sleuthkit-users

[sleuthkit-users] blkcat fails to output textfile

[Kai P. <ka...@po...>]

Hello sleuthkit folks,

I try do display the content of a text file with the help of blkcat. But
the output is none. I did sync before.

# cat /mnt/not-encrypted-disk/sensitive-file.txt sensitive text
# ls -li /mnt/not-encrypted-disk/sensitive-file.txt
12 -rw-r--r-- 1 root root 15 Jan 24 17:15
/mnt/not-encrypted-disk/sensitive-file.txt
# istat /dev/sdb1 12
inode: 12
Allocated
Group: 0
Generation Id: 2192492698
uid / gid: 0 / 0
mode: rrw-r--r--
Flags:
size: 15
num of links: 1

Inode Times:
Accessed:   2015-01-24 17:15:58 (CET)
File Modified:  2015-01-24 17:15:27 (CET)
Inode Modified: 2015-01-24 17:15:27 (CET)

Direct Blocks:
127754
# sync
# blkcat /dev/sdb1 127754
#


Souldn't 'blkcat /dev/sdb1 127754 ' display the content of the file? How
do I blkcat the content of the file? Thanks in advance.

Re: [sleuthkit-users] blkcat fails to output textfile

[Ketil F. <ke...@fr...>]

Kai,

I see you added the sync Simson suggested, but still no joy? I tried
to recreate your example, and it works for me. I tested by creating a
simple loopback file with ext4 on it, like this:

dd if=/dev/zero of=ext4.dd bs=1M count=200
mkfs -t ext4 ext4.dd

and I used tsk 4.1.3 (compiled from github). What file system (and
file system options) do you have on /dev/sdb1, and what version of
blkcat are you using? Does the block contain any data at all? Add the
-h flag to blkcat to see the hex dump of the block, is it all zeros or
is there anything else there?

Regarding the sync call, I tested with and without it right now with
ext4. If the data isn't written out to disk, there's nothing listed
under "Direct Blocks" either.

Cheers, Ketil

On 25 January 2015 at 21:28, Kai Pöritz <ka...@po...> wrote:
> Hello sleuthkit folks,
>
> I try do display the content of a text file with the help of blkcat. But
> the output is none. I did sync before.
>
> # cat /mnt/not-encrypted-disk/sensitive-file.txt sensitive text
> # ls -li /mnt/not-encrypted-disk/sensitive-file.txt
> 12 -rw-r--r-- 1 root root 15 Jan 24 17:15
> /mnt/not-encrypted-disk/sensitive-file.txt
> # istat /dev/sdb1 12
> inode: 12
> Allocated
> Group: 0
> Generation Id: 2192492698
> uid / gid: 0 / 0
> mode: rrw-r--r--
> Flags:
> size: 15
> num of links: 1
>
> Inode Times:
> Accessed:   2015-01-24 17:15:58 (CET)
> File Modified:  2015-01-24 17:15:27 (CET)
> Inode Modified: 2015-01-24 17:15:27 (CET)
>
> Direct Blocks:
> 127754
> # sync
> # blkcat /dev/sdb1 127754
> #
>
>
> Souldn't 'blkcat /dev/sdb1 127754 ' display the content of the file? How
> do I blkcat the content of the file? Thanks in advance.
>
>
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>



-- 
-Ketil