Re: [sleuthkit-users] Listing files in a live disk
From: Lloyd <llo...@gm...> - 2016-01-22 04:22:20
Yes, I was seeing differences in the files that were showing. When I opened one
directory, it was showing the contents of another directory! That's why I
checked the verbose output. Now the problem is fixed when I comment out the
line "if (cimg->seek_pos != rel_offset )" in raw.c.
On Fri, Jan 22, 2016 at 7:31 AM, Brian Carrier <ca...@sl...>
wrote:
> Are you seeing differences in what files are listed or just differences in
> the verbose output?
>
> About the device, I don’t know anything about the Windows usbstor device.
>
> > On Jan 17, 2016, at 9:14 AM, Lloyd <llo...@gm...> wrote:
> >
> > Further debugging issue I found that the data read from the disk is not
> correct in the case of live disk.
> >
> > I just commented out line 115 in raw.c ( "if (cimg->seek_pos !=
> rel_offset )" ) and on my first observation the code seems to be working.
> So I think there is some issue in storing the seek position of live disks!
> >
> > Thanks a lot,
> > Lloyd
> >
> >
> >
> > On Sat, Jan 16, 2016 at 7:59 PM, Lloyd <llo...@gm...> wrote:
> > Hi,
> >
> > I ran my code in verbose mode and the output files (only differences and
> line numbers are in the file) are attached for your reference. After
> parsing sector 8512 ("fatfs_dent_parse_buf: Parsing sector 8512") there
> seems to have some difference between "raw_dump" and "live_disk". I would
> greatly appreciate any input or hints.
> >
> > Thanks a lot,
> > Lloyd
> >
> > On Fri, Jan 15, 2016 at 10:01 AM, Lloyd <llo...@gm...> wrote:
> > Thanks Brian,
> >
> > Yes the drive is mounted. It is mounted at "F:", so I tried
> >
> > TSK_IMG_INFO *tsk_img = tsk_img_open_sing(_T("\\\\.\\F:"),
> TSK_IMG_TYPE_RAW, 512);
> >
> > and it gives the correct result. Why could this ("\\?\usbstor#...") be
> failing?
> >
> > Autopsy also correctly loads this as "local disk". Isn't Autopsy also
> using the "\\?\usbstor" name to open the device? I tried to check the code of
> Autopsy but, as I am not familiar with Java, I couldn't locate the calls to
> "tsk_img_open".
> >
> > Any help, hint, tips would be greatly appreciated.
> >
> > Thanks,
> > Lloyd
> >
> >
> >
> > On Thu, Jan 14, 2016 at 10:11 PM, Brian Carrier <ca...@sl...>
> wrote:
> > Is the drive mounted? What happens if you use something like \\.\G:?
> >
> > > On Jan 14, 2016, at 5:54 AM, Lloyd <llo...@gm...> wrote:
> > >
> > > Hi,
> > >
> > > I am using libtsk (sleuthkit 4.2) to open and find files in a "live
> usb disk (4gb)". For that I have used tsk_img_open_sing with
> TSK_IMG_TYPE_RAW. The device name starts with "\\?\usbstor#..."
> > >
> > > The files listed in this are incomplete and wrong.
> > >
> > > So I took a raw image of the disk and fed it to tsk again the same way,
> and this time it shows the result correctly.
> > >
> > > Am I doing something wrong? When I checked the source of
> "tsk_img_open_sing " it shows that opening "winobj" is supported.
> > >
> > > Any guidance is greatly appreciated.
> > >
> > > Thanks,
> > > Lloyd
> > >
> > > sleuthkit-users mailing list
> > > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > > http://www.sleuthkit.org
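The seek-position cache Lloyd is commenting out is a common pattern in raw image readers: remember where the descriptor's offset currently is and skip the lseek() when the next read is sequential. The following added example is not sleuthkit code and is written for POSIX file descriptors rather than the Windows device paths in the thread. It builds a constructed 16-sector image in which sector i is filled with byte value i, then shows how a reader with such a cache silently returns the wrong sector once the descriptor's offset is moved without the cache being told, next to a pread()-based reader that is immune. The thread does not establish why the cached position disagreed with the real offset on the live device, so the trigger used here (a stray lseek() on the same descriptor) is a constructed stand-in, and raw_img, read_cached, read_positional and run_demo are hypothetical names.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkstemp() and pread() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>

#define SECTOR_SIZE 512
#define NUM_SECTORS 16

/* Constructed sample image: sector i is filled entirely with byte value i,
 * so the first byte of any read tells us which sector actually came back. */
static int make_image(void)
{
    char path[] = "/tmp/rawdemo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                      /* keep it anonymous once open */
    uint8_t buf[SECTOR_SIZE];
    for (int i = 0; i < NUM_SECTORS; i++) {
        memset(buf, (uint8_t)i, sizeof buf);
        if (write(fd, buf, sizeof buf) != (ssize_t)sizeof buf) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* Hypothetical reader state mirroring the seek_pos cache discussed above. */
typedef struct {
    int fd;
    off_t seek_pos;    /* where the reader believes the descriptor offset is */
} raw_img;

/* Cached-seek read: only calls lseek() when the cache says the offset moved. */
static ssize_t read_cached(raw_img *img, off_t off, uint8_t *buf, size_t len)
{
    if (img->seek_pos != off) {
        if (lseek(img->fd, off, SEEK_SET) != off)
            return -1;
        img->seek_pos = off;
    }
    ssize_t n = read(img->fd, buf, len);
    if (n > 0)
        img->seek_pos += n;
    return n;
}

/* Positional read: the kernel is told the offset on every call, so no
 * cached state can drift away from reality. */
static ssize_t read_positional(raw_img *img, off_t off, uint8_t *buf, size_t len)
{
    return pread(img->fd, buf, len, off);
}

/* Run both readers through the same sequence and report the first byte each
 * returned for sector 4 after the descriptor offset was moved behind the
 * cache's back. Returns 0 on success, -1 on an I/O failure. */
static int run_demo(int *cached_byte, int *positional_byte)
{
    int fd = make_image();
    if (fd < 0)
        return -1;
    raw_img img = { fd, 0 };
    uint8_t buf[SECTOR_SIZE];

    /* Ordinary read of sector 3: the cache now says seek_pos == 4 * SECTOR_SIZE. */
    if (read_cached(&img, 3 * SECTOR_SIZE, buf, sizeof buf) != SECTOR_SIZE)
        goto fail;

    /* Constructed trigger: something else moves the shared descriptor offset
     * without updating img.seek_pos. */
    if (lseek(fd, 7 * SECTOR_SIZE, SEEK_SET) < 0)
        goto fail;

    /* Sector 4 requested: cache matches, lseek() skipped, data is sector 7's. */
    if (read_cached(&img, 4 * SECTOR_SIZE, buf, sizeof buf) != SECTOR_SIZE)
        goto fail;
    *cached_byte = buf[0];

    /* Same request through pread(): the correct sector comes back. */
    if (read_positional(&img, 4 * SECTOR_SIZE, buf, sizeof buf) != SECTOR_SIZE)
        goto fail;
    *positional_byte = buf[0];

    close(fd);
    return 0;
fail:
    close(fd);
    return -1;
}

int main(void)
{
    int c, p;
    if (run_demo(&c, &p) != 0) {
        perror("run_demo");
        return 1;
    }
    printf("cached-seek reader returned sector %d when asked for sector 4\n", c);
    printf("positional reader returned sector %d when asked for sector 4\n", p);
    return 0;
}
```

The point for anyone reading a live device with a forensic tool is that a stale seek cache does not fail loudly: the read succeeds and returns plausible sector data from the wrong place, which is exactly how one directory ends up showing another directory's contents. Comparing results against a raw image of the same disk, as Lloyd did, is the practical check that catches it; positional reads avoid the class of problem without any cache invalidation.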