Date: Tue, 14 Apr 2009 19:18:43 +0200
From: Polytropon
To: cpghost
Cc: freebsd-questions@freebsd.org
Subject: Re: Block device to regular file?

On Tue, 14 Apr 2009 18:17:24 +0200, cpghost wrote:
> I'm trying to recover some deleted files from a UFS2 file
> system with the sleuthkit. :-(
> Unfortunately, most sleuthkit
> utilities expect regular image files and won't operate
> on block devices:
>
>   phenom# fls /dev/ad4s1e
>   Sector offset supplied is larger than disk image (maximum: 0)

Because I already have my own sad story of data loss, I could
provide the idea of using FreeBSD's memory disks. I've always
used this to get TSK tools working "the other way round", when
I had a dd copy, but required a "device file". Maybe this works
as well in your case when you create a virtual node for the
device file:

	# mdconfig -a -t vnode -u 10 -f /dev/ad4s1e
	md10

You can now use TSK with /dev/md10, but I can't confirm that
it won't complain.

> Of course, I could always dd(1) the block device into another
> file system, and analyze that:
>
>   phenom# dd if=/dev/ad4s1e of=/mnt/ad4s1e.dd
>   phenom# fls /mnt/ad4s1e.dd | more
>   
>
> but unfortunately, the file system I'm trying to analyze
> is VERY large and I don't have enough disk space elsewhere
> to take an image.

I would strongly advise you *not* to experiment with the original
disk, because this *may* lead you to more problems. Hard disks
are cheap today. Buy a fresh disk and make a dd copy onto it.
Work with this dd copy only - if the dd copy is a real copy
(and therefore replicates the defects of the original file
system). In my case, I'm talking about a ca. 80 GB partition
which needs 4 hours to be transferred. Always have in mind
that your data may be more important than the money for a
new disk and the time spent for the dd copy.

> Now, is there an easy way to turn a block device into
> something that would behave like a regular file?
> Something like "mdconfig -t vnode", but in reverse?

Maybe you could dd the partition into a (named) pipe and then
run TSK on this pipe? Anyway, I'm not sure if this is such a
good idea...

-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
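
The advice above to work only on a dd copy that "is a real copy" can be checked rather than assumed. The following is an added example, not part of the original message: it images a source once, hashes the bytes as they are read, re-reads the image to compare, and records the hash so the working copy can be re-checked before each analysis session. It assumes the destination is an image file on the new disk's file system; the function names and the script name `image.sh` are hypothetical.

```shell
#!/bin/sh
# Added example. image_and_verify and verify_image are hypothetical helper names.

# SHA-256 of stdin: sha256(1) on FreeBSD, sha256sum(1) on GNU systems.
hash_stream() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q
    else
        sha256sum | cut -d' ' -f1
    fi
}

# image_and_verify SRC DST
# Copy SRC (e.g. the partition) into image file DST on the new disk and
# confirm that DST holds exactly the bytes that were read from SRC.
image_and_verify() {
    src=$1; dst=$2
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2
        return 2
    fi
    # One pass over the source: tee writes the image while the same bytes
    # are hashed. dd's exit status is saved because a pipeline hides it.
    src_hash=$( { rc=0; dd if="$src" bs=65536 2>/dev/null || rc=$?
                  echo "$rc" > "$dst.ddrc"; } | tee "$dst" | hash_stream )
    ddrc=$(cat "$dst.ddrc"); rm -f "$dst.ddrc"
    if [ "$ddrc" != 0 ]; then
        echo "dd stopped early (exit $ddrc): image is incomplete" >&2
        return 3
    fi
    chmod a-w "$dst"                   # guard the working copy against stray writes
    dst_hash=$(hash_stream < "$dst")   # independent re-read from the new disk
    echo "$src_hash" > "$dst.sha256"   # recorded for later verify_image runs
    [ -n "$src_hash" ] && [ "$src_hash" = "$dst_hash" ]
}

# verify_image DST: succeed only if DST still matches the hash recorded above.
verify_image() {
    [ "$(cat "$1.sha256")" = "$(hash_stream < "$1")" ]
}

# Usage: sh image.sh /dev/ad4s1e /mnt/ad4s1e.dd
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

A non-zero exit from `image_and_verify` means the image must not be used for analysis; exit 3 in particular signals that dd hit a read error and the image is truncated.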