Re: [sleuthkit-users] Cannot determine file system type
From: Ketil F. <ke...@fr...> - 2014-05-19 06:37:17
Did you specify the correct offset to the file system using fsstat's -o option?

http://www.sleuthkit.org/sleuthkit/man/fsstat.html

Ketil

On 19 May 2014 04:39, "MichaelStein" <do...@li...> wrote:

> Thanks for that Jason. I changed to hexadecimal and it worked!
> The only thing still bothering me is - why does fsstat not work on the
> file? Why do I keep getting "Cannot determine file system type"? Any ideas?
>
> Thanks again,
>
> Mike Goldstein
>
> ------------------------------
> Date: Sun, 18 May 2014 17:44:38 -0700
> From: [hidden email]
> To: [hidden email]
> Subject: Re: Cannot determine file system type
>
> Michael,
>
> It looks like you set your start sector of the volume to 0x2168 * 512. The
> sector start is in decimal from mmls. 2168 = 0x878
>
> Jason
>
> On Sun, May 18, 2014 at 7:53 PM, MichaelStein <[hidden email]> wrote:
>
> I have been trying to design a program that opens a file system (/dev/sda)
> and processes all the files. The image opens fine. But when I use
> tsk_fs_open_img, it says "cannot determine file system type". And yet I know
> that when I run mmls on the drive, it says that it's a FAT32 file system. I
> find also that when I run fsstat on my drive I get the same message. I also
> noticed that when I view the image I made of the drive in a Hex editor, it
> says "Invalid partition table. Error loading operating system." What can be
> done to rectify the problem?
>
> This is my code so far:
>
> using namespace std;
> int main(int argc, char **argv)
> {
>     TSK_IMG_INFO *img;
>     TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
>     TSK_TCHAR **temp = (TSK_TCHAR **) argv;
>
>     if (argc < 2) {
>         printf("You must enter a drive name.\n");
>         exit(EXIT_FAILURE);
>     }
>
>     printf("Opening Image %s ...\n", temp[1]);
>
>     TSK_OFF_T off = 0;
>
>     TSK_FS_INFO *fs;
>     TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
>
>     TSK_DADDR_T imgOffset = 0x00000000;
>
>     TSK_VS_INFO *vs;
>     TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
>
>     int numOfDrives = 1;
>
>     TSK_TCHAR *driveName;
>
>     if((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
>         tsk_error_print(stderr);
>         exit(EXIT_FAILURE);
>     }
>
>     uint sectorSize = img->sector_size;
>     TSK_OFF_T fsStartBlock = 0x00002168*sectorSize;
>
>     printf("Image opened successfully!\n");
>     /* Try it as a file system */
>
>     printf("Now opening file system...\n");
>     if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
>         tsk_error_print(stderr);
>         img -> close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     printf("File system opened successfuly!\n\n");
>
>     printf("Now opening volume system...\n");
>     if((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
>         tsk_error_print(stderr);
>         img -> close(img);
>         exit(EXIT_FAILURE);
>     }
>
>     fs -> close(fs);
>     img -> close(img);
>     return 0;
> }
>
> This is what I get when I run mmls on the drive:
>
> $ sudo mmls /dev/sdc
> DOS Partition Table
> Offset Sector: 0
> Units are in 512-byte sectors
>
>      Slot    Start        End          Length       Description
> 00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
> 01:  -----   0000000000   0000002167   0000002168   Unallocated
> 02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)
>
> This is the file viewed in Hex Editor:
> <http://filesystems.996266.n3.nabble.com/file/n8606/image558.png>
>
> --
> View this message in context:
> http://filesystems.996266.n3.nabble.com/Cannot-determine-file-system-type-tp8606.html
> Sent from the sleuthkit-users mailing list archive at Nabble.com.
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
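
The offset mix-up discussed in this thread, as an added example (not code from the thread or from The Sleuth Kit): mmls prints the start sector in decimal, so the file system begins at byte 2168 * 512, and the literal 0x2168 points at a different sector where no boot sector exists. The image is constructed in memory, the function names are hypothetical, and the boot-sector check is a simplified stand-in for TSK's own file system detection.

```c
/* Added example: names are illustrative; the disk image is constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR 512u
static uint8_t sample[(0x2168u + 1u) * SECTOR];   /* constructed, zero-filled */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read primary slot 0..3 of a DOS partition table; 0 on success, -1 otherwise. */
int mbr_part_start(const uint8_t *img, size_t len, int slot, uint32_t *start, uint8_t *type) {
    if (len < SECTOR || slot < 0 || slot > 3) return -1;
    if (img[510] != 0x55 || img[511] != 0xAA) return -1;   /* MBR signature */
    const uint8_t *e = img + 446 + 16 * slot;
    if (e[4] == 0) return -1;                 /* empty entry */
    *type = e[4];
    *start = le32(e + 8);                     /* starting LBA, in sectors */
    return 0;
}

/* 1 if a FAT32 boot sector sits at byte_off, 0 if not (or out of range). */
int looks_like_fat32(const uint8_t *img, size_t len, uint64_t byte_off) {
    if (byte_off > len || len - byte_off < SECTOR) return 0;
    const uint8_t *b = img + byte_off;
    return b[510] == 0x55 && b[511] == 0xAA && memcmp(b + 82, "FAT32   ", 8) == 0;
}

/* Build the sample: one 0x0b partition starting at sector 2168 (decimal). */
void build_sample(void) {
    memset(sample, 0, sizeof sample);
    uint8_t *e = sample + 446;
    e[4] = 0x0b;                              /* Win95 FAT32 */
    e[8] = 2168 & 0xff; e[9] = 2168 >> 8;     /* LBA start, little-endian */
    sample[510] = 0x55; sample[511] = 0xAA;
    uint8_t *b = sample + (size_t)2168 * SECTOR;
    memcpy(b + 82, "FAT32   ", 8);            /* file system type label */
    b[510] = 0x55; b[511] = 0xAA;
}

int main(void) {
    uint32_t start; uint8_t type;
    build_sample();
    if (mbr_part_start(sample, sizeof sample, 0, &start, &type) != 0) return 1;
    printf("sector 2168:   %d\n", looks_like_fat32(sample, sizeof sample, (uint64_t)start * SECTOR));
    printf("sector 0x2168: %d\n", looks_like_fat32(sample, sizeof sample, (uint64_t)0x2168 * SECTOR));
    return 0;
}
```

With the command-line tools the same value is passed in sectors (`fsstat -o 2168`), while `tsk_fs_open_img` takes the offset in bytes.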