Get Direct Block numbers from istat

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Get Direct Block numbers from istat

Efstratios Skleparis
Dear all,

I am new into Sleuthkit library and I am trying to write an introspection tool using Sleuthkit on XEN hypervisor running Ubuntu 12.04 x64 bit and trying to inspect a guestVM - domU running ubuntu 12.04 x64bit as well .. 

After successfuly getting information about an inode given to my program running the following code : 

if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}

I get as output the following [numblock initialized as 0 , sec_skew as well] : 

Bla bla bla
. . .
. . .
 Direct Blocks : numberX,numberY. .

problem is how can i get those block numbers : numberX and nymberY in order to use them on my program later? I tried reading many source files [ ntfs.c where fs->istat is located , fs_block.c , blkstat.c and others ] but it didn't help me .

Thanks in advance ! 
Efstratios



------------------------------------------------------------------------------

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org