Using The Sleuth Kit, the function tsk_fs_open_img() returns an error that the FS is not a FAT FS

I am writing a program using the Sleuth Kit library, which is designed to print out the file allocation table of a FAT32 file system. Everything in my program works fine until I call the tsk_fs_open_img() function. At this point, the program returns and reports the error "Invalid magic value (not FATFS file system (magic))". The FS really is a FAT32 FS, and I checked the magic value (AA55 at offset 1FE) with a hex editor. Also, mmls and fls, the command-line tools included with the Sleuth Kit library, work on this image of the disk I am using and show that it really is a FAT32 FS, and also give an offset of 63 for the FS.

If anyone can help me figure out why this function does not work, I would be very grateful. Thanks in advance.

Here is the API reference for the function: tsk_fs_open_img()

Here is my code:

    #include <tsk3/libtsk.h>
    #include <cstdio>
    #include <cstdlib>
    #include <iostream>
    #include <string.h>

    using namespace std;

    int main (int argc, const char * argv[])
    {
        TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
        TSK_IMG_INFO *img;
        TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_FAT32;
        TSK_FS_INFO *fs;
        TSK_DADDR_T imgOffset = 0x00000000;
        // Partition start as a sector number (note: 0x63 is 99 in decimal)
        TSK_OFF_T fsStartBlock = 0x00000063;
        TSK_VS_INFO *vs = NULL;
        TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
        // Unused below; initialized so no uninitialized pointer is dereferenced
        const TSK_VS_PART_INFO *part = NULL;
        TSK_PNUM_T partLocation = 0;
        TSK_TCHAR *driveName;
        TSK_DADDR_T startAddress = 0x00000000;
        TSK_DADDR_T numBlocksToRead = 0x00000001;
        TSK_FS_BLKCAT_FLAG_ENUM flags = TSK_FS_BLKCAT_ASCII;
        int numOfDrives = 1;
        uint sectorSize = 0;
        uint8_t blockBytes = 0;

        // argv[1] must exist, so at least two arguments are required
        if (argc < 2) {
            printf("You must enter a drive name.\n");
            exit(EXIT_FAILURE);
        }

        driveName = (TSK_TCHAR*) argv[1];

        cout << "\nOpening Drive\n\n";
        if ((img = tsk_img_open(numOfDrives, &driveName, imgtype, sectorSize)) == NULL) {
            tsk_error_print(stderr);
            exit(EXIT_FAILURE);
        }
        cout << "Drive opened successfully.\n\n";

        cout << "Opening File System\n\n";
        // This is the call that fails: fsStartBlock is passed as the offset
        if ((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
            tsk_error_print(stderr);
            if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
                tsk_fs_type_print(stderr);
            img -> close(img);
            exit(EXIT_FAILURE);
        }
        cout << "File system opened successfully.\n\n";

        blockBytes = tsk_fs_blkcat(fs, flags, startAddress, numBlocksToRead);

        fs -> close(fs);
        img -> close(img);
        return 0;
    }
+4
1 answer

The offset argument for tsk_fs_open_img is in bytes, not sectors. So you need to multiply fsStartBlock by img->sector_size.

+2
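The answer's point shown without libtsk, as an added example that is not part of the original post or of The Sleuth Kit: a constructed in-memory image with a partition starting at sector 63 is checked for the 55 AA boot signature at byte offset 63 (the question's mistake) and at byte offset 63 × 512 (the answer's fix). The 512-byte sector size, the image layout and the helper names `build_image`, `part_start_lba` and `has_boot_magic` are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512u   /* assumption: 512-byte sectors */
#define IMG_SECTORS 65u    /* constructed image covering sectors 0..64 */

static uint8_t img[IMG_SECTORS * SECTOR_SIZE];

/* Build the constructed image: MBR in sector 0, FAT32 boot sector at LBA 63. */
static void build_image(void) {
    memset(img, 0, sizeof img);
    uint8_t *e = img + 0x1BE;               /* first MBR partition entry */
    e[4] = 0x0B;                            /* partition type: FAT32 */
    e[8] = 63; e[9] = e[10] = e[11] = 0;    /* start LBA, little-endian */
    img[0x1FE] = 0x55; img[0x1FF] = 0xAA;   /* MBR signature */
    uint8_t *bs = img + 63u * SECTOR_SIZE;  /* partition's first sector */
    memcpy(bs + 0x52, "FAT32   ", 8);       /* FAT32 file system type label */
    bs[0x1FE] = 0x55; bs[0x1FF] = 0xAA;     /* boot sector signature */
}

/* Start LBA (a sector number) of MBR partition entry idx (0..3). */
static uint32_t part_start_lba(int idx) {
    const uint8_t *e = img + 0x1BE + 16 * idx;
    return (uint32_t)e[8] | ((uint32_t)e[9] << 8) |
           ((uint32_t)e[10] << 16) | ((uint32_t)e[11] << 24);
}

/* 1 if the 512 bytes starting at byte_off end in 55 AA (0xAA55 little-endian). */
static int has_boot_magic(uint64_t byte_off) {
    if (byte_off + SECTOR_SIZE > sizeof img) return 0;
    return img[byte_off + 0x1FE] == 0x55 && img[byte_off + 0x1FF] == 0xAA;
}

int main(void) {
    build_image();
    uint32_t lba = part_start_lba(0);
    uint64_t bytes = (uint64_t)lba * SECTOR_SIZE;  /* sectors -> bytes */
    printf("partition starts at sector %u\n", (unsigned)lba);
    printf("sector number used as byte offset %u: magic=%d\n",
           (unsigned)lba, has_boot_magic(lba));
    printf("byte offset %llu: magic=%d\n",
           (unsigned long long)bytes, has_boot_magic(bytes));
    return 0;
}
```

Sector numbers printed by mmls are decimal, so the value to scale by the sector size for the question's image is decimal 63.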

Source: https://habr.com/ru/post/1386987/

