Re: [sleuthkit-users] Help on indirect blocks!
From: Brian C. <ca...@sl...> - 2005-09-27 15:05:05
It looks like the block that used to hold the other block pointers has been reused. You can sometimes make some assumptions about where the data was, but Solaris fragments the files quite a bit so that they are spread around the file system. For example, the indirect block is in block 60,018,960 while the last direct block was 1,566,824 (in your system). Solaris frequently puts the blocks after the first 12 direct blocks in a different cylinder group. So, I'm afraid that you could be out of luck since the usual carving tools won't help.

brian

On Sep 26, 2005, at 11:14 AM, Monserrat Ramirez wrote:

> Hello everyone!
>
> I'm a new user of the Sleuth Kit and I don't know if I'm doing something wrong... I lost an entire FS (the super block was damaged... the backup copies either) but I only want to recover one file; by now I know that the inode that this file uses is the 182584, but when I ran the icat command with the verbose option, the output is as follows:
>
> inodes 12393472 root ino 2 cyl groups 2128 blocks 104587230
> fs_read_block: read block 1525976 offs 1562599424 len 8192 (inode block)
> fs_read_block: read block 1525720 offs 1562337280 len 8192 (cylinder block)
> fs_read_block: read block 1566736 offs 1604337664 len 8192 (data block)
> fs_read_block: read block 1566744 offs 1604345856 len 8192 (data block)
> fs_read_block: read block 1566752 offs 1604354048 len 8192 (data block)
> fs_read_block: read block 1566760 offs 1604362240 len 8192 (data block)
> fs_read_block: read block 1566768 offs 1604370432 len 8192 (data block)
> fs_read_block: read block 1566776 offs 1604378624 len 8192 (data block)
> fs_read_block: read block 1566784 offs 1604386816 len 8192 (data block)
> fs_read_block: read block 1566792 offs 1604395008 len 8192 (data block)
> fs_read_block: read block 1566800 offs 1604403200 len 8192 (data block)
> fs_read_block: read block 1566808 offs 1604411392 len 8192 (data block)
> fs_read_block: read block 1566816 offs 1604419584 len 8192 (data block)
> fs_read_block: read block 1566824 offs 1604427776 len 8192 (data block)
> ffs_file_walk_indir: level 1 block 60018960
> fs_read_block: read block 60018960 offs 61459415040 len 8192 (disk address block)
> fs_read_block: read block 26886951 offs 27532237824 len 8192 (data block)
> Invalid address in indirect list (too large): 965017603
>
> My guess is that I have troubles with the reference to the indirect blocks... in fact, in the output file the output from the direct blocks is consistent with the info I'm expecting but the indirect blocks aren't.
>
> Any help? I'm running the Sleuth Kit in a Solaris 8 environment... believe me, any help will be appreciated.
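An added example, not part of the original thread and not Sleuth Kit code: a Python check that applies the "too large" test from the icat output above to every pointer of a candidate indirect block, to judge whether the block still holds block pointers or has been reused. It assumes 32-bit UFS1 pointers, big-endian byte order (pass `"<"` for x86), and the block size, fragment size and file system size read from the verbose output; the alignment test is a heuristic and both sample blocks are constructed.

```python
import struct

BLOCK_SIZE = 8192      # "len 8192" in the icat -v output
FRAG_SIZE = 1024       # offs / address, e.g. 1604337664 / 1566736
FS_FRAGS = 104587230   # "blocks 104587230" in the icat -v output
PER_BLOCK = BLOCK_SIZE // FRAG_SIZE


def make_block(ptrs, byteorder=">"):
    """Build a constructed indirect block: pointers, then zero padding."""
    raw = struct.pack(f"{byteorder}{len(ptrs)}I", *ptrs)
    return raw.ljust(BLOCK_SIZE, b"\0")


def check_indirect_block(raw, fs_frags=FS_FRAGS, byteorder=">"):
    """Classify each 32-bit pointer of a candidate indirect block."""
    if len(raw) != BLOCK_SIZE:
        raise ValueError("expected one full file system block")
    ptrs = struct.unpack(f"{byteorder}{BLOCK_SIZE // 4}I", raw)
    report = {"valid": [], "too_large": [], "unaligned": [], "holes": 0}
    for idx, addr in enumerate(ptrs):
        if addr == 0:
            report["holes"] += 1                      # sparse or unused slot
        elif addr >= fs_frags:
            report["too_large"].append((idx, addr))   # beyond end of the FS
        elif addr % PER_BLOCK:
            # Heuristic (assumption): pointers to full blocks are multiples
            # of 8 fragments, like every direct block address in the log.
            report["unaligned"].append((idx, addr))
        else:
            report["valid"].append((idx, addr))
    return report


def looks_reused(report):
    """True when any pointer cannot be a block address on this FS."""
    return bool(report["too_large"] or report["unaligned"])


# Constructed samples: SUSPECT starts with the two addresses icat printed
# after reading block 60018960; CLEAN is a fully populated pointer block.
SUSPECT = make_block([26886951, 965017603, 60018968])
CLEAN = make_block([60018968 + PER_BLOCK * i for i in range(BLOCK_SIZE // 4)])

if __name__ == "__main__":
    for name, blk in (("suspect", SUSPECT), ("clean", CLEAN)):
        rep = check_indirect_block(blk)
        print(name, looks_reused(rep), rep["too_large"], rep["unaligned"][:3])
```

To run it on real data, extract the 8192 bytes at the offset icat printed for the disk address block and pass them to `check_indirect_block`.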