C++ class that automatically analyzes a disk image to extract files from it. More...
#include <tsk_auto.h>
Classes | |
| struct | error_record |
Public Member Functions | |
| virtual void | closeImage () |
| Closes the handles to the open disk image. More... | |
| virtual void | disableImageWriter () |
| Disables image writer. | |
| virtual TSK_RETVAL_ENUM | enableImageWriter (const char *imagePath) |
| Enables image writer, which creates a copy of the image as it is being processed. More... | |
| virtual TSK_FILTER_ENUM | filterFs (TSK_FS_INFO *fs_info) |
| TskAuto calls this method before it processes each file system that is found in a volume. More... | |
| virtual TSK_FILTER_ENUM | filterPool (const TSK_POOL_INFO *pool_info) |
| TskAuto calls this method before it processes each pool that is found. More... | |
| virtual TSK_FILTER_ENUM | filterPoolVol (const TSK_POOL_VOLUME_INFO *pool_vol) |
| TskAuto calls this method before it processes each pool volume that is found in a pool. More... | |
| virtual TSK_FILTER_ENUM | filterVol (const TSK_VS_PART_INFO *vs_part) |
| TskAuto calls this method before it processes each volume that is found in a volume system. More... | |
| virtual TSK_FILTER_ENUM | filterVs (const TSK_VS_INFO *vs_info) |
| TskAuto calls this method before it processes the volume system that is found in an image. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_INUM_T inum) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype, TSK_INUM_T inum) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_FS_INFO *a_fs_info) |
| Processes the file system represented by the given TSK_FS_INFO pointer. More... | |
| uint8_t | findFilesInFs (TSK_FS_INFO *a_fs_info, TSK_INUM_T inum) |
| Processes the file system represented by the given TSK_FS_INFO pointer. More... | |
| TSK_RETVAL_ENUM | findFilesInFsRet (TSK_OFF_T start, TSK_FS_TYPE_ENUM a_ftype) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInImg () |
| Starts in sector 0 of the opened disk images and looks for a volume or file system. More... | |
| uint8_t | findFilesInPool (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool. More... | |
| uint8_t | findFilesInPool (TSK_OFF_T start, TSK_POOL_TYPE_ENUM ptype) |
| Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool. More... | |
| uint8_t | findFilesInVs (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and looks for a volume system or file system. More... | |
| uint8_t | findFilesInVs (TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype) |
| Starts in a specified byte offset of the opened disk images and looks for a volume system or file system. More... | |
| std::string | getCurVsPartDescr () const |
| get volume description of the lastly processed volume More... | |
| TSK_VS_PART_FLAG_ENUM | getCurVsPartFlag () const |
| get volume flags of the lastly processed volume. More... | |
| const std::vector< error_record > | getErrorList () |
| Get the list of errors that were added to the internal list. More... | |
| TSK_OFF_T | getImageSize () const |
| bool | getStopProcessing () const |
| Returns true if all processing and recursion should stop. | |
| virtual uint8_t | handleError () |
| Override this method to get called for each error that is registered. More... | |
| bool | hasPool (TSK_OFF_T a_start) |
| Checks whether a volume contains a pool. More... | |
| bool | isCurVsValid () const |
| Determine if we are inside of a volume system and therefore we can trust the results of getCurVsPartFlag/Desc. | |
| virtual uint8_t | openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| Opens the disk image to be analyzed. More... | |
| virtual uint8_t | openImageHandle (TSK_IMG_INFO *) |
| Uses the already opened image for future analysis. More... | |
| virtual uint8_t | openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| Opens the disk image to be analyzed. More... | |
| virtual TSK_RETVAL_ENUM | processFile (TSK_FS_FILE *fs_file, const char *path)=0 |
| TskAuto calls this method for each file and directory that it finds in an image. More... | |
| uint8_t | registerError () |
| Internal method that TskAuto calls when it encounters issues while processing an image. More... | |
| void | resetErrorList () |
| Remove the errors on the internal list. | |
| void | setExternalFileSystemList (const std::list< TSK_FS_INFO * > &exteralFsInfoList) |
| Store a list of pointers to open file systems to use when calling findFilesInImg instead of opening a new copy. | |
