search for: internal_find_block

The internal_find_block command searches all entries referring to the given filesystem data block and returns a tsk_dirent structure for each of them. For filesystems such as NTFS which do not delete the block mapping when removing files, it is possible to get multiple non-allocated entries for the same block. The gathe...

The internal_find_block command searches all entries referring to the given filesystem data block and returns a tsk_dirent structure for each of them. For filesystems such as NTFS which do not delete the block mapping when removing files, it is possible to get multiple non-allocated entries for the same block. The gathe...

The internal_find_block command searches all entries referring to the given filesystem data block and returns a tsk_dirent structure for each of them. For filesystems such as NTFS which do not delete the block mapping when removing files, it is possible to get multiple non-allocated entries for the same block. The gathe...

On Monday, 19 September 2016 23:26:57 CEST Matteo Cafasso wrote: > The internal_find_block command searches all entries referring to the > given filesystem data block and returns a tsk_dirent structure > for each of them. > > For filesystems such as NTFS which do not delete the block mapping > when removing files, it is possible to get multiple non-allocated > entries...

On Tuesday, 20 September 2016 16:19:30 CEST Matteo Cafasso wrote: > + for (index = 0; index < count; index++) { > + fsattr = tsk_fs_file_attr_get_idx (fsfile, index); > + > + if (fsattr != NULL && fsattr->flags & TSK_FS_ATTR_NONRES) > + tsk_fs_attr_walk (fsattr, flags, attrwalk_callback, (void *) &blkdata); The return code of tsk_fs_attr_walk must

v2: - use boolean field in struct - move refactoring to previous series Matteo Cafasso (3): New API: internal_find_block New API: find_block find_block: added API tests daemon/tsk.c | 90 ++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 25 ++++++++++++ src/MAX_PROC_NR | 2 +- src/tsk.c | 17 +++++++++ tests/tsk/Makefile.am | 1...

v3: - fixed attribute walk callback: checking against TSK_FS_BLOCK_FLAG_RAW flag would exclude compressed data blocks which are still important. Yet we want to exclude sparse blocks (TSK_FS_BLOCK_FLAG_SPARSE) as they are not stored on the disk. Matteo Cafasso (3): New API: internal_find_block New API: find_block find_block: added API tests daemon/tsk.c | 91 ++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 25 ++++++++++++ src/MAX_PROC_NR | 2 +- src/tsk.c | 17 +++++++++ tests/tsk/Makefile.am | 1...

...esystem entries referring to a given data block and returns a tsk_dirent structure for each of them. Use case examples: - Check whether a block containing a deleted file has been re-used to store a new one. - Map a certain area of a disk with the contained files. Matteo Cafasso (4): New API: internal_find_block New API: find_block find_block: added API tests TSK: small refactoring daemon/tsk.c | 89 ++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 25 +++++++++++++ src/MAX_PROC_NR | 2 +- src/tsk.c | 65 +++++++++++++++++++...

...] So we do not have to enforce the blocks to be RAW as we would be missing COMPRESSED ones (NTFS only). [1] https://github.com/sleuthkit/sleuthkit/pull/721 [2] http://www.sleuthkit.org/sleuthkit/docs/api-docs/4.2/group__fslib.html#ga3ce8349107b00e1b1502c86a5d6c0727 Matteo Cafasso (3): New API: internal_find_block New API: find_block find_block: added API tests daemon/tsk.c | 96 ++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 25 ++++++++++++ src/MAX_PROC_NR | 2 +- src/tsk.c | 17 ++++++++ tests/tsk/Makefile.am | 1 +...