[sleuthkit-users] Autopsy 3 - file offset information
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] Autopsy 3 - file offset information
|
From: Sam K <sku...@gm...> - 2015-04-01 15:17:39
|
Good morning: Can anyone shed light on where Autopsy 3.1.2 would store the starting physical sector for a file, if that information is *not *contained in the tsk_file_layout table? I'm guessing it must be stored somewhere (and not re-parsed from the MFT every time I view the file), but have been unsuccessful in finding it. Based on the output in the Metadata tab, Autopsy does store the information. I've confirmed with another tool that 118341 is indeed the starting physical sector. I want this information included with a report module I'm working on, and can't seem to reference it anywhere in the API or database (there's no entry for the file in tsk_file_layout, perhaps because it's contiguous and not fragmented). Attributes: Type: ? (16-0) Name: N/A Resident size: 72 Type: ? (48-6) Name: N/A Resident size: 90 Type: ? (48-5) Name: N/A Resident size: 110 Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600 118341 118342 118343 118344 118345 118346 118347 118348 118349 118350 118351 118352 118353 118354 118355 118356 118357 118358 118359 118360 118361 118362 118363 118364 118365 118366 118367 118368 118369 118370 118371 118372 118373 118374 118375 118376 118377 118378 118379 118380 118381 118382 118383 118384 118385 118386 118387 118388 118389 118390 Thanks in advance for any feedback. |
