[sleuthkit-users] Linux LVM on ext3: partitions or offsets?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I created a disk image using dd_rhelp, which claimed to finish without 
error.  I am using sleuth kit ver 2.02 to inspect the disk image, called 
dev-scd.img

fdisk and mmls seem to disagree about the partitions.  Can you help?  Is 
there something I need to do with the partition table or offset 
calculations?  Do I need to set the cylinders in the image, and if so, how?

Here is the output of fdisk -l

# /sbin/fdisk -l dev-scd.img
You must set cylinders.
You can do this from the extra functions menu.

Disk dev-scd.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

      Device Boot    Start       End    Blocks   Id  System
dev-scd.img1   *         1        13    104391   83  Linux
dev-scd.img2            14      7296  58500697+  8e  Linux LVM
Partition 2 has different physical/logical endings:
     phys=(1023, 254, 63) logical=(7295, 254, 63)

In the log file below, lines beginning with "+" echo the command 
performed, generated by running this bash script:

========= listing of sleuth.sh ============================
#!/bin/bash -x
ls -l dev-scd.img
img_stat -V
mmls -V
fsstat -V
img_stat dev-scd.img
mmls dev-scd.img
fsstat -o 0 dev-scd.img
fsstat -o 1 dev-scd.img
fsstat -o 63 dev-scd.img
fsstat -o 208845 dev-scd.img

It looks like I can see the third partition (Linux 0x83) but I can not 
see the fourth partition (Linux Logical Volume Manager (0x8e) which is 
where the "good stuff" is I'd like to recover.

Is there something else I need to be able to inspect a Linux Logical Volume?

The image was created from a disk which was running and ext3 file system 
under Fedora Core3.  Please let me know if there is something else I can 
provide.

Thanks, and thanks for this tool set.

Chris

======= log file of sleuth.sh 
========================================================

+ ls -l dev-scd.img
-rw-r--r--    1 stoughto sdss     60003254272 Aug 31 16:40 dev-scd.img
+ img_stat -V
The Sleuth Kit ver 2.02
+ mmls -V
The Sleuth Kit ver 2.02
+ fsstat -V
The Sleuth Kit ver 2.02
+ img_stat dev-scd.img
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: raw

Size in bytes: 60003254272
+ mmls dev-scd.img
DOS Partition Table
Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000001   0000000062   0000000062   Unallocated
02:  00:00   0000000063   0000208844   0000208782   Linux (0x83)
03:  00:01   0000208845   0117210239   0117001395   Linux Logical Volume 
Manager (0x8e)
+ fsstat -o 0 dev-scd.img
Cannot determine file system type
+ fsstat -o 1 dev-scd.img
Cannot determine file system type
+ fsstat -o 63 dev-scd.img
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext3
Volume Name: /boot
Volume ID: 1c41e5f4cd136bb7a5448b3056203ba5

Last Written at: Sun Aug 14 23:19:30 2005
Last Checked at: Thu Feb  3 08:15:06 2005

Last Mounted at: Sun Aug 14 23:19:30 2005
Unmounted properly
Last mounted on:

Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Needs Recovery,
Read Only Compat Features: Sparse Super,

Journal ID: 00
Journal Inode: 8

METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 26104
Root Directory: 2
Free Inodes: 26040

CONTENT INFORMATION
--------------------------------------------
Block Range: 0 - 104387
Block Size: 1024
Reserved Blocks Before Block Groups: 1
Free Blocks: 69023

BLOCK GROUP INFORMATION
--------------------------------------------
Number of Block Groups: 13
Inodes per group: 2008
Blocks per group: 8192

Group: 0:
  Inode Range: 1 - 2008
  Block Range: 1 - 8192
  Layout:
    Super Block: 1 - 1
    Group Descriptor Table: 2 - 2
    Data bitmap: 259 - 259
    Inode bitmap: 260 - 260
    Inode Table: 261 - 511
    Data Blocks: 512 - 8192
  Free Inodes: 1984 (98%)
  Free Blocks: 0 (0%)
  Total Directories: 2

Group: 1:
  Inode Range: 2009 - 4016
  Block Range: 8193 - 16384
  Layout:
    Super Block: 8193 - 8193
    Group Descriptor Table: 8194 - 8194
    Data bitmap: 8451 - 8451
    Inode bitmap: 8452 - 8452
    Inode Table: 8453 - 8703
    Data Blocks: 8704 - 16384
  Free Inodes: 1991 (99%)
  Free Blocks: 3972 (48%)
  Total Directories: 1

