Get direct blocks pointers for files/dirs


Get direct blocks pointers for files/dirs

Efstratios Skleparis
Dear all,

I am using the Sleuth Kit library to write an introspection tool for the Xen hypervisor running on Ubuntu 12.04.5 x64, and my question is: if we have the inode number of a file on a disk [guest VM, ext4 filesystem], for example 6031126, and want to handle the direct block pointers of a file/directory later in a program, how can we get them (Direct Blocks: NumberX, NumberY, etc.)? I used the Sleuth Kit function istat inside my program as in the library's istat.cpp program:

    if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

to get information about this inode, and I got this:

inode: 6031126
Allocated
Group: 736
Generation Id: 3880935525
uid / gid: 1000 / 1000
mode: rrw-------
Flags: Extents, 
size: 6613
num of links: 1

Inode Times:
Accessed:   2015-11-12 17:47:55.857360000 (EET)
File Modified:  2015-03-27 14:05:13.000000000 (EET)
Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
File Created:   2015-07-12 00:51:07.489188000 (EEST)

Direct Blocks:
24172552 24172553

I know the block numbers by calling that function, but I don't know where they are stored and how to retrieve them into a variable in order to use them later in my tool!

Any tips/suggestions or documentation would be appreciated!
Thanks in advance!

------------------------------------------------------------------------------

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: Get direct blocks pointers for files/dirs

Pasquale Rinaldi
Efstratios,

Check out this function in a program I am working on which incorporates the Sleuth Kit C library functions. I calculate the direct block addresses and store this value in my db table. The functions to look at are "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They are on lines 517-588.


I hope it helps.
Pasquale

On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <[hidden email]> wrote:

Re: Get direct blocks pointers for files/dirs

Efstratios Skleparis
Pasquale,

Thanks a lot for the information you provided me :-) I finally managed to get the direct block pointers of a file!!

That if (flags & TSK_FS_BLOCK_FLAG_CONT) in the GetBlockAddress function did the work! :-)

My question is: is there a reason you can only "save" the last one of NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something wrong? I am using C, not C++, for my introspection tool.

I tried using an array, but still only NumberZ is saved; the others are lost. I placed some printfs, and for some reason the array is initialized every time after it returns NumberX, NumberY.

Thanks a lot for your time and help,
Efstratios

On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <[hidden email]> wrote:

Re: Get direct blocks pointers for files/dirs

Pasquale Rinaldi
Efstratios,

Without seeing the code, it's hard to tell. It sounds like you have the array initialization inside your looping function, which would reset the array and then only store the last value in the loop, since you just reset the array.

It's hard to say without seeing the code, though. It's purely a guess based on common mistakes I make when doing this kind of looping.

Pasquale

On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <[hidden email]> wrote:

Re: Get direct blocks pointers for files/dirs

Efstratios Skleparis
Pasquale,

You are right, sorry! Here is what I have done:


Global variables:

    TSK_DADDR_T *blockstring; // array where I want to store the block numbers

    int fs_file_block_number; // number of direct blocks per file

GetBlockAddress function code:

    TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off, TSK_DADDR_T addr, char *buf, size_t size,
                                      TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {

        /* Memory allocation for the block addresses array.
           Note: this runs on every callback, so each call starts from a fresh array
           and whatever earlier calls stored is lost (and the old array leaks). */
        blockstring = malloc(size * sizeof(TSK_DADDR_T));

        int i = 0, s;

        if (flags & TSK_FS_BLOCK_FLAG_CONT) {

            /* Bitwise and, TSK_FS_BLOCK_FLAG_CONT = block contains file content. */

            printf("addr = %lu\n", addr);

            for (s = (int) size; s > 0; s -= fs_file->fs_info->block_size) {
                /* Parse all the blocks, every 4096 bytes */

                if (addr) {

                    blockstring[i] = addr;
                    i++;

                    /* Calculate how many direct blocks the file has */
                    fs_file_block_number += size / 4096;
                    s -= fs_file->fs_info->block_size;

                    /* i was already incremented, so this prints the next, still unset slot */
                    printf("blockstring[%d] = %lu\n", i, blockstring[i]);
                    printf(" iteration [%d], s = %d \n", i, s);

                    // tsk_printf("blockstring :%"
                    //            PRIuDADDR
                    //            "\n ", blockstring[fs_file_block_number]);

                    // tsk_printf("[%d]\n", fs_file_block_number);

                }
            } /* end of for */

        } /* end of if */

        return TSK_WALK_CONT;

    } // end of GetBlockAddress

How I call/use the above function in main:

    TSK_FS_FILE *fs_file = NULL;
    int i;

    fs_file = tsk_fs_file_open_meta(fs, NULL, inum); // open the file based on its inode number

    if ((fs_file != NULL) && (fs_file->meta != NULL)) {
        /* Error checking */

        if (fs_file->fs_info->ftype == TSK_FS_TYPE_EXT4) {

            /* Ext4 file system */

            tsk_fs_file_walk(fs_file,
                             (TSK_FS_FILE_WALK_FLAG_ENUM)(
                                 TSK_FS_FILE_WALK_FLAG_AONLY | TSK_FS_FILE_WALK_FLAG_SLACK),
                             GetBlockAddress, NULL);

        }

    }

    printf("\n fs_file_block_number = %d \n", fs_file_block_number);
    for (i = 0; i < fs_file_block_number; i++) {
        printf("Direct Blocks: %lu\n", blockstring[i]);
    }


And the output I get is the following:
>>> inside function printfs <<<
addr = 24172552
blockstring[1] = 0
 iteration [1], s = 0 
addr = 24172553
blockstring[1] = 0
 iteration [1], s = 0 

>>> main printfs <<<
 fs_file_block_number = 2 

Direct Blocks: 24172553

Direct Blocks: 0

Thanks for your time,
Efstratios

On Tue, Nov 17, 2015 at 8:24 PM, Pasquale Rinaldi <[hidden email]> wrote:

Re: Get direct blocks pointers for files/dirs

Jean-François Gingras-2

If I'm not mistaken, each time GetBlockAddress gets called, you reinitialize your blockstring variable (malloc).

You should probably use a linked list of TSK_DADDR_T objects and add your block to that list in GetBlockAddress.

Or you could resize the array.

Also, I'm not sure the size parameter of GetBlockAddress has anything to do with the TSK_DADDR_T structure.

Hope this will help

On 17 Nov 2015 at 3:02 PM, "Efstratios Skleparis" <[hidden email]> wrote:

Re: Get direct blocks pointers for files/dirs

Efstratios Skleparis
In reply to this post by Efstratios Skleparis
I forgot to erase one line as I was copying the code, "s -= fs_file->fs_info->block_size;". Don't mind it when you see it inside the for loop.

On Tue, Nov 17, 2015 at 9:57 PM, Efstratios Skleparis <[hidden email]> wrote:

Re: Get direct blocks pointers for files/dirs

Efstratios Skleparis
In reply to this post by Jean-François Gingras-2
Dear all,

I tried to implement a linked list like this:

    struct List {
        struct List *next;
        TSK_DADDR_T addr;
    };

    struct List *list; /* Global list */

    void createL() {
        list = NULL;
    }

    void insertL(TSK_DADDR_T addr) {
        struct List *node;

        if (list == NULL) { /* First node of our list */
            list = malloc(sizeof(struct List));
            list->next = NULL;
            /* addr is a plain TSK_DADDR_T, not a pointer: this stores a heap address in it,
               which the assignment further down then overwrites */
            list->addr = (TSK_DADDR_T*) malloc(4096 * sizeof(TSK_DADDR_T)); /* allocate space */
            if (list->addr == NULL) {
                printf("Error in insertL malloc \n");
                return;
            }
            list->addr = addr;
            printf(" First Node - InsertL, list - > addr : %lu\n", list->addr); // just for debugging
        } else {
            node = malloc(sizeof(struct List));
            node->next = list; /* This node becomes head of the list */
            /* note: this writes to list->addr, i.e. the block number already stored in the
               previous head, replacing it with a heap address; node->addr is what the check
               below reads */
            list->addr = (TSK_DADDR_T*) malloc(4096 * sizeof(TSK_DADDR_T)); /* allocate space */
            if (node->addr == NULL) {
                printf("Error in insertL malloc \n");
                return;
            }
            node->addr = addr;
            list = node;
            printf("____InsertL - > list - > addr : %lu\n", node->addr); // just for debugging
        }
    }

    void display(struct List *list)
    { // just print the list
        while (list != NULL)
        {
            printf("Direct Blocks: %lu\t", list->addr);
            list = list->next;
        }
        printf("\n");
    }

    void reversedisplay(struct List *head)
    { // print the list in reverse
        if (head != NULL)
        {
            reversedisplay(head->next);
            printf("%lu\t", head->addr);
        }
    }

---------------------------------------------------------------------------------

And in GetBlockAddress I am calling insertL like this:


    TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off, TSK_DADDR_T addr, char *buf, size_t size,
                                      TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {

        int s;

        if (flags & TSK_FS_BLOCK_FLAG_CONT) {

            /* Bitwise and, TSK_FS_BLOCK_FLAG_CONT = block contains file content. */

            //printf("addr = %lu\n", addr );

            for (s = (int) size; s > 0; s -= fs_file->fs_info->block_size) {
                /* Parse all the blocks, every 4096 bytes */

                insertL(addr);
                printf("Blockstring after insertion = %lu\n", list->addr); // just for debugging

                /* Calculate how many direct blocks the file has */
                fs_file_block_number += size / 4096;

                printf(" iteration [%d], s = %d \n", fs_file_block_number, s);

            } /* end of for */

        } /* end of if */

        return TSK_WALK_CONT;

    } // end of GetBlockAddress


But still when I am printing the list in the main function I get this:

First Node - InsertL, list - > addr : 24172552
Blockstring after insertion = 24172552
 iteration [1], s = 4096 
____InsertL - > list - > addr : 24172553
Blockstring after insertion = 24172553
 iteration [2], s = 4096 

 fs_file_block_number = 2 // just for debugging - correct

//reverse(display)
34986192 24172553

//display(list)
Direct Blocks: 24172553 Direct Blocks: 34986192

I still can't get the first block number! Though when I am calling GetBlockAddress the direct block numbers inside the function are correct, and when I am inserting them into the global list the number is correct again! But in main.c it's not: I can only get the second block number (my file has a size of 6113 bytes -> 2 blocks only, each block has size 4096; the correct direct block numbers are 24172552 and 24172553, verified by istat and checked on the raw storage).

I am starting to believe there is a "problem" with the call to:
 tsk_fs_file_walk(fs_file, (TSK_FS_FILE_WALK_FLAG_ENUM)(TSK_FS_FILE_WALK_FLAG_AONLY | TSK_FS_FILE_WALK_FLAG_SLACK), GetBlockAddress, NULL);    Correct me if I am wrong, or is it something with my implementation?

Thanks again for your time,
Efstratios


On Tue, Nov 17, 2015 at 10:26 PM, Jean-François Gingras <[hidden email]> wrote:

If I'm not mistaken, each time GetBlockAddress gets called, you reinitialize your blockstring variable (malloc).

You should probably use a linked list of TSK_DADDR_T object and add your block in GetBlockAddress to that list.

Or you could resize the array.

Also, I'm not sure the size parameter of GetBlockAddress has anything to do with the TSK_DADDR_T structure.

Hope this will help

Le 17 nov. 2015 3:02 PM, "Efstratios Skleparis" <[hidden email]> a écrit :
Pasquale,

You are right, sorry! Here is what I have done:


Global variables : 

TSK_DADDR_T *blockstring ; // array where i want to store block numbers

int fs_file_block_number; // numbers of direct blocks per files

GetBlockAddress Function code : 

TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off, TSK_DADDR_T addr, char *buf, size_t size,
                                  TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr) {

    /* Memory allocation for block addresses array */
    blockstring = malloc(size * sizeof(TSK_DADDR_T));

    int i = 0, s;

    if (flags & TSK_FS_BLOCK_FLAG_CONT) {
        /* Bitwise and, TSK_FS_BLOCK_FLAG_CONT = block contains file content. */

        printf("addr = %lu\n", addr);

        for (s = (int) size; s > 0; s -= fs_file->fs_info->block_size) {
            /* Parse all the blocks, every 4096 bytes */

            if (addr) {

                blockstring[i] = addr;
                i++;

                /* Calculate how many direct blocks the file has */
                fs_file_block_number += size / 4096;
                s -= fs_file->fs_info->block_size;

                printf("blockstring[%d] = %lu\n", i, blockstring[i]);
                printf(" iteration [%d], s = %d \n", i, s);

                // tsk_printf("blockstring :%"
                //            PRIuDADDR
                //            "\n ", blockstring[fs_file_block_number]);

                // tsk_printf("[%d]\n", fs_file_block_number);

            }
        } /* end of for */

    } /* end of if */

    return TSK_WALK_CONT;

} // end of GetBlockAddress

How I call - use the above function in main :


TSK_FS_FILE *fs_file = NULL;
int i;

fs_file = tsk_fs_file_open_meta(fs, NULL, inum); // open file based on inode number

if ((fs_file != NULL) && (fs_file->meta != NULL)) {
    /* Error checking */

    if (fs_file->fs_info->ftype == TSK_FS_TYPE_EXT4) {

        /* Ext4 file system */

        tsk_fs_file_walk(fs_file,
                         (TSK_FS_FILE_WALK_FLAG_ENUM)(
                             TSK_FS_FILE_WALK_FLAG_AONLY | TSK_FS_FILE_WALK_FLAG_SLACK),
                         GetBlockAddress, NULL);

    }

}

printf("\n fs_file_block_number = %d \n", fs_file_block_number);
for (i = 0; i < fs_file_block_number; i++) {
    printf("Direct Blocks: %lu\n", blockstring[i]);
}


And the output i get is the following : 
>>> inside function printfs <<<
addr = 24172552
blockstring[1] = 0
 iteration [1], s = 0 
addr = 24172553
blockstring[1] = 0
 iteration [1], s = 0 

>>> main printfs <<<
 fs_file_block_number = 2 

Direct Blocks: 24172553

Direct Blocks: 0

Thanks for your time,
Efstratios

On Tue, Nov 17, 2015 at 8:24 PM, Pasquale Rinaldi <[hidden email]> wrote:
Efstratios,

Without seeing the code, it's hard to tell. It sounds like you have the array initialization inside your looping function, which would reset the array and then only store the last value in the loop, since you just reset the array.

It's hard to say without seeing the code though. It's purely a guess based on common mistakes I make when doing this kind of looping.

Pasquale

On Tue, Nov 17, 2015 at 5:34 AM, Efstratios Skleparis <[hidden email]> wrote:
Pasquale,

Thanks a lot for the information you provided me :-) I finally managed to get the direct block pointers of a file !! 

That if(flags & TSK_FS_BLOCK_FLAG_CONT) did the work, on GetBlockAddress function! :-)

My question is: is there a reason you can only "save" the last one from NumberX, NumberY, NumberZ [block pointers, numbers]? Or am I doing something wrong? I am using C, not C++, for my introspection tool.

I tried using an array but still only NumberZ is saved; the others are lost. I placed some printfs and for some reason every time the array is initialized after it returns NumberX, NumberY.

Thanks a lot for your time and help,
Efstratios

On Mon, Nov 16, 2015 at 3:23 AM, Pasquale Rinaldi <[hidden email]> wrote:
Efstratios,

Check out this function on a program I am working on which incorporates the sleuthkit c library functions. I calculate the direct block addresses and store this value in my db table. The functions to look at are "BlockFile", "GetBlockAddress" and the "tsk_fs_file_walk" functions. They are on lines: 517-588.


I hope it helps.
Pasquale

On Sat, Nov 14, 2015 at 12:25 PM, Efstratios Skleparis <[hidden email]> wrote:
Dear all,

I am using the Sleuth Kit library in order to write an introspection tool for the XEN hypervisor running on Ubuntu 12.04.5 x64, and my question is: if we have the inode number of a file on a disk [guest VM - ext4 filesystem], for example 6031126, and want to handle the direct block pointers of a file/directory later in a program, how can we get them (Direct Blocks: NumberX, NumberY etc.)? I used the Sleuth Kit function istat inside my program like in the istat.cpp program of the library:

if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
    tsk_error_print(stderr);
    fs->close(fs);
    img->close(img);
    exit(1);
}

to get information about this inode, and I got this:

inode: 6031126
Allocated
Group: 736
Generation Id: 3880935525
uid / gid: 1000 / 1000
mode: rrw-------
Flags: Extents, 
size: 6613
num of links: 1

Inode Times:
Accessed:   2015-11-12 17:47:55.857360000 (EET)
File Modified:  2015-03-27 14:05:13.000000000 (EET)
Inode Modified: 2015-07-12 00:51:07.489188000 (EEST)
File Created:   2015-07-12 00:51:07.489188000 (EEST)

Direct Blocks:
24172552 24172553

I know the block numbers by calling that function, but I don't know where they are stored and how to retrieve them into a variable in order to use them later in my tool.

Any tips/suggestions or documentation would be appreciated!
Thanks in advance!

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org
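The two attempts above fail for different reasons, and the second failure is not diagnosed anywhere in the thread. In the linked-list version, the else branch of insertL executes `list->addr = (TSK_DADDR_T*) malloc(...)` while `list` is still the old head, i.e. the node holding the first block; that is why 24172552 is replaced by 34986192 (the low bits of a heap pointer) in the final listing. Since `addr` is a plain integer there is nothing to malloc for it at all, and `node->addr` is tested against NULL before it has ever been assigned. In the array version, malloc runs on every callback, `s` is decremented twice per iteration, and `blockstring[i]` is printed after `i++`. Underneath both sits one misunderstanding: tsk_fs_file_walk already invokes the callback once per block (the thread's own output shows exactly two calls, one per block), so the callback should record `addr` once and return, and the block count should be derived from the file size and `fs_info->block_size`, not from a hard-coded 4096 accumulated on each call. What follows is an added example, not code from the thread or from The Sleuth Kit, showing a collector written that way: the state is passed through the walk's `ptr` argument instead of globals, the array grows with realloc, sparse blocks (holes, which carry no on-disk address) are skipped, and a small constructed driver stands in for tsk_fs_file_walk so the block compiles without libtsk. The TSK type definitions at the top are assumed stand-ins that mirror the library's names and parameter order only; with the real library, include <tsk/libtsk.h>, delete that section, and call tsk_fs_file_walk(fs_file, TSK_FS_FILE_WALK_FLAG_AONLY, GetBlockAddress, &bl).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-ins for the few libtsk declarations this code touches, so it
 * compiles without the library. With the real library, include <tsk/libtsk.h>
 * and delete this section. */
typedef uint64_t TSK_DADDR_T;
typedef int64_t TSK_OFF_T;
typedef enum { TSK_WALK_CONT = 0, TSK_WALK_STOP = 1, TSK_WALK_ERROR = 2 } TSK_WALK_RET_ENUM;
typedef enum {
    TSK_FS_BLOCK_FLAG_ALLOC = 0x0001,
    TSK_FS_BLOCK_FLAG_CONT = 0x0004,    /* block holds file content */
    TSK_FS_BLOCK_FLAG_SPARSE = 0x0040   /* hole in the file: no block on disk */
} TSK_FS_BLOCK_FLAG_ENUM;
typedef struct { unsigned int block_size; } TSK_FS_INFO;
typedef struct { TSK_FS_INFO *fs_info; } TSK_FS_FILE;

/* Growable array of block addresses. Allocated once per file and handed to the
 * callback through the walk's `ptr` argument: no globals, and nothing is
 * re-initialised on each call. */
typedef struct {
    TSK_DADDR_T *addrs;
    size_t count;
    size_t cap;
} BlockList;

static int blocklist_push(BlockList *bl, TSK_DADDR_T addr)
{
    if (bl->count == bl->cap) {
        size_t ncap = bl->cap ? bl->cap * 2 : 8;
        TSK_DADDR_T *p = realloc(bl->addrs, ncap * sizeof *p);
        if (p == NULL)
            return -1;
        bl->addrs = p;
        bl->cap = ncap;
    }
    bl->addrs[bl->count++] = addr;
    return 0;
}

static void blocklist_free(BlockList *bl)
{
    free(bl->addrs);
    bl->addrs = NULL;
    bl->count = bl->cap = 0;
}

/* Callback for tsk_fs_file_walk(). The walk calls it once per block, so it
 * records `addr` and returns; there is nothing to loop over here. With the
 * AONLY walk flag `buf` carries no content and must not be dereferenced. */
static TSK_WALK_RET_ENUM GetBlockAddress(TSK_FS_FILE *fs_file, TSK_OFF_T off,
                                        TSK_DADDR_T addr, char *buf, size_t size,
                                        TSK_FS_BLOCK_FLAG_ENUM flags, void *ptr)
{
    BlockList *bl = ptr;
    (void)fs_file; (void)off; (void)buf; (void)size;

    if (flags & TSK_FS_BLOCK_FLAG_SPARSE)   /* hole: nothing on disk to point at */
        return TSK_WALK_CONT;
    if (!(flags & TSK_FS_BLOCK_FLAG_CONT))  /* not file content: ignore */
        return TSK_WALK_CONT;
    if (blocklist_push(bl, addr) != 0)
        return TSK_WALK_ERROR;
    return TSK_WALK_CONT;
}

/* Blocks a file of `file_size` bytes occupies, from the file system's own
 * block size rather than a hard-coded 4096. */
static size_t blocks_for_size(uint64_t file_size, unsigned int block_size)
{
    return (size_t)((file_size + block_size - 1) / block_size);
}

/* Constructed stand-in for tsk_fs_file_walk() with TSK_FS_FILE_WALK_FLAG_AONLY:
 * invokes the callback once per block, as the library does. A 0 entry in `run`
 * models a hole. This driver is not part of libtsk. */
static int simulate_walk(const TSK_DADDR_T *run, size_t nblocks, uint64_t file_size,
                         unsigned int block_size, BlockList *out)
{
    TSK_FS_INFO fs = { block_size };
    TSK_FS_FILE f = { &fs };
    uint64_t remaining = file_size;
    size_t i;

    for (i = 0; i < nblocks; i++) {
        size_t len = remaining < block_size ? (size_t)remaining : block_size;
        int fl = TSK_FS_BLOCK_FLAG_ALLOC | TSK_FS_BLOCK_FLAG_CONT;
        if (run[i] == 0)
            fl |= TSK_FS_BLOCK_FLAG_SPARSE;
        if (GetBlockAddress(&f, (TSK_OFF_T)(i * block_size), run[i], NULL, len,
                            (TSK_FS_BLOCK_FLAG_ENUM)fl, out) != TSK_WALK_CONT)
            return -1;
        remaining -= len;
    }
    return 0;
}

int main(void)
{
    /* Constructed input matching the thread's file: 6613 bytes held in two
     * 4096-byte blocks at 24172552 and 24172553. */
    const TSK_DADDR_T run[] = { 24172552, 24172553 };
    BlockList bl = { NULL, 0, 0 };
    size_t i;

    if (simulate_walk(run, 2, 6613, 4096, &bl) != 0)
        return 1;
    printf("Direct Blocks (%zu, expected %zu):", bl.count, blocks_for_size(6613, 4096));
    for (i = 0; i < bl.count; i++)
        printf(" %" PRIu64, bl.addrs[i]);
    printf("\n");
    blocklist_free(&bl);
    return 0;
}
```

One caveat for the introspection use case: the addresses TSK hands to the callback are block numbers relative to the start of the file system, not the disk image. To read block 24172552 from the raw guest disk, seek to `fs_info->offset + addr * fs_info->block_size`, where `offset` is the byte offset of the file system within the image that TSK records when the file system is opened.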

Re: Get direct blocks pointers for files/dirs

Pasquale Rinaldi
Efstratios,

Two things I see in the first code provided:

1. fs_file_block_number += size / 4096; seems like it should be fs_file_block_number = size / 4096, otherwise with each loop it would be fs_file_block_number = 0 + 2, then fs_file_block_number = 2 + 2, etc. for the required loops.

2. Inside the loop, blockstring[i] isn't providing the right answers to coincide with your addr printfs. The printfs should be

addr = 24172552
blockstring[0] = 24172552
 
addr = 24172553
blockstring[1] = 24172552

which would show that the current address value which gets replaced (addr) is being stored in your array (blockstring), which is incrementing and not overwriting its value (0, 1, etc...).

When in doubt, debug the crap out of it with more minute variable debug/printf statements.

Let me know if any of those help you out,

Pasquale


------------------------------------------------------------------------------

_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org