Re: [sleuthkit-developers] tsk_file_layout in V3 schema documentation error
From: Edward D. <eld...@tr...> - 2016-09-09 20:40:22
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 9/9/2016 1:54 PM, Brian Carrier
wrote:<br>
</div>
<blockquote
cite="mid:7B1...@sl..."
type="cite">
<pre wrap="">The docs are correct and that is the way that Autopsy also populates that table when it adds entries for carved files. If you are seeing something different from the C++ code when it adds the layout for files when it creates the DB, then it could be a bug in the C++ code. Thanks for finding the issue. Can you supply a pull request?</pre>
</blockquote>
I did not look at the tsk_loaddb internal code to see what it is
doing. I only know that when I treat the 'byte_start' field of
'tsk_file_layout' table as an offset from the start of the partition
and not from the start of the image I am able to successfully access
the data content of a file. Whereas treating the 'byte_start' field
of 'tsk_file_layout' table as an offset from the start of the image
gives me garbage when accessing the content of a file. My results
correspond to the earlier message I cited, which was also
corroborated at the time by someone else.<br>
<br>
I do not work with Autopsy but did use tsk_loaddb to populate the
table. <br>
<br>
The tsk_loaddb.exe did work in version 4.2.0 to create a database
from an ewf image but trying tsk_loaddb.exe in version 4.3.0 to
create a database from the exact same ewf image crashes with an
exception. I can therefore assert that tsk_loaddb.exe in 4.2.0 works
as I explain above, but have no idea what tsk_loaddb.exe 4.3.0 is
doing because of the crash. <br>
<br>
Eddie Diener<br>
<blockquote
cite="mid:7B1...@sl..."
type="cite">
<blockquote type="cite">
<pre wrap="">On Sep 7, 2016, at 9:33 PM, Edward Diener <a class="moz-txt-link-rfc2396E" href="mailto:eld...@tr..."><eld...@tr...></a> wrote:
In the documentation, at
<a class="moz-txt-link-freetext" href="http://wiki.sleuthkit.org/index.php?title=SQLite_Database_v3_Schema">http://wiki.sleuthkit.org/index.php?title=SQLite_Database_v3_Schema</a>, for
the V3 schema of the sqlite database it says in the description of the
tsk_file_layout table:
"byte_start - Byte offset of fragment relative to the start of the image
file"
This is not the case. The 'byte_start' offset is relative to the start
of the file system in which the file resides, not to the image itself.
To get the actual byte_start relative to the start of the image file you
need to add this value to the tsk_fs_info img_offset value for the
appropriate tsk_fs_info row.
In a message dated 11/26/2014 at
<a class="moz-txt-link-freetext" href="https://sourceforge.net/p/sleuthkit/mailman/message/33084547/">https://sourceforge.net/p/sleuthkit/mailman/message/33084547/</a> the same
correction to the documentation was offered. Since this is some 22
months ago can the documentation be corrected accordingly now?
Eddie Diener</pre>
</blockquote>
</blockquote>
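<p>A worked illustration of the offset arithmetic the thread describes, added here and not part of the original message or of The Sleuth Kit's own code. It builds an assumed, trimmed subset of the v3 schema tables (tsk_fs_info, tsk_files, tsk_file_layout) in an in-memory SQLite database, treats byte_start as relative to the file system, and adds tsk_fs_info.img_offset before reading fragments from a constructed sample image; reading without the offset returns filler bytes, which is the "garbage" behaviour reported above.</p>

```python
import sqlite3

# Constructed sample image (not a real E01/raw image): 4 KiB of filler standing in
# for a partition table, then a "file system" that starts at offset 4096.
FS_OFFSET = 4096
_img = bytearray(b"\xAA" * 8192)
_img[FS_OFFSET + 512:FS_OFFSET + 516] = b"HELL"   # fragment 0 at fs-relative 512
_img[FS_OFFSET + 1024:FS_OFFSET + 1027] = b"O!\n"  # fragment 1 at fs-relative 1024
IMAGE = bytes(_img)


def build_db():
    """Populate an in-memory DB with an assumed, trimmed subset of the v3 schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tsk_fs_info (obj_id INTEGER PRIMARY KEY, img_offset INTEGER NOT NULL);
        CREATE TABLE tsk_files (obj_id INTEGER PRIMARY KEY, fs_obj_id INTEGER, name TEXT);
        CREATE TABLE tsk_file_layout (obj_id INTEGER NOT NULL, byte_start INTEGER NOT NULL,
                                      byte_len INTEGER NOT NULL, sequence INTEGER NOT NULL);
    """)
    conn.execute("INSERT INTO tsk_fs_info VALUES (2, ?)", (FS_OFFSET,))
    conn.execute("INSERT INTO tsk_files VALUES (10, 2, 'carved.txt')")
    # byte_start is stored relative to the start of the file system, as observed in the thread.
    conn.executemany("INSERT INTO tsk_file_layout VALUES (10, ?, ?, ?)",
                     [(512, 4, 0), (1024, 3, 1)])
    return conn


def layout_fragments(conn, file_obj_id, fs_relative=True):
    """Return [(image_offset, length)] for a file's layout rows in sequence order.

    With fs_relative=True the file system's img_offset is added to each byte_start,
    which is the interpretation that yields correct file content."""
    rows = conn.execute("""
        SELECT l.byte_start, l.byte_len, i.img_offset
        FROM tsk_file_layout AS l
        JOIN tsk_files   AS f ON f.obj_id = l.obj_id
        JOIN tsk_fs_info AS i ON i.obj_id = f.fs_obj_id
        WHERE l.obj_id = ?
        ORDER BY l.sequence""", (file_obj_id,)).fetchall()
    return [(start + (img_off if fs_relative else 0), length) for start, length, img_off in rows]


def read_file(image, fragments):
    """Concatenate the fragments read from the raw image bytes."""
    return b"".join(image[off:off + length] for off, length in fragments)


def demo():
    """Return (content with img_offset applied, content read as image-relative)."""
    conn = build_db()
    return (read_file(IMAGE, layout_fragments(conn, 10, True)),
            read_file(IMAGE, layout_fragments(conn, 10, False)))
```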
</body>
</html>