Re: [sleuthkit-users] Autopsy 3 - file offset information
From: Atila <ati...@dp...> - 2015-04-02 15:13:59
Sam, Autopsy does not fill tsk_file_layout, but tsk_loaddb does (with some exceptions, like very small files that are stored in the MFT for NTFS). Maybe that helps you?

On 01-04-2015 12:51, Sam K wrote:
> Thanks, that makes sense. Calculating is not a problem - but I can't
> seem to find where the data run information is stored for this file.
> I was expecting tsk_file_layout, but no joy. Is there an API call or
> somewhere else in the SQLite tables it could live?
>
> On Wed, Apr 1, 2015 at 11:26 AM, ade <adr...@nt...> wrote:
>
> Hi Sam
>
> The metadata you have presented is the data-runs, which are the block (or
> cluster) numbers, parsed from the inode information. AFAIK, tsk doesn't
> get the starting sector number for files as this is not maintained by any
> structures on the disk. You would have to calculate the sector number based
> on the first cluster number in the data run, taking into account the partition
> start sector and the number of sectors per cluster.
>
> Stumpy
>
> On Wednesday 01 Apr 2015 11:17:32 Sam K wrote:
> > Good morning:
> >
> > Can anyone shed light on where Autopsy 3.1.2 would store the starting
> > physical sector for a file, if that information is *not* contained in the
> > tsk_file_layout table? I'm guessing it must be stored somewhere (and not
> > re-parsed from the MFT every time I view the file), but have been
> > unsuccessful in finding it.
> >
> > Based on the output in the Metadata tab, Autopsy does store the
> > information. I've confirmed with another tool that 118341 is indeed the
> > starting physical sector. I want this information included with a report
> > module I'm working on, and can't seem to reference it anywhere in the API
> > or database (there's no entry for the file in tsk_file_layout, perhaps
> > because it's contiguous and not fragmented).
> >
> > Attributes:
> > Type: ? (16-0) Name: N/A Resident size: 72
> > Type: ? (48-6) Name: N/A Resident size: 90
> > Type: ? (48-5) Name: N/A Resident size: 110
> > Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600
> > 118341 118342 118343 118344 118345 118346 118347 118348
> > 118349 118350 118351 118352 118353 118354 118355 118356
> > 118357 118358 118359 118360 118361 118362 118363 118364
> > 118365 118366 118367 118368 118369 118370 118371 118372
> > 118373 118374 118375 118376 118377 118378 118379 118380
> > 118381 118382 118383 118384 118385 118386 118387 118388
> > 118389 118390
> >
> > Thanks in advance for any feedback.
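As an added example (not code from this thread, from Autopsy or from The Sleuth Kit), here is the calculation Stumpy describes: collapse the block addresses shown in the Metadata tab into data runs, then convert the first cluster to a physical sector from the partition start sector and the sectors-per-cluster count, which the caller supplies; the `Volume` values used below are assumptions, and resident attributes, which have no data runs, return `None`.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Volume:
    """Geometry needed for the conversion; both values are assumptions supplied by the caller."""
    start_sector: int         # first sector of the partition, relative to the disk
    sectors_per_cluster: int  # cluster size divided by the 512-byte sector size


# Block addresses copied from the Metadata tab listing in the thread (attribute 128-4).
THREAD_BLOCKS = list(range(118341, 118391))  # 118341 .. 118390, 50 addresses


def blocks_to_runs(blocks: List[int]) -> List[Tuple[int, int]]:
    """Collapse a list of block addresses into (first_block, block_count) runs.
    Consecutive addresses merge into one run; a gap starts a new run (fragmented file)."""
    runs: List[Tuple[int, int]] = []
    for b in blocks:
        if runs and runs[-1][0] + runs[-1][1] == b:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((b, 1))
    return runs


def cluster_to_physical_sector(vol: Volume, cluster: int) -> int:
    """Disk-relative sector number of the first sector of a cluster."""
    return vol.start_sector + cluster * vol.sectors_per_cluster


def physical_runs(vol: Volume, blocks: List[int]) -> List[Tuple[int, int]]:
    """Data runs expressed as (first_physical_sector, sector_count), ready for a report."""
    return [(cluster_to_physical_sector(vol, c), n * vol.sectors_per_cluster)
            for c, n in blocks_to_runs(blocks)]


def starting_physical_sector(vol: Volume, blocks: List[int], resident: bool) -> Optional[int]:
    """None for resident attributes: their content lives inside the MFT record, so there is no run."""
    if resident or not blocks:
        return None
    return physical_runs(vol, blocks)[0][0]


if __name__ == "__main__":
    # 25600 bytes over 50 addresses is 512 bytes per address, i.e. one sector per cluster;
    # a volume starting at sector 0 then maps cluster N straight to physical sector N.
    print(starting_physical_sector(Volume(0, 1), THREAD_BLOCKS, resident=False))  # 118341
    # Assumed geometry for comparison: partition at sector 2048, 4 KiB clusters.
    print(physical_runs(Volume(2048, 8), THREAD_BLOCKS))  # [(948776, 400)]
```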