sleuthkit-users

[sleuthkit-users] istat Output - Direct Blocks Question

[Efstratios S. <esk...@gm...>]

Dear all,

I have a question about the tool istat from sleuth kit library API.
Using the tool we get some Direct block "addresses" like on the
following example :

inode: 2670461
Allocated
Group: 326
Generation Id: 2797282208
uid / gid: 1000 / 1000
mode: rrw-------
size: 6613
num of links: 1

Inode Times:
Accessed:	2015-12-03 11:03:34 (EET)
File Modified:	2015-03-27 14:05:13 (EET)
Inode Modified:	2015-11-30 18:16:04 (EET)

Direct Blocks:
21120876 21120877

 Those Direct Blocks (numbers) are the Physical Addresses of Blocks on
the virtual storage ? Virtual addresses of the blocks ? what exactly?

 If I use blkcat and one of those number I get correct output of the
file I am viewing.

 My intention is to write a file on a domU of Xen from a dom0
perspective. I tried to use write() function but got a bad file
descriptor error ..

Thanks,
Efstratios

Re: [sleuthkit-users] istat Output - Direct Blocks Question

[Efstratios S. <esk...@gm...>]

I did a bit research on how to find direct blocks on local storage so I
used the exact commands on the Xen guest vm (running Ubuntu 12.04) :

sudo debugfs /dev/storage_containing_filesystem
stat /path_to_file

And as output I got the same direct block numbers - " addresses " as istat
provides !! Here is a screenshot : http://prntscr.com/9a6m1k

So I guess they are the correct block addresses? :/ correct me if I am
wrong. .

Thanks for your time,
Efstratios


On Fri, Dec 4, 2015 at 2:02 AM, Kazi Fazal <ka...@gm...> wrote:

> I believe those are virtual offsets, not actual addresses. I'm pretty sure
> about that but I could be wrong as I've done this a while back. Please look
> it up. I once had similar problems with sleuthkit in the past.
> On Dec 3, 2015 4:38 PM, "Efstratios Skleparis" <esk...@gm...>
> wrote:
>
>> Dear all,
>>
>> I have a question about the tool istat from sleuth kit library API.
>> Using the tool we get some Direct block "addresses" like on the
>> following example :
>>
>> inode: 2670461
>> Allocated
>> Group: 326
>> Generation Id: 2797282208
>> uid / gid: 1000 / 1000
>> mode: rrw-------
>> size: 6613
>> num of links: 1
>>
>> Inode Times:
>> Accessed:       2015-12-03 11:03:34 (EET)
>> File Modified:  2015-03-27 14:05:13 (EET)
>> Inode Modified: 2015-11-30 18:16:04 (EET)
>>
>> Direct Blocks:
>> 21120876 21120877
>>
>>  Those Direct Blocks (numbers) are the Physical Addresses of Blocks on
>> the virtual storage ? Virtual addresses of the blocks ? what exactly?
>>
>>  If I use blkcat and one of those number I get correct output of the
>> file I am viewing.
>>
>>  My intention is to write a file on a domU of Xen from a dom0
>> perspective. I tried to use write() function but got a bad file
>> descriptor error ..
>>
>> Thanks,
>> Efstratios
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> Give your users amazing mobile app experiences with Intel(R) XDK.
>> Use one codebase in this all-in-one HTML5 development environment.
>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple
>> OSs.
>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
>>
>