Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Pasquale R. <pjr...@gm...> - 2015-11-17 18:25:05
Efstratios,

Without seeing the code, it's hard to tell. It sounds like you have the array initialization inside your looping function, which would reset the array and then only store the last value in the loop since you just reset the array. It's hard to say without seeing the code though. It's purely a guess based on common mistakes I make when doing this kind of looping.

Pasquale

On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <esk...@gm...> wrote:

> Pasquale,
>
> Thanks a lot for the information you provided me :-) I finally managed to
> get the direct block pointers of a file !!
>
> That if(flags & TSK_FS_BLOCK_FLAG_CONT) did the work, on GetBlockAddress
> function! :-)
>
> My question: is there a reason you can only "Save" the last one from
> NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something
> wrong? I am using C not C++ for my introspection tool.
>
> I tried using an array but still only NumberZ is saved, the others are
> lost. I placed some printfs and for some reason every time the array
> is initialized after it returns the NumberX, NumberY.
>
> Thanks a lot for your time and help,
> Efstratios
>
> On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <pjr...@gm...>
> wrote:
>
>> Efstratios,
>>
>> Check out this function on a program I am working on which incorporates
>> the sleuthkit c library functions. I calculate the direct block addresses
>> and store this value in my db table. The functions to look at are
>> "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They
>> are on lines: 517-588.
>>
>> https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp
>>
>> I hope it helps.
>> Pasquale
>>
>> On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <
>> esk...@gm...> wrote:
>>
>>> Dear all,
>>>
>>> I am using Sleuth kit library in order to write an introspection tool
>>> for *XEN* hypervisor running on ubuntu 12.04.5 x64bit and my question
>>> is if we have the inode number of a file on a disk [ guest VM - *ext4*
>>> filesystem], for example 6031126 and want to handle the *direct block
>>> pointers of a file/directory* later in a program, how can we get
>>> them (Direct Blocks : *NumberX*, *NumberY* etc)? I used the sleuth kit
>>> function *istat* inside my program like on istat.cpp program of the
>>> library:
>>>
>>>     if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>>>         tsk_error_print(stderr);
>>>         fs->close(fs);
>>>         img->close(img);
>>>         exit(1);
>>>     }
>>>
>>> to get information about this inode and I got this:
>>>
>>> inode: 6031126
>>> Allocated
>>> Group: 736
>>> Generation Id: 3880935525
>>> uid / gid: 1000 / 1000
>>> mode: rrw-------
>>> Flags: Extents,
>>> size: 6613
>>> num of links: 1
>>>
>>> Inode Times:
>>> Accessed: 2015-11-12 17:47:55.857360000 (EET)
>>> File Modified: 2015-03-27 14:05:13.000000000 (EET)
>>> Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
>>> File Created: 2015-07-12 00:51:07.489188000 (EEST)
>>>
>>> Direct Blocks:
>>> 24172552 24172553
>>>
>>> I know the block numbers by calling that function but I don't know where
>>> they are stored and how to retrieve them in a variable..? in order to use
>>> them later in my tool!
>>>
>>> Any tips/suggestions or documentation would be appreciated!
>>> Thanks in advance!
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
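
The callback pattern discussed in this thread, as an added example that is not taken from any of the messages or from wombatforensics: the block list is owned by the caller and handed to the callback through its pointer argument, next to a variant that resets its state on every call and so keeps only the last block. The walker, types and flag values are stand-ins (assumptions) so the code runs without libtsk; with the library, the callback registered with tsk_fs_file_walk receives the block address, the block flags and the caller's pointer in the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins (assumptions) for the libtsk address type, block flags and callback. */
typedef uint64_t blk_addr;
enum { SIM_FLAG_CONT = 0x1, SIM_FLAG_META = 0x2 };   /* constructed values */
typedef int (*walk_cb)(blk_addr addr, int flags, void *ptr);
typedef struct { blk_addr *addr; size_t count, cap; } block_list;

/* Correct callback: appends content blocks to the caller-owned list behind ptr. */
static int collect_cb(blk_addr addr, int flags, void *ptr) {
    block_list *bl = ptr;
    if (!(flags & SIM_FLAG_CONT)) return 0;          /* skip non-content blocks */
    if (bl->count == bl->cap) {                      /* grow, keeping old entries */
        size_t ncap = bl->cap ? bl->cap * 2 : 8;
        blk_addr *n = realloc(bl->addr, ncap * sizeof *n);
        if (!n) return 1;                            /* non-zero stops the walk */
        bl->addr = n; bl->cap = ncap;
    }
    bl->addr[bl->count++] = addr;
    return 0;
}

/* Buggy callback: state is re-initialised per block, so only the last one survives. */
static int buggy_cb(blk_addr addr, int flags, void *ptr) {
    ((block_list *)ptr)->count = 0;                  /* BUG: reset inside the loop */
    return collect_cb(addr, flags, ptr);
}

/* Stand-in walker: calls cb once per block, as a file walk would. */
static size_t run_walk(walk_cb cb, block_list *out) {
    /* Constructed sample: one metadata block, then the two direct blocks from istat. */
    static const blk_addr blocks[] = { 1000, 24172552, 24172553 };
    static const int flags[] = { SIM_FLAG_META, SIM_FLAG_CONT, SIM_FLAG_CONT };
    out->addr = NULL; out->count = out->cap = 0;     /* initialise once, before the walk */
    for (size_t i = 0; i < 3; i++)
        if (cb(blocks[i], flags[i], out)) break;
    return out->count;
}

int main(void) {
    block_list good, bad;
    printf("collect_cb kept %zu blocks\n", run_walk(collect_cb, &good));
    printf("buggy_cb kept %zu block(s)\n", run_walk(buggy_cb, &bad));
    free(good.addr); free(bad.addr);
    return 0;
}
```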