Re: [sleuthkit-users] Cannot determine file system type
From: Jason W. <jwr...@gm...> - 2014-05-19 00:42:29
Michael,
It looks like you set your start sector of the volume to 0x2168 * 512. The
sector start is in decimal from mmls. 2168 = 0x878
Jason
On Sun, May 18, 2014 at 7:53 PM, MichaelStein <do...@li...> wrote:
> I have been trying to design a program that opens a file system (/dev/sda)
> and processes all the files. The image opens fine. But when I use
> tsk_fs_open_img, it says "cannot determine file system type". And yet I know
> that when I run mmls on the drive, it says that it's a FAT32 file system. I
> find also that when I run fsstat on my drive I get the same message. I also
> noticed that when I view the image I made of the drive in a Hex editor, it
> says "Invalid partition table. Error loading operating system." What can be
> done to rectify the problem?
>
> This is my code so far:
>
> #include <cstdio>
> #include <cstdlib>
> #include <tsk/libtsk.h>
>
> using namespace std;
>
> int main(int argc, char **argv)
> {
>     TSK_IMG_INFO *img;
>     TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
>     TSK_TCHAR **temp = (TSK_TCHAR **) argv;
>
>     /* argv[1] is the drive name, so at least two arguments are needed */
>     if (argc < 2) {
>         printf("You must enter a drive name.\n");
>         exit(EXIT_FAILURE);
>     }
>
>     printf("Opening Image %s ...\n", temp[1]);
>
>     TSK_OFF_T off = 0;
>
>     TSK_FS_INFO *fs;
>     TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
>
>     TSK_DADDR_T imgOffset = 0x00000000;
>
>     TSK_VS_INFO *vs;
>     TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
>
>     int numOfDrives = 1;
>
>     TSK_TCHAR *driveName;
>
>     if ((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
>         tsk_error_print(stderr);
>         exit(EXIT_FAILURE);
>     }
>
>     uint sectorSize = img->sector_size;
>     TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;
>
>     printf("Image opened successfully!\n");
>     /* Try it as a file system */
>
>     printf("Now opening file system...\n");
>     if ((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
>         tsk_error_print(stderr);
>         img->close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     printf("File system opened successfully!\n\n");
>
>     printf("Now opening volume system...\n");
>     if ((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
>         tsk_error_print(stderr);
>         img->close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     fs->close(fs);
>     img->close(img);
>     return 0;
> }
>
> This is what I get when I run mmls on the drive:
> $ sudo mmls /dev/sdc
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000000   0000002167   0000002168   Unallocated
> 02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)
>
>
> This is the file viewed in Hex Editor:
> <http://filesystems.996266.n3.nabble.com/file/n8606/image558.png>
>
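An added example (not part of either message, and not Sleuth Kit code) of the conversion Jason describes: the start sector is a decimal count, and the byte offset is that count times the sector size. The function names and the sample sector are constructed for illustration; the sector holds only the one partition from the mmls listing above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR_SIZE 512u   /* mmls: "Units are in 512-byte sectors" */
#define PT_OFFSET   446u   /* first of four 16-byte DOS partition entries */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Byte offset of the first non-empty entry of type want_type, or -1 if the
   sector lacks the 0x55AA signature or has no such entry. */
int64_t partition_byte_offset(const uint8_t *mbr, uint8_t want_type) {
    if (mbr[510] != 0x55 || mbr[511] != 0xAA) return -1;
    for (unsigned i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PT_OFFSET + 16 * i;
        if (e[4] == want_type && le32(e + 12) != 0)
            return (int64_t)le32(e + 8) * SECTOR_SIZE;
    }
    return -1;
}

/* mmls prints Start zero-padded in decimal; force base 10 so that
   "0000002168" is read neither as octal nor as hex. */
int64_t mmls_start_to_bytes(const char *field) {
    return (int64_t)strtoull(field, NULL, 10) * SECTOR_SIZE;
}

/* Constructed sample sector carrying the one partition from the listing. */
void build_sample_mbr(uint8_t *mbr) {
    memset(mbr, 0, SECTOR_SIZE);
    mbr[PT_OFFSET + 4] = 0x0b;                 /* Win95 FAT32 */
    put_le32(mbr + PT_OFFSET + 8, 2168);       /* start sector */
    put_le32(mbr + PT_OFFSET + 12, 31281032);  /* length in sectors */
    mbr[510] = 0x55; mbr[511] = 0xAA;
}

int main(void) {
    uint8_t mbr[SECTOR_SIZE];
    build_sample_mbr(mbr);
    printf("from table: %lld\n", (long long)partition_byte_offset(mbr, 0x0b));
    printf("from mmls : %lld\n", (long long)mmls_start_to_bytes("0000002168"));
    return 0;
}
```

Both paths give 1110016 bytes, which is the value to pass as the offset argument of `tsk_fs_open_img`; reading 2168 as hex gives 4378624 instead, a location inside the partition where no FAT32 boot sector is found.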