| void | setFileFilterFlags (TSK_FS_DIR_WALK_FLAG_ENUM) |
| Set the attributes for the files that should be processed. More... | |
| void | setVolFilterFlags (TSK_VS_PART_FLAG_ENUM) |
| Set the attributes for the volumes that should be processed. More... | |
Static Public Member Functions | |
| static std::string | errorRecordToString (error_record &rec) |
Public Attributes | |
| unsigned int | m_tag |
Protected Member Functions | |
| uint8_t | isDefaultType (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr) |
| Utility method to help determine if an attribute is the default type for the file/dir. More... | |
| uint8_t | isDir (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a directory. More... | |
| uint8_t | isDotDir (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a . More... | |
| uint8_t | isFATSystemFiles (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a FAT file system file (such as $MBR). More... | |
| uint8_t | isFile (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a file (and not a directory). More... | |
| uint8_t | isNonResident (const TSK_FS_ATTR *fs_attr) |
| Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data) More... | |
| uint8_t | isNtfsSystemFiles (TSK_FS_FILE *fs_file, const char *path) |
| Utility method to help determine if a file is an NTFS file system file (such as $MFT). More... | |
| virtual TSK_RETVAL_ENUM | processAttribute (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr, const char *path) |
| Method that is called from processAttributes() for each attribute that a file has. More... | |
| TSK_RETVAL_ENUM | processAttributes (TSK_FS_FILE *fs_file, const char *path) |
| Method that can be used from within processFile() to look at each attribute that a file may have. More... | |
| void | setStopProcessing () |
| When called, will cause TskAuto to not continue to recurse into directories and volumes. | |
Protected Attributes | |
| std::list< TSK_FS_INFO * > | m_exteralFsInfoList |
| bool | m_imageWriterEnabled |
| TSK_TCHAR * | m_imageWriterPath |
| TSK_IMG_INFO * | m_img_info |
| bool | m_internalOpen |
| True if m_img_info was opened in TskAuto and false if passed in. | |
| std::vector< const TSK_POOL_INFO * > | m_poolInfos |
| bool | m_stopAllProcessing |
| True if no further processing should occur. | |
Detailed Description
C++ class that automatically analyzes a disk image to extract files from it.
This class hides many of the details that are required to use lower-level TSK APIs to analyze volume and file systems.
The processFile() method must be implemented and it will be called for each file and directory that is found.
An image file must be first opened using openImage(). It can then be analyzed using one of the findFilesInXXXX() methods. The filterXX() methods can be used to skip volumes and file systems.
This class, by default, will not stop if an error occurs. It registers the error into an internal list. Those can be retrieved with getErrorList(). If you want to deal with errors differently, you must implement handleError().
Member Function Documentation
|
virtual |
Closes the handles to the open disk image.
Should be called after you have completed analysis of the image.
Reimplemented in TskAutoDb.
References m_internalOpen, and tsk_img_close().
Referenced by TskAutoDb::closeImage(), openImage(), openImageHandle(), and openImageUtf8().
|
virtual |
Enables image writer, which creates a copy of the image as it is being processed.
- Parameters
-
imagePath UTF8 version of path to write the image to
References TSK_ERR, tsk_error_set_errno(), tsk_error_set_errstr(), TSK_OK, tsk_UTF8toUTF16(), TSKconversionOK, and TSKlenientConversion.
|
virtual |
TskAuto calls this method before it processes each file system that is found in a volume.
You can use this to learn about each file system before it is processed and you can force TskAuto to skip this file system.
- Parameters
-
fs_info file system details
- Returns
- Value to show if FS should be processed, skipped, or process should stop.
Reimplemented in TskAutoDb, and TskIsImageSupported.
References TSK_FILTER_CONT.
|
virtual |
TskAuto calls this method before it processes each pool that is found.
You can use this to learn about each pool before it is processed and you can force TskAuto to skip this volume.
- Parameters
-
pool_vol Pool details
- Returns
- Value to show if pool should be processed, skipped, or process should stop.
