trying to find out what file is located at offset

df925 · December 28, 2021, 2:00pm

I used ddrescue to backup a Windows HDD, and there were errors

# Mapfile. Created by GNU ddrescue version 1.25
# Command line: ddrescue -f -r3 /dev/sda /dev/sdg mapfile
# Start time:   2021-11-30 12:02:21
# Current time: 2021-11-30 14:40:08
# Finished
# current_pos  current_status  current_pass
0xA39DA3FE00     +               3
#      pos        size  status
0x00000000  0xA39D7A8000  +
0xA39D7A8000  0x00001000  -
0xA39D7A9000  0x0014A000  +
0xA39D8F3000  0x00001000  -
0xA39D8F4000  0x0014B000  +
0xA39DA3F000  0x00001000  -
0xA39DA40000  0x4543376000  +

fdisk -l /dev/sda

The backup GPT table is not on the end of the device.
Disk /dev/sda: 1.82 TiB, 2000398933504 bytes, 3907029167 sectors
Disk model: BUP Ultra Touch 
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 8BB1F33B-CBFA-4A6D-AF91-B4EABE93FF50

Device          Start        End    Sectors   Size Type
/dev/sda1        2048    1026047    1024000   500M EFI System
/dev/sda2     1026048    1288191     262144   128M Microsoft reserved
/dev/sda3     1288192 1925378047 1924089856 917.5G Microsoft basic data
/dev/sda4  1925378048 1927122943    1744896   852M Windows recovery environment
/dev/sda5  1927122944 1953523711   26400768  12.6G Windows recovery environment

how can I get a list of all files to determine what files are impacted at the offsets in my mapfile?

I tried to use mmls and icat to get a list of all the files. but icat -i 1288192 /dev/sda 0 > mft.raw fails with

Unsupported image type: 1288192

I’m so confused with the Basic data partition. Any help please?

FYI I also tried to use ddru_ntfsfindbad -i (1288192*512) but that failed as well.

I dont understand the relationship between Basic data partition and NTFS

Thanks
DF

atdt0 · December 29, 2021, 8:52pm

Hello. Both fdisk and mmls will show you your partition structure but what you are looking for is something like fls to show the files and directories that are within each partition. In your case, start with something like ‘fls -o 1288192 -r /dev/sda | less’ to recursively show the files and directories in /dev/sda3. After that you can use ‘icat’ + the offset to extract the individual files based on their MFT entry number.

Also, if you wanted to extract just the MFT you could use something like ‘icat -o 1288192 /dev/sda 0 > mft’ and then feed the MFT into a parser.

Hope that helps get you started!

df925 · December 31, 2021, 4:27pm

Thank you,

I’m so dumb, I used icat -i instead of icat -o

Got info from filesystem - Create a copy of MFT using DD and convert to CSV? - Ask Ubuntu

Testing the rest now.

Also for anyone else trying, analyzeMFT.py requires Python 2

Topic		Replies	Views
How to determine largest file within a .dd extention The Sleuth Kit Help	1	403	May 26, 2023
String search with an NTFS partition The Sleuth Kit Help	2	1429	November 30, 2019
Cannot determine partition type The Sleuth Kit Help	3	8717	February 3, 2022
Problems reading EXT4 in RAID1 Autopsy Help	0	1219	October 31, 2019
Section 3 Lab. Failed to Add Data. device1_laptop.e01 Online Training	8	2321	May 6, 2020

trying to find out what file is located at offset

Related Topics