Re: [sleuthkit-users] No inode found for some blocks reported as allocated by blkstat.
From: <slo...@gm...> - 2016-08-30 01:09:42
|
I found the source file using the tsk_file_layout table in sleuthkit database created by tsk_loaddb. When I perform an istat lookup on the metadata structure, I find the file has the following blocks identified. Type: $DATA (128-1) Name: N/A Non-Resident size: 1442836480 > init_size: 0 > 6710176 0 0 0 0 0 0 0 > 0 0 0 0 0 0 0 0 > 0 0 0 0 0 0 0 0 > I know Brian has explained the zeros in the block list, but I no longer recall why they occur. Is this the reason for the ifind failure to identifiy the meta data address? Are there any command line workarounds for building a file layout without invoking and relying on tsk_loaddb? I'm willing to work with the db, but the complexity is more than I need and the flag definitions are hard to find (i.e., attribute types and id's, etc). The links from the wiki are broken, too. Thanks, and suggestions appreciated. John On Mon, Aug 29, 2016 at 5:38 PM, slo...@gm... <slo...@gm...> wrote: > I have an artifact of interest in block 6713248 of a partition (here > represented with the variable $p4). The blkstat tool and the results of > blkls -el both indicate the block is allocated. > > $ blkstat $p4 6713248 >> Cluster: 6713248 >> Allocated >> > > However, when I use ifind to determine the associated metadata structure, > no inode can be found: > > $ ifind $p4 -d 6713248 >> Inode not found >> > > Is this a bug? How do I determine the associated file/meta data structure > without ifind? > > Thanks, > John > > Platform: Linux > TSK v. 4.3.0 and 4.2.0 > |