the fourth partition (Linux Logical Volume Manager (0x8e)), which is
where the "good stuff" I'd like to recover is.
Is there something else I need to be able to inspect a Linux Logical Volume?
The image was created from a disk which was running an ext3 file system
under Fedora Core 3. Please let me know if there is something else I can
provide.
Thanks, and thanks for this tool set.
Chris
========= log file of sleuth.sh ============================
+ ls -l dev-scd.img
-rw-r--r-- 1 stoughto sdss 60003254272 Aug 31 16:40 dev-scd.img
+ img_stat -V
The Sleuth Kit ver 2.02
+ mmls -V
The Sleuth Kit ver 2.02
+ fsstat -V
The Sleuth Kit ver 2.02
+ img_stat dev-scd.img
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw
Size in bytes: 60003254272
+ mmls dev-scd.img
DOS Partition Table
Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: ----- 0000000000 0000000000 0000000001 Primary Table (#0)
01: ----- 0000000001 0000000062 0000000062 Unallocated
02: 00:00 0000000063 0000208844 0000208782 Linux (0x83)
03: 00:01 0000208845 0117210239 0117001395 Linux Logical Volume Manager (0x8e)
+ fsstat -o 0 dev-scd.img
Cannot determine file system type
+ fsstat -o 1 dev-scd.img
Cannot determine file system type
+ fsstat -o 63 dev-scd.img
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext3
Volume Name: /boot
Volume ID: 1c41e5f4cd136bb7a5448b3056203ba5
Last Written at: Sun Aug 14 23:19:30 2005
Last Checked at: Thu Feb 3 08:15:06 2005
Last Mounted at: Sun Aug 14 23:19:30 2005
Unmounted properly
Last mounted on:
Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Needs Recovery,
Read Only Compat Features: Sparse Super,
Journal ID: 00
Journal Inode: 8
METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 26104
Root Directory: 2
Free Inodes: 26040
CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 104387
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 69023
BLOCK GROUP INFORMATION
--------------------------------------------
Number of Block Groups: 13
Inodes per group: 2008
Blocks per group: 8192
Group: 0:
Inode Range: 1 - 2008
Block Range: 1 - 8192
Layout:
Super Block: 1 - 1
Group Descriptor Table: 2 - 2
Data bitmap: 259 - 259
Inode bitmap: 260 - 260
Inode Table: 261 - 511
Data Blocks: 512 - 8192
Free Inodes: 1984 (98%)
Free Blocks: 0 (0%)
Total Directories: 2
Group: 1:
Inode Range: 2009 - 4016
Block Range: 8193 - 16384
Layout:
Super Block: 8193 - 8193
Group Descriptor Table: 8194 - 8194
Data bitmap: 8451 - 8451
Inode bitmap: 8452 - 8452
Inode Table: 8453 - 8703
Data Blocks: 8704 - 16384
Free Inodes: 1991 (99%)
Free Blocks: 3972 (48%)
Total Directories: 1
Group: 2:
Inode Range: 4017 - 6024
Block Range: 16385 - 24576
Layout:
Data bitmap: 16385 - 16385
Inode bitmap: 16386 - 16386
Inode Table: 16387 - 16637
Data Blocks: 16387 - 16386, 16638 - 24576
Free Inodes: 2008 (100%)
Free Blocks: 7939 (96%)
Total Directories: 0
Group: 3:
Inode Range: 6025 - 8032
Block Range: 24577 - 32768
Layout:
Super Block: 24577 - 24577
Group Descriptor Table: 24578 - 24578
Data bitmap: 24835 - 24835
Inode bitmap: 24836 - 24836
Inode Table: 24837 - 25087
Data Blocks: 25088 - 32768
Free Inodes: 1995 (99%)
Free Blocks: 0 (0%)
Total Directories: 0
Group: 4:
Inode Range: 8033 - 10040
Block Range: 32769 - 40960
Layout:
Data bitmap: 32769 - 32769
Inode bitmap: 32770 - 32770
Inode Table: 32771 - 33021
Data Blocks: 32771 - 32770, 33022 - 40960
Free Inodes: 2008 (100%)
Free Blocks: 5821 (71%)
Total Directories: 0
Group: 5:
Inode Range: 10041 - 12048
Block Range: 40961 - 49152
Layout:
Super Block: 40961 - 40961
Group Descriptor Table: 40962 - 40962
Data bitmap: 41219 - 41219
Inode bitmap: 41220 - 41220
Inode Table: 41221 - 41471
Data Blocks: 41472 - 49152
Free Inodes: 1998 (99%)
Free Blocks: 1074 (13%)
Total Directories: 0
Group: 6:
Inode Range: 12049 - 14056
Block Range: 49153 - 57344
Layout:
Data bitmap: 49153 - 49153
Inode bitmap: 49154 - 49154
Inode Table: 49155 - 49405
Data Blocks: 49155 - 49154, 49406 - 57344
Free Inodes: 2008 (100%)
Free Blocks: 5208 (63%)
Total Directories: 0
Group: 7:
Inode Range: 14057 - 16064
Block Range: 57345 - 65536
Layout:
Super Block: 57345 - 57345
Group Descriptor Table: 57346 - 57346
Data bitmap: 57603 - 57603
Inode bitmap: 57604 - 57604
Inode Table: 57605 - 57855
Data Blocks: 57856 - 65536
Free Inodes: 2008 (100%)
Free Blocks: 7681 (93%)
Total Directories: 0
Group: 8:
Inode Range: 16065 - 18072
Block Range: 65537 - 73728
Layout:
Data bitmap: 65537 - 65537
Inode bitmap: 65538 - 65538
Inode Table: 65539 - 65789
Data Blocks: 65539 - 65538, 65790 - 73728
Free Inodes: 2008 (100%)
Free Blocks: 7939 (96%)
Total Directories: 0
Group: 9:
Inode Range: 18073 - 20080
Block Range: 73729 - 81920
Layout:
Super Block: 73729 - 73729
Group Descriptor Table: 73730 - 73730
Data bitmap: 73987 - 73987
Inode bitmap: 73988 - 73988
Inode Table: 73989 - 74239
Data Blocks: 74240 - 81920
Free Inodes: 2008 (100%)
Free Blocks: 7681 (93%)
Total Directories: 0
Group: 10:
Inode Range: 20081 - 22088
Block Range: 81921 - 90112
Layout:
Data bitmap: 81921 - 81921
Inode bitmap: 81922 - 81922
Inode Table: 81923 - 82173
Data Blocks: 81923 - 81922, 82174 - 90112
Free Inodes: 2008 (100%)
Free Blocks: 7939 (96%)
Total Directories: 0
Group: 11:
Inode Range: 22089 - 24096
Block Range: 90113 - 98304
Layout:
Data bitmap: 90113 - 90113
Inode bitmap: 90114 - 90114
Inode Table: 90115 - 90365
Data Blocks: 90115 - 90114, 90366 - 98304
Free Inodes: 2008 (100%)
Free Blocks: 7939 (96%)
Total Directories: 0
Group: 12:
Inode Range: 24097 - 26104
Block Range: 98305 - 104387
Layout:
Data bitmap: 98305 - 98305
Inode bitmap: 98306 - 98306
Inode Table: 98307 - 98557
Data Blocks: 98307 - 98306, 98558 - 104387
Free Inodes: 2008 (100%)
Free Blocks: 5830 (95%)
Total Directories: 0
+ fsstat -o 208845 dev-scd.img
Cannot determine file system type
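Added example, not part of the original post or of The Sleuth Kit: a short Python check that converts the cylinder ranges printed by `fdisk -l` into 512-byte sectors and compares them with the `mmls` rows and the image size from `ls -l`. All numbers are copied from the output above; the rule that a partition starting in cylinder 1 begins one track in is an assumption about the classic DOS layout.

```python
SECTOR = 512
HEADS, SPT = 255, 63          # geometry printed by fdisk in the post
CYL = HEADS * SPT             # 16065 sectors per cylinder

# Values copied from the fdisk -l, mmls and ls -l output in the post.
FDISK = [  # (name, start_cyl, end_cyl, type_id)
    ("dev-scd.img1", 1, 13, 0x83),
    ("dev-scd.img2", 14, 7296, 0x8E),
]
MMLS = {   # type_id -> (start_sector, end_sector)
    0x83: (63, 208844),
    0x8E: (208845, 117210239),
}
IMAGE_BYTES = 60003254272


def cyl_to_sectors(start_cyl, end_cyl):
    """Convert fdisk's 1-based cylinder range to an inclusive sector range."""
    start = (start_cyl - 1) * CYL
    if start == 0:
        start = SPT           # assumption: first partition skips track 0 (MBR)
    return start, end_cyl * CYL - 1


def reconcile():
    """Return one dict per fdisk row with the derived sector values."""
    image_sectors = IMAGE_BYTES // SECTOR
    report = []
    for name, c0, c1, type_id in FDISK:
        start, end = cyl_to_sectors(c0, c1)
        report.append({
            "name": name,
            "type": type_id,
            "start": start,
            "end": end,
            "blocks_1k": (end - start + 1) / 2,      # fdisk "Blocks" column
            "matches_mmls": (start, end) == MMLS[type_id],
            "byte_offset": start * SECTOR,           # for tools that take bytes
            "sectors_past_image_end": max(0, end + 1 - image_sectors),
        })
    return report


if __name__ == "__main__":
    for row in reconcile():
        print(row)
```

Both rows come out identical to the `mmls` listing, so the two tools describe the same layout in different units. The 0x8e entry also ends 16384 sectors beyond the last sector of the 60003254272-byte image file.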