get block list

[pjrinaldi]

Going to look into how to get block address list for a file without the TSK unless i can fix the tsk issue where it is finding blocks for a directory that has a non-resident ads.

[pjrinaldi]

i possibly fixed the block list issue, but now the resident offset for certain files isn't where it should be...

so i broke something when i modified the WriteFileProperties...

need to look at what I changed and see what I screwed up.

[pjrinaldi]

Need to look into using the TSK_FS_ATTR_FLAG_ENUM to see if it is TSK_FS_ATTR_NONRES or TSK_FS_ATTR_RES to determine if it is resident or non-resident and then implement the block/resident offset code from there...

there should take care of the issue better between resident content and non-resident ads for the same file and not run the getblocklist code when i don't need it.

[pjrinaldi]

Order to resolve this issue:

1. update what I store in the properties file to acount for resident/non-resident.
2. use this to determine what to run when i get content for a file.
3. download older TSK and see if it has the "0" block padding as 4.6.7 has.
4. check my code and see where it still fails.
5. fix my code where needed.

[pjrinaldi]

1. taken care of.
2. taken care of.
3. not necessary
4. found issue - issue is for a MFT which has non-continuous blocks.
5. working on a solution now to implement this...

[pjrinaldi]

Fixed issues when going to resident attributes... found a more efficient way as well to utilize the mft block list and the inode address. Just need to clean up the code, comment, and then implement a qhash for multiple evidence items cases to store mftblocklist's, probably QHash<QString, QStringList> if it will work or <QString, QString> and i'll block it out. Will need to implement the hash for each partition for each evidence item,so <QString will be e#-v#-p#, and then QStringList> will be respective block StringList.

[pjrinaldi]

working on the issue with generatevid and generatethumb...

then i'll implement for multiple evidence.

[pjrinaldi]

Fixed issues. When I implemented final code, I got some of the if/else braces wrong, so the block address display and functionality was being skipped...

Just need to implement for multiple evidence items.

[pjrinaldi]

issue with read dd file during return file content on some of blake. need to find the exact issue and what is causing it.

[pjrinaldi]

issue is a deleted and non deleted file with the same inode (example 8149)... some of the content is correct, other content isn't.. mostly properties.

need to figure out where it is getting crossed, and then resolve it... cause the attributes are being pulled for the file not the zero one....

Need to figure out how deleted icon is determined, then figure out why properties is pulling the wrong file information rather than the deleted information...

[pjrinaldi]

all seems to be working now. fixed issue by changing the property store.

need to test further.

[pjrinaldi]

fixed. still need to implement multiple mft block string storage as a qhash and then test, but i made a ticket for this, so i'm closing this one.