I’ve generated a database with “tsk_loaddb -h image.001”.
I see that the folders are listed in table tsk_event_descriptions and files are listed in tsk_files.
Partitions are listed in tsk_vs_parts.
How can I know which folder belongs to which partition?
How can I know which file belongs to which partition?
What you need is the tsk_objects table. The tsk_event_descriptions table is only used for populating the timeline.
tsk_vs_parts - partitions
tsk_fs_info - file systems
tsk_files - all files and folders (I believe dir_type tells you whether the entry is a file or folder)
tsk_objects - Gives the parent and type for each database object
Here’s an example of what the tables look like. I have three partitions, one with a file system. On that file system I’m looking at the file 0000/0000_a.txt. To trace that back to its partition, I have to trace the parents back through tsk_objects until I find a volume.
Note that you can also go directly from a file to its file system using the fs_obj_id column.
Thanks, that worked!
