Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Efstratios S. <esk...@gm...> - 2015-11-17 10:35:13
Pasquale,

Thanks a lot for the information you provided me :-)
I finally managed to get the direct block pointers of a file!! That if(flags & TSK_FS_BLOCK_FLAG_CONT) did the work, in the GetBlockAddress function! :-)

My question: is there a reason you can only "save" the last one of NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something wrong?
I am using C, not C++, for my introspection tool.
I tried using an array but still only NumberZ is saved; the others are lost. I placed some printfs and for some reason every time the array is initialized after it returns the NumberX, NumberY.

Thanks a lot for your time and help,
Efstratios

On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <pjr...@gm...> wrote:

> Efstratios,
>
> Check out this function in a program I am working on which incorporates
> the sleuthkit C library functions. I calculate the direct block addresses
> and store this value in my db table. The functions to look at are
> "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They
> are on lines 517-588.
>
> https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp
>
> I hope it helps.
> Pasquale
>
> On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <esk...@gm...> wrote:
>
>> Dear all,
>>
>> I am using the Sleuth Kit library in order to write an introspection tool for
>> the *XEN* hypervisor running on Ubuntu 12.04.5 x64 and my question is: if
>> we have the inode number of a file on a disk [guest VM - *ext4*
>> filesystem], for example 6031126, and want to handle the *direct block
>> pointers of a file/directory* later in a program, how can we get
>> them (Direct Blocks: *NumberX*, *NumberY* etc.)? I used the Sleuth Kit
>> function *istat* inside my program, as in the istat.cpp program of the
>> library:
>>
>>     if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>>         tsk_error_print(stderr);
>>         fs->close(fs);
>>         img->close(img);
>>         exit(1);
>>     }
>>
>> to get information about this inode and I got this:
>>
>>     inode: 6031126
>>     Allocated
>>     Group: 736
>>     Generation Id: 3880935525
>>     uid / gid: 1000 / 1000
>>     mode: rrw-------
>>     Flags: Extents,
>>     size: 6613
>>     num of links: 1
>>
>>     Inode Times:
>>     Accessed: 2015-11-12 17:47:55.857360000 (EET)
>>     File Modified: 2015-03-27 14:05:13.000000000 (EET)
>>     Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
>>     File Created: 2015-07-12 00:51:07.489188000 (EEST)
>>
>>     Direct Blocks:
>>     24172552 24172553
>>
>> I know the block numbers by calling that function but I don't know where
>> they are stored and how to retrieve them in a variable, in order to use
>> them later in my tool!
>>
>> Any tips/suggestions or documentation would be appreciated!
>> Thanks in advance!
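
Added example, not part of the original message and not code from wombatforensics or the Sleuth Kit: one way in C to keep every block address a tsk_fs_file_walk callback receives is to append to a caller-owned, growable list passed through the callback's last void * argument. The TSK type definitions and the driver are stand-ins so the block compiles without libtsk; block_list, collect_block and demo_collect are hypothetical names, and the two sample addresses are the ones shown in the istat output above.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-ins (assumptions) so this compiles without libtsk; in a real tool
 * delete them and #include <tsk/libtsk.h>. Enum values here are constructed. */
typedef struct TSK_FS_FILE TSK_FS_FILE;
typedef int64_t TSK_OFF_T;
typedef uint64_t TSK_DADDR_T;
typedef enum { TSK_WALK_CONT, TSK_WALK_STOP, TSK_WALK_ERROR } TSK_WALK_RET_ENUM;
typedef enum { TSK_FS_BLOCK_FLAG_ALLOC = 1, TSK_FS_BLOCK_FLAG_CONT = 4 } TSK_FS_BLOCK_FLAG_ENUM;

/* Caller-owned accumulator (hypothetical name): it outlives every callback. */
typedef struct { TSK_DADDR_T *addr; size_t count, cap; } block_list;

/* Same parameter list as a tsk_fs_file_walk() callback; ptr is the last
 * argument given to tsk_fs_file_walk(), here a block_list *. */
static TSK_WALK_RET_ENUM collect_block(TSK_FS_FILE *file, TSK_OFF_T off,
        TSK_DADDR_T addr, char *buf, size_t len,
        TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
{
    block_list *bl = ptr;
    (void)file; (void)off; (void)buf; (void)len;
    if (!(flags & TSK_FS_BLOCK_FLAG_CONT))
        return TSK_WALK_CONT;               /* skip non-content blocks */
    if (bl->count == bl->cap) {             /* grow, never re-initialise */
        size_t ncap = bl->cap ? bl->cap * 2 : 8;
        TSK_DADDR_T *n = realloc(bl->addr, ncap * sizeof *n);
        if (n == NULL)
            return TSK_WALK_ERROR;
        bl->addr = n;
        bl->cap = ncap;
    }
    bl->addr[bl->count++] = addr;           /* append, keeping earlier entries */
    return TSK_WALK_CONT;
}

/* Stand-in driver: feeds constructed addresses the way the walk would,
 * one callback per block. Real code would instead call
 * tsk_fs_file_walk(file, TSK_FS_FILE_WALK_FLAG_AONLY, collect_block, &bl). */
static size_t demo_collect(block_list *bl)
{
    const TSK_DADDR_T sample[] = { 24172552, 24172553 };  /* from the istat output above */
    for (size_t i = 0; i < 2; i++)
        if (collect_block(NULL, 0, sample[i], NULL, 0,
                          TSK_FS_BLOCK_FLAG_CONT, bl) != TSK_WALK_CONT)
            break;
    return bl->count;
}
```

The list must be zero-initialised once by the caller (block_list bl = {0};) before the walk and freed with free(bl.addr) after the addresses have been used.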