On Tue, 14 Apr 2009 18:17:24 +0200, cpghost <cpgh...@cordula.ws> wrote: > I'm trying to recover some deleted files from a UFS2 file > system with the sleuthkit.
:-( > Unfortunatly, most sleuthkit > utilities expect regular image files and won't operate > on block devices: > > phenom# fls /dev/ad4s1e > Sector offset supplied is larger than disk image (maximum: 0) Because I already have my own sad story of data loss, I could provide the idea of using FreeBSD's memory disks. I've always used this to get TSK tools working "the other way round", when I had a dd copy, but required a "device file". Maybe this works as well in your case when you create a virtual note for the device file: # mdconfig -a -t vnode -u 10 -f /dev/ad4s1e md10 You can now use TSK with /dev/md10, but I can't confirm that it won't complain. > Of course, I could always dd(1) the block device into another > file system, and analyze that: > > phenom# dd if=/dev/ad4s1e of=/mnt/ad4s1e.dd > phenom# fls /mnt/ad4s1e.dd | more > <regular-output-of-fls> > > but unfortunatly, the file system I'm trying to analyze > is VERY large and I don't have enough disk space elsewhere > to take an image. I would strongly advice you *not* to experiment with the original disk, because this *may* lead you to more problems. Hard disks are cheap today. Buy a fresh disk and make a dd copy onto it. Work with this dd copy only - if the dd copy is a real copy (and therefore replicates the defects of the original file system). In my case, I'm talking about a ca. 80 GB partition which needs 4 hours to be transferred. Always have in mind that your data may be more important than the money for a new disk and the time spent for the dd copy. > Now, is there an easy way to turn a block device into > something that would behave like a regular file? > Something like "mdconfig -t vnode", but in reverse? Maybe you could dd the partition into a (named) pipe and then run TSK on this pipe? Anyway, I'm not sure if this is such a good idea... -- Polytropon >From Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ... _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"