Re: [sleuthkit-users] Get direct blocks pointers for files/dirs
From: Efstratios S. <esk...@gm...> - 2015-11-17 20:27:16
I forgot to erase one line as I was copying the code: "s -=
fs_file->fs_info->block_size;". Don't mind it when you see it inside the for
loop.
On Tue, Nov 17, 2015 at 9:57 PM, Efstratios Skleparis <esk...@gm...>
wrote:
> Pasquale,
>
> You are right, sorry! Here is what I have done:
>
>
> Global variables:
>
> TSK_DADDR_T *blockstring ; // array where i want to store block numbers
>
> int fs_file_block_number; // numbers of direct blocks per files
>
> GetBlockAddress function code:
>
> TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
> TSK_DADDR_T addr, char *buf, size_t size,
> TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
> {
>
> /*Memory Allocation for Block Addresses Array*/
> blockstring = malloc(size * sizeof(TSK_DADDR_T));
>
> int i = 0, s;
>
> if (flags & TSK_FS_BLOCK_FLAG_CONT) {
>
> /* Bitwise and , SK_FS_BLOCK_FLAG_CONT = Block contains file content.*/
>
> printf("addr = %lu\n", addr );
>
> for ( s = (int) size ; s > 0 ; s -= fs_file->fs_info->block_size ) {
> /* Parse all the blocks, every 4096 bytes */
>
> if (addr) {
>
> blockstring[i] = addr;
> i++;
>
> /* Calculate how many direct blocks the file has */
> fs_file_block_number += size / 4096;
> s -= fs_file->fs_info->block_size;
>
> printf("blockstring[%d] = %lu\n", i, blockstring[i] );
> printf(" iteration [%d], s = %d \n", i, s);
>
> // tsk_printf("blockstring :%"
> // PRIuDADDR
> // "\n ", blockstring[fs_file_block_number]);
>
> // tsk_printf("[%d]\n", fs_file_block_number);
>
> }
> } /* end of for*/
>
> } /* end of if*/
>
> return TSK_WALK_CONT;
>
> }// end of GetBlockAddress
>
> How I call (use) the above function in main:
>
>
> TSK_FS_FILE *fs_file = NULL;
>
>
> fs_file = tsk_fs_file_open_meta(fs, NULL, inum); // open file based on
> inode number
>
> if ((fs_file != NULL) && (fs_file->meta != NULL)) {
> /* Error Checking*/
>
> if (fs_file->fs_info->ftype == TSK_FS_TYPE_EXT4) {
>
> /*Ext4 file system*/
>
> tsk_fs_file_walk(fs_file,
> (TSK_FS_FILE_WALK_FLAG_ENUM)(
> TSK_FS_FILE_WALK_FLAG_AONLY |
> TSK_FS_FILE_WALK_FLAG_SLACK),
> GetBlockAddress, NULL);
>
>
> }
>
> }
>
> printf("\n fs_file_block_number = %d \n", fs_file_block_number);
> for (i = 0; i < fs_file_block_number; i++) {
> printf("Direct Blocks: %lu\n", blockstring[i] );
> }
>
>
> And the output I get is the following:
> >>> inside function printfs <<<
> addr = 24172552
> blockstring[1] = 0
> iteration [1], s = 0
> addr = 24172553
> blockstring[1] = 0
> iteration [1], s = 0
>
> >>> main printfs <<<
> fs_file_block_number = 2
>
> Direct Blocks: 24172553
>
> Direct Blocks: 0
>
> Thanks for your time,
> Efstratios
>
> On Tue, Nov 17, 2015 at 8:24 PM, Pasquale Rinaldi <pjr...@gm...>
> wrote:
>
>> Efstratios,
>>
>> Without seeing the code, it's hard to tell. It sounds like you have the
>> array initialization inside your looping function, which would reset the
>> array and then only store the last value in the loop since you just reset
>> the array.
>>
>> It's hard to say without seeing the code though. It's purely a guess based
>> on common mistakes I make when doing this kind of looping.
>>
>> Pasquale
>>
>> On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <
>> esk...@gm...> wrote:
>>
>>> Pasquale,
>>>
>>> Thanks a lot for the information you provided me :-) I finally managed
>>> to get the direct block pointers of a file !!
>>>
>>> That if(flags & TSK_FS_BLOCK_FLAG_CONT) did the work, on
>>> GetBlockAddress function! :-)
>>>
>>> My question is: is there a reason you can only "save" the last one from
>>> NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something
>>> wrong? I am using C, not C++, for my introspection tool.
>>>
>>> I tried using an array but still only NumberZ is saved; the others are
>>> lost. I placed some printfs and for some reason every time the array
>>> is initialized after it returns NumberX, NumberY.
>>>
>>> Thanks a lot for your time and help,
>>> Efstratios
>>>
>>> On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <pjr...@gm...>
>>> wrote:
>>>
>>>> Efstratios,
>>>>
>>>> Check out this function on a program I am working on which incorporates
>>>> the sleuthkit c library functions. I calculate the direct block addresses
>>>> and store this value in my db table. The functions to look at are
>>>> "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They
>>>> are on lines: 517-588.
>>>>
>>>>
>>>> https://github.com/pjrinaldi/wombatforensics/blob/master/wombatfunctions.cpp
>>>>
>>>> I hope it helps.
>>>> Pasquale
>>>>
>>>> On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <
>>>> esk...@gm...> wrote:
>>>>
>>>>> Dear all,
>>>>>
>>>>> I am using the Sleuth Kit library in order to write an introspection tool
>>>>> for the *XEN* hypervisor running on Ubuntu 12.04.5 x64, and my question
>>>>> is: if we have the inode number of a file on a disk [guest VM - *ext4*
>>>>> filesystem], for example 6031126, and want to handle the *direct block
>>>>> pointers of a file/directory* later in a program, how can we get
>>>>> them (Direct Blocks: *NumberX*, *NumberY* etc.)? I used the Sleuth Kit
>>>>> function *istat* inside my program like in the istat.cpp program of the
>>>>> library:
>>>>>
>>>>> if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
>>>>> tsk_error_print(stderr);
>>>>> fs->close(fs);
>>>>> img->close(img);
>>>>> exit(1);
>>>>> }
>>>>>
>>>>> to get information about this inode and I got this:
>>>>>
>>>>> inode: 6031126
>>>>> Allocated
>>>>> Group: 736
>>>>> Generation Id: 3880935525
>>>>> uid / gid: 1000 / 1000
>>>>> mode: rrw-------
>>>>> Flags: Extents,
>>>>> size: 6613
>>>>> num of links: 1
>>>>>
>>>>> Inode Times:
>>>>> Accessed: 2015-11-12 17:47:55.857360000 (EET)
>>>>> File Modified: 2015-03-27 14:05:13.000000000 (EET)
>>>>> Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
>>>>> File Created: 2015-07-12 00:51:07.489188000 (EEST)
>>>>>
>>>>> Direct Blocks:
>>>>> 24172552 24172553
>>>>>
>>>>> I know the block numbers by calling that function, but I don't know
>>>>> where they are stored and how to retrieve them into a variable, in order to
>>>>> use them later in my tool!
>>>>>
>>>>> Any tips/suggestions or documentation would be appreciated!
>>>>> Thanks in advance!
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> sleuthkit-users mailing list
>>>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>>>> http://www.sleuthkit.org
>>>>>
>>>>>
>>>>
>>>
>>
>
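A corrected version of the callback pattern discussed in this thread, as an added example (not code from the thread or from wombatforensics): the per-file array is allocated once and handed to tsk_fs_file_walk() through its `ptr` argument instead of being re-malloc'd in every callback, which is what discarded the addresses stored by earlier calls. The TSK type names and the flag value are constructed stand-ins so the file builds without libtsk; the two block addresses and the 6613-byte file size are the ones istat reported above.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Stand-ins so this builds without libtsk; with the real library drop them and #include <tsk/libtsk.h>. */
typedef struct TSK_FS_FILE TSK_FS_FILE;  typedef int TSK_FS_BLOCK_FLAG_ENUM;
typedef int64_t TSK_OFF_T;               typedef uint64_t TSK_DADDR_T;
#define PRIuDADDR PRIu64
enum { TSK_FS_BLOCK_FLAG_CONT = 0x04 };  /* "block contains file content" */
typedef enum { TSK_WALK_CONT, TSK_WALK_STOP, TSK_WALK_ERROR } TSK_WALK_RET_ENUM;

typedef struct {            /* per-file accumulator, passed to the walk as `ptr` */
    TSK_DADDR_T *addrs;     /* block numbers in file order */
    size_t count, capacity;
} BlockList;

/* Allocate ONCE per file, not inside the callback: ceil(size / block_size) entries. */
int blocklist_init(BlockList *bl, uint64_t file_size, unsigned block_size) {
    bl->capacity = (size_t)((file_size + block_size - 1) / block_size);
    if (bl->capacity == 0) bl->capacity = 1;
    bl->count = 0;
    bl->addrs = calloc(bl->capacity, sizeof *bl->addrs);
    return bl->addrs ? 0 : -1;
}

/* Same signature as a TSK file-walk callback. The walk invokes it once per block,
 * so there is no inner loop over `size`; store, then increment (printing
 * blockstring[i] after i++ is what produced the "blockstring[1] = 0" lines). */
TSK_WALK_RET_ENUM record_block(TSK_FS_FILE *fs_file, TSK_OFF_T off,
                               TSK_DADDR_T addr, char *buf, size_t size,
                               TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {
    BlockList *bl = ptr;
    (void)fs_file; (void)off; (void)buf; (void)size;
    if (!(flags & TSK_FS_BLOCK_FLAG_CONT) || addr == 0)
        return TSK_WALK_CONT;       /* metadata-only or sparse: nothing to record */
    if (bl->count == bl->capacity)
        return TSK_WALK_ERROR;      /* more content blocks than the size implied */
    bl->addrs[bl->count++] = addr;
    return TSK_WALK_CONT;
}

int main(void) {   /* constructed walk: the two addresses istat reported in the thread */
    BlockList bl;
    if (blocklist_init(&bl, 6613, 4096) != 0) return 1;  /* 6613-byte file, 4096-byte blocks */
    record_block(NULL, 0, 24172552, NULL, 4096, TSK_FS_BLOCK_FLAG_CONT, &bl);
    record_block(NULL, 4096, 24172553, NULL, 4096, TSK_FS_BLOCK_FLAG_CONT, &bl);
    for (size_t i = 0; i < bl.count; i++) printf("Direct Blocks: %" PRIuDADDR "\n", bl.addrs[i]);
    free(bl.addrs);
    return 0;
}
```

With the real library, `record_block` is passed as the callback and `&bl` as the last argument of `tsk_fs_file_walk()`, and `fs_file->meta->size` and `fs_file->fs_info->block_size` feed `blocklist_init`.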