Thanks for any help in advance
I have a USB key that I added about 10 files and removed 5 of them for testing.
I carved out the FAT32 partition using DD and named the file image.dd
I ran strings --radix=d against image.dd > image.dd.str
I then ran more against image.dd.str and found a string from one of the deleted files and copied down the offset number, which happened to be 2030080.
I then ran fsstat against image.dd to find out the block/cluster size. Below are the results. I was under the impression that I take the offset 2030080 / sector size 512 to get the block location of that data, which is 3965.
CONTENT INFORMATION
--------------------------------------------
Sector Size 512
Cluster Size 4096
Total Cluster Range 2 - 250514
Now here is what is troubling. Since this is a deleted file I thought that I had to run dls against image.dd to get a data set from unallocated data.
If that was the case I would need to run dcalc image.dd -d 3965 to get the original location of the data block on the allocated image (which doesn't make sense to me b/c the data wasn't moved). That will return 6.
I then type ifind image.dd -d 6 and get Meta Data.
Okay, so I tried another way.
Again I am starting with the offset of 2030080 / 512 = 3965
Run the following
$ ifind image.dd -d 3965
5
$ ffind image.dd 5
* /my name.doc (which is the name of the file)
istat will also give me the results I was looking for.
What I don't get is why do you need to run dls? The file that I was trying to recover WAS deleted, and when I insert the actual USB key I don't see it listed. Also istat shows that it's NOT allocated.
So am I always going to get the same results by finding the offset / SECTOR SIZE = X?
Run
$ ifind file -d X
$ ffind file X or istat file X (depending on what I am doing).
Again, just not sure why I would need to run dls.
Thanks,
Alan
> Now here is what is troubling. Since this is a deleted file I thought that I had to run dls against image.dd to get a data set from unallocated data.
> …
> Again, just not sure why I would need to run dls.
Hi Alan,
While some of your post requires some further "investigation", the short answer to the above question is that you *don't* need to run dls.
You run dls (in the context you give above) if you want to separate the allocated and unallocated clusters. You can examine the entire disk physically (as you are doing in your initial steps), in which case you are examining allocated and unallocated together. Or you can use dls to extract the unallocated and examine it separately.
This is a commonly used technique.
What I find somewhat confusing is your use of "sector size" to determine the data block. It should be cluster size, since these are the file system's data blocks (as defined by TSK). Unless we are just using different terminology. And since I don't see the context of what you are seeing, it's tough to say.
Bgrundy,
Thanks for your help.
To answer your last section, I was taught during a SANS course that to get the data block location on the drive you divide the offset (found from strings) by the block size from fsstat (which I thought was the same as the cluster size, block and cluster being the same thing, just different OS). Below is the output from fsstat. So when I divide by the sector size (512) versus the cluster size (4096) I get the data that I am expecting to get. When I divide the offset by the cluster size and run ifind I get "meta data" returned as a result.
CONTENT INFORMATION
--------------------------------------------
Sector Size 512
Cluster Size 4096
Total Cluster Range 2 - 250514
Thanks for any assistance.
Alan
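Added example (editor's note, not part of the thread above and not TSK code): the thread turns on why dividing the strings offset by the sector size (512) gives a usable ifind -d address while dividing by the cluster size (4096) does not. TSK addresses FAT data units by sector, and FAT cluster numbers start at 2 only at the beginning of the data region, which sits behind the reserved sectors and the FAT copies, so "byte offset / 4096" is not a cluster number at all. The script below builds a constructed FAT32 boot sector whose BPB values are hypothetical (chosen so the cluster range matches the fsstat output in the thread, 2 - 250514, not read from the poster's USB key), parses it, and maps the thread's offset 2030080 to its sector address and its real cluster number. The function and field names are the editor's own.

```python
import struct

# Hypothetical FAT32 BPB values, constructed for this example (not the poster's key).
# 32 reserved sectors + 2 FATs of 1958 sectors each puts the data region at sector 3948;
# 250513 clusters of 8 sectors then give fsstat's "Total Cluster Range 2 - 250514".
def build_boot_sector(bytes_per_sector=512, sectors_per_cluster=8, reserved_sectors=32,
                      num_fats=2, fat_size_sectors=1958, total_sectors=2008052):
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                      # jump instruction
    bs[3:11] = b"MSWIN4.1"                         # OEM name
    struct.pack_into("<H", bs, 11, bytes_per_sector)
    bs[13] = sectors_per_cluster
    struct.pack_into("<H", bs, 14, reserved_sectors)
    bs[16] = num_fats
    struct.pack_into("<H", bs, 17, 0)              # root entry count: 0 on FAT32
    struct.pack_into("<H", bs, 19, 0)              # 16-bit total sectors: 0 on FAT32
    bs[21] = 0xF8                                  # media descriptor
    struct.pack_into("<H", bs, 22, 0)              # 16-bit FAT size: 0 on FAT32
    struct.pack_into("<I", bs, 32, total_sectors)  # 32-bit total sectors
    struct.pack_into("<I", bs, 36, fat_size_sectors)  # 32-bit FAT size
    struct.pack_into("<I", bs, 44, 2)              # first cluster of root directory
    bs[510], bs[511] = 0x55, 0xAA                  # boot sector signature
    return bytes(bs)


def parse_bpb(bs):
    """Read the FAT32 BPB fields needed to locate the data region."""
    if len(bs) < 512 or bs[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    bytes_per_sector = struct.unpack_from("<H", bs, 11)[0]
    sectors_per_cluster = bs[13]
    reserved_sectors = struct.unpack_from("<H", bs, 14)[0]
    num_fats = bs[16]
    fat_size = struct.unpack_from("<I", bs, 36)[0]
    total_sectors = struct.unpack_from("<I", bs, 32)[0]
    if bytes_per_sector not in (512, 1024, 2048, 4096) or sectors_per_cluster == 0:
        raise ValueError("implausible BPB geometry")
    data_start = reserved_sectors + num_fats * fat_size       # first sector of cluster 2
    cluster_count = (total_sectors - data_start) // sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": bytes_per_sector * sectors_per_cluster,
        "fat_start": reserved_sectors,
        "data_start": data_start,
        "first_cluster": 2,
        "last_cluster": 2 + cluster_count - 1,
    }


def locate(geom, byte_offset):
    """Map a byte offset from `strings --radix=d` to a sector address and a cluster number."""
    sector = byte_offset // geom["bytes_per_sector"]          # what ifind -d expects on FAT
    naive = byte_offset // geom["cluster_size"]               # the tempting but wrong value
    if sector < geom["fat_start"]:
        region, cluster = "reserved", None
    elif sector < geom["data_start"]:
        region, cluster = "fat", None
    else:
        region = "data"
        cluster = 2 + (sector - geom["data_start"]) // geom["sectors_per_cluster"]
        if cluster > geom["last_cluster"]:
            region, cluster = "beyond-end", None
    return {"sector": sector, "cluster": cluster, "naive_cluster": naive, "region": region}


if __name__ == "__main__":
    geom = parse_bpb(build_boot_sector())
    print("cluster range %d - %d" % (geom["first_cluster"], geom["last_cluster"]))
    print(locate(geom, 2030080))
```

With the constructed geometry, offset 2030080 is sector 3965 (the value that worked in the thread) and lies in cluster 4 of the data region, while 2030080 / 4096 gives 495, which is neither a sector nor a cluster address. Against a real image, read the first 512 bytes of image.dd into parse_bpb instead of build_boot_sector and compare data_start with the "Cluster Area" offsets fsstat prints; the sector address is what to pass to ifind -d.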