Re: [sleuthkit-users] Listing files in a live disk
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Listing files in a live disk
|
From: Brian C. <ca...@sl...> - 2016-01-22 02:01:33
|
Are you seeing differences in what files are listed or just differences in the verbose output?
About the device, I don’t know anything about the Windows usbstor device.
> On Jan 17, 2016, at 9:14 AM, Lloyd <llo...@gm...> wrote:
>
> Further debugging issue I found that the data read from the disk is not correct in the case of live disk.
>
> I just commented the line 115 in raw.c ( "if (cimg->seek_pos != rel_offset )" ) and in my first observation the code seems to be working. So i think there is some issue in storing the seek position of live disks!
>
> Thanks a lot,
> Lloyd
>
>
>
> On Sat, Jan 16, 2016 at 7:59 PM, Lloyd <llo...@gm...> wrote:
> HI,
>
> I ran my code in verbose mode and the output files (only differences and line numbers are in the file) are attached for your reference. After parsing sector 8512 ("fatfs_dent_parse_buf: Parsing sector 8512") there seems to have some difference between "raw_dump" and "live_disk". I would greatly appreciate any input or hints.
>
> Thanks a lot,
> Lloyd
>
> On Fri, Jan 15, 2016 at 10:01 AM, Lloyd <llo...@gm...> wrote:
> Thanks Brian,
>
> Yes the drive is mounted. It is mounted at "F:", so I tried
>
> TSK_IMG_INFO *tsk_img = tsk_img_open_sing(_T("\\\\.\\F:"), TSK_IMG_TYPE_RAW, 512);
>
> and it gives the correct result. Why could this ("\\?\usbstor#...") be failing?
>
> Autopsy also correctly loads this as "local disk". Isn't autopsy also using "\\?\usbstor" name to open the device? I tried to check the code of autopsy, as I am not familiar with java, couldn't locate the calls to "tsk_img_open".
>
> Any help, hint, tips would be greatly appreciated.
>
> Thanks,
> Lloyd
>
>
>
> On Thu, Jan 14, 2016 at 10:11 PM, Brian Carrier <ca...@sl...> wrote:
> Is the drive mounted? What happens if you use something like \\.\G:?
>
> > On Jan 14, 2016, at 5:54 AM, Lloyd <llo...@gm...> wrote:
> >
> > Hi,
> >
> > I am using libtsk (sleuthkit 4.2) to open and find files in a "live usb disk (4gb)". For that I have used tsk_img_open_sing with TSK_IMG_TYPE_RAW. The device name starts with "\\?\usbstor#..."
> >
> > The files listed in this are incomplete and wrong.
> >
> > So I took a raw image of the disk and again fed to tsk the same way, this time it shows the result correctly.
> >
> > Am I doing something wrong? When I checked the source of "tsk_img_open_sing " it shows that opening "winobj" is supported.
> >
> > Any guidance is greatly appreciated.
> >
> > Thanks,
> > Lloyd
> > ------------------------------------------------------------------------------
> > Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > Monitor end-to-end web transactions and take corrective actions now
> > Troubleshoot faster and improve end-user experience. Signup Now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140_______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
>
>
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
|
