Re: [sleuthkit-users] Cannot determine file system type
From: MichaelStein <do...@li...> - 2014-05-19 12:26:42
Ah yes! Thank you. When I specified the offset then it worked. Had to get it using the mmls command.

Mike Goldstein

Date: Sun, 18 May 2014 23:39:14 -0700
From: ml-...@n3...
To: do...@li...
Subject: Re: Cannot determine file system type

Did you specify the correct offset to the file system using fsstat's -o option?
http://www.sleuthkit.org/sleuthkit/man/fsstat.html

Ketil

On 19 May 2014 04:39, "MichaelStein" <[hidden email]> wrote:

Thanks for that Jason. I changed to Hexadecimal and it worked! The only thing still bothering me is - why does fsstat not work on the file? Why do I keep getting "Cannot determine file system type"? Any ideas?

Thanks again,
Mike Goldstein

Date: Sun, 18 May 2014 17:44:38 -0700
From: [hidden email]
To: [hidden email]
Subject: Re: Cannot determine file system type

Michael,

It looks like you set your start sector of the volume to 0x2168 * 512. The sector start is in decimal from mmls. 2168 = 0x878

Jason

On Sun, May 18, 2014 at 7:53 PM, MichaelStein <[hidden email]> wrote:

I have been trying to design a program that opens a file system (/dev/sda) and processes all the files. The image opens fine. But when I use tsk_fs_open_img, it says "cannot determine file system type". And yet I know that when I run mmls on the drive, it says that it's a FAT32 file system. I find also that when I run fsstat on my drive I get the same message. I also noticed that when I view the image I made of the drive in a Hex editor, it says "Invalid partition table. Error loading operating system." What can be done to rectify the problem?

This is my code so far:

    #include <cstdio>
    #include <cstdlib>
    #include <tsk/libtsk.h>

    using namespace std;

    int main(int argc, char **argv)
    {
        TSK_IMG_INFO *img;
        TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
        TSK_TCHAR **temp = (TSK_TCHAR **) argv;

        /* argv[1] must exist, so at least two arguments are needed */
        if (argc < 2) {
            printf("You must enter a drive name.\n");
            exit(EXIT_FAILURE);
        }
        printf("Opening Image %s ...\n", temp[1]);

        TSK_OFF_T off = 0;
        TSK_FS_INFO *fs;
        TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
        TSK_DADDR_T imgOffset = 0x00000000;
        TSK_VS_INFO *vs;
        TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
        int numOfDrives = 1;
        TSK_TCHAR *driveName;

        if ((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
            tsk_error_print(stderr);
            exit(EXIT_FAILURE);
        }
        unsigned int sectorSize = img->sector_size;
        /* byte offset as posted: 0x2168 sectors (discussed in the replies) */
        TSK_OFF_T fsStartBlock = 0x00002168 * sectorSize;
        printf("Image opened successfully!\n");

        /* Try it as a file system */
        printf("Now opening file system...\n");
        if ((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
            tsk_error_print(stderr);
            img->close(img);
            exit(EXIT_FAILURE);
        }
        printf("File system opened successfully!\n\n");

        printf("Now opening volume system...\n");
        if ((vs = tsk_vs_open(img, fsStartBlock, vstype)) == NULL) {
            tsk_error_print(stderr);
            fs->close(fs);
            img->close(img);
            exit(EXIT_FAILURE);
        }

        /* release handles in reverse order of opening */
        vs->close(vs);
        fs->close(fs);
        img->close(img);
        return 0;
    }

This is what I get when I run mmls on the drive:

    $ sudo mmls /dev/sdc
    DOS Partition Table
    Offset Sector: 0
    Units are in 512-byte sectors

         Slot    Start        End          Length       Description
    00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
    01:  -----   0000000000   0000002167   0000002168   Unallocated
    02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)

This is the file viewed in Hex Editor:
<http://filesystems.996266.n3.nabble.com/file/n8606/image558.png>
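
Added example, not part of the original thread and not Sleuth Kit code: the offset discussed above, derived directly from a DOS partition table entry instead of being typed in by hand. The sector buffer is constructed from the mmls output in the thread, and the function names (fs_byte_offset, build_sample_mbr) are hypothetical. The result is the byte offset that tsk_fs_open_img expects, whereas fsstat -o takes the sector number.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u  /* mmls: "Units are in 512-byte sectors" */

/* Little-endian 32-bit read/write, independent of host byte order. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample: sector 0 holding the single partition that the
 * mmls output in the thread lists (slot 02, type 0x0b). */
static void build_sample_mbr(uint8_t mbr[512]) {
    uint8_t *e = mbr + 446;        /* first of four 16-byte entries */
    memset(mbr, 0, 512);
    e[4] = 0x0b;                   /* partition type: Win95 FAT32 */
    put_le32(e + 8, 2168);         /* start sector, decimal as mmls prints it */
    put_le32(e + 12, 31281032);    /* length in sectors */
    mbr[510] = 0x55;               /* boot signature 55 AA */
    mbr[511] = 0xaa;
}

/* Byte offset of the first partition of the given type, or -1 when the
 * sector has no 55 AA signature or no matching non-empty entry. */
static int64_t fs_byte_offset(const uint8_t mbr[512], uint8_t type) {
    if (mbr[510] != 0x55 || mbr[511] != 0xaa) return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + 446 + 16 * i;
        if (e[4] == type && le32(e + 12) != 0)
            return (int64_t)le32(e + 8) * SECTOR_SIZE;
    }
    return -1;
}

int main(void) {
    uint8_t mbr[512];
    build_sample_mbr(mbr);
    printf("byte offset from table: %lld\n",
           (long long)fs_byte_offset(mbr, 0x0b));
    printf("byte offset as posted:  %lld\n", (long long)0x2168 * SECTOR_SIZE);
    return 0;
}
```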