From owner-freebsd-questions@freebsd.org Thu Jun 16 14:56:26 2016 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AC7F5A72831 for ; Thu, 16 Jun 2016 14:56:26 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: from mail-wm0-x231.google.com (mail-wm0-x231.google.com [IPv6:2a00:1450:400c:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 349441CBB for ; Thu, 16 Jun 2016 14:56:26 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: by mail-wm0-x231.google.com with SMTP id a66so61947189wme.0 for ; Thu, 16 Jun 2016 07:56:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cordula-ws.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=azlbNeewaG84ohi23c1inQ0wTeRbbPyjAT2etcA0m5A=; b=Qb3AwK5g0vF9jTY9mOH2ApokGdnzKgmKXFjCfdA8deBNApOSEnWX/pIxDR0/CM6uDk ZXiqCEr7JKSRHTLBuSjIdToxG+mCCCnat+JJ1x5k4ss7+uXLPYXeD06+VSb3VjC+K7Vm hmObig7cCNHc370dHkN9Sd53+gMdaNWjIrsj84lUhyFWtMAb4qQpgnmHxpfoE3tTRbVp BVFmF9vV0o86Bv0wZV8x+/Gxi8PjRhxOxmLkOjPOXesXR9oaB1ubZ85igkuCO1qaqmcx oLdyVrBWaFSmSL0tzuHCwNpui7wWBBf3i5ziE+kEQ6W8ZvSr+Ki4lnnHkmE9KigB4rtL Ehcg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=azlbNeewaG84ohi23c1inQ0wTeRbbPyjAT2etcA0m5A=; b=g3x5Uvz5gwy941xH74X4U7JRjtPqgFn4OdulqwCbJNM4HnWJCHQQyKRHRKSkvz35UH H0v/x0oqazJt4rF12mN3rp7AE9HcG2w1rgrzL2/8JNCQB0j/bCJJE0ggJ7i8aOfwSd/i m60I0j4xm293/LoMjlXmM7NTjAVqR2NCNPNwvdgH1Q275wV5br6AYKEmN76DvRerRKhV p8/fovUupwEGs4jYWT7nikNRU2VMxD13C6cdjwu7+L0Rs8pphOziej0Aa1qkwn79Dc5R FxiljcR38kigx+X+0CNEXp7zETS/VSnjXPToU48Y7T6RQoiwYunHdNSJxeC4Vuxbg7K/ gPIA== X-Gm-Message-State: ALyK8tKOCIuFb/nquaujvEyPWJ5O+ZfnY5Yv7yg/BK9U3HuA8IZI2tBW7azP/YKf6mU/Xg== X-Received: by 10.28.4.140 with SMTP id 134mr16419250wme.91.1466088984503; Thu, 16 Jun 2016 07:56:24 -0700 (PDT) Received: from phenom.fritz.box (p4FDBBB1F.dip0.t-ipconnect.de. [79.219.187.31]) by smtp.gmail.com with ESMTPSA id h8sm44037470wjg.9.2016.06.16.07.56.23 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 16 Jun 2016 07:56:23 -0700 (PDT) To: FreeBSD Questions From: cpghost Subject: ZFS forensics (mapping sector # to file name) Message-ID: <2b478742-ba3a-7f05-56ea-88f6aca1a9db@cordula.ws> Date: Thu, 16 Jun 2016 16:56:21 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jun 2016 14:56:26 -0000 Hello ZFS gurus/admins, how do you map a sector # to a ZFS object? Or, more concretely: Suppose I'm inspecting a disk /dev/ada0p4[.eli] that belongs to a zpool, and there's something interesting in sector #123456. How do I determine to which file, directory, etc... on which ZFS dataset this sector belongs, or if this sector belongs to a deleted file (unallocated sector), or to something that was there all along before the disk got reformatted to ZFS? Any ideas? Forensics tools? Thanks, -cpghost. -- Cordula's Web. http://www.cordula.ws/