Re: [sleuthkit-developers] Reading file data using the database tsk_file_layout information
From: Edward D. <eld...@tr...> - 2016-09-09 19:48:43
On 9/9/2016 1:55 PM, Brian Carrier wrote:
> The C/C++ code doesn’t have any methods that use the DB info. If you want to open a file mentioned in the DB though, you can use tsk_fs_file_open_meta. If you want to open a given block, you can use tsk_fs_block…. to get it.
>
> The Java side has code that uses that table.

Actually the C/C++ code does have the tsk_img_open... functions for opening an image and the tsk_img_read function for reading data from anyplace in the image. When I realized that the tsk_file_layout table's 'byte_start' field is, in 4.2.0, the start from the partition and not from the image itself I was able to use the tsk_file_layout table to directly read a file without having to use the tsk_fs_... functionality.

I was completely wrong about the fact that the "tsk_file_layout information for a file contains blocks of data which has both the file data and non-file data filling out the blocks". Instead the information is purely the file's data.

Eddie Diener

>> On Sep 6, 2016, at 7:28 PM, Edward Diener <eld...@tr...> wrote:
>>
>> How do I read the contents of a file from an image using the database's
>> tsk_file_layout information for a file ?
>>
>> Is there a way to use some tsk file functionality to read the file's
>> data using the tsk_file_layout information ?
>>
>> I have found out that the tsk_file_layout information for a file
>> contains blocks of data which has both the file data and non-file data
>> filling out the blocks, so a naive attempt at just reading the
>> information directly from the image using tsk_image_open and
>> tsk_image_read does not work.
>>
>> Any help with this would be appreciated.
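The approach described in the message above (add the partition offset to each byte_start, then read the runs in order), as an added example that is not part of the original thread or of The Sleuth Kit. It assumes the tsk_file_layout columns obj_id, byte_start, byte_len and sequence, takes the partition offset from the caller, and uses a Python file object on a constructed in-memory image in place of tsk_img_read.

```python
import io
import sqlite3


def read_file_from_layout(db, img, obj_id, part_offset):
    """Rebuild a file from its tsk_file_layout runs.

    byte_start is treated as relative to the partition, as the message
    reports for 4.2.0, so part_offset (bytes from the start of the image,
    supplied by the caller) is added before each read.
    """
    runs = db.execute(
        "SELECT byte_start, byte_len FROM tsk_file_layout "
        "WHERE obj_id = ? ORDER BY sequence",
        (obj_id,),
    ).fetchall()
    out = bytearray()
    for byte_start, byte_len in runs:
        img.seek(part_offset + byte_start)
        chunk = img.read(byte_len)
        if len(chunk) != byte_len:
            # A short read means the run points past the end of the image.
            raise IOError("run at %d+%d is truncated" % (byte_start, byte_len))
        out += chunk
    return bytes(out)


def build_demo():
    """Constructed sample: a 4 KiB image with a partition at offset 1024
    holding one file stored as two runs, inserted out of order."""
    part_offset = 1024
    image = bytearray(4096)
    image[part_offset + 512:part_offset + 517] = b"hello"
    image[part_offset + 2048:part_offset + 2054] = b" world"
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tsk_file_layout (obj_id INTEGER, byte_start INTEGER, "
        "byte_len INTEGER, sequence INTEGER)"
    )
    db.executemany(
        "INSERT INTO tsk_file_layout VALUES (?, ?, ?, ?)",
        [(7, 2048, 6, 1), (7, 512, 5, 0), (8, 4000, 500, 0)],
    )
    return db, io.BytesIO(bytes(image)), part_offset


if __name__ == "__main__":
    db, img, off = build_demo()
    print(read_file_from_layout(db, img, 7, off))
```

Reading the same runs without the partition offset returns bytes from the wrong place in the image, which is the failure described in the original question.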