Hal Pomeranz · Nov 18, 2022 · 12:40 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

18 Nov 2022

You find a string of interest at a specific byte offset in your XFS file system image. How can you convert this byte offset into an XFS block address using only the command line? #Linux #DFIR #CommandLine #Trivia

Hal Pomeranz · Nov 19, 2022 · 2:36 PM UTC

Hal Pomeranz · Nov 19, 2022 · 2:36 PM UTC

Hal Pomeranz @hal_pomeranz

19 Nov 2022

Wow, yesterday's Linux DFIR command line trivia scared everybody off! Let's start with this string: 6240111554 # I love bash! Because, after all, who doesn't? xfs_db -r -c "convert daddr $((6240111554 / 512)) fsblock" /path/to/image Let's start… infosec.exchange/@hal_pomera…

Hal Pomeranz (@hal_pomeranz@infosec.exchange)

infosec.exchange

Nov 19, 2022 · 2:36 PM UTC

Jon Stewart · Nov 19, 2022 · 2:46 PM UTC

Jon Stewart @codeslack

19 Nov 2022

Replying to @hal_pomeranz

I was like, "first construct a reverse disk map database by recursive descent and ioctl(fiemap)", but xfs_db is TIL.