Re: [sleuthkit-users] Autopsy 3 - file offset information
From: ade <adr...@nt...> - 2015-04-01 15:27:09
Hi Sam

The metadata you have presented is the data-runs, which are the block (or cluster) numbers, parsed from the inode information. AFAIK, tsk doesn't get the starting sector number for files as this is not maintained by any structures on the disk. You would have to calculate the sector number based on the first cluster number in the data run, taking into account the partition start sector and the number of sectors per cluster.

Stumpy

On Wednesday 01 Apr 2015 11:17:32 Sam K wrote:
> Good morning:
>
> Can anyone shed light on where Autopsy 3.1.2 would store the starting
> physical sector for a file, if that information is *not* contained in the
> tsk_file_layout table? I'm guessing it must be stored somewhere (and not
> re-parsed from the MFT every time I view the file), but have been
> unsuccessful in finding it.
>
> Based on the output in the Metadata tab, Autopsy does store the
> information. I've confirmed with another tool that 118341 is indeed the
> starting physical sector. I want this information included with a report
> module I'm working on, and can't seem to reference it anywhere in the API
> or database (there's no entry for the file in tsk_file_layout, perhaps
> because it's contiguous and not fragmented).
>
> Attributes:
> Type: ? (16-0) Name: N/A Resident size: 72
> Type: ? (48-6) Name: N/A Resident size: 90
> Type: ? (48-5) Name: N/A Resident size: 110
> Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
> 118341 118342 118343 118344 118345 118346 118347 118348
> 118349 118350 118351 118352 118353 118354 118355 118356
> 118357 118358 118359 118360 118361 118362 118363 118364
> 118365 118366 118367 118368 118369 118370 118371 118372
> 118373 118374 118375 118376 118377 118378 118379 118380
> 118381 118382 118383 118384 118385 118386 118387 118388
> 118389 118390
>
> Thanks in advance for any feedback.
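The calculation described in the reply above, as an added example that is not part of the original thread or of Sleuth Kit/Autopsy code. It goes slightly beyond the single starting sector and maps every data run to an absolute sector range. It assumes NTFS cluster numbers counted from the start of the partition; the function names are hypothetical, the sample text and geometry values are constructed, and the partition start sector and sectors per cluster must be supplied by the caller (for example from `mmls` and `fsstat` output).

```python
import re

# Constructed sample: a non-resident $DATA block list in the style of the
# Metadata tab output quoted above, shortened and split into two fragments.
SAMPLE = """\
Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
118341 118342 118343 118344
200000 200001
"""

def parse_clusters(metadata_text):
    """Return cluster numbers from lines holding only whitespace-separated integers."""
    clusters = []
    for line in metadata_text.splitlines():
        if re.fullmatch(r"\s*\d+(\s+\d+)*\s*", line):
            clusters.extend(int(tok) for tok in line.split())
    return clusters

def coalesce(clusters):
    """Collapse an ordered cluster list into (first_cluster, length) runs."""
    runs = []
    for c in clusters:
        if runs and c == runs[-1][0] + runs[-1][1]:
            runs[-1][1] += 1          # extends the current contiguous run
        else:
            runs.append([c, 1])       # gap: the file is fragmented here
    return [tuple(r) for r in runs]

def runs_to_sectors(runs, part_start_sector, sectors_per_cluster):
    """Map cluster runs to (first_sector, sector_count) on the whole image.

    part_start_sector: partition offset in sectors (assumed known by caller).
    sectors_per_cluster: cluster size divided by sector size (assumed known).
    """
    if sectors_per_cluster < 1 or part_start_sector < 0:
        raise ValueError("invalid volume geometry")
    return [(part_start_sector + first * sectors_per_cluster,
             length * sectors_per_cluster) for first, length in runs]

if __name__ == "__main__":
    runs = coalesce(parse_clusters(SAMPLE))
    # Hypothetical geometry: partition at sector 2048, 8 sectors per cluster.
    for first, count in runs_to_sectors(runs, 2048, 8):
        print(f"sectors {first}-{first + count - 1} ({count} sectors)")
```

A cluster number equals the absolute sector number only when the partition starts at sector 0 and each cluster is one sector long; with any other geometry the two values differ.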