Hi, im trying to work out the inode numbers for 5 different files. Im using FTK imager, which gives the inode number within the properties.. but i dont see how the value they give was achieved.
If the inode value is equal to the byte ranger 0-3
then how can the following screenshot be correct?
The inode number is 12 and the first three bytes are D0 CF 11
Your dump is the start of the data file - a Microsoft Office document
I don't think iNodes have their number in the iNode, it is just their location you have to work it out from
inodes are used to map out the file locations on *nix type systems by storing metadata about the files (permissions, type, ownership, location of blocks on disk, timestamps etc.). They don't have anything to do with the file content itself.
If the inode value is equal to the byte ranger 0-3
then how can the following screenshot be correct?
It sounds as you already have concluded that your assumption is wrong – or at least that there's something that is wrong about it.
Begin with the file system – it's clearly something Unix-related, as there are inodes, but exactly what file system is it? (I'm going to assume ext2/ext3, but for all I know it could be AdvFS or ZFS.)
With ext2/ext3, inodes do not contain inode number. bytes 0-3 is used for file mode and part of the user ID.
You *may* be thinking of the ext2/ext3 super block in which bytes 0-3 contain the *total* number of inodes that particular file system contains. Perhaps you've mixed that one up with the individual inode number of a separate file.
If you don't have Brian Carrier's book File System Forensic Analysis, buy, borrow or … well, not that. It helps identify and remove such misunderstandings.