need help with fls (the sleuthkit)  

Rampage
(@rampage)
Active Member

Hello everyone, I'm playing around with TSK commands and I'm having a strange issue.

First of all, does anyone know if fls has problems operating on live devices?

I'm going to make a bitstream image of this disc to check this out later, but now I'm having this issue with the fls command.

First of all, I managed to use mmls to obtain the partition offsets:


# mmls -i raw /dev/sda
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
00 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000000 0000000062 0000000063 Unallocated
02 0000 0000000063 0302728859 0302728797 Linux (0x83)
03 Meta 0302728860 0312576704 0009847845 DOS Extended (0x05)
04 Meta 0302728860 0302728860 0000000001 Extended Table (#1)
05 ----- 0302728860 0302728922 0000000063 Unallocated
06 0100 0302728923 0312576704 0009847782 Linux Swap / Solaris x86 (0x82)
07 ----- 0312576705 0312581807 0000005103 Unallocated


Then I take partition 02 and run fls:


# fls -o 63 -i raw -f ext3 -D /dev/sda
d/d 11 lost+found
d/d 8193 var
d/d 16386 etc
d/d 24577 media
d/d 32769 bin
d/d 32770 boot
d/d 40961 dev
d/d 40962 home
d/d 49153 lib
d/d 49154 mnt
d/d 57345 opt
d/d 57346 proc
d/d 65537 root
d/d 65538 sbin
d/d 73729 selinux
d/d 73730 srv
d/d 81921 sys
d/d 81922 tmp
d/d 90113 usr
d/d 9461761 $OrphanFiles

Then I take the metadata address for /usr and want to see the directories in /usr:


# fls -o 63 -i raw -f ext3 -D /dev/sda 90113

But no output is given.

There are directories in /usr:


# ls -la /usr/
totale 220
drwxr-xr-x 13 root root 4096 2009-11-20 18:09 .
drwxr-xr-x 21 root root 4096 2010-04-26 09:02 ..
drwxr-xr-x 2 root root 69632 2010-04-21 11:22 bin
drwxr-xr-x 3 root root 4096 2009-11-20 18:09 etc
drwxr-xr-x 2 root root 4096 2009-10-28 21:09 games
drwxr-xr-x 91 root root 16384 2010-04-12 09:13 include
drwxr-xr-x 235 root root 73728 2010-04-16 17:30 lib
drwxr-xr-x 3 root root 4096 2009-11-20 14:41 lib64
drwxr-xr-x 2 root root 4096 2009-11-20 18:09 libexec
drwxr-xr-x 11 root root 4096 2009-11-20 17:08 local
drwxr-xr-x 2 root root 12288 2010-04-16 17:30 sbin
drwxr-xr-x 320 root root 12288 2010-03-24 16:27 share
drwxrwsr-x 15 root src 4096 2010-03-08 11:34 src

My question is: why doesn't fls show them?

The same goes for each directory.

Posted : 26/04/2010 4:28 pm
Audio
(@audio)
Active Member

Not sure, but then again I'm pretty new to TSK. I tried the same thing you posted and it works fine for me. I'm using the SANS SIFT workstation and TSK 3.1.0.

I had to use an offset of 4482135 instead of 63.

$ sudo mmls -i raw /dev/sda
DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
00 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000000 0000000062 0000000063 Unallocated
02 0000 0000000063 0000481949 0000481887 Linux (0x83)
03 0001 0000481950 0004482134 0004000185 Linux Swap / Solaris x86 (0x82)
04 0002 0004482135 0062910539 0058428405 Linux (0x83)
05 ----- 0062910540 0062914559 0000004020 Unallocated

Posted : 27/04/2010 3:29 am
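The two posts above show the same procedure against two different partition tables, and the only thing that changes is the start sector handed to fls -o (mmls reports it in 512-byte sectors, so no conversion is needed). The script below is an added example, not part of The Sleuth Kit or of either poster's setup: it parses mmls output, keeps only the allocated filesystem slots (skipping the Meta and ----- rows), and prints the fls command for a chosen slot. The sample table is the one Rampage posted; -f ext3 is the thread's own choice.

```shell
#!/bin/sh
# Pick filesystem partitions out of mmls output and build the matching
# fls invocation. Added example for this thread; not part of The Sleuth Kit.
# Assumes the mmls table layout shown in the thread: Slot Start End Length Description.

# Print "slot start_sector description" for every allocated partition.
# The second column is a slot number like 0000 or 0100 for real partitions;
# Meta entries and unallocated gaps carry "Meta" or "-----" instead.
mmls_fs_partitions() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
        start = $3 + 0    # strip leading zeros: the value fls -o expects
        desc = ""
        for (i = 5; i <= NF; i++) desc = desc (i > 5 ? " " : "") $i
        print $2, start, desc
    }'
}

# Build the fls command for one slot, e.g. "fls -o 63 -i raw -f ext3 -D /dev/sda".
# $1 = device or image, $2 = slot (e.g. 0000), $3 = filesystem type for -f;
# mmls output is read on stdin. Fails if the slot is not a filesystem partition.
fls_cmd_for_slot() {
    dev=$1; slot=$2; fstype=$3
    start=$(mmls_fs_partitions | awk -v s="$slot" '$1 == s { print $2 }')
    [ -n "$start" ] || return 1
    printf 'fls -o %s -i raw -f %s -D %s\n' "$start" "$fstype" "$dev"
}

# Constructed sample input: the partition table from the first post.
SAMPLE_MMLS='DOS Partition Table
Offset Sector 0
Units are in 512-byte sectors

Slot Start End Length Description
00 Meta 0000000000 0000000000 0000000001 Primary Table (#0)
01 ----- 0000000000 0000000062 0000000063 Unallocated
02 0000 0000000063 0302728859 0302728797 Linux (0x83)
03 Meta 0302728860 0312576704 0009847845 DOS Extended (0x05)
04 Meta 0302728860 0302728860 0000000001 Extended Table (#1)
05 ----- 0302728860 0302728922 0000000063 Unallocated
06 0100 0302728923 0312576704 0009847782 Linux Swap / Solaris x86 (0x82)
07 ----- 0312576705 0312581807 0000005103 Unallocated'

printf '%s\n' "$SAMPLE_MMLS" | mmls_fs_partitions
printf '%s\n' "$SAMPLE_MMLS" | fls_cmd_for_slot /dev/sda 0000 ext3
```

Feeding Audio's table to the same function with slot 0002 yields the 4482135 offset from the second post, which is why the two sessions differ.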
Rampage
(@rampage)
Active Member

Because that offset is a Linux partition start offset in your partition table.

You have 2 partitions?

Posted : 30/04/2010 3:47 am