Ian Macdonald (Thu, Sep 12, 2002 at 12:11:06PM -0400): > One problem I issue I have is I get this error /usr/local/task/bin/fls: read > block read error (8192@2148171776):Success > which makes me think I that I am not closing the connection properly. How do > people end the netcat session once the DD has reported all the data blocks > that it has read? If dd reported now many records in and out it performed, then you can close the session by just doing a control-c. You can also use the '-w' flag on the send side of nc to set a timeout and the connection will close after not getting any data for X seconds (it is broken on the windows version though): dd if=/dev/XYZ | nc -w 5 10.0.0.1 9000 You can also verify the size of the image by going to 'File System Details' in Autopsy and multiplying the number of fragments and the fragment size. That should be the same size as your image. It maybe just coincidence, but the byte offset in your error is around the 2GB large file limit. Did your server support large files? > Also I see a lot of files that are in red which means that they are deleted > but I all the files have a zero inode. Is it possible to recover deleted > files from a solaris partition? Solaris sets the inode pointer in the directory entry structures to 0 when it deletes a file. So, there is no mapping between the file name and the inode structure. The inode structure itself has a bunch of fields zeroed, so it would do little good anyway (except give you the time it was deleted). brian ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 09:59:48 PDT