Re: [sleuthkit-developers] tsk_file_layout in V3 schema documentation error
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-developers] tsk_file_layout in V3 schema documentation error
|
From: Brian C. <ca...@sl...> - 2016-09-09 17:54:20
|
The docs are correct and that is the way that Autopsy also populates that table when it adds entries for carved files. If you are seeing something different from the C++ code when it adds the layout for files when it creates the DB, then it could be a bug in the C++ code. Thanks for finding the issue. Can you supply a pull request? > On Sep 7, 2016, at 9:33 PM, Edward Diener <eld...@tr...> wrote: > > In the documentation, at > http://wiki.sleuthkit.org/index.php?title=SQLite_Database_v3_Schema, for > the V3 schema of the sqlite database it says in the description of the > tsk_file_layout table: > > "byte_start - Byte offset of fragment relative to the start of the image > file" > > This is not the case. The 'byte_start' offset is relative to the start > of the file system in which the file resides, not to the image itself. > To get the actual byte_start relative to the start of the image file you > need to add this value to the tsk_fs_info img_offset value for the > appropriate tsk_fs_info row. > > In a message dated 11/26/2014 at > https://sourceforge.net/p/sleuthkit/mailman/message/33084547/ the same > correction to the documentation was offered. Since this is some 22 > months ago can the documentation be corrected accordingly now ? > > Eddie Diener > > ------------------------------------------------------------------------------ > _______________________________________________ > sleuthkit-developers mailing list > sle...@li... > https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers |
