Get numblock from istat

Get numblock from istat

Postby rel0aded » Thu Oct 29, 2015 11:03 pm

Dear all,

I am new to the Sleuth Kit (TSK) library in general. I am trying to develop an introspection tool using the Xen hypervisor [running Ubuntu 12.04 x64; the guest (domU) runs Ubuntu 12.04 as well].

My question is very specific. Running:
    /* istat for inode inum; numblock and sec_skew are the values the istat
       tool takes from its -B and -z options */
    if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

gives me information about the specific inum I have provided in my program, and shows on the output "Direct Blocks: numberX, numberY, ...". However, if I enter the following code

    /* blkstat for block address numblock */
    if (tsk_fs_blkstat(fs, numblock)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }


in order to get statistics about those specific blocks istat returned, numblock is printed as 0 and not as numberX, numberY, etc. :/ [as initialized]. I mean istat returns the correct blocks, but I can't handle them further in my program. Is there any way to get numblock from istat in order to handle it?

Thanks in advance,
Stratos
Where there is a shell, there is a way.

Re: Get numblock from istat

Postby bradleelee » Mon Nov 02, 2015 4:41 pm

Know that I am not a C++ guru and had to come up with this solution using a lot of trial and error. If someone sees a problem or knows an easier way, then let me know.

I had a similar problem when I was attempting to map the inode/cluster location for returned slack space utilizing blkls.exe. I had to iterate through the program to find where the slack was being written to stdout and then determine what variable was being used to iterate through the MFT. I believe you would have to do the same type of step-through for istat; however, I can tell you that I found that the variable used to iterate through the MFT was "mftnum". Just to give you some reference, I will show you the code I wrote into the program to get it to present the inode/cluster location.

//START CODE
In file named ntfs.c, line 3841

fprintf(stdout, "Inode Location = %" PRIuINUM "\n", mftnum); //This line was added to print the INODE location required; mftnum is a 64-bit TSK_INUM_T, so it needs PRIuINUM rather than %d

retval = a_action(fs_file, ptr); //This prints the slack space to file

fprintf(stdout,"\n"); //This line was added just to add a return before the next slack space data
//END CODE

I know this is not exactly your case, but it should put you in the right direction. I am using Python and will use the pytsk3 bindings. Once you have the inode location, you can run a lot of tools on that number for that specific file.

I really wish this was a built-in function, since it would actually help my research a lot.

I hope this helps you though!

Re: Get numblock from istat

Postby rel0aded » Tue Nov 03, 2015 11:28 pm

Hello,

Thanks for the answer! By the way, I forgot to mention that the file system is ext4, so I am now checking the tsk/fs/ext2fs.c file. I am trying to make it work, but I still can't get the direct block numbers.

I am checking the print_addr_act and tsk_fs_file_walk functions in that file.

Thanks again for your time
Where there is a shell, there is a way.
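For the ext4 case in this post, the addresses that reach print_addr_act come from the inode's 60-byte i_block field. Without the extents flag (ext2/ext3 layout) the field holds 12 direct block pointers followed by the single, double and triple indirect pointers; with EXT4_EXTENTS_FL (0x80000) set, the same bytes hold an extent header followed by up to four extents, each describing a run of consecutive physical blocks, and ext2fs.c expands those runs into the per-block list istat prints. The decoder below is an added example, not code from the post or from TSK; it handles the direct pointers and a depth-0 extent tree (deeper trees keep their leaves in index blocks elsewhere on disk, which would need image reads), and the inode bytes it decodes are constructed for the example rather than read from an image.

```c
/* Added example (not from the post or TSK): decode an ext2/3/4 inode's i_block
 * field into block runs, then into the individual addresses istat would list.
 * The sample inode bytes in build_sample_iblock() are constructed, not real. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT4_EXTENTS_FL   0x00080000u
#define EXT4_EXT_MAGIC    0xF30Au
#define EXT4_INIT_MAX_LEN 32768u   /* ee_len above this marks an uninitialised extent */
#define EXT2_NDIR_BLOCKS  12
#define EXT2_I_BLOCK_LEN  60       /* 15 little-endian 32-bit slots */

/* physical start, logical (file) block it maps, run length, unwritten flag */
struct ext_run { uint64_t pblk; uint32_t lblk; uint32_t len; int uninit; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }

/* Decode i_block into runs. Returns the run count, or -1 for a layout this
 * decoder does not handle (bad extent magic, eh_depth > 0, or too many runs).
 * Indirect pointers in the classic layout are not followed. */
int ext4_iblock_runs(const uint8_t i_block[EXT2_I_BLOCK_LEN], uint32_t i_flags,
                     struct ext_run *out, size_t max_out)
{
    size_t n = 0;
    if (!(i_flags & EXT4_EXTENTS_FL)) {
        for (int i = 0; i < EXT2_NDIR_BLOCKS; i++) {
            uint32_t b = le32(i_block + 4 * i);
            if (b == 0)                 /* hole or unused slot */
                continue;
            if (n == max_out)
                return -1;
            out[n++] = (struct ext_run){ .pblk = b, .lblk = (uint32_t)i, .len = 1, .uninit = 0 };
        }
        return (int)n;
    }
    if (le16(i_block) != EXT4_EXT_MAGIC)   /* eh_magic */
        return -1;
    uint16_t entries = le16(i_block + 2);  /* eh_entries */
    uint16_t depth   = le16(i_block + 6);  /* eh_depth: 0 means leaves are in the inode */
    if (depth != 0 || entries > 4)
        return -1;
    for (uint16_t i = 0; i < entries; i++) {
        const uint8_t *e = i_block + 12 + 12 * i;   /* 12-byte header, 12-byte extents */
        uint32_t lblk  = le32(e);                   /* ee_block */
        uint32_t len   = le16(e + 4);               /* ee_len */
        uint64_t start = ((uint64_t)le16(e + 6) << 32) | le32(e + 8);  /* ee_start_hi:lo */
        int uninit = len > EXT4_INIT_MAX_LEN;
        if (uninit)
            len -= EXT4_INIT_MAX_LEN;
        if (n == max_out)
            return -1;
        out[n++] = (struct ext_run){ .pblk = start, .lblk = lblk, .len = len, .uninit = uninit };
    }
    return (int)n;
}

/* Expand runs into the individual addresses istat prints. Returns how many were written. */
size_t ext_runs_to_blocks(const struct ext_run *runs, int nruns, uint64_t *out, size_t max_out)
{
    size_t n = 0;
    for (int r = 0; r < nruns; r++)
        for (uint32_t k = 0; k < runs[r].len && n < max_out; k++)
            out[n++] = runs[r].pblk + k;
    return n;
}

/* Constructed sample: header plus two leaf extents; the second is
 * uninitialised and its start needs the high 16 bits of the address. */
void build_sample_iblock(uint8_t i_block[EXT2_I_BLOCK_LEN])
{
    memset(i_block, 0, EXT2_I_BLOCK_LEN);
    put16(i_block + 0, EXT4_EXT_MAGIC);
    put16(i_block + 2, 2);                       /* eh_entries */
    put16(i_block + 4, 4);                       /* eh_max: four extents fit in the inode */
    put32(i_block + 12, 0);                      /* extent 1: logical 0, 3 blocks at 0x8000 */
    put16(i_block + 16, 3);
    put32(i_block + 20, 0x8000);
    put32(i_block + 24, 3);                      /* extent 2: logical 3, 1 block, uninit */
    put16(i_block + 28, EXT4_INIT_MAX_LEN + 1);
    put16(i_block + 30, 1);                      /* ee_start_hi = 1 -> physical 0x1_00000010 */
    put32(i_block + 32, 0x10);
}

int main(void)
{
    uint8_t i_block[EXT2_I_BLOCK_LEN];
    struct ext_run runs[4];
    uint64_t blocks[16];
    build_sample_iblock(i_block);
    int nr = ext4_iblock_runs(i_block, EXT4_EXTENTS_FL, runs, 4);
    size_t nb = ext_runs_to_blocks(runs, nr, blocks, 16);
    printf("Direct Blocks:");
    for (size_t i = 0; i < nb; i++)
        printf(" %llu", (unsigned long long)blocks[i]);
    printf("\n");
    return 0;
}
```

Two things the decoder makes visible that the istat listing hides: an ext4 extent can map a run that is allocated but never written (the uninitialised length encoding), and an address can exceed 32 bits, which the classic direct-pointer layout cannot express at all.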

