[sleuthkit-users] Cannot determine file system type

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

I have been trying to design a program that opens a file system (/dev/sda)
and processes all the files. The image opens fine. But when I use
tsk_fs_open_img, it says "cannot determine file system type". And yet I know
that when I run mmls on the drive, it says that it's a FAT32 file system. I
find also that when I run fsstat on my drive I get the same message. I also
noticed that when I view the image I made of the drive in a Hex editor, it
says "Invalid partition table. Error loading operating system." What can be
done to rectify the problem? 

This is my code so far:

using namespace std;
int main(int argc, char **argv)
{
	TSK_IMG_INFO *img;
	TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; 
	TSK_TCHAR **temp = (TSK_TCHAR **) argv;

	if (argc < 1) {
	printf("You must enter a drive name.\n");
	exit(EXIT_FAILURE);
	}

	printf("Opening Image %s ...\n", temp[1]);

	TSK_OFF_T off = 0;	

	TSK_FS_INFO *fs;
	TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;

	TSK_DADDR_T imgOffset = 0x00000000;

	TSK_VS_INFO *vs;
	TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

	int numOfDrives = 1;

	TSK_TCHAR *driveName;

	if((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
	tsk_error_print(stderr);
	exit(EXIT_FAILURE);
	}

	uint sectorSize = img->sector_size;
	TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;

	printf("Image opened successfully!\n");
	/* Try it as a file system */

	printf("Now opening file system...\n");
	if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
 	tsk_error_print(stderr);
	img -> close(img);
	exit(EXIT_FAILURE);
	}

	printf("File system opened successfuly!\n\n");

	printf("Now opening volume system...\n");
	if((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
	tsk_error_print(stderr);
	img -> close(img);
	exit(EXIT_FAILURE);
	}

	fs -> close(fs);
	img -> close(img);
	return 0;
}

This is what I get when I run mmls on the drive:
$ sudo mmls /dev/sdc
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002167   0000002168   Unallocated
02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)

This is the file viewed in Hex Editor:
<http://filesystems.996266.n3.nabble.com/file/n8606/image558.png> 

--
View this message in context: http://filesystems.996266.n3.nabble.com/Cannot-determine-file-system-type-tp8606.html
Sent from the sleuthkit-users mailing list archive at Nabble.com.