Re: [sleuthkit-users] Autopsy 3 - file offset information
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Autopsy 3 - file offset information
|
From: Brian C. <ca...@sl...> - 2015-04-07 15:52:54
|
Hi Sam, The data below is created “in real time” by calling the TSK code. It isn’t stored anywhere in the Autopsy DB. It is the same info that you get from running the ‘stat’ command in TSK. Autopsy doesn’t store any file info for speed reasons. It would take A LOT longer to add a data source into Autopsy if we did that (we did in the very early days) and there aren’t that many use cases (in Autopsy at least) that need it. The theory was that we would expose an API to the data via TSK if a use case ever presented itself. And perhaps one now has. Are you looking for a method that returns the list of blocks for a given file? As Alex pointed out, NTFS further complicates this because of resident files that have data that are not on sector boundaries. So, to be truly generic, the API would need to be starting byte of a file. brian > On Apr 1, 2015, at 11:17 AM, Sam K <sku...@gm...> wrote: > > Good morning: > > Can anyone shed light on where Autopsy 3.1.2 would store the starting physical sector for a file, if that information is not contained in the tsk_file_layout table? I'm guessing it must be stored somewhere (and not re-parsed from the MFT every time I view the file), but have been unsuccessful in finding it. > > Based on the output in the Metadata tab, Autopsy does store the information. I've confirmed with another tool that 118341 is indeed the starting physical sector. I want this information included with a report module I'm working on, and can't seem to reference it anywhere in the API or database (there's no entry for the file in tsk_file_layout, perhaps because it's contiguous and not fragmented). > Attributes: > Type: ? (16-0) Name: N/A Resident size: 72 > Type: ? (48-6) Name: N/A Resident size: 90 > Type: ? (48-5) Name: N/A Resident size: 110 > Type: ? (128-4) Name: N/A Non-Resident size: 25600 init_size: 25600 > 118341 118342 118343 118344 118345 118346 118347 118348 > 118349 118350 118351 118352 118353 118354 118355 118356 > 118357 118358 118359 118360 118361 118362 118363 118364 > 118365 118366 118367 118368 118369 118370 118371 118372 > 118373 118374 118375 118376 118377 118378 118379 118380 > 118381 118382 118383 118384 118385 118386 118387 118388 > 118389 118390 > Thanks in advance for any feedback. > ------------------------------------------------------------------------------ > Dive into the World of Parallel Programming The Go Parallel Website, sponsored > by Intel and developed in partnership with Slashdot Media, is your hub for all > things parallel software development, from weekly thought leadership blogs to > news, videos, case studies, tutorials and more. Take a look and join the > conversation now. http://goparallel.sourceforge.net/_______________________________________________ > sleuthkit-users mailing list > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users > http://www.sleuthkit.org |
