Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Jean-François G. <jea...@gm...> - 2015-11-17 20:26:14
If I'm not mistaken, each time GetBlockAddress gets called, you reinitialize your blockstring variable (malloc). You should probably use a linked list of TSK_DADDR_T objects and add your block in GetBlockAddress to that list. Or you could resize the array. Also, I'm not sure the size parameter of GetBlockAddress has anything to do with the TSK_DADDR_T structure. Hope this will help.

On 17 Nov 2015 3:02 PM, "Efstratios Skleparis" <esk...@gm...> wrote:
> Pasquale,
>
> You are right, sorry! Here is what I have done:
>
> Global variables:
>
>     TSK_DADDR_T *blockstring;    // array where I want to store block numbers
>     int fs_file_block_number;    // number of direct blocks per file
>
> GetBlockAddress function code:
>
>     TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
>                                       TSK_DADDR_T addr, char *buf, size_t size,
>                                       TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
>     {
>         /* Memory allocation for block addresses array */
>         blockstring = malloc(size * sizeof(TSK_DADDR_T));
>
>         int i = 0, s;
>
>         if (flags & TSK_FS_BLOCK_FLAG_CONT) {
>             /* Bitwise and, TSK_FS_BLOCK_FLAG_CONT = block contains file content. */
>             printf("addr = %lu\n", addr);
>
>             for (s = (int) size; s > 0; s -= fs_file->fs_info->block_size) {
>                 /* Parse all the blocks, every 4096 bytes */
>                 if (addr) {
>                     blockstring[i] = addr;
>                     i++;
>
>                     /* Calculate how many direct blocks the file has */
>                     fs_file_block_number += size / 4096;
>                     s -= fs_file->fs_info->block_size;
>
>                     printf("blockstring[%d] = %lu\n", i, blockstring[i]);
>                     printf(" iteration [%d], s = %d \n", i, s);
>
>                     // tsk_printf("blockstring :%" PRIuDADDR "\n ", blockstring[fs_file_block_number]);
>                     // tsk_printf("[%d]\n", fs_file_block_number);
>                 }
>             } /* end of for */
>         } /* end of if */
>
>         return TSK_WALK_CONT;
>     } // end of GetBlockAddress
>
> How I call/use the above function in main:
>
>     TSK_FS_FILE *fs_file = NULL;
>
>     fs_file = tsk_fs_file_open_meta(fs, NULL, inum);    // open file based on inode number
>
>     if ((fs_file != NULL) && (fs_file->meta != NULL)) {
>         /* Error checking */
>         if (fs_file->fs_info->ftype == TSK_FS_TYPE_EXT4) {
>             /* Ext4 file system */
>             tsk_fs_file_walk(fs_file,
>                              (TSK_FS_FILE_WALK_FLAG_ENUM)(
>                                  TSK_FS_FILE_WALK_FLAG_AONLY |
>                                  TSK_FS_FILE_WALK_FLAG_SLACK),
>                              GetBlockAddress, NULL);
>         }
>     }
>
>     printf("\n fs_file_block_number = %d \n", fs_file_block_number);
>     for (i = 0; i < fs_file_block_number; i++) {
>         printf("Direct Blocks: %lu\n", blockstring[i]);
>     }
>
> And the output I get is the following:
>
> >>> inside function printfs <<<
> addr = 24172552
> blockstring[1] = 0
> iteration [1], s = 0
> addr = 24172553
> blockstring[1] = 0
> iteration [1], s = 0
>
> >>> main printfs <<<
> fs_file_block_number = 2
>
> Direct Blocks: 24172553
>
> Direct Blocks: 0
>
> Thanks for your time,
> Efstratios
>
> On Tue, Nov 17, 2015 at 8:24 PM, Pasquale Rinaldi <pjr...@gm...> wrote:
>
>> Efstratios,
>>
>> Without seeing the code, it's hard to tell. It sounds like you have the
>> array initialization inside your looping function, which would reset the
>> array and then only store the last value in the loop since you just reset
>> the array.
>>
>> It's hard to say without seeing the code though. It's purely a guess based
>> on common mistakes I make when doing this kind of looping.
>>
>> Pasquale
>>
>> On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <esk...@gm...> wrote:
>>
>>> Pasquale,
>>>
>>> Thanks a lot for the information you provided me :-) I finally managed
>>> to get the direct block pointers of a file!!
>>>
>>> That if (flags & TSK_FS_BLOCK_FLAG_CONT) did the work, in the
>>> GetBlockAddress function! :-)
>>>
>>> My question is: is there a reason you can only "save" the last one from
>>> NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something
>>> wrong? I am using C, not C++, for my introspection tool.
>>>
>>> I tried using an array but still only NumberZ is saved; the others are
>>> lost. I placed some printfs and for some reason every time the array
>>> is initialized after it returns the NumberX, NumberY.
>>>
>>> Thanks a lot for your time and help,
>>> Efstratios
>>>
>>> On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <pjr...@gm...> wrote:
>>>
>>>> Efstratios,
>>>>
>>>> Check out this function in a program I am working on which incorporates
>>>> the sleuthkit C library functions. I calculate the direct block addresses
>>>> and store this value in my db table. The functions to look at are
>>>> "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They
>>>> are on lines 517-588.
>>>>
>>>> https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp
>>>>
>>>> I hope it helps.
>>>> Pasquale
>>>>
>>>> On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <esk...@gm...> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> I am using the Sleuth Kit library in order to write an introspection tool
>>>>> for the *XEN* hypervisor running on Ubuntu 12.04.5 x64, and my question
>>>>> is: if we have the inode number of a file on a disk [guest VM, *ext4*
>>>>> filesystem], for example 6031126, and want to handle the *direct block
>>>>> pointers of a file/directory* later in a program, how can we get
>>>>> them (Direct Blocks: *NumberX*, *NumberY* etc.)? I used the Sleuth Kit
>>>>> function *istat* inside my program like in the istat.cpp program of the
>>>>> library:
>>>>>
>>>>>     if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>>>>>         tsk_error_print(stderr);
>>>>>         fs->close(fs);
>>>>>         img->close(img);
>>>>>         exit(1);
>>>>>     }
>>>>>
>>>>> to get information about this inode and I got this:
>>>>>
>>>>> inode: 6031126
>>>>> Allocated
>>>>> Group: 736
>>>>> Generation Id: 3880935525
>>>>> uid / gid: 1000 / 1000
>>>>> mode: rrw-------
>>>>> Flags: Extents,
>>>>> size: 6613
>>>>> num of links: 1
>>>>>
>>>>> Inode Times:
>>>>> Accessed: 2015-11-12 17:47:55.857360000 (EET)
>>>>> File Modified: 2015-03-27 14:05:13.000000000 (EET)
>>>>> Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
>>>>> File Created: 2015-07-12 00:51:07.489188000 (EEST)
>>>>>
>>>>> Direct Blocks:
>>>>> 24172552 24172553
>>>>>
>>>>> I know the block numbers by calling that function but I don't know
>>>>> where they are stored and how to retrieve them in a variable, in order to
>>>>> use them later in my tool!
>>>>>
>>>>> Any tips/suggestions or documentation would be appreciated!
>>>>> Thanks in advance!
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>>
>>>>> _______________________________________________
>>>>> sleuthkit-users mailing list
>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>> http://www.sleuthkit.org
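The fix Jean-François and Pasquale describe (keep the storage outside the callback and grow it as blocks arrive, passing it through the callback's `ptr` argument), as an added example that is not code from the thread or from libtsk. It assumes stand-in typedefs matching tsk/tsk_fs.h so it compiles without the library, and replays the two block addresses from the istat output above in place of a real tsk_fs_file_walk() call.

```c
/* Added example, not code from the thread or from libtsk: a growable array
 * handed to the walk callback through its `ptr` argument, so addresses survive
 * across calls instead of being re-malloc'ed. The typedefs are stand-ins
 * (assumed to mirror tsk/tsk_fs.h) so it compiles without libtsk; a real
 * tool includes <tsk/libtsk.h> and drops them. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint64_t TSK_DADDR_T;                            /* stand-in */
typedef int64_t TSK_OFF_T;                               /* stand-in */
typedef enum { TSK_WALK_CONT = 0, TSK_WALK_STOP = 1, TSK_WALK_ERROR = 2 } TSK_WALK_RET_ENUM;
typedef enum { TSK_FS_BLOCK_FLAG_CONT = 0x0004 } TSK_FS_BLOCK_FLAG_ENUM;
typedef struct TSK_FS_FILE TSK_FS_FILE;                 /* opaque here */
typedef struct { TSK_DADDR_T *addrs; size_t count, cap; } BlockList;

/* Walk callback: called once per block; `size` is that block's byte count,
 * not a block count, so each call records exactly one address. */
TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off, TSK_DADDR_T addr,
                                  char *buf, size_t size, TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
{
    BlockList *bl = (BlockList *)ptr;
    (void)fs_file; (void)off; (void)buf; (void)size;
    if (!(flags & TSK_FS_BLOCK_FLAG_CONT) || addr == 0)
        return TSK_WALK_CONT;                            /* metadata or sparse chunk: skip */
    if (bl->count == bl->cap) {                          /* grow by doubling, keeping old data */
        size_t ncap = bl->cap ? bl->cap * 2 : 8;
        TSK_DADDR_T *grown = realloc(bl->addrs, ncap * sizeof *grown);
        if (grown == NULL) return TSK_WALK_ERROR;        /* aborts the walk cleanly */
        bl->addrs = grown; bl->cap = ncap;
    }
    bl->addrs[bl->count++] = addr;
    return TSK_WALK_CONT;
}

static BlockList demo;   /* filled by collect_demo(), read back with demo_addr() */
/* Stands in for tsk_fs_file_walk(fs_file, flags, GetBlockAddress, &demo): replays
 * the two blocks from the thread's istat output (constructed input). */
size_t collect_demo(void)
{
    const TSK_DADDR_T sample[] = { 24172552, 24172553 };
    free(demo.addrs); memset(&demo, 0, sizeof demo);
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        GetBlockAddress(NULL, (TSK_OFF_T)(i * 4096), sample[i], NULL, 4096,
                        TSK_FS_BLOCK_FLAG_CONT, &demo);
    return demo.count;                                   /* 2 */
}

TSK_DADDR_T demo_addr(size_t i) { return i < demo.count ? demo.addrs[i] : 0; }
```

In a real tool the caller owns the BlockList, passes its address as the last argument of tsk_fs_file_walk() and frees `addrs` when done.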