Hi
Am not sure who to address this query to, there is no list for ZFS forensics
(yet). I'm looking at a DD dump of a VTOC partition containing a ZFS test
file system, follow the Uberblock DVAs to 3 separate locations (ditto blocks,
as expected) but don't find an object I can recognise. It should be the MOS,
which is type objset_phys_t, i.e. it starts with a dnode, followed by a
zil_header_t and a uint64_t os_type. However, I can't see a dnode in this,
can someone help me to interpret this?
First DVA of Uberblock points here (blkptr offset is 0x084F):
00509e00 00 0a 0e 01 03 00 00 00 01 6c 00 20 00 06 38 03 |.........l. ..8.|
00509e10 1e 38 12 50 11 05 a9 0c 18 08 4a 0c 08 00 10 10 |.8.P......J.....|
00509e20 68 30 10 00 d0 64 00 0a 07 03 00 04 4c 00 1f 10 |h0...d......L...|
00509e30 28 50 07 0a 48 10 19 16 01 00 08 9c d3 dd 79 49 |(P..H.........yI|
00509e40 00 00 00 db 2b 51 9f 8a c0 00 bb 00 b2 29 6d 81 |....+Q.......)m.|
00509e50 cf 4b 78 14 c0 71 54 01 31 0e d0 00 20 fc 03 7f |.Kx..qT.1... ...|
00509e60 fc 42 fc 42 fc 42 fc 42 fc 42 fc 42 cc 42 01 0f |.B.B.B.B.B.B.B..|
00509e70 cc 37 fc 36 fc 42 fc 42 00 00 00 00 00 00 00 00 |.7.6.B.B........|
00509e80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
* [all blanks for 70+sectors or so]
0050a000 48 80 04 00 00 01 09 d7 00 05 00 10 00 09 00 0e |H...............|
The 3 DVAs point to the same data (first 400 bytes are the same for each find).
But a Dnode should begin at the first byte with a uint8 for dn_type, but type
00 stands for unallocated (DMU_OT_NONE), which is wrong. It gets worse. Am I
missing something here?
Thanks for any tips!
Regards
Mark
PS is anyone interested in ZFS forensics and an OpenSolaris forensics mailing
lists or corresponding directly on this topic?
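
Added example, not part of the original post: a decoder for the 128-byte blkptr_t that turns each DVA into a byte offset in the partition image (sector 0x084F maps to 0x509e00, the address of the dump above) and reports the lsize, psize and compression fields that say how the bytes at that offset are stored. Assumptions: a little-endian image, the blkptr_t bit layout from the ZFS on-disk format, hypothetical function names, and a constructed sample block pointer in which only sector 0x84F comes from the post.

```python
import struct

SECTOR_SHIFT = 9             # DVA offsets and sizes are counted in 512-byte sectors
VDEV_LABEL_START = 0x400000  # front labels plus boot reserve precede allocatable space
COMPRESS = {0: "inherit", 1: "on", 2: "off", 3: "lzjb"}  # first zio_compress values

def bits(word, low, length):
    return (word >> low) & ((1 << length) - 1)

def parse_blkptr(raw, endian="<"):
    """Decode a blkptr_t; endian '<' (little) is an assumption about the image."""
    if len(raw) != 128:
        raise ValueError("blkptr_t is 128 bytes")
    w = struct.unpack(endian + "16Q", raw)
    dvas = []
    for i in range(3):
        w0, w1 = w[2 * i], w[2 * i + 1]
        if w0 == 0 and w1 == 0:
            continue  # unused DVA slot
        sector = bits(w1, 0, 63)
        dvas.append({
            "vdev": bits(w0, 32, 32),
            "asize": bits(w0, 0, 24) << SECTOR_SHIFT,
            "gang": bool(bits(w1, 63, 1)),
            "sector": sector,
            "image_offset": (sector << SECTOR_SHIFT) + VDEV_LABEL_START,
        })
    prop, comp = w[6], bits(w[6], 32, 8)
    return {
        "dvas": dvas,
        "lsize": (bits(prop, 0, 16) + 1) << SECTOR_SHIFT,   # size after decompression
        "psize": (bits(prop, 16, 16) + 1) << SECTOR_SHIFT,  # size as stored on disk
        "compress": COMPRESS.get(comp, "other(%d)" % comp),
        "type": bits(prop, 48, 8),
    }

def build_sample():
    """Constructed blkptr: only sector 0x84F is from the post, the rest is made up."""
    words = [0] * 16
    for i, sector in enumerate((0x84F, 0x1084F, 0x2084F)):
        words[2 * i] = 1           # vdev 0, asize of one sector
        words[2 * i + 1] = sector
    words[6] = 1 | (0 << 16) | (3 << 32) | (7 << 40) | (11 << 48)
    return struct.pack("<16Q", *words)

if __name__ == "__main__":
    bp = parse_blkptr(build_sample())
    for d in bp["dvas"]:
        print("vdev %d sector 0x%x -> image offset 0x%x" % (d["vdev"], d["sector"], d["image_offset"]))
    print("lsize=0x%x psize=0x%x compress=%s" % (bp["lsize"], bp["psize"], bp["compress"]))
```

If the compress field is anything other than off, the bytes at image_offset are the stored (psize) form and have to be decompressed to lsize before the first byte can be read as dn_type.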