[sleuthkit-users] Accessing a file not through an iso image
From: Mike G. <do...@li...> - 2014-05-14 19:07:36
Hi there,

I am new to Sleuthkit and I have been doing research into how to use it with a C++ API. The documentation on http://fossies.org/dox/sleuthkit-4.1.3/ has been helpful. But I have one question: The documentation indicates that one always needs to be analyzing an image (like a .iso file) of the drive. Is there any way that I can just insert a USB stick and analyze it as one of the files?

Let me make myself clearer: I find that I have to declare

    TskImgInfo *img_info = new TskImgInfo();

and then open the file as follows:

    img_info->open("/home/Desktop/Image.iso", TSK_IMG_TYPE_DETECT, 0);

Followed by another declaration:

    TskFsInfo *fs_info = new TskFsInfo();

Followed by another open function:

    fs_info->open(img_info, 0, TSK_FS_TYPE_DETECT);

So I want to know - is there a way I can just access the USB drive (for example) in the API using just the path (such as /dev/sdc) like I would in the command line? I mean, if I want to analyze a drive, do I have to make an ISO image of the file and then access it with the above code every time?

I tried to ask this question before, but it seems like I wasn't so clear so nobody answered. ☹

Thanks to anyone who responds.

Mike Goldstein