Date:      Fri, 13 Jun 2014 07:52:46 -0700
From:      falcon17@hushmail.com
To:        freebsd-hackers@freebsd.org
Subject:   picking data out of a UFS image
Message-ID:  <20140613145246.DB840C00AA@smtp.hushmail.com>

I had an old dying disk and I managed to make a dd image of half of it
before it went completely belly up. When I have done this in the past I
have been able to use the sleuth kit ffind, fls, etc to dig around, or
even vnconfig and mount the whole image. This time none of that is
working, in fact it claims bad superblock although I think I found an
alternate that works.
In any case I am able to find some textual data when I simply hexdump
or strings the image, and some of that is what I was looking to
recover. Is it reasonably easy to work backwards from that, say, using
the location I found for the start of this file, to search backwards
and hunt down its inode? Maybe work from there to pick out others?
I guess what I am looking for is a little guidance on picking out UFS
data structures manually. Thanks!
Date: Fri, 13 Jun 2014 07:54:47 -0700
To: freebsd-hackers@freebsd.org
Subject: alternate src dir for world build
From: falcon17@hushmail.com
Message-Id: <20140613145447.A297FC00AA@smtp.hushmail.com>

Is there any reason other than convention to build from /usr/src? I
wanted to have a /usr/src92, /usr/src/93, /usr/src/10 etc. Any problem
expected? Should I symlink /usr/src to one of those or does that even
matter?
Thanks!
Date: Fri, 13 Jun 2014 08:31:07 -0700
From: John-Mark Gurney <jmg@funkthat.com>
To: falcon17@hushmail.com
Subject: Re: picking data out of a UFS image
Message-ID: <20140613153107.GX31367@funkthat.com>

falcon17@hushmail.com wrote this message on Fri, Jun 13, 2014 at 07:52 -0700:
> I had an old dying disk and I managed to make a dd image of half of it
> before it went completely belly up. When I have done this in the past I
> have been able to use the sleuth kit ffind, fls, etc to dig around, or
> even vnconfig and mount the whole image. This time none of that is
> working, in fact it claims bad superblock although I think I found an
> alternate that works.
> In any case I am able to find some textual data when I simply hexdump
> or strings the image, and some of that is what I was looking to
> recover. Is it reasonably easy to work backwards from that, say, using
> the location I found for the start of this file, to search backwards
> and hunt down its inode? Maybe work from there to pick out others?
> I guess what I am looking for is a little guidance on picking out UFS
> data structures manually. Thanks!

I developed a Python script to extract data from a broken FFS... the
sources are here:
https://people.freebsd.org/~jmg/ffsrecov/

It's been a long time since I've looked at it, but it should help you.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

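A starting point for the manual approach asked about in this thread, as an added example (not part of any message here and not the ffsrecov code linked above): it scans an image for UFS superblock copies by their fs_magic field and sanity-checks the block and fragment sizes, which helps when the primary superblock is reported bad. The field offsets follow FreeBSD's struct fs; the function names, the size bounds and the sample image are assumptions made for this example.

```python
import mmap
import struct

FS_MAGIC_OFF = 1372        # offset of fs_magic inside struct fs
BSIZE_OFF = 48             # fs_bsize, fs_fsize, fs_frag are at 48, 52, 56
MAGICS = {0x00011954: "UFS1", 0x19540119: "UFS2"}
SECTOR = 512               # assumption: superblock copies are sector aligned


def _pow2(n, lo, hi):
    """True if n is a power of two within [lo, hi]."""
    return lo <= n <= hi and n & (n - 1) == 0


def find_superblocks(image, endian="<"):
    """Return [(byte_offset, kind, bsize, fsize)] for plausible superblocks."""
    hits = []
    # Stop early enough that a full magic field is always readable, so a
    # truncated image (e.g. half a disk) never raises.
    for off in range(0, len(image) - FS_MAGIC_OFF - 3, SECTOR):
        (magic,) = struct.unpack_from(endian + "I", image, off + FS_MAGIC_OFF)
        kind = MAGICS.get(magic)
        if kind is None:
            continue
        bsize, fsize, frag = struct.unpack_from(endian + "3i", image,
                                                off + BSIZE_OFF)
        # Reject stray magic values: sizes must be consistent powers of two.
        if (_pow2(bsize, 4096, 65536) and _pow2(fsize, 512, bsize)
                and fsize * frag == bsize):
            hits.append((off, kind, bsize, fsize))
    return hits


def scan_file(path):
    """Scan a dd image on disk without loading it all into memory."""
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return find_superblocks(m)


def make_sample():
    """Constructed 256 KiB image: two UFS2 superblocks and one decoy."""
    img = bytearray(256 * 1024)
    for off, bsize in ((65536, 32768), (131072, 12345), (163840, 32768)):
        struct.pack_into("<3i", img, off + BSIZE_OFF, bsize, 4096, 8)
        struct.pack_into("<I", img, off + FS_MAGIC_OFF, 0x19540119)
    return bytes(img)
```
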

