Thread: [sleuthkit-users] Linux and "unrecognized" sectors
From: Paul S. <pa...@vn...> - 2006-01-18 03:28:39
Hello all,

I'm reading some articles and one that I have come across (was handed to me, unfortunately no link) says that Linux will not recognize the last sector of a disk if it has an odd number of sectors. I had never heard this before and it has prompted a couple of questions.

1) Will this affect an image acquired using dd?

2) Will it affect Sleuthkit's handling of an image of this drive?

Thanks!

Paul
From: Eagle I. S. Inc. <in...@ea...> - 2006-01-18 07:57:59
Paul,

This is a well-discussed and well-solved issue. Look in the archives, or on the linuxforensics Yahoo group. The simplest answer is to use the 2.6 kernel or use a patch for the 2.4 kernel to get around this. Google is your friend.

And Sleuthkit won't be affected per se, since it will analyze whatever you hand to it, and quite successfully too.

Niall.
From: farmer d. <far...@ya...> - 2006-01-18 20:48:41
Hi Paul,

Linux doesn't access the last odd sector when initializing file systems and so the article you read probably indicated using Linux to acquire may leave the last sector if the count is odd or similar.

This is true for the 2.4 Linux kernel because the block layer uses 1024 and a sector is 512, so it cannot be accessed when going through the block layer (such as 'dd' does when dumping a device). The block layer was rewritten in the 2.6 kernel so a 2.6 can access this last odd sector for those Windows file system types that use it.

A side note, you can happily acquire that sector using the 2.4 Linux kernel, too. Just avoid the block layer and use the raw device. I do this when I need to and teach about it in my training classes. You don't need a 2.6 kernel to get the last odd sector. You only need to know what the problem is and how to work around it in the 2.4 series kernels.

regards,

farmerdude

http://www.farmerdude.com/
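An added example, not part of the thread and not code from any poster: a shell check for the condition described in the message above, where an image taken through 1024-byte blocks ends one 512-byte sector short of a drive with an odd sector count. The true sector count is assumed to come from the drive label or vendor specification; the 2001-sector size, function names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a dd image that lost the final odd sector.
# Sector counts and file names here are constructed for illustration.

SECTOR_BYTES=512

# Sectors addressable on a device of $1 sectors when all I/O is done in
# blocks of $2 bytes (assumed to be a multiple of the sector size).
reachable_sectors() {
    per_block=$(($2 / SECTOR_BYTES))
    echo $(( ($1 / per_block) * per_block ))
}

# Compare image file $1 against the drive's true sector count $2.
# Returns 0 if complete, 1 if trailing sectors are missing, 2 otherwise.
check_image() {
    image_bytes=$(wc -c < "$1" | tr -d ' ')
    expected_bytes=$(($2 * SECTOR_BYTES))
    if [ "$image_bytes" -eq "$expected_bytes" ]; then
        echo "complete: $2 sectors"
        return 0
    fi
    if [ "$image_bytes" -lt "$expected_bytes" ]; then
        missing=$(( (expected_bytes - image_bytes) / SECTOR_BYTES ))
        echo "short: missing $missing trailing sector(s)"
        return 1
    fi
    echo "mismatch: image larger than expected"
    return 2
}

# Constructed demo: a 2001-sector "drive" imaged through 1024-byte blocks,
# which stops at sector 2000 and leaves the last odd sector behind.
demo() {
    tmp=$(mktemp -d)
    n=$(reachable_sectors 2001 1024)
    dd if=/dev/zero of="$tmp/image.dd" bs=$SECTOR_BYTES count="$n" 2>/dev/null
    check_image "$tmp/image.dd" 2001
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || true
```

Run the same `check_image` against a real acquisition by passing the image path and the sector count printed on the drive label.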
From: Paul S. <pa...@vn...> - 2006-01-19 04:21:09
Thanks everyone!

Paul