Re: [sleuthkit-developers] Finding byte offset of file on disk
From: Alex N. <ajn...@cs...> - 2013-09-17 00:49:00
Oh, it looks like you never got an answer to this.

The straightforward way is to have Fiwalk generate its XML output. The byte_run elements' img_offset attribute is exactly what you were looking for. This will serve you just fine if you were asking about file content addresses.

If you were asking about non-content addresses (like MFT entries), though, that still requires manual calculation. I've proposed a way to record those addresses in Fiwalk's output ( https://github.com/dfxml-working-group/dfxml_schema/issues/5 ), but after that is discussed, there will be a not-terribly-straightforward-looking batch of code to write to actually implement it.

I hope that helps.

--Alex

On Aug 28, 2013, at 16:11 , Robert James <sro...@gm...> wrote:

> From a TSK_FS_META, I know how to find the offset of every run making
> up the file. But those offsets are relative to the start of the
> _filesystem_, and in units of filesystem blocks.
>
> I'd like to turn those into offsets relative to the start of the
> _disk_, factoring in any filesystem or volume system. And I'd like
> them in units of bytes (or device sectors).
>
> That is, given a TSK_FS_META, I'd like to find the byte offset in the
> disk of the runs. Something I could feed right into dd. Can I do this?
> How?
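An added example, not part of the original message or of Fiwalk itself: reading the byte_run elements' img_offset attribute from DFXML and turning each run into a dd invocation. The sample XML is constructed, and the helper names (local, file_runs, dd_commands) and the choice to skip runs that carry no img_offset are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Fiwalk's DFXML output (not from a real image).
# Here img_offset = volume offset (1048576) + fs_offset.
SAMPLE_DFXML = """<dfxml xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'>
  <volume offset='1048576'>
    <fileobject>
      <filename>docs/report.txt</filename>
      <byte_runs>
        <byte_run file_offset='0' fs_offset='40960' img_offset='1089536' len='8192'/>
        <byte_run file_offset='8192' fs_offset='81920' img_offset='1130496' len='1500'/>
      </byte_runs>
    </fileobject>
    <fileobject>
      <filename>tiny.txt</filename>
      <byte_runs>
        <byte_run file_offset='0' len='12'/>
      </byte_runs>
    </fileobject>
  </volume>
</dfxml>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit('}', 1)[-1]

def file_runs(dfxml_text):
    """Map filename -> [(img_offset, len), ...] in document order, both in bytes."""
    runs = {}
    for elem in ET.fromstring(dfxml_text).iter():
        if local(elem.tag) != 'fileobject':
            continue
        name = next((c.text for c in elem if local(c.tag) == 'filename'), None)
        # Assumption: a run with no img_offset has no image address to hand to dd, so skip it.
        runs[name] = [(int(br.get('img_offset')), int(br.get('len')))
                      for br in elem.iter()
                      if local(br.tag) == 'byte_run' and 'img_offset' in br.attrib]
    return runs

def dd_commands(image, runs, out):
    """One dd call per run; bs=1 keeps skip/count/seek in bytes (slow but exact)."""
    cmds, written = [], 0
    for off, length in runs:
        cmds.append(f"dd if={image} of={out} bs=1 skip={off} count={length} "
                    f"seek={written} conv=notrunc")
        written += length
    return cmds

if __name__ == '__main__':
    for cmd in dd_commands('disk.img', file_runs(SAMPLE_DFXML)['docs/report.txt'], 'out.bin'):
        print(cmd)
```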