Re: [sleuthkit-users] Listing files in a live disk
From: Lloyd <llo...@gm...> - 2016-01-16 14:29:45
Hi,
I ran my code in verbose mode and the output files (only differences and
line numbers are in the file) are attached for your reference. After
parsing sector 8512 ("fatfs_dent_parse_buf: Parsing sector 8512") there
seems to be some difference between "raw_dump" and "live_disk". I would
greatly appreciate any input or hints.
Thanks a lot,
Lloyd
On Fri, Jan 15, 2016 at 10:01 AM, Lloyd <llo...@gm...> wrote:
> Thanks Brian,
>
> Yes the drive is mounted. It is mounted at "F:", so I tried
>
> TSK_IMG_INFO *tsk_img = tsk_img_open_sing(_T("\\\\.\\F:"),
> TSK_IMG_TYPE_RAW, 512);
>
> and it gives the correct result. Why could this ("\\?\usbstor#...") be
> failing?
>
> Autopsy also correctly loads this as "local disk". Isn't Autopsy also
> using the "\\?\usbstor" name to open the device? I tried to check the code of
> Autopsy, but as I am not familiar with Java, I couldn't locate the calls to
> "tsk_img_open".
>
> Any help, hint, tips would be greatly appreciated.
>
> Thanks,
> Lloyd
>
>
>
> On Thu, Jan 14, 2016 at 10:11 PM, Brian Carrier <ca...@sl...>
> wrote:
>
>> Is the drive mounted? What happens if you use something like \\.\G:?
>>
>> > On Jan 14, 2016, at 5:54 AM, Lloyd <llo...@gm...> wrote:
>> >
>> > Hi,
>> >
>> > I am using libtsk (sleuthkit 4.2) to open and find files in a "live usb
>> disk (4gb)". For that I have used tsk_img_open_sing with TSK_IMG_TYPE_RAW.
>> The device name starts with "\\?\usbstor#..."
>> >
>> > The files listed in this are incomplete and wrong.
>> >
>> > So I took a raw image of the disk and again fed it to tsk the same way;
>> > this time it shows the result correctly.
>> >
>> > Am I doing something wrong? When I checked the source of
>> > "tsk_img_open_sing" it shows that opening "winobj" is supported.
>> >
>> > Any guidance is greatly appreciated.
>> >
>> > Thanks,
>> > Lloyd