Hi all,
I have been writing a program to analyze an image (/dev/sdc for a USB stick). So far all works. The only thing is: how do I write code to get the starting offset that the file system begins at?
Let me explain.
So far, my code looks as follows:
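    #include <cstdio>
    #include <cstdlib>
    #include <tsk/libtsk.h>

    int main(int argc, char **argv)
    {
        if (argc < 2) { printf("Usage: %s <image>\n", argv[0]); exit(1); }
        TskImgInfo *img_info = new TskImgInfo();
        TSK_TCHAR **temp = (TSK_TCHAR **) argv;
        // Byte offset of the file system: start sector 0x878 (from mmls) * 512
        TSK_OFF_T fsStartBlock = 0x878*512;
        printf("Offset at %lld \n", (long long) fsStartBlock);
        printf("Opening Image %s \n", temp[1]);
        // The third argument of TskImgInfo::open() is the sector size (0 = auto-detect),
        // not a byte offset; fsStartBlock is the offset for opening the file system
        if(img_info->open(temp[1], TSK_IMG_TYPE_DETECT, 0) == 0)
        {
            printf("Image opened successfully\n");
        }
        else
        {
            printf("Error opening image %s \n", temp[1]);
            exit(1);
        }
        delete img_info;
        return 0;
    }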
Now, I found the fsStartBlock to be 0x878 by using the mmls on /dev/sdc. Then I can tell where the FAT32 file system begins. But this means that every time I insert another USB or even try to analyze another drive I have to change the code. Is there a function in the Sleuthkit library that can get the offset automatically for the program?
> Now, I found the fsStartBlock to be 0x878 by using the mmls on /dev/sdc. Then I can tell where the FAT32 file system begins. But this means that every time I insert another USB or even try to analyze another drive I have to change the code. Is there a function in the Sleuthkit library that can get the offset automatically for the program?
Wouldn't it be easier to parse the partition table directly, as was discussed here?
http://www.forensicfocus.com/Forums/viewtopic/t=11783/
Or get the code from the source of mmls and add it to your program?
https://
jaclaz
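
Parsing the partition table directly, as suggested in the reply above, can look like the following added example (it is not code from this thread or from The Sleuth Kit). It assumes a classic MBR with 512-byte sectors and a primary FAT32 partition; the names MbrPart, parseMbr, firstFat32Offset and sampleMbr are hypothetical, and the sample sector is constructed to match the 0x878 start sector from the question.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>
struct MbrPart { uint8_t type; uint32_t startLba; uint32_t sectors; };

static uint32_t le32(const uint8_t *p) {  // on-disk fields are little-endian
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Non-empty primary entries of a classic MBR; empty if the 0x55AA signature is missing.
std::vector<MbrPart> parseMbr(const uint8_t *sec, size_t len) {
    std::vector<MbrPart> out;
    if (len < 512 || sec[510] != 0x55 || sec[511] != 0xAA) return out;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + 446 + 16 * i;  // table starts at byte 446
        MbrPart p{e[4], le32(e + 8), le32(e + 12)};
        if (p.type != 0x00 && p.sectors != 0) out.push_back(p);
    }
    return out;
}

// Byte offset of the first FAT32 partition (type 0x0B or 0x0C), or -1 if none.
int64_t firstFat32Offset(const uint8_t *sec, size_t len, uint32_t sectorSize = 512) {
    for (const MbrPart &p : parseMbr(sec, len))
        if (p.type == 0x0B || p.type == 0x0C) return (int64_t)p.startLba * sectorSize;
    return -1;
}

// Constructed sample sector: one FAT32 (LBA) partition starting at sector 0x878.
std::array<uint8_t, 512> sampleMbr() {
    std::array<uint8_t, 512> s{};
    uint8_t *e = s.data() + 446;
    e[4] = 0x0C;                             // partition type
    e[8] = 0x78; e[9] = 0x08; e[14] = 0x10;  // start LBA 0x878, 0x100000 sectors
    s[510] = 0x55; s[511] = 0xAA;
    return s;
}

int main(int argc, char **argv) {
    std::array<uint8_t, 512> sec = sampleMbr();
    if (argc > 1) {  // read sector 0 of a real image or device instead
        FILE *f = fopen(argv[1], "rb");
        size_t n = f ? fread(sec.data(), 1, sec.size(), f) : 0;
        if (f) fclose(f);
        if (n != sec.size()) return 1;
    }
    printf("%lld\n", (long long)firstFat32Offset(sec.data(), sec.size()));
    return 0;
}
```

The returned value is the byte offset that would take the place of the hard-coded 0x878*512; extended partitions (0x05/0x0F) and GPT protective entries (0xEE) are not followed by this sketch.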