Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Efstratios S. <esk...@gm...> - 2015-11-17 19:58:08
Pasquale,
You are right, sorry! Here is what I have done:
Global variables:

    TSK_DADDR_T *blockstring;    // array where I want to store block numbers
    int fs_file_block_number;    // number of direct blocks per file

GetBlockAddress function code:

    TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
                                      TSK_DADDR_T addr, char *buf, size_t size,
                                      TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {
        /* Memory allocation for block addresses array */
        blockstring = malloc(size * sizeof(TSK_DADDR_T));
        int i = 0, s;
        if (flags & TSK_FS_BLOCK_FLAG_CONT) {
            /* Bitwise AND; TSK_FS_BLOCK_FLAG_CONT = block contains file content. */
            printf("addr = %lu\n", addr);
            for (s = (int) size; s > 0; s -= fs_file->fs_info->block_size) {
                /* Parse all the blocks, every 4096 bytes */
                if (addr) {
                    blockstring[i] = addr;
                    i++;
                    /* Calculate how many direct blocks the file has */
                    fs_file_block_number += size / 4096;
                    s -= fs_file->fs_info->block_size;
                    printf("blockstring[%d] = %lu\n", i, blockstring[i]);
                    printf(" iteration [%d], s = %d \n", i, s);
                    // tsk_printf("blockstring :%" PRIuDADDR "\n ", blockstring[fs_file_block_number]);
                    // tsk_printf("[%d]\n", fs_file_block_number);
                }
            } /* end of for */
        } /* end of if */
        return TSK_WALK_CONT;
    } // end of GetBlockAddress

How I call/use the above function in main:

    int i;
    TSK_FS_FILE *fs_file = NULL;
    fs_file = tsk_fs_file_open_meta(fs, NULL, inum);   // open file based on inode number
    if ((fs_file != NULL) && (fs_file->meta != NULL)) {
        /* Error checking */
        if (fs_file->fs_info->ftype == TSK_FS_TYPE_EXT4) {
            /* Ext4 file system */
            tsk_fs_file_walk(fs_file,
                             (TSK_FS_FILE_WALK_FLAG_ENUM)(
                                 TSK_FS_FILE_WALK_FLAG_AONLY |
                                 TSK_FS_FILE_WALK_FLAG_SLACK),
                             GetBlockAddress, NULL);
        }
    }
    printf("\n fs_file_block_number = %d \n", fs_file_block_number);
    for (i = 0; i < fs_file_block_number; i++) {
        printf("Direct Blocks: %lu\n", blockstring[i]);
    }
And the output I get is the following:
>>> inside function printfs <<<
addr = 24172552
blockstring[1] = 0
iteration [1], s = 0
addr = 24172553
blockstring[1] = 0
iteration [1], s = 0
>>> main printfs <<<
fs_file_block_number = 2
Direct Blocks: 24172553
Direct Blocks: 0
Thanks for your time,
Efstratios
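The accumulation pattern the thread is circling around, written out as an added example (this is not Efstratios' or Pasquale's code, nor The Sleuth Kit's own): the array is allocated once by the caller, sized from the file size, and handed to the callback through the walker's `void *ptr` argument, so each callback appends one address instead of re-allocating. It answers both the original question (how to get the addresses istat prints into a variable) and the follow-up (why only the last address survived). The output in the message above shows `blockstring` holding only the final address followed by a zero; a `malloc()` at the top of the callback replaces the array on every block, which is the "initialization inside your looping function" Pasquale guessed at, and `blockstring[i]` is printed after `i++`, so it shows the next, still unwritten slot. Because libtsk is not available here, the TSK type names, the flag values and `fake_file_walk()` are stand-ins that mimic the real callback signature; in a real tool include `<tsk/libtsk.h>` and call `tsk_fs_file_walk()` with the same callback and context pointer. The extent and size values are taken from the istat output quoted further down in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <inttypes.h>

/* Stand-ins for the TSK types in the callback signature. They are NOT the
 * real definitions (those live in <tsk/libtsk.h>); the flag values are
 * constructed for this example. */
typedef uint64_t TSK_DADDR_T;
typedef int64_t  TSK_OFF_T;
typedef enum { TSK_WALK_CONT, TSK_WALK_STOP, TSK_WALK_ERROR } TSK_WALK_RET_ENUM;
typedef enum { TSK_FS_BLOCK_FLAG_CONT = 0x04, TSK_FS_BLOCK_FLAG_SPARSE = 0x40 } TSK_FS_BLOCK_FLAG_ENUM;
typedef struct { unsigned int block_size; } TSK_FS_INFO;
typedef struct { TSK_FS_INFO *fs_info; } TSK_FS_FILE;
typedef TSK_WALK_RET_ENUM (*TSK_FS_FILE_WALK_CB)(TSK_FS_FILE *, TSK_OFF_T, TSK_DADDR_T,
                                                 char *, size_t, TSK_FS_BLOCK_FLAG_ENUM, void *);

/* State shared between caller and callback: allocated once by the caller and
 * passed through the walker's void *ptr argument instead of a global. */
typedef struct {
    TSK_DADDR_T *blocks;
    size_t count;
    size_t capacity;
} block_list_t;

static TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
                                         TSK_DADDR_T addr, char *buf, size_t size,
                                         TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
{
    block_list_t *list = (block_list_t *)ptr;
    (void)fs_file; (void)off; (void)buf; (void)size;

    /* Only content blocks matter; sparse runs have no on-disk address. */
    if (!(flags & TSK_FS_BLOCK_FLAG_CONT) || (flags & TSK_FS_BLOCK_FLAG_SPARSE))
        return TSK_WALK_CONT;
    /* Bounds check before writing: stop the walk rather than overrun the array. */
    if (list->count >= list->capacity)
        return TSK_WALK_ERROR;
    list->blocks[list->count++] = addr;   /* one address per callback, no realloc */
    return TSK_WALK_CONT;
}

/* Constructed stand-in for tsk_fs_file_walk(): the example file occupies a
 * single contiguous extent and the callback is invoked once per block, with
 * size = bytes of content in that block (the last block holds only the tail). */
typedef struct { TSK_DADDR_T start; size_t nblocks; } extent_t;

static TSK_WALK_RET_ENUM fake_file_walk(TSK_FS_FILE *f, const extent_t *ext, size_t file_size,
                                        TSK_FS_FILE_WALK_CB cb, void *ptr)
{
    size_t left = file_size;
    for (size_t i = 0; i < ext->nblocks; i++) {
        size_t bs = f->fs_info->block_size;
        size_t chunk = left < bs ? left : bs;
        TSK_WALK_RET_ENUM r = cb(f, (TSK_OFF_T)(i * bs), ext->start + i, NULL,
                                 chunk, TSK_FS_BLOCK_FLAG_CONT, ptr);
        if (r != TSK_WALK_CONT)
            return r;
        left -= chunk;
    }
    return TSK_WALK_CONT;
}

/* Walk the example file (size 6613, blocks 24172552 24172553, as in the
 * thread's istat output) and store its block addresses in out[].
 * Returns the number of addresses stored, or 0 if capacity was too small. */
size_t collect_example_blocks(TSK_DADDR_T *out, size_t capacity)
{
    TSK_FS_INFO info = { 4096 };
    TSK_FS_FILE file = { &info };
    extent_t ext = { 24172552ULL, 2 };
    block_list_t list = { out, 0, capacity };
    if (fake_file_walk(&file, &ext, 6613, GetBlockAddress, &list) != TSK_WALK_CONT)
        return 0;
    return list.count;
}

/* i-th block address of the example file, or 0 when i is out of range. */
TSK_DADDR_T example_block_at(size_t i)
{
    TSK_DADDR_T tmp[4];
    size_t n = collect_example_blocks(tmp, 4);
    return i < n ? tmp[i] : 0;
}

int main(void)
{
    /* Size the array once from the file size; with libtsk this would be
     * fs_file->meta->size and fs_file->fs_info->block_size. */
    size_t capacity = (6613 + 4096 - 1) / 4096;
    TSK_DADDR_T *blocks = malloc(capacity * sizeof *blocks);
    if (blocks == NULL)
        return 1;
    size_t n = collect_example_blocks(blocks, capacity);
    printf("fs_file_block_number = %zu\n", n);
    for (size_t i = 0; i < n; i++)
        printf("Direct Blocks: %" PRIu64 "\n", blocks[i]);
    free(blocks);
    return 0;
}
```

With libtsk, `tsk_fs_file_walk(fs_file, flags, GetBlockAddress, &list)` replaces `fake_file_walk()` unchanged: the last argument is exactly the `void *ptr` the callback receives, which is what the `NULL` in the message above leaves unused.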
On Tue, Nov 17, 2015 at 8:24 PM, Pasquale Rinaldi <pjr...@gm...>
wrote:
> Efstratios,
>
> Without seeing the code, it's hard to tell. It sounds like you have the
> array initialization inside your looping function, which would reset the
> array and then only store the last value in the loop, since you just reset
> the array.
>
> It's hard to say without seeing the code, though. It's purely a guess based
> on common mistakes I make when doing this kind of looping.
>
> Pasquale
>
> On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <
> esk...@gm...> wrote:
>
>> Pasquale,
>>
>> Thanks a lot for the information you provided me :-) I finally managed to
>> get the direct block pointers of a file!!
>>
>> That if (flags & TSK_FS_BLOCK_FLAG_CONT) did the work, in the GetBlockAddress
>> function! :-)
>>
>> My question is: is there a reason you can only "save" the last one from
>> NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something
>> wrong? I am using C, not C++, for my introspection tool.
>>
>> I tried using an array but still only NumberZ is saved; the others are
>> lost. I placed some printfs and for some reason every time the array
>> is initialized after it returns NumberX, NumberY.
>>
>> Thanks a lot for your time and help,
>> Efstratios
>>
>> On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <pjr...@gm...>
>> wrote:
>>
>>> Efstratios,
>>>
>>> Check out this function on a program I am working on which incorporates
>>> the sleuthkit c library functions. I calculate the direct block addresses
>>> and store this value in my db table. The functions to look at are
>>> "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They
>>> are on lines: 517-588.
>>>
>>>
>>> https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp
>>>
>>> I hope it helps.
>>> Pasquale
>>>
>>> On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <
>>> esk...@gm...> wrote:
>>>
>>>> Dear all,
>>>>
>>>> I am using the Sleuth Kit library in order to write an introspection tool
>>>> for the *XEN* hypervisor running on Ubuntu 12.04.5 x64, and my question
>>>> is: if we have the inode number of a file on a disk [guest VM, *ext4*
>>>> filesystem], for example 6031126, and want to handle the *direct block
>>>> pointers of a file/directory* later in a program, how can we get
>>>> them (Direct Blocks: *NumberX*, *NumberY* etc.)? I used the Sleuth Kit
>>>> function *istat* inside my program, like in the istat.cpp program of the
>>>> library:
>>>>
>>>>     if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>>>>         tsk_error_print(stderr);
>>>>         fs->close(fs);
>>>>         img->close(img);
>>>>         exit(1);
>>>>     }
>>>>
>>>> to get information about this inode, and I got this:
>>>>
>>>> inode: 6031126
>>>> Allocated
>>>> Group: 736
>>>> Generation Id: 3880935525
>>>> uid / gid: 1000 / 1000
>>>> mode: rrw-------
>>>> Flags: Extents,
>>>> size: 6613
>>>> num of links: 1
>>>>
>>>> Inode Times:
>>>> Accessed: 2015-11-12 17:47:55.857360000 (EET)
>>>> File Modified: 2015-03-27 14:05:13.000000000 (EET)
>>>> Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
>>>> File Created: 2015-07-12 00:51:07.489188000 (EEST)
>>>>
>>>> Direct Blocks:
>>>> 24172552 24172553
>>>>
>>>> I know the block numbers by calling that function, but I don't know
>>>> where they are stored or how to retrieve them into a variable, in order to
>>>> use them later in my tool!
>>>>
>>>> Any tips/suggestions or documentation would be appreciated!
>>>> Thanks in advance!
>>>>
>>>>