
My goal is to translate logged block-level accesses (LBAs) to file names. I am logging at the UEFI level, so programs and boot loaders mostly read from the ESP (EFI System Partition), which has a structure similar to FAT.

I know that `fsutil volume querycluster` is able to do this for NTFS; is there a solution for FAT?

It is important to operate with a mounted volume and not an image.

Radical Ed
  • Welcome to Stack Overflow. Please take the [tour] to learn how Stack Overflow works and read [ask] on how to improve the quality of your question. Then check the [help/on-topic] to see what questions you can ask. Please show the attempts you have made and the problems/error messages you get from them. – Progman Jun 12 '21 at 20:04
  • @Progman Check out [this related](https://superuser.com/questions/907755/determine-filename-at-an-lba-ntfs/908283#908283) question on Stack Exchange; it is the same question in a different context, although it was supported by the community, unlike mine. – Radical Ed Jun 13 '21 at 08:06
  • The problem I have met is the absence of a tool. If it appears that there is no such tool, then I'll just make one on my own. – Radical Ed Jun 13 '21 at 08:08
  • A simple way to do it would be to use a sequence of TSK commands: mmls, fls and istat – Radical Ed Jul 05 '21 at 06:54

1 Answer

0

A straightforward way to map LBAs (sectors) to filenames (inodes) is to apply TSK utilities one by one: mmls, fls and istat.

  1. mmls to identify ESP partition offset
  2. fls to retrieve tuples [filename, inode] of all files in the ESP
  3. istat to retrieve inode -> sectors mapping

I created a script that produces an index from inodes (filenames) to EFI partition sectors, everybody is welcome to use it as a reference.

Radical Ed
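As an added illustration of the three-step TSK procedure in the answer (this is not the script the answer refers to), the following Python joins the output of `mmls`, `fls -r -p` and `istat` into an index from absolute LBA to file path. The tool output below is constructed sample text; the "EFI system partition" description in `mmls` and the `Sectors:` block layout in `istat` are assumed from TSK's usual output, and istat's sector numbers are taken to be relative to the file system, so the partition start from `mmls` is added to get a disk LBA.

```python
import re

# Constructed sample output modelled on TSK `mmls`, `fls -r -p` and `istat` on a
# FAT-formatted ESP (sector numbers and names are made up for this example).
MMLS_OUT = """GUID Partition Table (EFI)
Units are in 512-byte sectors
      Slot      Start        End          Length       Description
002:  000       0000002048   0000206847   0000204800   EFI system partition
"""
FLS_OUT = """d/d 6:\tEFI/BOOT
r/r 7:\tEFI/BOOT/BOOTX64.EFI
r/r 9:\tEFI/BOOT/grubx64.efi
"""
# One istat run per inode; istat lists sectors relative to the file system.
ISTAT_OUT = {
    7: "Directory Entry: 7\nAllocated\n\nSectors:\n8192 8193 8194 8195\n8196 8197\n",
    9: "Directory Entry: 9\nAllocated\n\nSectors:\n8200 8201\n",
}

def esp_start(mmls_text):
    # Start sector of the partition whose description names the ESP.
    for line in mmls_text.splitlines():
        m = re.match(r"^\d+:\s+\S+\s+(\d+)\s+\d+\s+\d+\s+(.*)$", line)
        if m and "EFI system partition" in m.group(2):
            return int(m.group(1))
    raise ValueError("no EFI system partition in mmls output")

def parse_fls(fls_text):
    # inode -> path for allocated regular files ("r/r"); directories are skipped.
    files = {}
    for line in fls_text.splitlines():
        m = re.match(r"^r/r\s+(\d+):\t(.+)$", line)
        if m:
            files[int(m.group(1))] = m.group(2)
    return files

def parse_istat_sectors(istat_text):
    # Numbers listed under "Sectors:" (lines of digits until the block ends).
    m = re.search(r"^Sectors:\n((?:[\d ]+\n?)+)", istat_text, re.M)
    return [int(s) for s in m.group(1).split()] if m else []

def build_index(mmls_text, fls_text, istat_by_inode):
    # Absolute LBA = partition start + fs-relative sector, mapped to the path.
    start, index = esp_start(mmls_text), {}
    for inode, path in parse_fls(fls_text).items():
        for sec in parse_istat_sectors(istat_by_inode.get(inode, "")):
            index[start + sec] = path
    return index
```

With a real volume, `mmls` runs against the disk device and `fls`/`istat` take that partition start via `-o`, so the `ISTAT_OUT` dictionary would be filled by one `istat` call per inode returned by `fls`.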