List: sleuthkit-users
Subject: Re: [sleuthkit-users] Cannot determine file system type
From: MichaelStein <doingit () live ! co ! za>
Date: 2014-05-19 12:06:01
Message-ID: DUB122-W3102533513636E4473E0C8D320 () phx ! gbl
Ah yes! Thank you. When I specified the offset then it worked. Had to get it using the mmls command.
Mike Goldstein
Date: Sun, 18 May 2014 23:39:14 -0700
From: ml-node+s996266n8609h14@n3.nabble.com
To: doingit@live.co.za
Subject: Re: Cannot determine file system type
Did you specify the correct offset to the file system using fsstat's -o option?
http://www.sleuthkit.org/sleuthkit/man/fsstat.html
Ketil
On 19 May 2014 04:39, "MichaelStein" <[hidden email]> wrote:
Thanks for that Jason. I changed to hexadecimal and it worked!
The only thing still bothering me is - why does fsstat not work on the file? Why do I keep getting "Cannot determine file system type"? Any ideas?
Thanks again,
Mike Goldstein
Date: Sun, 18 May 2014 17:44:38 -0700
From: [hidden email]
To: [hidden email]
Subject: Re: Cannot determine file system type
Michael,
It looks like you set your start sector of the volume to 0x2168 * 512. The sector start is in decimal from mmls. 2168 = 0x878
Jason
On Sun, May 18, 2014 at 7:53 PM, MichaelStein <[hidden email]> wrote:
I have been trying to design a program that opens a file system (/dev/sda)
and processes all the files. The image opens fine. But when I use
tsk_fs_open_img, it says "cannot determine file system type". And yet I know
that when I run mmls on the drive, it says that it's a FAT32 file system. I
find also that when I run fsstat on my drive I get the same message. I also
noticed that when I view the image I made of the drive in a Hex editor, it
says "Invalid partition table. Error loading operating system." What can be
done to rectify the problem?
This is my code so far:
#include <tsk/libtsk.h>
#include <cstdio>
#include <cstdlib>

using namespace std;

int main(int argc, char **argv)
{
    TSK_IMG_INFO *img;
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_TCHAR **temp = (TSK_TCHAR **) argv;

    /* argv[1] is read below, so at least two arguments are required */
    if (argc < 2) {
        printf("You must enter a drive name.\n");
        exit(EXIT_FAILURE);
    }

    printf("Opening Image %s ...\n", temp[1]);

    TSK_OFF_T off = 0;

    TSK_FS_INFO *fs;
    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;

    TSK_DADDR_T imgOffset = 0x00000000;

    TSK_VS_INFO *vs;
    TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

    int numOfDrives = 1;

    TSK_TCHAR *driveName;

    if ((img = tsk_img_open(numOfDrives, &temp[1], imgtype, 512)) == NULL) {
        tsk_error_print(stderr);
        exit(EXIT_FAILURE);
    }

    unsigned int sectorSize = img->sector_size;
    /* As posted: 0x2168 is hexadecimal, while mmls lists the start
       sector (2168) in decimal; this is the value the thread discusses. */
    TSK_OFF_T fsStartBlock = 0x00002168 * sectorSize;

    printf("Image opened successfully!\n");
    /* Try it as a file system */

    printf("Now opening file system...\n");
    if ((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
        tsk_error_print(stderr);
        img->close(img);
        exit(EXIT_FAILURE);
    }

    printf("File system opened successfully!\n\n");

    printf("Now opening volume system...\n");
    /* The volume system (partition table) is at the start of the image,
       not at the file system offset. */
    if ((vs = tsk_vs_open(img, imgOffset, vstype)) == NULL) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(EXIT_FAILURE);
    }

    vs->close(vs);
    fs->close(fs);
    img->close(img);
    return 0;
}
This is what I get when I run mmls on the drive:
$ sudo mmls /dev/sdc
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000002167   0000002168   Unallocated
02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)
This is the file viewed in Hex Editor:
<http://filesystems.996266.n3.nabble.com/file/n8606/image558.png>
--
View this message in context: http://filesystems.996266.n3.nabble.com/Cannot-determine-file-system-type-tp8606.html
Sent from the sleuthkit-users mailing list archive at Nabble.com.
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
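
The decimal-versus-hexadecimal mix-up resolved in this thread, as an added example that is not part of the original messages and does not use libtsk: it reads the Start column of the mmls row in base 10, converts it to a byte offset with bounds checks, and probes a constructed in-memory image for a FAT32 boot sector. The helper names and the image are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration; helper names are hypothetical, not TSK API. */
#define SECTOR_SIZE 512u
/* Extract the Start column of an mmls row such as
 * "02:  00:00   0000002168   0031283199   0031281032   Win95 FAT32 (0x0b)".
 * Base 10 is forced: base 0 would read the zero-padded field as octal. */
int mmls_start_sector(const char *row, uint64_t *start)
{
    char slot[16], tag[16], field[32], *end;
    if (sscanf(row, "%15s %15s %31s", slot, tag, field) != 3)
        return -1;
    errno = 0;
    unsigned long long v = strtoull(field, &end, 10);
    if (errno != 0 || end == field || *end != '\0')
        return -1;
    *start = v;
    return 0;
}

/* Sector -> byte offset; rejects overflow and sectors outside the image. */
int sector_to_offset(uint64_t sector, uint64_t img_size, uint64_t *off)
{
    if (sector > UINT64_MAX / SECTOR_SIZE)
        return -1;
    *off = sector * SECTOR_SIZE;
    if (img_size < SECTOR_SIZE || *off > img_size - SECTOR_SIZE)
        return -1;
    return 0;
}

/* FAT32 boot sector: 0x55 0xAA at bytes 510-511, "FAT32   " at byte 82. */
int is_fat32_boot_sector(const uint8_t *img, uint64_t off)
{
    return img[off + 510] == 0x55 && img[off + 511] == 0xAA &&
           memcmp(img + off + 82, "FAT32   ", 8) == 0;
}

/* Constructed image: zero-filled, one FAT32 boot sector at sector 2168.
 * Returns 1 if start_sector holds a boot sector, 0 if not, -1 on error. */
int probe_constructed_image(uint64_t start_sector)
{
    const uint64_t img_size = 9000ull * SECTOR_SIZE;
    uint8_t *img = calloc(1, (size_t)img_size);
    uint64_t off;
    int found = -1;
    if (img == NULL) return -1;
    memcpy(img + 2168 * SECTOR_SIZE + 82, "FAT32   ", 8);
    img[2168 * SECTOR_SIZE + 510] = 0x55;
    img[2168 * SECTOR_SIZE + 511] = 0xAA;
    if (sector_to_offset(start_sector, img_size, &off) == 0)
        found = is_fat32_boot_sector(img, off);
    free(img);
    return found;
}
```

Probing sector 2168 finds the boot sector, while probing 0x2168 lands on an in-range sector with no file system signature, which is the condition reported as "Cannot determine file system type".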