Using the Sleuth Kit function tsk_fs_open_img() returns an error that the FS is not a FAT FS

Question

I am writing a program using the Sleuth Kit Library that is designed to printout the File Allocation Table of a FAT32 filesystem. Everything in my program works fine until I call the tsk_fs_open_img() function. At that point the program returns and error stating "Invalid magic value (Not a FATFS file system(magic))." The FS is indeed a FAT32 FS and I have verified the magic value (AA55 @ offset 1FE) using a hex editor. Also using mmls and fls, which are command-line tools included in the Sleuth Kit Library, work on this drive image that I am using and show that it is indeed a FAT32 FS and also provide the offset of 63 for the FS.

If anyone could help me figure out why this function is not working it would be greatly appreciated. Thanks in advance.

Here is the link to the API for the function: TSK_FS_OPEN_IMG()

Here is my code:

using namespace std;

#include <tsk3/libtsk.h>
#include <iostream>
#include <string.h>

int main (int argc, const char * argv[])
{

TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;

TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_FAT32;
TSK_FS_INFO *fs;

TSK_DADDR_T imgOffset = 0x00000000;
TSK_OFF_T fsStartBlock = 0x00000063;

TSK_VS_INFO *vs;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;

const TSK_VS_PART_INFO *part;
TSK_PNUM_T partLocation = part -> addr;

TSK_TCHAR *driveName;
TSK_DADDR_T startAddress = 0x00000000;
TSK_DADDR_T numBlocksToRead = 0x00000001;
TSK_FS_BLKCAT_FLAG_ENUM flags = TSK_FS_BLKCAT_ASCII;

int numOfDrives = 1;
uint sectorSize = 0;
uint8_t blockBytes = 0;

if (argc < 1) {
    printf("You must enter a drive name.\n");
    exit(EXIT_FAILURE);
}

driveName = (TSK_TCHAR*) argv[1];

cout << "\nOpening Drive\n\n";

if((img = tsk_img_open(numOfDrives, &driveName, imgtype, sectorSize)) == NULL) {
    tsk_error_print(stderr);
    exit(EXIT_FAILURE);
}

cout << "Drive opened successfuly.\n\n";

cout << "Opening File System\n\n";

if((fs = tsk_fs_open_img(img, fsStartBlock, fstype)) == NULL) {
    tsk_error_print(stderr);
    if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
        tsk_fs_type_print(stderr);
    img -> close(img);
    exit(EXIT_FAILURE);
}

cout << "File system opened successfuly.\n\n";

blockBytes = tsk_fs_blkcat(fs, flags, startAddress, numBlocksToRead);

fs -> close(fs);
img -> close(img);
return 0;
}

I suspect the problem is your `fsStartBlock` parameter... try varying that (for example 0 or 0x3F or 0x1FE) and see what happens... — Yahia, Dec 19 '11 at 05:38
Thanks, but I have tried that with now avail. If the offset is not 63 then it returns an error stating that the image size is not a multiple of 512. And the fsStartBlock is measured in blocks, whereas the magic number is at byte 1FE or 510, these two(blocks and bytes) are not interchangeable. — James Poore, Dec 19 '11 at 07:09

score 2 · Accepted Answer · edited Jan 20 '12 at 23:50

2

The offset argument to tsk_fs_open_img is in bytes, not sectors. So, you need to multiply fsStartBlock by img->sector_size.

edited Jan 20 '12 at 23:50

Mark Hall

53,938
9
94
111

answered Jan 20 '12 at 20:47

Brian Carrier

156
3

Using the Sleuth Kit function tsk_fs_open_img() returns an error that the FS is not a FAT FS

1 Answers1