Re: [sleuthkit-users] Cannot determine file system type
From: MichaelStein <do...@li...> - 2014-05-19 02:37:59
Thanks for that, Jason. I changed to hexadecimal and it worked! The only thing still bothering me is - why does fsstat not work on the file? Why do I keep getting "Cannot determine file system type"? Any ideas?
Thanks again,
Mike Goldstein
Date: Sun, 18 May 2014 17:44:38 -0700
From: ml-...@n3...
To: do...@li...
Subject: Re: Cannot determine file system type
Michael,
It looks like you set your start sector of the volume to 0x2168 * 512. The sector start is in decimal from mmls. 2168 = 0x878
Jason
On Sun, May 18, 2014 at 7:53 PM, MichaelStein <[hidden email]> wrote:
I have been trying to design a program that opens a file system (/dev/sda)
and processes all the files. The image opens fine. But when I use
tsk_fs_open_img, it says "cannot determine file system type". And yet I know
that when I run mmls on the drive, it says that it's a FAT32 file system. I
find also that when I run fsstat on my drive I get the same message. I also
noticed that when I view the image I made of the drive in a Hex editor, it
says "Invalid partition table. Error loading operating system." What can be
done to rectify the problem?
This is my code so far:
#include <cstdio>
#include <cstdlib>
#include <tsk/libtsk.h>

using namespace std;

int main(int argc, char **argv)
{
    TSK_IMG_INFO *img;
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_TCHAR **temp = (TSK_TCHAR **) argv;

    /* argv[1] must be present, so at least two arguments are required */
    if (argc < 2) {
        printf("You must enter a drive name.\n");
        exit(EXIT_FAILURE);
    }
    printf("Opening Image %s ...\n", temp[1]);

    TSK_OFF_T off = 0;
    TSK_FS_INFO *fs;
    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
    TSK_DADDR_T imgOffset = 0x00000000;
    TSK_VS_INFO *vs;
    TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
    int numOfDrives = 1;
    TSK_TCHAR *driveName;

    if ((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
        tsk_error_print(stderr);
        exit(EXIT_FAILURE);
    }

    unsigned int sectorSize = img->sector_size;
    /* Byte offset = start sector * sector size. The hexadecimal literal
       0x00002168 is the value discussed in the reply above: mmls reports
       the start sector in decimal. */
    TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;
    printf("Image opened successfully!\n");

    /* Try it as a file system */
    printf("Now opening file system...\n");
    if ((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
        tsk_error_print(stderr);
        img->close(img);
        exit(EXIT_FAILURE);
    }
    printf("File system opened successfully!\n\n");

    printf("Now opening volume system...\n");
    if ((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
        tsk_error_print(stderr);
        fs->close(fs);      /* release the file system handle before exiting */
        img->close(img);
        exit(EXIT_FAILURE);
    }

    /* Release handles in reverse order of opening */
    vs->close(vs);
    fs->close(fs);
    img->close(img);
    return 0;
}
This is what I get when I run mmls on the drive:
$ sudo mmls /dev/sdc
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002167   0000002168   Unallocated
02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)
This is the file viewed in Hex Editor:
<http://filesystems.996266.n3.nabble.com/file/n8606/image558.png>
--
View this message in context: http://filesystems.996266.n3.nabble.com/Cannot-determine-file-system-type-tp8606.html
Sent from the sleuthkit-users mailing list archive at Nabble.com.
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
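
Added example, not part of the original thread and not Sleuth Kit code: instead of typing the start sector by hand, read it from the DOS partition table and multiply by the sector size to get the byte offset that tsk_fs_open_img expects. The function names and the sample MBR are constructed for illustration; the sample mirrors slot 02 of the mmls listing above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u   /* "Units are in 512-byte sectors" in the mmls output */

/* Read a little-endian 32-bit value from a byte buffer. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Find the first non-empty partition entry of the given type in a DOS/MBR
 * sector. Returns its byte offset within the image, or -1 if the sector
 * lacks the 0x55AA signature or has no such entry. */
int64_t mbr_partition_byte_offset(const uint8_t mbr[512], uint8_t type) {
    if (mbr[510] != 0x55 || mbr[511] != 0xAA)
        return -1;
    for (int slot = 0; slot < 4; slot++) {
        const uint8_t *e = mbr + 446 + 16 * slot;      /* entries start at 0x1BE */
        if (e[4] == type && le32(e + 12) != 0)         /* type byte, sector count */
            return (int64_t)le32(e + 8) * SECTOR_SIZE; /* start LBA * sector size */
    }
    return -1;
}

/* Constructed sample MBR: one entry of type 0x0b, start 2168,
 * length 31281032. Not data taken from the poster's drive. */
void build_sample_mbr(uint8_t mbr[512]) {
    uint32_t start = 2168, len = 31281032;
    uint8_t *e = mbr + 446;
    memset(mbr, 0, 512);
    e[4] = 0x0b;
    for (int i = 0; i < 4; i++) {
        e[8 + i]  = (uint8_t)(start >> (8 * i));
        e[12 + i] = (uint8_t)(len >> (8 * i));
    }
    mbr[510] = 0x55;
    mbr[511] = 0xAA;
}

int main(void) {
    uint8_t mbr[512];
    build_sample_mbr(mbr);
    printf("from table   : %lld\n", (long long)mbr_partition_byte_offset(mbr, 0x0b));
    printf("2168 * 512   : %lld\n", 2168LL * SECTOR_SIZE);
    printf("0x2168 * 512 : %lld\n", 0x2168LL * SECTOR_SIZE);
    return 0;
}
```

The first two printed values agree (1110016); the third (4378624) is the offset the hexadecimal literal produces, which points well past the FAT32 boot sector.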