Re: [sleuthkit-users] Autopsy 3 - file offset information
From: Sam K <sku...@gm...> - 2015-04-01 15:51:46
Thanks, that makes sense. Calculating is not a problem - but I can't seem to
find where the data run information is stored for this file. I was expecting
tsk_file_layout, but no joy. Is there an API call or somewhere else in the
SQLite tables it could live?

On Wed, Apr 1, 2015 at 11:26 AM, ade <adr...@nt...> wrote:

> Hi Sam
>
> The metadata you have presented is the data-runs, which are the block (or
> cluster) numbers, parsed from the inode information. AFAIK, tsk doesn't
> get the starting sector number for files as this is not maintained by any
> structures on the disk. You would have to calculate the sector number based
> on the first cluster number in the data run, taking into account the
> partition start sector and the number of sectors per cluster.
>
> Stumpy
>
> On Wednesday 01 Apr 2015 11:17:32 Sam K wrote:
> > Good morning:
> >
> > Can anyone shed light on where Autopsy 3.1.2 would store the starting
> > physical sector for a file, if that information is *not* contained in the
> > tsk_file_layout table? I'm guessing it must be stored somewhere (and not
> > re-parsed from the MFT every time I view the file), but have been
> > unsuccessful in finding it.
> >
> > Based on the output in the Metadata tab, Autopsy does store the
> > information. I've confirmed with another tool that 118341 is indeed the
> > starting physical sector. I want this information included with a report
> > module I'm working on, and can't seem to reference it anywhere in the API
> > or database (there's no entry for the file in tsk_file_layout, perhaps
> > because it's contiguous and not fragmented).
> >
> > Attributes:
> > Type: ? (16-0) Name: N/A Resident size: 72
> > Type: ? (48-6) Name: N/A Resident size: 90
> > Type: ? (48-5) Name: N/A Resident size: 110
> > Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
> > 118341 118342 118343 118344 118345 118346 118347 118348
> > 118349 118350 118351 118352 118353 118354 118355 118356
> > 118357 118358 118359 118360 118361 118362 118363 118364
> > 118365 118366 118367 118368 118369 118370 118371 118372
> > 118373 118374 118375 118376 118377 118378 118379 118380
> > 118381 118382 118383 118384 118385 118386 118387 118388
> > 118389 118390
> >
> > Thanks in advance for any feedback.
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
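The calculation Ade describes (physical sector = partition start sector + cluster number * sectors per cluster), worked through as an added example; this is not code from the thread, from Autopsy or from The Sleuth Kit. It turns the block list Autopsy prints into data runs, converts each run to absolute sectors, and maps a logical file offset to an absolute byte offset in the image, which is what a report module needs and which also covers the fragmented case Sam's tsk_file_layout guess was about. The block list is the one Sam posted; 25600 bytes over 50 blocks is 512 bytes per cluster, so one sector per cluster, and a partition start of 0 in the first scenario is an assumption consistent with 118341 being the physical sector he confirmed. The second scenario (partition at sector 2048, 4 KiB clusters, a fragmented file) is constructed. In an Autopsy case database the two inputs come from the tsk_fs_info row of the file's file system: img_offset (bytes, so divide by the sector size) and block_size.

```python
"""Physical sector / image offset from TSK-style cluster (block) lists.

Added example, not code from the sleuthkit-users thread, from Autopsy or
from The Sleuth Kit.  Constructed inputs are marked as such below.
"""
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512  # assumption: 512-byte sectors


@dataclass(frozen=True)
class Run:
    start_cluster: int   # first cluster of the run, file-system relative
    length: int          # number of clusters in the run


def blocks_to_runs(blocks: List[int]) -> List[Run]:
    """Collapse the block numbers shown in Autopsy's Metadata tab into
    contiguous runs: one run for a contiguous file, several for a
    fragmented one (the data-run view of the same information)."""
    runs: List[Run] = []
    for b in blocks:
        if runs and b == runs[-1].start_cluster + runs[-1].length:
            runs[-1] = Run(runs[-1].start_cluster, runs[-1].length + 1)
        else:
            runs.append(Run(b, 1))
    return runs


def cluster_to_sector(cluster: int, part_start_sector: int,
                      cluster_size: int, sector_size: int = SECTOR_SIZE) -> int:
    """Absolute (physical) sector of a cluster.  TSK block numbers are
    relative to the file system, so the partition start is added."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of the sector size")
    return part_start_sector + cluster * (cluster_size // sector_size)


def physical_runs(blocks: List[int], part_start_sector: int, cluster_size: int,
                  sector_size: int = SECTOR_SIZE) -> List[Tuple[int, int]]:
    """(start sector, sector count) for every run, the form a report wants."""
    spc = cluster_size // sector_size
    return [(cluster_to_sector(r.start_cluster, part_start_sector,
                               cluster_size, sector_size), r.length * spc)
            for r in blocks_to_runs(blocks)]


def file_offset_to_image_offset(file_offset: int, blocks: List[int],
                                part_start_sector: int, cluster_size: int,
                                sector_size: int = SECTOR_SIZE) -> int:
    """Map a logical byte offset inside the file to an absolute byte offset
    in the image, walking the runs so fragmented files are handled.  An
    offset past the last allocated cluster is rejected, not extrapolated."""
    if file_offset < 0:
        raise ValueError("negative offset")
    remaining = file_offset
    for run in blocks_to_runs(blocks):
        run_bytes = run.length * cluster_size
        if remaining < run_bytes:
            sector = cluster_to_sector(run.start_cluster, part_start_sector,
                                       cluster_size, sector_size)
            return sector * sector_size + remaining
        remaining -= run_bytes
    raise ValueError("offset beyond the file's allocated clusters")


def check_allocation(size: int, blocks: List[int], cluster_size: int) -> bool:
    """Sanity check on the inputs: the file size must fit in the listed
    clusters and the last cluster must actually be needed; if this fails,
    the cluster size (or the block list) is wrong."""
    n = len(blocks)
    return (n - 1) * cluster_size < size <= n * cluster_size


# Block list from the thread: 50 clusters, 118341..118390, for a 25600-byte
# file.  25600 / 50 = 512, so this file system uses 512-byte clusters.
POSTED_BLOCKS = list(range(118341, 118391))
POSTED_SIZE = 25600

if __name__ == "__main__":
    # Assumption: file system starts at sector 0 (matches the confirmed 118341).
    print(physical_runs(POSTED_BLOCKS, 0, 512))            # [(118341, 50)]
    print(check_allocation(POSTED_SIZE, POSTED_BLOCKS, 512))  # True
    # Constructed: fragmented file on a partition starting at sector 2048
    # with 4 KiB clusters (8 sectors per cluster).
    frag = [10, 11, 12, 20, 21]
    print(physical_runs(frag, 2048, 4096))                 # [(2128, 24), (2208, 16)]
    print(file_offset_to_image_offset(3 * 4096 + 100, frag, 2048, 4096))  # 1130596
```

check_allocation is worth running before trusting any offset: if the cluster size is wrong the posted file would still "fit", but the sector arithmetic would be off by the ratio of the two cluster sizes, which is exactly the kind of error that survives into a report unnoticed.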