[sleuthkit-users] Getting the starting offset with the Sleuthkit library
From: Mike G. <do...@li...> - 2014-05-20 22:51:05
Hi all,

I have been writing a program to analyze an image (/dev/sdc for a USB stick). So far all works. The only thing is: how do I write code to get the starting offset that the file system begins at? Let me explain. So far, my code looks as follows:

    TskImgInfo *img_info = new TskImgInfo();
    TSK_TCHAR **temp = (TSK_TCHAR **) argv;

    // Start sector taken from mmls output, times 512 bytes per sector
    TSK_OFF_T fsStartBlock = 0x878*512;

    // TSK_OFF_T is a 64-bit type, so cast it for a portable format specifier
    printf("Offset at: %lld \n", (long long) fsStartBlock);
    printf("Opening Image %s \n", temp[1]);

    if(img_info->open(argv[1], TSK_IMG_TYPE_DETECT, fsStartBlock) == 0)
    {
        printf("Image opened successfully\n");
    }
    else
    {
        printf("Error opening image %s \n", temp[1]);
        exit(1);
    }

Now, I found the fsStartBlock to be 0x878 by using the mmls on /dev/sdc. Then I can tell where the FAT32 file system begins. But this means that every time I insert another USB or even try to analyze another drive I have to change the code. Is there a function in the Sleuthkit library that can get the offset automatically for the program?

Many thanks
Mike Goldstein
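Added example, not part of the original post and not Sleuth Kit code: on a DOS/MBR-partitioned stick, the start sector that mmls prints comes from the partition table in sector 0, so a program can compute the byte offset itself instead of hard-coding 0x878*512. The sample sector is constructed, the 512-byte sector size and the helper names (parse_mbr, first_fat32_offset) are assumptions, and GPT and extended partitions are not handled.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// One primary entry from a DOS/MBR partition table (hypothetical helper type).
struct MbrPart {
    uint8_t  type;          // partition type byte (0x0B / 0x0C = FAT32)
    uint32_t start_sector;  // first sector (LBA) of the partition
    uint32_t num_sectors;   // partition length in sectors
};

// MBR fields are stored little-endian on disk.
static uint32_t le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Parse sector 0. Returns the used primary entries, or nothing when the
// buffer is too short or the 0x55AA boot signature is missing.
std::vector<MbrPart> parse_mbr(const uint8_t *sec, size_t len) {
    std::vector<MbrPart> parts;
    if (len < 512 || sec[510] != 0x55 || sec[511] != 0xAA) return parts;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + 446 + 16 * i;   // table starts at byte 446
        MbrPart p = { e[4], le32(e + 8), le32(e + 12) };
        if (p.type != 0 && p.num_sectors != 0) parts.push_back(p);
    }
    return parts;
}

// Byte offset of the first FAT32 partition, or -1 if there is none.
int64_t first_fat32_offset(const uint8_t *sec, size_t len, uint32_t sector_size) {
    for (const MbrPart &p : parse_mbr(sec, len))
        if (p.type == 0x0B || p.type == 0x0C)
            return (int64_t)p.start_sector * sector_size;
    return -1;
}

// Constructed sample: one FAT32 (LBA) partition starting at sector 0x878.
std::vector<uint8_t> sample_mbr() {
    std::vector<uint8_t> s(512, 0);
    s[446 + 4] = 0x0C;                      // type: FAT32, LBA addressing
    s[446 + 8] = 0x78; s[446 + 9] = 0x08;   // start LBA 0x00000878
    s[446 + 14] = 0x77;                     // length 0x00770000 sectors
    s[510] = 0x55; s[511] = 0xAA;           // boot signature
    return s;
}

int main() {
    std::vector<uint8_t> s = sample_mbr();
    printf("FAT32 starts at byte %lld\n", (long long)first_fat32_offset(s.data(), s.size(), 512));
}
```

In the library itself this lookup belongs to the volume-system functions that mmls is built on (tsk_vs_open, tsk_vs_part_walk), which also cover partition schemes other than DOS.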