[sleuthkit-users] Get Direct Block numbers from istat
From: Efstratios S. <esk...@gm...> - 2015-10-30 00:22:17
Dear all,
I am new to the Sleuthkit library and I am trying to write an introspection
tool using Sleuthkit on a XEN hypervisor running Ubuntu 12.04 64-bit,
trying to inspect a guest VM (domU) running Ubuntu 12.04 64-bit as well.
After successfully getting information about an inode given to my program
by running the following code:
    if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }
I get the following output [numblock initialized as 0, sec_skew as
well]:
Bla bla bla
. . .
. . .
Direct Blocks : numberX,numberY. .
The problem is: how can I get those block numbers, numberX and numberY, in
order to use them in my program later? I tried reading many source files
[ntfs.c where fs->istat is located, fs_block.c, blkstat.c and others] but it
didn't help me.
Thanks in advance!
Efstratios