| Author | Message | ||
     David Marques Username: dmarques Registered: N/A |
Hi, I have a drive in from an old unix system, but the costumer doesn't have any clue of what unix version is or what file system is on it. So as I'm not experienced in unix, is there any way to discover what is the file system on the drive and that way, try to get the data back? Thanks. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
> discover what is the file system on the drive I only know it for the file systems that X-Ways Forensics would recognize automatically anyway. | ||
| David Marques Username: dmarques Registered: N/A |
And what unix file systems does forensic version support? | ||
| Don Camillo Username: willybilly Registered: N/A |
You can find this information in the MBR (first sector) - you have to interprete the space from 446 till (before) 55 AA. But I must admit that I don`t know by heart how to interprete it in XWF, in a program starting with "e" this is very simple. Bookmark it, context menu (right mouse) and you can interprete it. I suppose the data interpreter of XWF can do this too. The file systems have different numbers, if you start a Knoppix or Linux CD /HD and try to execute a fdisk related tool, you will find the numbers and their meaning. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
It recognizes UFS1 and UFS2 in little-endian and big-endian byte order and supports many different versions of UFS, including OpenBSD and NetBSD, also recognizes XFS and JFS. | ||
| Don Camillo Username: willybilly Registered: N/A |
As always I forgot the simplest solution: Hang the HD in your system and try to boot a Knoppix CD / DVD. If it is a standard Unix system I am rather sure that you will find something. And: You can handle it like Windows - if you use a KDE version. You could also try a PC-BSD Boot-CD (live CD - forgot the website) - they use a different filesystem. Maybe this helps. | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
Partition identifiers can be seen easiest when applying the partition table template to a sector that contains a partition table. List of partition identifiers | ||
| Don Camillo Username: willybilly Registered: N/A |
Just only for your information: PC-BSD with UFS version 2 is recognized, but when trying to add the image I get the following error.log: 02.01.2009, 20:45:27 X-Ways Forensics 15.2 Beta 1 Error Report Windows 6.0.6010 SP 1 (NT) Sectors that were read last: 27: 12475-12475 (UFS, 4,0 GB) 27: 12476-12476 (UFS, 4,0 GB) 27: 12477-12477 (UFS, 4,0 GB) Exception situation type 202 occurred at memory offset 75B52A78 when I [please complete]... Message.txt: 02.01.2009 20:44:59: Unsupported or invalid owner ID encountered, int. ID 758 02.01.2009 20:44:59: Messages of this kind will not be displayed here again for the remainder of this operation. 02.01.2009 20:45:01: Invalid block number for \ Inode # 53744 02.01.2009 20:45:06: Invalid block number for \ Inode # 58595 02.01.2009 20:45:17: Invalid block number for \ Inode # 35841 02.01.2009 20:45:17: Invalid block number for \ Inode # 43521 02.01.2009 20:45:17: Invalid block number for \ Inode # 59137 02.01.2009 20:45:17: Invalid block number for \ Inode # 175104 02.01.2009 20:45:17: Invalid block number for \ Inode # 35841 02.01.2009 20:45:17: Invalid block number for \ Inode # 43521 02.01.2009 20:45:17: Invalid block number for \ Inode # 59137 02.01.2009 20:45:18: Invalid block number for \ Inode # 175104 02.01.2009 20:45:24: Invalid block number for \root\ Inode # 211968 02.01.2009 20:45:24: Invalid block number for \sbin\ Inode # 70656 02.01.2009 20:45:24: Invalid block number for \dev\ Inode # 165039 02.01.2009 20:45:25: Invalid block number for \ Inode # 35841 02.01.2009 20:45:25: Invalid block number for \ Inode # 43521 02.01.2009 20:45:25: Invalid block number for \ Inode # 59137 02.01.2009 20:45:25: Invalid block number for \ Inode # 175104 02.01.2009 20:45:27: Exception situation type 202 occurred at memory offset 75B52A78. The problem was noted in the file "error.log". | ||
| Don Camillo Username: willybilly Registered: N/A |
"Partition identifiers can be seen easiest when applying the partition table template to a sector that contains a partition table." I thought that it will work in XWF too. But: Sorry, my english is too bad to understand this. What do I have to do? Where to click with the mouse? Idiot`s proof, please, you know: "Seufz" | ||
| Stefan Fleischmann Username: admin Registered: 1-2001 |
1) Open the disk or make sure the cursor is in sector 0 of the disk. 2) View | Template Manager | Master Boot Record OR Only for disks for which partitions have already been detected: Click the button with the white arrow below the search hit list button in the middle of the screen. Select Partition 1 | Partition table (template) | ||
| Ruy Benton Username: ruy_benton Registered: N/A |
Hi, Mr. David sent me an image of the disks and I did some research: 1) Partition ID = 63 Unix System V (SCO, ISC Unix, UnixWare, ...), Mach, GNU Hurd, 2) The 1º x 512bytes -> table, 2º x 512bytes -> the file system, 3) The Unix in the disk -> "NCR UNIX SVR4 MP-RAS" and the file system is VxFS. I try several Linux versions and BSD (Free, Open) to mount the VxFS 1, 2, 4 and other's HTFS, EAFS, AFS, S51K, but the same msg "...wrong fs type, bad option, bad superblock on /dev/hdc4" Thanks for your comments, Ruy | ||
| Klaus Hansemann Username: klaushansemann Registered: N/A |
Hi there, i have a ufs disk here which x-ways froensics acknowledges as the same but comes up with a lot of bad inode messages and an estimated delay of 11 hours to read the file table. since i could'nt belive that i successfuly mounted the disk on an ubuntu system (under VMware) with the ufs2 option. how can i access the disk with x-ways? regards klaus | ||
| Don Camillo Username: willybilly Registered: N/A |
Welcome to the club, see my message from January, 2nd. There are some more wishable filesystems - but I suppose it is the old problem: no time. |