
List:       sleuthkit-users
Subject:    Re: [sleuthkit-users] filesystem to sector mapping
From:       Brian Carrier <carrier () sleuthkit ! org>
Date:       2011-10-18 14:01:08
Message-ID: 70DF25EA-A4E7-4F9E-8803-CDF7504E0255 () sleuthkit ! org

The 'ffind' and 'ifind' tools do this for you. You can also create a SQLite database using tsk_loaddb and perform queries on it to find this data.

brian


On Oct 17, 2011, at 8:40 PM, stuart@apl.washington.edu wrote:

> I am looking for a tool which might build some data structure so that I
> can answer the following query.  Given a read/write operation accessing a
> raw disk at offset O, with length L (like what xxd, dd do all the time),
> 
> * does this fall into an allocated partition/file system?
> 
> * given yes above, where exactly?  Directory entry, inode, file content? 
> Some combination?
> 
> Ideally, the mapping would be 2 way.  So, given a file F, which sectors
> does it occupy for its name, metadata (inode) and content.
> 
> I thought perhaps the TSK blk* tools might do this, but cannot fathom out
> what they do.  fiwalk looks promising, since it includes 'img_offset' for
> allocated files at least.  Perhaps I could parse the dfxml to obtain my
> desired map.
> 
> If I had to start from scratch with the tsk library, do the tsk data
> structures provide rich enough data to solve my problem?
> 
> Any help appreciated.
> 
> stu


_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
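
An added example, not part of the original messages and not code from The Sleuth Kit: the offset-to-structure direction of the question, as the arithmetic that precedes an 'ifind -d' lookup. The mmls output is a constructed sample, and the image name disk.img and the block size (as 'fsstat' would report it) are assumptions.

```python
import re

# Constructed sample of `mmls` output (not taken from a real image).
MMLS_SAMPLE = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  -------   0000206848   0000409599   0000202752   Unallocated
"""

def parse_mmls(text):
    """Return (sector_size, [(slot, start, end, description), ...]), in sectors."""
    sector_size = int(re.search(r"Units are in (\d+)-byte sectors", text).group(1))
    rows = []
    for m in re.finditer(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+(.+)$", text, re.M):
        slot, start, end, desc = m.groups()
        rows.append((slot, int(start), int(end), desc.strip()))
    return sector_size, rows

def map_range(mmls_text, offset, length, block_size, image="disk.img"):
    """Map raw bytes [offset, offset+length) to partitions, blocks, ifind commands."""
    sector_size, rows = parse_mmls(mmls_text)
    first, last = offset // sector_size, (offset + length - 1) // sector_size
    hits = []
    for slot, start, end, desc in rows:
        if slot == "Meta" or end < first or start > last:
            continue  # skip partition-table rows and rows the range does not touch
        if slot.startswith("-"):
            hits.append({"where": "unallocated",
                         "sectors": (max(first, start), min(last, end))})
            continue
        # Clamp the byte range to this partition, then convert to file-system blocks.
        base = start * sector_size
        lo = max(offset, base) - base
        hi = min(offset + length, (end + 1) * sector_size) - 1 - base
        blocks = list(range(lo // block_size, hi // block_size + 1))
        # `ifind -d` reports the metadata address that allocated each data unit.
        cmds = [f"ifind -o {start} -d {b} {image}" for b in blocks]
        hits.append({"where": desc, "start_sector": start,
                     "blocks": blocks, "commands": cmds})
    return hits
```

Each metadata address that ifind reports can then be passed to 'ffind -o <start_sector> disk.img <address>' to get the file name. A range that crosses a partition boundary comes back as one entry per region it touches.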
