Using the Sleuth Kit function tsk_fs_open_img() returns an error that the FS is not a FAT FS

4

I am writing a program using the Sleuth Kit Library that is designed to printout the File Allocation Table of a FAT32 filesystem. Everything in my program works fine until I call the tsk_fs_open_img() function. At that point the program returns and error stating "Invalid magic value (Not a FATFS file system(magic))." The FS is indeed a FAT32 FS and I have verified the magic value (AA55 @ offset 1FE) using a hex editor. Also using mmls and fls, which are command-line tools included in the Sleuth Kit Library, work on this drive image that I am using and show that it is indeed a FAT32 FS and also provide the offset of 63 for the FS.

If anyone could help me figure out why this function is not working it would be greatly appreciated. Thanks in advance.

Here is the link to the API for the function: TSK_FS_OPEN_IMG()

Here is my code:

using namespace std;

#include <tsk3/libtsk.h>
#include <iostream>
#include <string.h>

int main (int argc, const char * argv[])
{

TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;

TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_FAT32;
TSK_FS_INFO *fs;

TSK_DADDR_T imgOffset = 0x00000000;
TSK_OFF_T fsStartBlock = 0x00000063;

TSK_VS_INFO *vs;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

const TSK_VS_PART_INFO *part;
TSK_PNUM_T partLocation = part -> addr;

TSK_TCHAR *driveName;
TSK_DADDR_T startAddress = 0x00000000;
TSK_DADDR_T numBlocksToRead = 0x00000001;
TSK_FS_BLKCAT_FLAG_ENUM flags = TSK_FS_BLKCAT_ASCII;

int numOfDrives = 1;
uint sectorSize = 0;
uint8_t blockBytes = 0;

if (argc < 1) {
    printf("You must enter a drive name.\n");
    exit(EXIT_FAILURE);
}

driveName = (TSK_TCHAR*) argv[1];

cout << "\nOpening Drive\n\n";

if((img = tsk_img_open(numOfDrives, &driveName, imgtype, sectorSize)) == NULL) {
    tsk_error_print(stderr);
    exit(EXIT_FAILURE);
}

cout << "Drive opened successfuly.\n\n";

cout << "Opening File System\n\n";

if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
    tsk_error_print(stderr);
    if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
        tsk_fs_type_print(stderr);
    img -> close(img);
    exit(EXIT_FAILURE);
}

cout << "File system opened successfuly.\n\n";

blockBytes = tsk_fs_blkcat(fs, flags, startAddress, numBlocksToRead);

fs -> close(fs);
img -> close(img);
return 0;
}
c++
unix
filesystems
fat32
dd
asked on Stack Overflow Dec 19, 2011 by James Poore • edited Dec 19, 2011 by James Poore

1 Answer

2

The offset argument to tsk_fs_open_img is in bytes, not sectors. So, you need to multiply fsStartBlock by img->sector_size.

answered on Stack Overflow Jan 20, 2012 by Brian Carrier • edited Jan 20, 2012 by Mark Hall

User contributions licensed under CC BY-SA 3.0