My goal is to translate logged block-level accesses (LBAs) to file names. I am logging at UEFI level, so programs and boot loaders mostly read from the ESP (EFI System Partition), which has a structure similar to FAT.
I know that fsutil volume querycluster is able to do this for NTFS; is there a solution for FAT?
It is important to operate with a mounted volume and not an image.
A straightforward way to map LBAs (sectors) to filenames (inodes) is to apply TSK utilities one by one: mmls, fls and istat.
- mmls to identify ESP partition offset
- fls to retrieve tuples [filename, inode] of all files in the ESP
- istat to retrieve inode -> sectors mapping

I created a script that produces an index from inodes (filenames) to EFI partition sectors; everybody is welcome to use it as a reference.
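The three steps above chained into an LBA-to-path index, as an added example (this is not the script mentioned in the answer). The function names are hypothetical, the sample tool output is constructed, and the parsers assume TSK's usual text layout: `fls -r -p` lines of the form `type inode:<TAB>path`, and a FAT `istat` report whose `Sectors:` list is relative to the partition start.

```python
import re
import subprocess

# Constructed samples imitating TSK output (not captured from a real disk).
SAMPLE_MMLS = """\
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000002048   0000206847   0000204800   EFI System Partition
"""
SAMPLE_FLS = "d/d 4:\tEFI\nr/r 1029:\tEFI/BOOT/BOOTX64.EFI\nr/r * 1031:\tEFI/BOOT/OLD.EFI\n"
SAMPLE_ISTAT = {4: "Directory Entry: 4\nAllocated\n\nSectors:\n1600 1601\n",
                1029: "Directory Entry: 1029\nSize: 1536\n\nSectors:\n4160 4161 4162\n"}

def esp_offset(mmls_out, label="efi system"):
    """Start sector of the first partition whose description contains `label`."""
    for line in mmls_out.splitlines():
        m = re.match(r"\d+:\s+\S+\s+(\d+)\s+\d+\s+\d+\s+(.*)", line)
        if m and label in m.group(2).lower():
            return int(m.group(1))
    raise ValueError("no ESP found in mmls output")

def parse_fls(fls_out):
    """{inode: path} from `fls -r -p` lines; entries marked deleted ('*') are skipped."""
    hits = re.findall(r"^\S+ (\* )?(\d+):\t(.+)$", fls_out, re.M)
    return {int(inode): path for deleted, inode, path in hits if not deleted}

def parse_istat_sectors(istat_out):
    """Sector numbers listed after the 'Sectors:' line (relative to partition start)."""
    sectors = []
    for line in istat_out.partition("Sectors:\n")[2].splitlines():
        if not line.replace(" ", "").isdigit():
            break  # blank line or next section ends the list
        sectors += map(int, line.split())
    return sectors

def build_index(offset, files, istat):
    """{absolute LBA: path}; `istat` is a callable mapping inode -> istat text."""
    return {offset + s: path for inode, path in files.items()
            for s in parse_istat_sectors(istat(inode))}

def index_device(dev):
    """Run the real tools against a device path (requires The Sleuth Kit)."""
    def run(*a):
        return subprocess.run(a, capture_output=True, text=True, check=True).stdout
    off = esp_offset(run("mmls", dev))
    files = parse_fls(run("fls", "-r", "-p", "-o", str(off), dev))
    return build_index(off, files, lambda i: run("istat", "-o", str(off), dev, str(i)))
```

The index keys are in the sector units reported by mmls, so the logged LBAs must use the same sector size before lookup.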