Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Pasquale R. <pjr...@gm...> - 2015-11-16 01:23:48
Efstratios,

Check out this function on a program I am working on which incorporates the sleuthkit C library functions. I calculate the direct block addresses and store this value in my db table. The functions to look at are "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They are on lines: 517-588.

https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp

I hope it helps.

Pasquale

On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <esk...@gm...> wrote:

> Dear all,
>
> I am using Sleuth kit library in order to write an introspection tool for
> *XEN* hypervisor running on Ubuntu 12.04.5 x64bit and my question is if
> we have the inode number of a file on a disk [ guest VM - *ext4*
> filesystem], for example 6031126 and want to handle the *direct block
> pointers of a file/directory* later in a program, how can we get
> them (Direct Blocks : *NumberX*, *NumberY* etc) ? I used the sleuth kit
> function *istat* inside my program like on istat.cpp program of the
> library:
>
> if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>     tsk_error_print(stderr);
>     fs->close(fs);
>     img->close(img);
>     exit(1);
> }
>
> to get information about this inode and I got this :
>
> inode: 6031126
> Allocated
> Group: 736
> Generation Id: 3880935525
> uid / gid: 1000 / 1000
> mode: rrw-------
> Flags: Extents,
> size: 6613
> num of links: 1
>
> Inode Times:
> Accessed: 2015-11-12 17:47:55.857360000 (EET)
> File Modified: 2015-03-27 14:05:13.000000000 (EET)
> Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
> File Created: 2015-07-12 00:51:07.489188000 (EEST)
>
> Direct Blocks:
> 24172552 24172553
>
> I know the block numbers by calling that function but I don't know where
> they are stored and how to retrieve them in a variable? In order to use
> them later in my tool!
>
> Any tips/suggestions or documentation would be appreciated!
> Thanks in advance!
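An added illustration that is not part of the thread and is not Sleuth Kit or wombatforensics code: for an ext4 inode with the Extents flag, as in the quoted istat output, the block numbers are held in an extent tree whose root sits in the inode's 60-byte i_block area. The C below decodes a depth-0 root into physical block numbers; the function name and the sample bytes are constructed for this example.

```c
/* Added example, not Sleuth Kit code: decode the ext4 extent leaf held in an
 * inode's 60-byte i_block area into a list of physical block numbers. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT4_EXT_MAGIC   0xF30A
#define EXT_INIT_MAX_LEN 32768u /* ee_len above this marks an unwritten extent */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of blocks written to out (at most max_out), -1 on a bad
 * magic or entry count, -2 when the root is an index node (eh_depth > 0) and
 * the leaf extents would have to be read from disk blocks instead. */
long ext4_inline_extent_blocks(const uint8_t i_block[60], uint64_t *out, size_t max_out) {
    if (le16(i_block) != EXT4_EXT_MAGIC) return -1;
    uint16_t entries = le16(i_block + 2);          /* eh_entries */
    if (entries > 4) return -1;                    /* only 4 fit after the header */
    if (le16(i_block + 6) != 0) return -2;         /* eh_depth */
    size_t n = 0;
    for (uint16_t i = 0; i < entries; i++) {
        const uint8_t *e = i_block + 12 + 12 * i;  /* 12-byte header, 12-byte extents */
        uint32_t len = le16(e + 4);                /* ee_len */
        if (len > EXT_INIT_MAX_LEN) len -= EXT_INIT_MAX_LEN;
        /* physical start = ee_start_hi (16 bits) : ee_start_lo (32 bits) */
        uint64_t start = ((uint64_t)le16(e + 6) << 32) | le32(e + 8);
        for (uint32_t b = 0; b < len && n < max_out; b++) out[n++] = start + b;
    }
    return (long)n;
}

/* Constructed sample: one extent, logical block 0, length 2, start 24172552
 * (0x0170D808), matching the "Direct Blocks" line in the quoted istat output. */
static const uint8_t sample_i_block[60] = {
    0x0A, 0xF3, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0xD8, 0x70, 0x01,
};

int main(void) {
    uint64_t blocks[16];
    long n = ext4_inline_extent_blocks(sample_i_block, blocks, 16);
    for (long i = 0; i < n; i++) printf("%llu\n", (unsigned long long)blocks[i]);
    return n < 0;
}
```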