Re: [sleuthkit-users] Listing files in a live disk
From: Lloyd <llo...@gm...> - 2016-01-15 04:31:09
Thanks Brian,

Yes the drive is mounted. It is mounted at "F:", so I tried

    TSK_IMG_INFO *tsk_img = tsk_img_open_sing(_T("\\\\.\\F:"), TSK_IMG_TYPE_RAW, 512);

and it gives the correct result.

Why could this ("\\?\usbstor#...") be failing? Autopsy also correctly loads this as "local disk". Isn't autopsy also using "\\?\usbstor" name to open the device? I tried to check the code of autopsy, as I am not familiar with java, couldn't locate the calls to " tsk_img_open".

Any help, hint, tips would be greatly appreciated.

Thanks,
Lloyd

On Thu, Jan 14, 2016 at 10:11 PM, Brian Carrier <ca...@sl...> wrote:

> Is the drive mounted? What happens if you use something like \\.\G:?
>
> On Jan 14, 2016, at 5:54 AM, Lloyd <llo...@gm...> wrote:
> >
> > Hi,
> >
> > I am using libtsk (sleuthkit 4.2) to open and find files in a "live usb disk (4gb)". For that I have used tsk_img_open_sing with TSK_IMG_TYPE_RAW. The device name starts with "\\?\usbstor#..."
> >
> > The files listed in this are incomplete and wrong.
> >
> > So I took a raw image of the disk and again fed to tsk the same way, this time it shows the result correctly.
> >
> > Am I doing something wrong? When I checked the source of "tsk_img_open_sing " it shows that opening "winobj" is supported.
> >
> > Any guidance is greatly appreciated.
> >
> > Thanks,
> > Lloyd