Re: [sleuthkit-users] Getting the starting offset with the Sleuthkit library
From: Brian C. <ca...@sl...> - 2014-05-22 15:23:10
There is a whole set of volume system libraries and classes that you can use to determine partition layout. Check out the dev docs if you haven't read them already:

http://sleuthkit.org/sleuthkit/docs/api-docs/

On May 20, 2014, at 6:50 PM, Mike Goldstein <do...@li...> wrote:

> Hi all,
>
> I have been writing a program to analyze an image (/dev/sdc for a USB stick). So far all works. The only thing is: How do I write code to get the starting offset that the file system begins at?
>
> Let me explain.
> So far, my code looks as follows:
>
>     TskImgInfo *img_info = new TskImgInfo();
>     TSK_TCHAR **temp = (TSK_TCHAR **) argv;
>
>     TSK_OFF_T fsStartBlock = 0x878*512;
>
>     printf("Offset at: %lu \n", fsStartBlock);
>
>     printf("Opening Image %s \n", temp[1]);
>
>     if(img_info->open(argv[1], TSK_IMG_TYPE_DETECT, fsStartBlock) == 0)
>     {
>         printf("Image opened successfully\n");
>     }
>     else
>     {
>         printf("Error opening image %s \n", temp[1]);
>         exit(1);
>     }
>
> Now, I found the fsStartBlock to be 0x878 by using the mmls on /dev/sdc. Then I can tell where the FAT32 file system begins. But this means that every time I insert another USB or even try to analyze another drive I have to change the code. Is there a function in the Sleuthkit library that can get the offset automatically for the program?
>
> Many thanks
> Mike Goldstein
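
Added example, not part of the original thread and not Sleuthkit code: a self-contained parser for a DOS/MBR partition table, showing how a start sector such as the 0x878 reported by mmls turns into a byte offset without hard-coding it. It assumes 512-byte sectors and primary partitions only; `Partition`, `parse_mbr` and `sample_mbr` are hypothetical names, and the sample sector is constructed.

```cpp
// Added example: minimal DOS/MBR partition-table parser (not the Sleuthkit API).
#include <cstdint>
#include <cstdio>
#include <vector>

struct Partition {
    int slot;            // index in the primary table, 0..3
    uint8_t type;        // partition type byte (0x0B/0x0C = FAT32)
    uint64_t start_lba;  // first sector of the partition
    uint64_t sectors;    // length in sectors
    uint64_t byte_offset(uint32_t ssize = 512) const { return start_lba * ssize; }
};

static uint32_t le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Parse the four primary entries of sector 0; false if the 0x55AA signature is missing.
bool parse_mbr(const std::vector<uint8_t> &sector0, std::vector<Partition> &out) {
    out.clear();
    if (sector0.size() < 512 || sector0[510] != 0x55 || sector0[511] != 0xAA)
        return false;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = &sector0[446 + 16 * i];   // 16-byte entries start at 446
        uint32_t start = le32(e + 8), count = le32(e + 12);
        if (e[4] == 0x00 || count == 0) continue;    // unused slot
        out.push_back({i, e[4], start, count});
    }
    return true;
}

// Constructed sample: one FAT32 (LBA) partition starting at sector 0x878.
std::vector<uint8_t> sample_mbr() {
    std::vector<uint8_t> s(512, 0);
    uint8_t *e = &s[446];
    e[4] = 0x0C;                               // type: FAT32 LBA
    e[8] = 0x78; e[9] = 0x08;                  // start LBA 0x00000878, little-endian
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x40;  // 0x00400000 sectors (constructed)
    s[510] = 0x55; s[511] = 0xAA;
    return s;
}

int main() {
    std::vector<Partition> parts;
    if (!parse_mbr(sample_mbr(), parts)) { std::puts("no MBR signature"); return 1; }
    for (const auto &p : parts)
        std::printf("slot %d type 0x%02X start sector %llu byte offset %llu\n", p.slot,
                    p.type, (unsigned long long)p.start_lba,
                    (unsigned long long)p.byte_offset());
    return 0;
}
```

On a real device, read the first 512 bytes from a read-only handle or a verified image copy; GPT disks and extended partitions need additional handling that this sketch omits.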