Re: [sleuthkit-users] how to map a bad block back to a file?
From: Gary F. <ga...@in...> - 2006-11-21 16:21:12
> -----Original Message-----
> Simson Garfinkel wrote:
> Sleuthkit can't do this out-of-the-box. Are you really running Sleuth
> Kit on the raw drive?

No. We plan to run Sleuthkit on the image of the drive. However, the image has known hardware errors, where the error sectors have been replaced with zeros. The dcfldd output looks something like this:

dcfldd:/dev/hde: Input/output error
6601392+31 records in
6601423+0 records out
dcfldd:/dev/hde: Input/output error
18533840+32 records in
18533872+0 records out
dcfldd:/dev/hde: Input/output error
18533840+33 records in
18533873+0 records out

The original dcfldd command was something like this:

dcfldd if=/dev/hde of=/evidence/Dell8100.img bs=512 \
    hash=md5 conv=error,sync \
    hashlog=/evidence/Dell8100.md5 \
    errlog=/evidence/Dell8100.err_log

There is sufficient information in the error log to determine which blocks (sectors) had read errors.

> However, the combination of aimage & sleuthkit and some fancy
> software that I am working on can do this pretty easily. What would you
> use it for?

Please tell us more about that fancy software. <g>

Generally, I planned on simply having the imaging script identify the file data and/or metadata that had likely been lost.

What we typically do in the case that the drive has errors is to copy the image file back onto a scratch drive, and then run chkdsk or its equivalent on the scratch drive, and then run our analysis on the resulting file system(s). We'd take the same steps if we were simply restoring a failing drive by copying it to a new drive (first make an image, then copy the image to the new drive, then run chkdsk).

However, from what I recall, chkdsk doesn't print any information regarding which files or data might have been lost during the fix up pass. As a matter of completeness, we'd like to have that information, and we'd like to obtain that information as part of the drive imaging process, in an automated fashion.
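One way to automate the mapping asked about in this thread, written as an added example (not code from the thread or from the Sleuth Kit project): it parses the dcfldd error-log records quoted above into image sector numbers, converts them to filesystem block numbers, and builds the `ifind -d` / `ffind` invocations that name the owning inode and path. The partition start (63) and block size (4096) are constructed values you would normally read from `mmls` and `fsstat`; the sector derivation assumes that, with `conv=error,sync`, every failed read emits exactly one zero-filled output record, so it may be off by one on other dcfldd versions.

```python
import re
import shutil
import subprocess
from typing import List, Optional

# Constructed sample: the three error records quoted in the mail (bs=512, conv=error,sync).
SAMPLE_ERRLOG = """\
dcfldd:/dev/hde: Input/output error
6601392+31 records in
6601423+0 records out
dcfldd:/dev/hde: Input/output error
18533840+32 records in
18533872+0 records out
dcfldd:/dev/hde: Input/output error
18533840+33 records in
18533873+0 records out
"""

RECORDS_OUT = re.compile(r"^(\d+)\+(\d+) records out$", re.M)


def bad_sectors(errlog: str) -> List[int]:
    """Return the 0-based image sector of each read error.

    Assumption: each failed read still emits one zero-filled record, so the
    last record written when the counter was printed (records out - 1) is
    the sector that was replaced with zeros in the image.
    """
    return [int(full) + int(partial) - 1 for full, partial in RECORDS_OUT.findall(errlog)]


def sector_to_fs_block(sector: int, part_start: int, fs_block_size: int,
                       sector_size: int = 512) -> Optional[int]:
    """Translate an image sector into the filesystem block number ifind -d expects.

    part_start is the partition's first sector (from mmls). Returns None when
    the sector lies before the partition, e.g. in the MBR or an unallocated gap.
    """
    if sector < part_start:
        return None
    return (sector - part_start) * sector_size // fs_block_size


def ifind_command(image: str, part_start: int, block: int) -> List[str]:
    """Sleuth Kit command that prints the inode owning a data unit (-o is in sectors)."""
    return ["ifind", "-o", str(part_start), "-d", str(block), image]


def ffind_command(image: str, part_start: int, inode: str) -> List[str]:
    """Sleuth Kit command that prints the path(s) for an inode."""
    return ["ffind", "-o", str(part_start), image, inode]


if __name__ == "__main__":
    image, part_start, block_size = "/evidence/Dell8100.img", 63, 4096  # constructed
    for sector in bad_sectors(SAMPLE_ERRLOG):
        block = sector_to_fs_block(sector, part_start, block_size)
        if block is None:
            print(f"sector {sector}: outside the filesystem, check partition table/boot code")
            continue
        cmd = ifind_command(image, part_start, block)
        print(" ".join(cmd))
        if shutil.which("ifind"):  # only run when TSK is installed
            inode = subprocess.run(cmd, capture_output=True, text=True).stdout.strip()
            if inode and inode.isdigit():
                print(subprocess.run(ffind_command(image, part_start, inode),
                                     capture_output=True, text=True).stdout)
```

Sectors that `ifind` reports as unallocated carry no file, but should still be noted, since they may have held metadata that chkdsk will later rewrite silently.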