A few (maybe dumb) questions


Post by jeffthompson » Wed Jun 22, 2016 1:46 pm

Hi all, I'm new to the digital forensics and hard-drive worlds - I'm an artist, working on a project visualizing the data on my hard drive! I'm using Sleuth Kit via Python to unpack my drive and get info about the files on it. I've done a lot of research, but have a few nuts-and-bolts questions I'm hoping you folks can help me with!

1. Can someone explain the difference between a sector (ex: files listed using fsstat or istat) and inodes in the context of Sleuth Kit? Are they the same thing?

2. As I understand it, fsstat gives me information about the entire drive, dividing it into sections (I've pasted some sample output below). In my sample output, I see that the "data area" is inodes 7662-3913661, and the inodes before those are for the FAT tables. This makes sense. But the "metadata information" section lists the range as 2-62496006. I read this article which explains fsstat in detail, but I can't figure out which is the actual full range for the drive!

3. I see that the istat command tells me whether a file is "Allocated" or "Unallocated". Using fls I can see if it is deleted or not (marked with an *). Is that the same thing? If not, can someone tell me the difference?

Thanks all!

Sample fsstat output:

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: BSD  4.4
Volume ID: 0x47a170c
Volume Label (Boot Sector): THOMPSON   
Volume Label (Root Directory):
File System Type Label: FAT32   
Next Free Sector (FS Info): 587598
Free Sector Count (FS Info): 2547008

Sectors before file system: 2

File System Layout (in sectors)
Total Range: 0 - 3913661
* Reserved: 0 - 31
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 32 - 3846
* FAT 1: 3847 - 7661
* Data Area: 7662 - 3913661
** Cluster Area: 7662 - 3913661
*** Root Directory: 7662 - 7669

METADATA INFORMATION
--------------------------------------------
Range: 2 - 62496006
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 488251

FAT CONTENTS (in sectors)
--------------------------------------------
7662-7669 (8) -> EOF
7670-7677 (8) -> EOF
7678-7685 (8) -> EOF
7702-7709 (8) -> EOF
7710-7717 (8) -> EOF
7718-7725 (8) -> EOF
7726-7733 (8) -> EOF
7734-7741 (8) -> 27534
jeffthompson
 
Posts: 1
Joined: Wed Jun 22, 2016 1:31 pm
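
Added example (not part of the original post, and not code from The Sleuth Kit): a short Python check that parses the fsstat figures posted above and re-derives the cluster range and the metadata range from the sector layout. It assumes TSK's FAT addressing gives the root directory address 2, gives every 32-byte directory-entry slot in the data area its own address starting at 3, and appends one virtual file per FAT plus two more (MBR and $OrphanFiles); the function and constant names are hypothetical.

```python
import re

# Excerpt of the fsstat output from the post (values copied from it).
FSSTAT = """\
Total Range: 0 - 3913661
* FAT 0: 32 - 3846
* FAT 1: 3847 - 7661
* Data Area: 7662 - 3913661
Range: 2 - 62496006
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 488251
"""

DENTRY_SIZE = 32       # bytes in one FAT directory entry
FIRST_NORMAL_INUM = 3  # assumption: 2 is the root directory, 3 the first entry slot


def parse(text):
    """Map each label to (lo, hi) for range lines or to an int for size lines."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"[* ]*(.+?):\s*(\d+)(?:\s*-\s*(\d+))?\s*$", line)
        if m:
            label, lo, hi = m.group(1), int(m.group(2)), m.group(3)
            out[label] = (lo, int(hi)) if hi else lo
    return out


def derive(text):
    """Recompute the cluster and metadata address ranges from the sector layout."""
    f = parse(text)
    first, last = f["Data Area"]
    data_sectors = last - first + 1
    sectors_per_cluster = f["Cluster Size"] // f["Sector Size"]
    slots_per_sector = f["Sector Size"] // DENTRY_SIZE
    num_fats = sum(1 for k in f if re.fullmatch(r"FAT \d+", k))
    # Cluster numbering starts at 2 and covers the data area.
    last_cluster = 2 + data_sectors // sectors_per_cluster - 1
    # One metadata address per directory-entry slot in every data sector.
    last_slot = FIRST_NORMAL_INUM + data_sectors * slots_per_sector - 1
    # Assumption: virtual files (MBR, one per FAT, $OrphanFiles) follow the slots.
    last_inum = last_slot + num_fats + 2
    return {"clusters": (2, last_cluster), "metadata": (2, last_inum)}


if __name__ == "__main__":
    print(derive(FSSTAT))
```

Under those assumptions both derived ranges match the posted output: three separate address spaces (sectors, clusters, metadata addresses) laid over the same volume.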