Reimplemented in TskAutoDb, and TskIsImageSupported.
References TSK_FILTER_SKIP, and tsk_verbose.
Referenced by findFilesInPool().
|
virtual |
TskAuto calls this method before it processes each pool volume that is found in a pool.
You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume.
- Parameters
-
pool_vol Pool volume details
- Returns
- Value to show if pool volume should be processed, skipped, or process should stop.
Reimplemented in TskAutoDb, and TskIsImageSupported.
References TSK_FILTER_SKIP, and tsk_verbose.
Referenced by findFilesInPool().
|
virtual |
TskAuto calls this method before it processes each volume that is found in a volume system.
You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume. The setvolFilterFlags() method can be used to configure if TskAuto should process unallocated space.
- Parameters
-
vs_part Parition details
- Returns
- Value to show if volume should be processed, skipped, or process should stop.
Reimplemented in TskAutoDb, and TskIsImageSupported.
References TSK_FILTER_CONT.
|
virtual |
TskAuto calls this method before it processes the volume system that is found in an image.
You can use this to learn about the volume system before it is processed and you can force TskAuto to skip this volume system.
- Parameters
-
vs_info volume system details
- Returns
- Value to show if Vs should be processed, skipped, or process should stop.
Reimplemented in TskAutoDb.
References TSK_FILTER_CONT.
Referenced by findFilesInVs().
| uint8_t TskAuto::findFilesInFs | ( | TSK_OFF_T | a_start | ) |
Starts in a specified byte offset of the opened disk images and looks for a file system.
Will call processFile() on each file that is found.
- Parameters
-
a_start Byte offset of file system starting location.
- Returns
- 1 if an error occurred (messages will have been registered) and 0 on success
References TSK_FS_TYPE_DETECT.
Referenced by findFilesInFs(), findFilesInImg(), and findFilesInVs().
| uint8_t TskAuto::findFilesInFs | ( | TSK_OFF_T | a_start, |
| TSK_FS_TYPE_ENUM | a_ftype | ||
| ) |
Starts in a specified byte offset of the opened disk images and looks for a file system.
Will call processFile() on each file that is found.
- Parameters
-
a_start Byte offset of file system starting location. a_ftype Type of file system that is located at the offset.
- Returns
- 1 if an error occurred (messages will have been registered) and 0 on success
References findFilesInFsRet().
| uint8_t TskAuto::findFilesInFs | ( | TSK_OFF_T | a_start, |
| TSK_INUM_T | a_inum | ||
| ) |
Starts in a specified byte offset of the opened disk images and looks for a file system.
Will start processing the file system at a specified file system. Will call processFile() on each file that is found in that directory.
- Parameters
-
a_start Byte offset of file system starting location. a_inum inum to start walking files system at.
- Returns
- 1 if an error occurred (messages will have been registered) and 0 on success
References findFilesInFs(), and TSK_FS_TYPE_DETECT.
| uint8_t TskAuto::findFilesInFs | ( | TSK_OFF_T | a_start, |
| TSK_FS_TYPE_ENUM | a_ftype, | ||
| TSK_INUM_T | a_inum | ||
| ) |
Starts in a specified byte offset of the opened disk images and looks for a file system.
Will start processing the file system at a specified file system. Will call processFile() on each file that is found in that directory.
- Parameters
-
a_start Byte offset of file system starting location. a_ftype Type of file system that will be analyzed. a_inum inum to start walking files system at.
- Returns
- 1 if an error occurred (messages will have been registered) and 0 on success
References getCurVsPartDescr(), getCurVsPartFlag(), isCurVsValid(), registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fs_close(), tsk_fs_open_img(), and TSK_VS_PART_FLAG_ALLOC.
| uint8_t TskAuto::findFilesInFs | ( | TSK_FS_INFO * | a_fs_info | ) |
Processes the file system represented by the given TSK_FS_INFO pointer.
Will Call processFile() on each file that is found.
- Parameters
-
a_fs_info Pointer to a previously opened file system.
