Re: [sleuthkit-users] Listing files in a live disk
From: Lloyd <llo...@gm...> - 2016-01-17 14:14:12
Further debugging the issue, I found that the data read from the disk is not
correct in the case of a live disk.
I just commented out line 115 in raw.c ( "if (cimg->seek_pos != rel_offset
)" ) and on my first observation the code seems to be working. So I think
there is some issue in storing the seek position of live disks!
Thanks a lot,
Lloyd
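The check Lloyd describes above (comparing the bytes served from the live device against a raw dump of the same disk, and noting the first sector where they diverge) written out as a small stand-alone tool. This is an added example, not code from the thread or from The Sleuth Kit; it does not link against libtsk, so it runs on any platform. It assumes two dump files of the same device are passed on the command line (for example one produced through the "\\.\F:" path and one through the "\\?\usbstor#..." path, or the image file against a live read) and a 512-byte sector size unless a third argument overrides it. The tool name `sectordiff` is hypothetical; the `is_sector_aligned` helper encodes the documented Windows rule that raw device handles only accept reads whose offset and length are multiples of the sector size, which is why a raw image layer has to widen unaligned requests.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 when a read request is sector-aligned in both offset and length.
 * Raw device handles on Windows only accept aligned reads, so an image layer
 * that serves unaligned requests must widen them to aligned bounds first. */
int is_sector_aligned(uint64_t offset, size_t len, size_t sector_size)
{
    if (sector_size == 0)
        return 0;
    return (offset % sector_size == 0) && (len % sector_size == 0);
}

/* Index of the first sector in which a and b differ, or -1 if identical.
 * A trailing partial sector is compared as a short sector. */
long first_diff_sector(const uint8_t *a, const uint8_t *b, size_t len, size_t sector_size)
{
    size_t nsect = (len + sector_size - 1) / sector_size;
    for (size_t s = 0; s < nsect; s++) {
        size_t off = s * sector_size;
        size_t n = (len - off < sector_size) ? len - off : sector_size;
        if (memcmp(a + off, b + off, n) != 0)
            return (long)s;
    }
    return -1;
}

/* Number of differing sectors: one tells a glitch from a systematic read error. */
size_t count_diff_sectors(const uint8_t *a, const uint8_t *b, size_t len, size_t sector_size)
{
    size_t nsect = (len + sector_size - 1) / sector_size, bad = 0;
    for (size_t s = 0; s < nsect; s++) {
        size_t off = s * sector_size;
        size_t n = (len - off < sector_size) ? len - off : sector_size;
        if (memcmp(a + off, b + off, n) != 0)
            bad++;
    }
    return bad;
}

/* Constructed sample: two 4-sector buffers that agree except for one byte in sector 2. */
long demo_constructed(void)
{
    enum { SECTOR = 512, NSECT = 4 };
    uint8_t a[SECTOR * NSECT], b[SECTOR * NSECT];
    for (size_t i = 0; i < sizeof a; i++)
        a[i] = b[i] = (uint8_t)(i & 0xff);
    b[2 * SECTOR + 17] ^= 0xff;                        /* corrupt one byte in sector 2 */
    return first_diff_sector(a, b, sizeof a, SECTOR);  /* 2 */
}

/* Read a whole file into memory (caller frees). Returns NULL on error. */
static uint8_t *slurp(const char *path, size_t *len_out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return NULL; }
    long sz = ftell(f);
    if (sz < 0) { fclose(f); return NULL; }
    rewind(f);
    uint8_t *buf = malloc((size_t)sz ? (size_t)sz : 1);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) { free(buf); fclose(f); return NULL; }
    fclose(f);
    *len_out = (size_t)sz;
    return buf;
}

/* Usage: sectordiff <dump_a> <dump_b> [sector_size]   (hypothetical tool name) */
int main(int argc, char **argv)
{
    if (argc < 3) { fprintf(stderr, "usage: %s dump_a dump_b [sector_size]\n", argv[0]); return 2; }
    size_t sector = argc > 3 ? (size_t)strtoul(argv[3], NULL, 10) : 512;
    size_t la = 0, lb = 0;
    uint8_t *a = slurp(argv[1], &la), *b = slurp(argv[2], &lb);
    if (!a || !b || sector == 0) { fprintf(stderr, "read failed\n"); free(a); free(b); return 2; }
    if (la != lb) printf("length differs: %zu vs %zu bytes; comparing common prefix\n", la, lb);
    size_t len = la < lb ? la : lb;
    long first = first_diff_sector(a, b, len, sector);
    if (first < 0)
        printf("identical over %zu sectors\n", (len + sector - 1) / sector);
    else
        printf("first difference in sector %ld (byte offset %ld), %zu differing sectors\n",
               first, first * (long)sector, count_diff_sectors(a, b, len, sector));
    free(a); free(b);
    return first < 0 ? 0 : 1;
}
```

The sector index it prints is directly comparable with the "Parsing sector N" lines in the verbose TSK output, so a divergence at a known sector can be matched against the point where the directory listing starts to go wrong. A single differing sector points at a one-off read glitch; a long run of differing sectors starting at one offset is what a stale cached seek position in the image layer would produce.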
On Sat, Jan 16, 2016 at 7:59 PM, Lloyd <llo...@gm...> wrote:
> Hi,
>
> I ran my code in verbose mode and the output files (only differences and
> line numbers are in the file) are attached for your reference. After
> parsing sector 8512 ("fatfs_dent_parse_buf: Parsing sector 8512") there
> seems to have some difference between "raw_dump" and "live_disk". I would
> greatly appreciate any input or hints.
>
> Thanks a lot,
> Lloyd
>
> On Fri, Jan 15, 2016 at 10:01 AM, Lloyd <llo...@gm...> wrote:
>
>> Thanks Brian,
>>
>> Yes the drive is mounted. It is mounted at "F:", so I tried
>>
>> TSK_IMG_INFO *tsk_img = tsk_img_open_sing(_T("\\\\.\\F:"),
>> TSK_IMG_TYPE_RAW, 512);
>>
>> and it gives the correct result. Why could this ("\\?\usbstor#...") be
>> failing?
>>
>> Autopsy also correctly loads this as "local disk". Isn't Autopsy also
>> using the "\\?\usbstor" name to open the device? I tried to check the code
>> of Autopsy, but as I am not familiar with Java, I couldn't locate the calls
>> to "tsk_img_open".
>>
>> Any help, hint, tips would be greatly appreciated.
>>
>> Thanks,
>> Lloyd
>>
>>
>>
>> On Thu, Jan 14, 2016 at 10:11 PM, Brian Carrier <ca...@sl...>
>> wrote:
>>
>>> Is the drive mounted? What happens if you use something like \\.\G:?
>>>
>>> > On Jan 14, 2016, at 5:54 AM, Lloyd <llo...@gm...> wrote:
>>> >
>>> > Hi,
>>> >
>>> > I am using libtsk (sleuthkit 4.2) to open and find files in a "live
>>> usb disk (4gb)". For that I have used tsk_img_open_sing with
>>> TSK_IMG_TYPE_RAW. The device name starts with "\\?\usbstor#..."
>>> >
>>> > The files listed in this are incomplete and wrong.
>>> >
>>> > So I took a raw image of the disk and again fed to tsk the same way,
>>> this time it shows the result correctly.
>>> >
>>> > Am I doing something wrong? When I checked the source of
>>> "tsk_img_open_sing " it shows that opening "winobj" is supported.
>>> >
>>> > Any guidance is greatly appreciated.
>>> >
>>> > Thanks,
>>> > Lloyd
>>> >
>>> > sleuthkit-users mailing list
>>> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> > http://www.sleuthkit.org
>>>
>>>
>>
>