Thread: [sleuthkit-users] python tsk
From: alan b. <ala...@gm...> - 2013-09-20 11:46:25
Hello list

I seem to be stuck at step 3. I have been able to open the filesystem at a particular offset to get access to the partition, but I am looking at how I can get a list of directory paths and/or inodes within that partition. As per the wiki page, opening the directory node assumes that I know the inode or directory path.

    import pytsk3

    ## Step 1: get an IMG_INFO object
    img = pytsk3.Img_Info(url)

    ## Step 2: Open the filesystem
    fs = pytsk3.FS_Info(img)

    ## Step 3: Open the directory node. This will open the node based on path
    ## or inode as specified.
    directory = fs.open_dir(path=path, inode=inode)

    ## Step 4: Iterate over all files in the directory and print their
    ## name. What you get in each iteration is a proxy object for the
    ## TSK_FS_FILE struct - you can further dereference this struct into
    ## TSK_FS_NAME and TSK_FS_META structs.
    for f in directory:
        print(f.info.meta.size, f.info.name.name)

--
Regards

Alan Browne
From: Michael C. <scu...@gm...> - 2013-09-20 12:08:50
Hi Alan,

Not sure what you are asking here. You can open the directory either by path name or by inode number, so:

    directory = fs.open_dir(path="/")

or

    directory = fs.open_dir(inode=2)

If you don't know anything about the filesystem you can just use path = "/" or inode = 2.

Hope this helps,
Michael.

On 20 September 2013 13:46, alan browne <ala...@gm...> wrote:
> [...]
From: Jason W. <jwr...@gm...> - 2013-09-20 12:11:57
A couple of questions for you, because I've been looking at stuff like this myself lately.

1. Are you including the offset as a parameter in FS_Info? I've had to include that in the FS_Info call to be able to grab metadata or other things on that file system object.

2. Second, do you have the inode for what you are looking for? Do you have corresponding fiwalk or fls output? Fiwalk has been pretty effective for building off of in this sense for me of late. The fileobjects have everything you need to interact with the sleuthkit framework in this way. The filenames are the full path and the inodes are included, as well as the volume offset for each of the fileobjects. This may be what you need to get that directory information. I've been able to start there and work the same kind of processes with success.

R/
Jason Wright

On Fri, Sep 20, 2013 at 7:46 AM, alan browne <ala...@gm...> wrote:
> [...]
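Putting Michael's and Jason's points together, here is an added example (not code from the thread or from the pytsk3 project) that opens the filesystem at a byte offset, starts at the root directory, and walks it recursively, yielding every entry's full path and inode. The walk skips "." and ".." and keeps a set of visited directory inodes so a corrupt or looping directory chain cannot recurse forever; the fake-tree test below exercises that logic without pytsk3 installed. The image path and offset are taken from the command line and are assumptions.

```python
# Added example: recursive listing of a partition with pytsk3.
# pytsk3 is imported lazily inside list_partition() so walk_dir() itself
# can be exercised on any object tree shaped like pytsk3's file proxies.
import sys

# Value of pytsk3.TSK_FS_META_TYPE_DIR (tsk_fs.h: UNDEF=0, REG=1, DIR=2).
TSK_FS_META_TYPE_DIR = 2


def walk_dir(directory, parent="/", seen=None):
    """Yield (full_path, inode) for every entry below `directory`, recursively.

    `directory` is a pytsk3.Directory, or any iterable of objects exposing
    .info.name.name, .info.meta.addr, .info.meta.type and .as_directory().
    """
    if seen is None:
        seen = set()
    for f in directory:
        name = f.info.name.name
        if isinstance(name, bytes):          # pytsk3 returns bytes on Python 3
            name = name.decode("utf-8", "replace")
        if name in (".", ".."):              # would otherwise recurse forever
            continue
        path = parent + name
        meta = f.info.meta
        if meta is None:                     # name with no metadata (e.g. deleted entry)
            yield path, None
            continue
        inode = meta.addr
        yield path, inode
        if meta.type == TSK_FS_META_TYPE_DIR and inode not in seen:
            seen.add(inode)                  # guard against directory cycles
            for item in walk_dir(f.as_directory(), path + "/", seen):
                yield item


def list_partition(image_path, offset_bytes):
    """Open the filesystem at `offset_bytes` (bytes, not sectors) and list it."""
    import pytsk3
    img = pytsk3.Img_Info(image_path)
    fs = pytsk3.FS_Info(img, offset=offset_bytes)
    root = fs.open_dir(path="/")             # same as fs.open_dir(inode=2) on ext
    return list(walk_dir(root))


if __name__ == "__main__":
    # usage: python listpart.py <image> <partition offset in bytes>
    for path, inode in list_partition(sys.argv[1], int(sys.argv[2])):
        print(inode, path)
```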