- Returns
- 1 if an error occurred (messages will have been registered) and 0 on success
References registerError(), TSK_FS_INFO::root_inum, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().
| uint8_t TskAuto::findFilesInFs | ( | TSK_FS_INFO * | a_fs_info, |
| TSK_INUM_T | inum | ||
| ) |
Processes the file system represented by the given TSK_FS_INFO pointer.
Will Call processFile() on each file that is found.
- Parameters
-
a_fs_info Pointer to a previously opened file system. a_inum inum to start walking files system at.
- Returns
- 1 if an error occurred (messages will have been registered) and 0 on success
References registerError(), tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().
| TSK_RETVAL_ENUM TskAuto::findFilesInFsRet | ( | TSK_OFF_T | a_start, |
| TSK_FS_TYPE_ENUM | a_ftype | ||
| ) |
Starts in a specified byte offset of the opened disk images and looks for a file system.
Will call processFile() on each file that is found. Same as findFilesInFs, but gives more detailed return values.
- Parameters
-
a_start Byte offset to start analyzing from. a_ftype File system type.
- Returns
- Error (messages will have been registered), OK, or STOP.
References getCurVsPartDescr(), getCurVsPartFlag(), isCurVsValid(), registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fs_close(), tsk_fs_open_img(), TSK_OK, and TSK_VS_PART_FLAG_ALLOC.
Referenced by findFilesInFs().
| uint8_t TskAuto::findFilesInImg | ( | ) |
Starts in sector 0 of the opened disk images and looks for a volume or file system.
Will call processFile() on each file that is found.
- Returns
- 1 if an error occurred (message will have been registered) and 0 on success
References findFilesInFs(), findFilesInVs(), TSK_IMG_INFO::itype, registerError(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_TYPE_LOGICAL, and TSK_IMG_TYPE_LOGICAL.
Referenced by TskAutoDb::addFilesInImgToDb().
| uint8_t TskAuto::findFilesInPool | ( | TSK_OFF_T | start | ) |
Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool.
Will call processFile() on each file that is found.
- Parameters
-
start Byte offset to start analyzing from.
- Returns
- 1 if an error occurred (message will have been registered), 0 on success
Referenced by findFilesInVs().
| uint8_t TskAuto::findFilesInPool | ( | TSK_OFF_T | start, |
| TSK_POOL_TYPE_ENUM | ptype | ||
| ) |
Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool.
Will call processFile() on each file that is found.
- Parameters
-
start Byte offset to start analyzing from. ptype The type of pool
- Returns
- 1 if an error occurred (message will have been registered), 0 on success
References filterPool(), filterPoolVol(), m_stopAllProcessing, registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_FILTER_SKIP, TSK_FILTER_STOP, tsk_fs_close(), TSK_FS_TYPE_APFS, tsk_img_close(), TSK_OK, and TSK_STOP.
| uint8_t TskAuto::findFilesInVs | ( | TSK_OFF_T | a_start | ) |
Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.
Will call processFile() on each file that is found.
- Parameters
-
a_start Byte offset to start analyzing from.
- Returns
- 1 if an error occurred (message will have been registered), 0 on success
References TSK_VS_TYPE_DETECT.
Referenced by findFilesInImg().
| uint8_t TskAuto::findFilesInVs | ( | TSK_OFF_T | a_start, |
| TSK_VS_TYPE_ENUM | a_vtype | ||
| ) |
Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.
Will call processFile() on each file that is found.
- Parameters
-
a_start Byte offset to start analyzing from. a_vtype Volume system type to analyze
- Returns
- 1 if an error occurred (messages will have been registered) and 0 on success
References filterVs(), findFilesInFs(), findFilesInPool(), hasPool(), m_stopAllProcessing, TSK_VS_INFO::part_count, registerError(), tsk_error_get_errno(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FILTER_SKIP, TSK_FILTER_STOP, tsk_verbose, tsk_vs_close(), tsk_vs_open(), and tsk_vs_part_walk().
| std::string TskAuto::getCurVsPartDescr | ( | ) | const |
get volume description of the lastly processed volume
- Returns
- volume description string of the lastly processed volume
Referenced by findFilesInFs(), and findFilesInFsRet().
| TSK_VS_PART_FLAG_ENUM TskAuto::getCurVsPartFlag | ( | ) | const |
get volume flags of the lastly processed volume.
