Hi

Am not sure who to address this query to; there is no list for ZFS forensics (yet). I'm looking at a DD dump of a VTOC partition containing a ZFS test file system, follow the Uberblock DVAs to 3 separate locations (ditto blocks, as expected) but don't find an object I can recognise. It should be the MOS, which is type objset_phys_t, i.e. it starts with a dnode, followed by a zil_header_t and a uint64_t os_type. However, I can't see a dnode in this. Can someone help me to interpret this?

First DVA of Uberblock points here (blkptr offset is 0x084F):

    00509e00  00 0a 0e 01 03 00 00 00  01 6c 00 20 00 06 38 03  |.........l. ..8.|
    00509e10  1e 38 12 50 11 05 a9 0c  18 08 4a 0c 08 00 10 10  |.8.P......J.....|
    00509e20  68 30 10 00 d0 64 00 0a  07 03 00 04 4c 00 1f 10  |h0...d......L...|
    00509e30  28 50 07 0a 48 10 19 16  01 00 08 9c d3 dd 79 49  |(P..H.........yI|
    00509e40  00 00 00 db 2b 51 9f 8a  c0 00 bb 00 b2 29 6d 81  |....+Q.......)m.|
    00509e50  cf 4b 78 14 c0 71 54 01  31 0e d0 00 20 fc 03 7f  |.Kx..qT.1... ...|
    00509e60  fc 42 fc 42 fc 42 fc 42  fc 42 fc 42 cc 42 01 0f  |.B.B.B.B.B.B.B..|
    00509e70  cc 37 fc 36 fc 42 fc 42  00 00 00 00 00 00 00 00  |.7.6.B.B........|
    00509e80  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *  [all blanks for 70+ sectors or so]
    0050a000  48 80 04 00 00 01 09 d7  00 05 00 10 00 09 00 0e  |H...............|

The 3 DVAs point to the same data (first 400 bytes are the same for each find). But a Dnode should begin at the first byte with a uint8 for dn_type, but type 00 stands for unallocated (DMU_OT_NONE), which is wrong. It gets worse. Am I missing something here?

Thanks for any tips!

Regards
Mark

PS: Is anyone interested in ZFS forensics and an OpenSolaris forensics mailing list, or in corresponding directly on this topic?
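
An added check, not part of the original message: ZFS normally stores metadata blocks compressed, so the bytes at a DVA only read as an objset_phys_t after decompression. The sketch below assumes the block is LZJB-compressed and big-endian (the compression and byte-order fields of the block pointer are what settle this), decodes the first 32 bytes of the dump quoted above, and unpacks the start of the resulting dnode_phys_t. Function names are chosen for this example; field names follow the current dnode_phys_t layout.

```python
import struct

# First 32 bytes of the block at 0x00509e00, copied from the dump in the message.
DUMP = bytes.fromhex(
    "000a0e0103000000016c002000063803"
    "1e3812501105a90c18084a0c08001010"
)

NBBY, MATCH_BITS, MATCH_MIN = 8, 6, 3
OFFSET_MASK = (1 << (16 - MATCH_BITS)) - 1  # low 10 bits: back-reference distance


def lzjb_decompress(src: bytes, d_len: int) -> bytes:
    """Decode LZJB input until d_len output bytes have been produced."""
    dst = bytearray()
    i = 0
    copymap = 0
    copymask = 1 << (NBBY - 1)
    while len(dst) < d_len:
        copymask <<= 1
        if copymask == 1 << NBBY:      # every 8 items a new flag byte follows
            copymask = 1
            copymap = src[i]
            i += 1
        if copymap & copymask:         # flag set: 2-byte (length, offset) match
            mlen = (src[i] >> (NBBY - MATCH_BITS)) + MATCH_MIN
            offset = ((src[i] << NBBY) | src[i + 1]) & OFFSET_MASK
            i += 2
            cpy = len(dst) - offset
            if offset == 0 or cpy < 0:
                raise ValueError("back-reference outside output: not LZJB data")
            for _ in range(min(mlen, d_len - len(dst))):
                dst.append(dst[cpy])   # byte-wise so overlapping copies work
                cpy += 1
        else:                          # flag clear: one literal byte
            dst.append(src[i])
            i += 1
    return bytes(dst)


def dnode_header(raw: bytes, endian: str = ">") -> dict:
    """Unpack the first 12 bytes of a dnode_phys_t (byte order is an assumption)."""
    names = ("dn_type", "dn_indblkshift", "dn_nlevels", "dn_nblkptr",
             "dn_bonustype", "dn_checksum", "dn_compress", "dn_flags",
             "dn_datablkszsec", "dn_bonuslen")
    return dict(zip(names, struct.unpack(endian + "8BHH", raw[:12])))


if __name__ == "__main__":
    head = lzjb_decompress(DUMP, 64)   # 64 bytes: dnode header up to dn_blkptr[0]
    print(head.hex())
    print(dnode_header(head))
```

The leading 00 in the dump is then an LZJB flag byte rather than dn_type; the decoded block starts with 0x0a, which is DMU_OT_DNODE.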