Re: [sleuthkit-users] Linux LVM on ext3: partitions or offsets?
From: Brian C. <ca...@sl...> - 2005-09-02 15:42:44
On Sep 1, 2005, at 10:57 AM, Chris Stoughton wrote:

> I created a disk image using dd_rhelp, which claimed to finish
> without error. I am using sleuth kit ver 2.02 to inspect the disk
> image, called dev-scd.img
>
> fdisk and mmls seem to disagree about the partitions. Can you
> help? Is there something I need to do with the partition table or
> offset calculations? Do I need to set the cylinders in the image,
> and if so, how?

The mmls output looks more normal since most partitions start at sector 63. Further, mmls properly shows the location of the /boot/ partition. However, there is another level of partitions because LVM is being used. The big partition at the end actually contains one or more partitions, which is why you can't run any tools directly on it.

I have not been able to restore LVM partitions using loopback or other techniques and have had to restore the image to a disk and boot a Linux system. This process is described in my book and you may be able to find some online references in the book bibliography:

http://digital-evidence.org/fsfa/biblio.html#ch7

brian

> Here is the output of fdisk -l
>
> # /sbin/fdisk -l dev-scd.img
> You must set cylinders.
> You can do this from the extra functions menu.
>
> Disk dev-scd.img: 0 MB, 0 bytes
> 255 heads, 63 sectors/track, 0 cylinders
> Units = cylinders of 16065 * 512 = 8225280 bytes
>
>       Device Boot      Start         End      Blocks   Id  System
> dev-scd.img1   *           1          13      104391   83  Linux
> dev-scd.img2              14        7296    58500697+  8e  Linux LVM
> Partition 2 has different physical/logical endings:
>      phys=(1023, 254, 63) logical=(7295, 254, 63)
>
> In the log file below, lines beginning with "+" echo the command
> performed, generated by running this bash script:
>
> ========= listing of sleuth.sh ============================
> #!/bin/bash -x
> ls -l dev-scd.img
> img_stat -V
> mmls -V
> fsstat -V
> img_stat dev-scd.img
> mmls dev-scd.img
> fsstat -o 0 dev-scd.img
> fsstat -o 1 dev-scd.img
> fsstat -o 63 dev-scd.img
> fsstat -o 208845 dev-scd.img
>
>
> It looks like I can see the third partition (Linux 0x83) but I can
> not see the fourth partition (Linux Logical Volume Manager (0x8e)
> which is where the "good stuff" is I'd like to recover.
>
> Is there something else I need to be able to inspect a Linux
> Logical Volume?
>
> The image was created from a disk which was running an ext3 file
> system under Fedora Core 3. Please let me know if there is
> something else I can provide.
>
> Thanks, and thanks for this tool set.
>
> Chris
>
> ======= log file of sleuth.sh
> ========================================================
>
> + ls -l dev-scd.img
> -rw-r--r--  1 stoughto sdss 60003254272 Aug 31 16:40 dev-scd.img
> + img_stat -V
> The Sleuth Kit ver 2.02
> + mmls -V
> The Sleuth Kit ver 2.02
> + fsstat -V
> The Sleuth Kit ver 2.02
> + img_stat dev-scd.img
> IMAGE FILE INFORMATION
> --------------------------------------------
> Image Type: raw
> Size in bytes: 60003254272
> + mmls dev-scd.img
> DOS Partition Table
> Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  -----   0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000001   0000000062   0000000062   Unallocated
> 02:  00:00   0000000063   0000208844   0000208782   Linux (0x83)
> 03:  00:01   0000208845   0117210239   0117001395   Linux Logical Volume Manager (0x8e)
> + fsstat -o 0 dev-scd.img
> Cannot determine file system type
> + fsstat -o 1 dev-scd.img
> Cannot determine file system type
> + fsstat -o 63 dev-scd.img
> FILE SYSTEM INFORMATION
> --------------------------------------------
> File System Type: Ext3
> Volume Name: /boot
> Volume ID: 1c41e5f4cd136bb7a5448b3056203ba5
>
> Last Written at: Sun Aug 14 23:19:30 2005
> Last Checked at: Thu Feb  3 08:15:06 2005
> Last Mounted at: Sun Aug 14 23:19:30 2005
> Unmounted properly
> Last mounted on:
>
> Source OS: Linux
> Dynamic Structure
> Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
> InCompat Features: Filetype, Needs Recovery,
> Read Only Compat Features: Sparse Super,
>
> Journal ID: 00
> Journal Inode: 8
>
> METADATA INFORMATION
> --------------------------------------------
> Inode Range: 1 - 26104
> Root Directory: 2
> Free Inodes: 26040
>
> CONTENT INFORMATION
> --------------------------------------------
> Block Range: 0 - 104387
> Block Size: 1024
> Reserved Blocks Before Block Groups: 1
> Free Blocks: 69023
>
> BLOCK GROUP INFORMATION
> --------------------------------------------
> Number of Block Groups: 13
> Inodes per group: 2008
> Blocks per group: 8192
>
> Group: 0:
>   Inode Range: 1 - 2008
>   Block Range: 1 - 8192
>   Layout:
>     Super Block: 1 - 1
>     Group Descriptor Table: 2 - 2
>     Data bitmap: 259 - 259
>     Inode bitmap: 260 - 260
>     Inode Table: 261 - 511
>     Data Blocks: 512 - 8192
>   Free Inodes: 1984 (98%)
>   Free Blocks: 0 (0%)
>   Total Directories: 2
>
> Group: 1:
>   Inode Range: 2009 - 4016
>   Block Range: 8193 - 16384
>   Layout:
>     Super Block: 8193 - 8193
>     Group Descriptor Table: 8194 - 8194
>     Data bitmap: 8451 - 8451
>     Inode bitmap: 8452 - 8452
>     Inode Table: 8453 - 8703
>     Data Blocks: 8704 - 16384
>   Free Inodes: 1991 (99%)
>   Free Blocks: 3972 (48%)
>   Total Directories: 1
>
> Group: 2:
>   Inode Range: 4017 - 6024
>   Block Range: 16385 - 24576
>   Layout:
>     Data bitmap: 16385 - 16385
>     Inode bitmap: 16386 - 16386
>     Inode Table: 16387 - 16637
>     Data Blocks: 16387 - 16386, 16638 - 24576
>   Free Inodes: 2008 (100%)
>   Free Blocks: 7939 (96%)
>   Total Directories: 0
>
> Group: 3:
>   Inode Range: 6025 - 8032
>   Block Range: 24577 - 32768
>   Layout:
>     Super Block: 24577 - 24577
>     Group Descriptor Table: 24578 - 24578
>     Data bitmap: 24835 - 24835
>     Inode bitmap: 24836 - 24836
>     Inode Table: 24837 - 25087
>     Data Blocks: 25088 - 32768
>   Free Inodes: 1995 (99%)
>   Free Blocks: 0 (0%)
>   Total Directories: 0
>
> Group: 4:
>   Inode Range: 8033 - 10040
>   Block Range: 32769 - 40960
>   Layout:
>     Data bitmap: 32769 - 32769
>     Inode bitmap: 32770 - 32770
>     Inode Table: 32771 - 33021
>     Data Blocks: 32771 - 32770, 33022 - 40960
>   Free Inodes: 2008 (100%)
>   Free Blocks: 5821 (71%)
>   Total Directories: 0
>
> Group: 5:
>   Inode Range: 10041 - 12048
>   Block Range: 40961 - 49152
>   Layout:
>     Super Block: 40961 - 40961
>     Group Descriptor Table: 40962 - 40962
>     Data bitmap: 41219 - 41219
>     Inode bitmap: 41220 - 41220
>     Inode Table: 41221 - 41471
>     Data Blocks: 41472 - 49152
>   Free Inodes: 1998 (99%)
>   Free Blocks: 1074 (13%)
>   Total Directories: 0
>
> Group: 6:
>   Inode Range: 12049 - 14056
>   Block Range: 49153 - 57344
>   Layout:
>     Data bitmap: 49153 - 49153
>     Inode bitmap: 49154 - 49154
>     Inode Table: 49155 - 49405
>     Data Blocks: 49155 - 49154, 49406 - 57344
>   Free Inodes: 2008 (100%)
>   Free Blocks: 5208 (63%)
>   Total Directories: 0
>
> Group: 7:
>   Inode Range: 14057 - 16064
>   Block Range: 57345 - 65536
>   Layout:
>     Super Block: 57345 - 57345
>     Group Descriptor Table: 57346 - 57346
>     Data bitmap: 57603 - 57603
>     Inode bitmap: 57604 - 57604
>     Inode Table: 57605 - 57855
>     Data Blocks: 57856 - 65536
>   Free Inodes: 2008 (100%)
>   Free Blocks: 7681 (93%)
>   Total Directories: 0
>
> Group: 8:
>   Inode Range: 16065 - 18072
>   Block Range: 65537 - 73728
>   Layout:
>     Data bitmap: 65537 - 65537
>     Inode bitmap: 65538 - 65538
>     Inode Table: 65539 - 65789
>     Data Blocks: 65539 - 65538, 65790 - 73728
>   Free Inodes: 2008 (100%)
>   Free Blocks: 7939 (96%)
>   Total Directories: 0
>
> Group: 9:
>   Inode Range: 18073 - 20080
>   Block Range: 73729 - 81920
>   Layout:
>     Super Block: 73729 - 73729
>     Group Descriptor Table: 73730 - 73730
>     Data bitmap: 73987 - 73987
>     Inode bitmap: 73988 - 73988
>     Inode Table: 73989 - 74239
>     Data Blocks: 74240 - 81920
>   Free Inodes: 2008 (100%)
>   Free Blocks: 7681 (93%)
>   Total Directories: 0
>
> Group: 10:
>   Inode Range: 20081 - 22088
>   Block Range: 81921 - 90112
>   Layout:
>     Data bitmap: 81921 - 81921
>     Inode bitmap: 81922 - 81922
>     Inode Table: 81923 - 82173
>     Data Blocks: 81923 - 81922, 82174 - 90112
>   Free Inodes: 2008 (100%)
>   Free Blocks: 7939 (96%)
>   Total Directories: 0
>
> Group: 11:
>   Inode Range: 22089 - 24096
>   Block Range: 90113 - 98304
>   Layout:
>     Data bitmap: 90113 - 90113
>     Inode bitmap: 90114 - 90114
>     Inode Table: 90115 - 90365
>     Data Blocks: 90115 - 90114, 90366 - 98304
>   Free Inodes: 2008 (100%)
>   Free Blocks: 7939 (96%)
>   Total Directories: 0
>
> Group: 12:
>   Inode Range: 24097 - 26104
>   Block Range: 98305 - 104387
>   Layout:
>     Data bitmap: 98305 - 98305
>     Inode bitmap: 98306 - 98306
>     Inode Table: 98307 - 98557
>     Data Blocks: 98307 - 98306, 98558 - 104387
>   Free Inodes: 2008 (100%)
>   Free Blocks: 5830 (95%)
>   Total Directories: 0
>
> + fsstat -o 208845 dev-scd.img
> Cannot determine file system type
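The following Python script is an added example for this thread; it is not code from the list post or from The Sleuth Kit. It shows why `fsstat -o 63` identifies /boot while `fsstat -o 208845` finds nothing: the first partition starts with an ext superblock (1024 bytes in, magic 0xEF53), whereas a Linux LVM (0x8e) partition starts with an LVM2 physical-volume label ("LABELONE" in one of its first four sectors, followed by the PV header) and the logical volumes that actually carry file systems sit at offsets recorded only in LVM's own metadata. The script builds a small constructed image in memory (two 2048-sector partitions, a made-up PV UUID; the sizes and names are assumptions, not the 60 GB image from the post), parses its DOS partition table the way mmls does, and probes each partition start for an ext superblock or an LVM2 label.

```python
import struct

SECTOR = 512

# Constructed layout (assumption for this example, not the thread's image):
# slot 0 = bootable Linux 0x83, slot 1 = Linux LVM 0x8e, back to back.
BOOT_START, BOOT_LEN = 63, 2048
LVM_START, LVM_LEN = BOOT_START + BOOT_LEN, 2048
PV_UUID = b"CONSTRUCTEDPVUUID0123456789abcde"  # 32 bytes, made up

EXT_MAGIC = 0xEF53          # s_magic at superblock offset 56
EXT_COMPAT_HAS_JOURNAL = 0x4


def parse_mbr(img):
    """Return non-empty DOS partition entries as (slot, type, start_sector, length)."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no DOS partition table signature")
    parts = []
    for i in range(4):
        entry = img[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, length = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        if ptype != 0:
            parts.append((i, ptype, start, length))
    return parts


def probe(img, start_sector):
    """Say what lies at a sector offset, roughly as fsstat -o <sector> would try to."""
    base = start_sector * SECTOR
    # ext2/3/4: superblock 1024 bytes into the volume, volume name at +120,
    # compat feature flags at +92.
    sb = img[base + 1024: base + 2048]
    if len(sb) == 1024 and struct.unpack_from("<H", sb, 56)[0] == EXT_MAGIC:
        name = sb[120:136].split(b"\x00", 1)[0].decode("ascii", "replace")
        compat = struct.unpack_from("<I", sb, 92)[0]
        kind = "Ext3" if compat & EXT_COMPAT_HAS_JOURNAL else "Ext2"
        return f"{kind} ({name})"
    # LVM2 physical volume: label header in one of sectors 0..3 of the PV,
    # "LABELONE" at +0, "LVM2 001" at +24, offset of the pv_header at +20,
    # and the 32-byte PV UUID at the start of the pv_header.
    for s in range(4):
        sec = img[base + s * SECTOR: base + (s + 1) * SECTOR]
        if sec[:8] == b"LABELONE" and sec[24:32] == b"LVM2 001":
            hdr_off = struct.unpack_from("<I", sec, 20)[0]
            uuid = sec[hdr_off: hdr_off + 32].decode("ascii", "replace")
            return f"LVM2 physical volume (PV UUID {uuid})"
    return "Cannot determine file system type"


def analyze(img):
    """mmls-style rows (start, end, length, description, probe result) per slot."""
    names = {0x83: "Linux (0x83)", 0x8E: "Linux Logical Volume Manager (0x8e)"}
    rows = []
    for _slot, ptype, start, length in parse_mbr(img):
        desc = names.get(ptype, f"type 0x{ptype:02x}")
        rows.append((start, start + length - 1, length, desc, probe(img, start)))
    return rows


def build_sample_image():
    """Constructed raw image: MBR + minimal ext3 superblock + LVM2 PV label."""
    img = bytearray((LVM_START + LVM_LEN) * SECTOR)

    def entry(boot, ptype, start, length):
        # status, dummy CHS start, type, dummy CHS end, LBA start, sector count
        return bytes([boot, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, length)

    img[446:462] = entry(0x80, 0x83, BOOT_START, BOOT_LEN)
    img[462:478] = entry(0x00, 0x8E, LVM_START, LVM_LEN)
    img[510:512] = b"\x55\xaa"
    # ext3 superblock for the /boot partition
    sb = BOOT_START * SECTOR + 1024
    struct.pack_into("<H", img, sb + 56, EXT_MAGIC)
    struct.pack_into("<I", img, sb + 92, EXT_COMPAT_HAS_JOURNAL)
    img[sb + 120: sb + 125] = b"/boot"
    # LVM2 label in sector 1 of the second partition, pv_header right after it
    lbl = (LVM_START + 1) * SECTOR
    img[lbl: lbl + 8] = b"LABELONE"
    struct.pack_into("<Q", img, lbl + 8, 1)    # sector number holding this label
    struct.pack_into("<I", img, lbl + 20, 32)  # pv_header starts at +32
    img[lbl + 24: lbl + 32] = b"LVM2 001"
    img[lbl + 32: lbl + 64] = PV_UUID
    return bytes(img)


if __name__ == "__main__":
    for start, end, length, desc, found in analyze(build_sample_image()):
        print(f"{start:010d} {end:010d} {length:010d} {desc:38s} -> {found}")
```

Once a partition probes as an LVM2 physical volume, the file systems inside it cannot be reached with a single sector offset; the volume group metadata has to be read and the logical volumes activated (on a current Linux host that is typically a read-only loop device plus the LVM tools, the modern counterpart of the restore-to-disk approach described in the reply).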