- Returns
- flags for lastly processed volume.
Referenced by findFilesInFs(), and findFilesInFsRet().
| const std::vector< TskAuto::error_record > TskAuto::getErrorList | ( | ) |
Get the list of errors that were added to the internal list.
This list could be empty if the implementing class already acted on the errors or never called addToErrorList().
- Returns
- list of errors.
| TSK_OFF_T TskAuto::getImageSize | ( | ) | const |
- Returns
- The size of the image in bytes or -1 if the image is not open.
References TSK_IMG_INFO::size.
|
virtual |
Override this method to get called for each error that is registered.
This method allows you to log the message or stop processing. Use setStopProcessing() to do that.
- Returns
- 1 to stop the processing flow and 0 to continue.
Reimplemented in TskIsImageSupported.
Referenced by registerError().
| bool TskAuto::hasPool | ( | TSK_OFF_T | a_start | ) |
Checks whether a volume contains a pool.
- Parameters
-
a_start Byte offset to start analyzing from.
- Returns
- true if a pool is found, false if not or on error
References registerError(), tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().
Referenced by findFilesInVs().
|
protected |
Utility method to help determine if an attribute is the default type for the file/dir.
- Returns
- 1 if the attribute is a default type, 0 if not.
References TSK_FS_FILE::fs_info, and TSK_FS_ATTR::type.
|
protected |
Utility method to help determine if a file is a directory.
- Returns
- 1 if the file is a directory, 0 if not.
References TSK_FS_FILE::meta, TSK_FS_FILE::name, TSK_FS_NAME_TYPE_UNDEF, TSK_FS_META::type, and TSK_FS_NAME::type.
Referenced by TskAutoDb::processFile().
|
protected |
Utility method to help determine if a file is a .
or .. directory.
- Parameters
-
a_fs_file File to evaluate
- Returns
- 1 if the file is a dot directory, 0 if not.
References TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_NAME::name_size, TSK_FS_NAME_TYPE_DIR, and TSK_FS_NAME::type.
|
protected |
Utility method to help determine if a file is a FAT file system file (such as $MBR).
- Returns
- 1 if the file is an FAT System file, 0 if not.
References TSK_FS_FILE::fs_info, TSK_FS_INFO::ftype, TSK_FS_NAME::meta_addr, TSK_FS_FILE::name, and TSK_FS_TYPE_ISFAT.
|
protected |
Utility method to help determine if a file is a file (and not a directory).
- Returns
- 1 if the file is a file, 0 if not.
References TSK_FS_FILE::meta, TSK_FS_FILE::name, TSK_FS_META_TYPE_REG, TSK_FS_NAME_TYPE_REG, TSK_FS_NAME_TYPE_UNDEF, TSK_FS_META::type, and TSK_FS_NAME::type.
|
protected |
Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data)
- Returns
- 1 if the attribute is non-resident, 0 if not.
References TSK_FS_ATTR::flags, and TSK_FS_ATTR_NONRES.
|
protected |
Utility method to help determine if a file is an NTFS file system file (such as $MFT).
- Returns
- 1 if the file is an NTFS System file, 0 if not.
References TSK_FS_FILE::fs_info, TSK_FS_INFO::ftype, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, and TSK_FS_TYPE_ISNTFS.
|
virtual |
Opens the disk image to be analyzed.
This must be called before any of the findFilesInXXX() methods.
- Parameters
-
a_numImg The number of images to open (will be > 1 for split images). a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order) a_imgType The disk image type (can be autodetection) a_sSize Size of device sector in bytes (or 0 for default)
- Returns
- 1 on error (messages were NOT registered), 0 on success
References closeImage(), m_internalOpen, resetErrorList(), and tsk_img_open().
Referenced by TskAutoDb::openImage().
|
virtual |
Uses the already opened image for future analysis.
This must be called before any of the findFilesInXXX() methods. Note that the TSK_IMG_INFO will not be freed when the TskAuto class is closed.
