List: sleuthkit-users
Subject: Re: [sleuthkit-users] filesystem to sector mapping
From: Brian Carrier <carrier () sleuthkit ! org>
Date: 2011-10-18 14:01:08
Message-ID: 70DF25EA-A4E7-4F9E-8803-CDF7504E0255 () sleuthkit ! org
The 'ffind' and 'ifind' tools do this for you. You can also create a SQLite database using tsk_loaddb and perform queries on it to find this data.
brian
On Oct 17, 2011, at 8:40 PM, stuart@apl.washington.edu wrote:
> I am looking for a tool which might build some data structure so that I
> can answer the following query. Given a read/write operation accessing a
> raw disk at offset O, with length L (like what xxd, dd do all the time),
>
> * does this fall into an allocated partition/file system?
>
> * given yes above, where exactly? Directory entry, inode, file content?
> Some combination?
>
> Ideally, the mapping would be 2 way. So, given a file F, which sectors
> does it occupy for its name, metadata (inode) and content.
>
> I thought perhaps the TSK blk* tools might do this, but cannot fathom out
> what they do. fiwalk looks promising, since it includes 'img_offset' for
> allocated files at least. Perhaps I could parse the dfxml to obtain my
> desired map.
>
> If I had to start from scratch with the tsk library, do the tsk data
> structures provide rich enough data to solve my problem?
>
> Any help appreciated.
>
> stu
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
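An added example, not part of the original messages: the arithmetic that turns a raw-disk access at offset O with length L into the `ifind -d` and `ffind` lookups mentioned in the reply. The partition layout, the image name `disk.dd`, the 512-byte sector size and the 4096-byte data unit size are assumptions; on a real image they come from `mmls` and `fsstat`.

```python
from typing import NamedTuple

SECTOR = 512  # assumed sector size; mmls reports the real value


class Part(NamedTuple):
    start: int   # first sector, as in the mmls "Start" column
    length: int  # size in sectors
    desc: str


# Constructed partition layout for illustration (not from a real image).
PARTS = [Part(63, 204800, "NTFS"), Part(206848, 409600, "Linux ext3")]


def locate(offset, length, parts=PARTS, block_size=4096):
    """Map a raw byte range to (partition, first data unit, last data unit).

    Returns None when the range starts outside every partition or runs
    past the end of the partition it starts in. block_size is the file
    system's data unit size (assumed here; fsstat reports it).
    """
    if length <= 0:
        raise ValueError("length must be positive")
    first = offset // SECTOR
    last = (offset + length - 1) // SECTOR
    for p in parts:
        end = p.start + p.length  # first sector after the partition
        if p.start <= first < end:
            if last >= end:
                return None  # access crosses the partition boundary
            rel = offset - p.start * SECTOR  # byte offset inside the file system
            return p, rel // block_size, (rel + length - 1) // block_size
    return None


def commands(offset, length, image="disk.dd", **kw):
    """Build the TSK lookups for every data unit the access touches."""
    hit = locate(offset, length, **kw)
    if hit is None:
        return []
    p, b0, b1 = hit
    # ifind -d maps a data unit to the metadata address (inode) that owns it;
    # -o is the file system's starting sector within the image.
    cmds = [f"ifind -o {p.start} -d {b} {image}" for b in range(b0, b1 + 1)]
    # ffind then maps that metadata address back to a file name.
    cmds.append(f"ffind -o {p.start} {image} <inode printed by ifind>")
    return cmds
```

An empty list from `commands` means the access lies in unpartitioned space or straddles a partition boundary, so there is no single file system to query.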