Block device to regular file?

Polytropon freebsd at edvax.de
Tue Apr 14 17:18:51 UTC 2009 

On Tue, 14 Apr 2009 18:17:24 +0200, cpghost <cpghost at cordula.ws> wrote:
> I'm trying to recover some deleted files from a UFS2 file
> system with the sleuthkit.

:-(



> Unfortunatly, most sleuthkit
> utilities expect regular image files and won't operate
> on block devices:
> 
>   phenom# fls /dev/ad4s1e
>   Sector offset supplied is larger than disk image (maximum: 0)

Because I already have my own sad story of data loss, I could
provide the idea of using FreeBSD's memory disks. I've always
used this to get TSK tools working "the other way round", when
I had a dd copy, but required a "device file".

Maybe this works as well in your case when you create a virtual
note for the device file:

	# mdconfig -a -t vnode -u 10 -f /dev/ad4s1e
	md10

You can now use TSK with /dev/md10, but I can't confirm that it
won't complain.



> Of course, I could always dd(1) the block device into another
> file system, and analyze that:
> 
>   phenom# dd if=/dev/ad4s1e of=/mnt/ad4s1e.dd
>   phenom# fls /mnt/ad4s1e.dd | more
>   <regular-output-of-fls>
> 
> but unfortunatly, the file system I'm trying to analyze
> is VERY large and I don't have enough disk space elsewhere
> to take an image.

I would strongly advice you *not* to experiment with the original
disk, because this *may* lead you to more problems. Hard disks
are cheap today. Buy a fresh disk and make a dd copy onto it.
Work with this dd copy only - if the dd copy is a real copy
(and therefore replicates the defects of the original file system).

In my case, I'm talking about a ca. 80 GB partition which needs
4 hours to be transferred.

Always have in mind that your data may be more important than
the money for a new disk and the time spent for the dd copy.



> Now, is there an easy way to turn a block device into
> something that would behave like a regular file?
> Something like "mdconfig -t vnode", but in reverse?

Maybe you could dd the partition into a (named) pipe and then
run TSK on this pipe?

Anyway, I'm not sure if this is such a good idea...



-- 
Polytropon
>From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

More information about the freebsd-questions mailing list