Group: 2:
  Inode Range: 4017 - 6024
  Block Range: 16385 - 24576
  Layout:
    Data bitmap: 16385 - 16385
    Inode bitmap: 16386 - 16386
    Inode Table: 16387 - 16637
    Data Blocks: 16387 - 16386, 16638 - 24576
  Free Inodes: 2008 (100%)
  Free Blocks: 7939 (96%)
  Total Directories: 0

Group: 3:
  Inode Range: 6025 - 8032
  Block Range: 24577 - 32768
  Layout:
    Super Block: 24577 - 24577
    Group Descriptor Table: 24578 - 24578
    Data bitmap: 24835 - 24835
    Inode bitmap: 24836 - 24836
    Inode Table: 24837 - 25087
    Data Blocks: 25088 - 32768
  Free Inodes: 1995 (99%)
  Free Blocks: 0 (0%)
  Total Directories: 0

Group: 4:
  Inode Range: 8033 - 10040
  Block Range: 32769 - 40960
  Layout:
    Data bitmap: 32769 - 32769
    Inode bitmap: 32770 - 32770
    Inode Table: 32771 - 33021
    Data Blocks: 32771 - 32770, 33022 - 40960
  Free Inodes: 2008 (100%)
  Free Blocks: 5821 (71%)
  Total Directories: 0

Group: 5:
  Inode Range: 10041 - 12048
  Block Range: 40961 - 49152
  Layout:
    Super Block: 40961 - 40961
    Group Descriptor Table: 40962 - 40962
    Data bitmap: 41219 - 41219
    Inode bitmap: 41220 - 41220
    Inode Table: 41221 - 41471
    Data Blocks: 41472 - 49152
  Free Inodes: 1998 (99%)
  Free Blocks: 1074 (13%)
  Total Directories: 0

Group: 6:
  Inode Range: 12049 - 14056
  Block Range: 49153 - 57344
  Layout:
    Data bitmap: 49153 - 49153
    Inode bitmap: 49154 - 49154
    Inode Table: 49155 - 49405
    Data Blocks: 49155 - 49154, 49406 - 57344
  Free Inodes: 2008 (100%)
  Free Blocks: 5208 (63%)
  Total Directories: 0

Group: 7:
  Inode Range: 14057 - 16064
  Block Range: 57345 - 65536
  Layout:
    Super Block: 57345 - 57345
    Group Descriptor Table: 57346 - 57346
    Data bitmap: 57603 - 57603
    Inode bitmap: 57604 - 57604
    Inode Table: 57605 - 57855
    Data Blocks: 57856 - 65536
  Free Inodes: 2008 (100%)
  Free Blocks: 7681 (93%)
  Total Directories: 0

Group: 8:
  Inode Range: 16065 - 18072
  Block Range: 65537 - 73728
  Layout:
    Data bitmap: 65537 - 65537
    Inode bitmap: 65538 - 65538
    Inode Table: 65539 - 65789
    Data Blocks: 65539 - 65538, 65790 - 73728
  Free Inodes: 2008 (100%)
  Free Blocks: 7939 (96%)
  Total Directories: 0

Group: 9:
  Inode Range: 18073 - 20080
  Block Range: 73729 - 81920
  Layout:
    Super Block: 73729 - 73729
    Group Descriptor Table: 73730 - 73730
    Data bitmap: 73987 - 73987
    Inode bitmap: 73988 - 73988
    Inode Table: 73989 - 74239
    Data Blocks: 74240 - 81920
  Free Inodes: 2008 (100%)
  Free Blocks: 7681 (93%)
  Total Directories: 0

Group: 10:
  Inode Range: 20081 - 22088
  Block Range: 81921 - 90112
  Layout:
    Data bitmap: 81921 - 81921
    Inode bitmap: 81922 - 81922
    Inode Table: 81923 - 82173
    Data Blocks: 81923 - 81922, 82174 - 90112
  Free Inodes: 2008 (100%)
  Free Blocks: 7939 (96%)
  Total Directories: 0

Group: 11:
  Inode Range: 22089 - 24096
  Block Range: 90113 - 98304
  Layout:
    Data bitmap: 90113 - 90113
    Inode bitmap: 90114 - 90114
    Inode Table: 90115 - 90365
    Data Blocks: 90115 - 90114, 90366 - 98304
  Free Inodes: 2008 (100%)
  Free Blocks: 7939 (96%)
  Total Directories: 0

Group: 12:
  Inode Range: 24097 - 26104
  Block Range: 98305 - 104387
  Layout:
    Data bitmap: 98305 - 98305
    Inode bitmap: 98306 - 98306
    Inode Table: 98307 - 98557
    Data Blocks: 98307 - 98306, 98558 - 104387
  Free Inodes: 2008 (100%)
  Free Blocks: 5830 (95%)
  Total Directories: 0
+ fsstat -o 208845 dev-scd.img
Cannot determine file system type