- Parameters
-
a_img_info Handle to an already opened disk image.
- Returns
- 1 on error (messages were NOT registered) and 0 on success
References closeImage(), m_internalOpen, and resetErrorList().
Referenced by TskAutoDb::startAddImage().
|
virtual |
Opens the disk image to be analyzed.
This must be called before any of the findFilesInXXX() methods. Always uses the utf8 tsk_img_open even in windows.
- Parameters
-
a_numImg The number of images to open (will be > 1 for split images). a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order) a_imgType The disk image type (can be autodetection) a_sSize Size of device sector in bytes (or 0 for default)
- Returns
- 1 on error (messages were NOT registered), 0 on success
References closeImage(), m_internalOpen, resetErrorList(), and tsk_img_open_utf8().
Referenced by TskAutoDb::openImageUtf8().
|
protectedvirtual |
Method that is called from processAttributes() for each attribute that a file has.
processAttributes() is not called by default. It exists so that implementations of processFile() can choose to call it if they want to look at all of the attributes. You must implement this method to see each attribute and modify processFile() so that it calls processAttributes().
- Parameters
-
fs_file File being analyzed. fs_attr Attribute of the file. path full path of parent directory
- Returns
- STOP or OK. All error must have been registered.
References TSK_OK.
Referenced by processAttributes().
|
protected |
Method that can be used from within processFile() to look at each attribute that a file may have.
This will call the processAttribute() method (which you must implement) on each of the attributes in the file.
- Parameters
-
fs_file file details path full path of parent directory
- Returns
- STOP if the file system processing should stop and not process more files or OK.
References m_stopAllProcessing, processAttribute(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_getsize(), TSK_OK, and TSK_STOP.
Referenced by TskAutoDb::processFile().
|
pure virtual |
TskAuto calls this method for each file and directory that it finds in an image.
The setFileFilterFlags() method can be used to set the criteria for what types of files this should be called for. There are several methods, such as isDir() that can be used by this method to help focus in on the files that you care about. When errors are encountered, send them to registerError().
- Parameters
-
fs_file file details path full path of parent directory
- Returns
- STOP or OK. All error must have been registered.
Implemented in TskAutoDb, and TskIsImageSupported.
| uint8_t TskAuto::registerError | ( | ) |
Internal method that TskAuto calls when it encounters issues while processing an image.
It will add the error to an internal list and then call handleError() to allow the sub-class to decide what to do with the error. The tsk global error values must be set before this is called (tsk_error_set_errno, etc.). This method will reset the error values before it returns.
- Returns
- 1 if the caller should stop processing (registerError() implementation should also call setStopProcessing() to ensure all processes stop) or 0 if they should continue.
References handleError(), tsk_error_get_errno(), tsk_error_get_errstr(), tsk_error_get_errstr2(), and tsk_error_reset().
Referenced by TskAutoDb::addFilesInImgToDb(), TskAutoDb::filterFs(), TskAutoDb::filterPool(), TskAutoDb::filterPoolVol(), TskAutoDb::filterVol(), TskAutoDb::filterVs(), findFilesInFs(), findFilesInFsRet(), findFilesInImg(), findFilesInPool(), findFilesInVs(), hasPool(), and TskAutoDb::startAddImage().
| void TskAuto::setFileFilterFlags | ( | TSK_FS_DIR_WALK_FLAG_ENUM | file_flags | ) |
Set the attributes for the files that should be processed.
The default settings are for all files (allocated and deleted). This must be called before the findFilesInXX() method.
- Parameters
-
file_flags Flags to use for filtering
Referenced by TskAutoDb::filterFs().
| void TskAuto::setVolFilterFlags | ( | TSK_VS_PART_FLAG_ENUM | vs_flags | ) |
Set the attributes for the volumes that should be processed.
The default settings are for Allocated Non-Meta volumes only. This must be called before the findFilesInXX() method.
- Parameters
-
vs_flags Flags to use for filtering
Referenced by TskAutoDb::addFilesInImgToDb().
The documentation for this class was generated from the following files:
- tsk/auto/tsk_auto.h
- tsk/auto/auto.cpp