Public Member Functions | |
| uint8_t | addFilesInImgToDb () |
| Analyzes the open image and adds image info to a database. More... | |
| virtual void | closeImage () |
| Closes the handles to the open disk image. More... | |
| int64_t | commitAddImage () |
| Finish the transaction after the startAddImage is finished. More... | |
| virtual void | createBlockMap (bool flag) |
| virtual TSK_FILTER_ENUM | filterFs (TSK_FS_INFO *fs_info) |
| TskAuto calls this method before it processes each file system that is found in a volume. More... | |
| virtual TSK_FILTER_ENUM | filterPool (const TSK_POOL_INFO *pool_info) |
| TskAuto calls this method before it processes each pool that is found. More... | |
| virtual TSK_FILTER_ENUM | filterPoolVol (const TSK_POOL_VOLUME_INFO *pool_vol) |
| TskAuto calls this method before it processes each pool volume that is found in a pool. More... | |
| virtual TSK_FILTER_ENUM | filterVol (const TSK_VS_PART_INFO *vs_part) |
| TskAuto calls this method before it processes each volume that is found in a volume system. More... | |
| virtual TSK_FILTER_ENUM | filterVs (const TSK_VS_INFO *vs_info) |
| TskAuto calls this method before it processes the volume system that is found in an image. More... | |
| const std::string | getCurDir () |
| Returns the directory currently being analyzed by processFile(). More... | |
| virtual void | hashFiles (bool flag) |
| Calculate hash values of files and add them to database. More... | |
| bool | isDbOpen () |
| Check if we can talk to the database. More... | |
| virtual uint8_t | openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize, const char *deviceId=NULL) |
| Adds an image to the database. More... | |
| virtual uint8_t | openImage (const char *a_deviceId=NULL) |
| Adds an image to the database. More... | |
| virtual uint8_t | openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize, const char *deviceId=NULL) |
| Adds an image to the database. More... | |
| virtual TSK_RETVAL_ENUM | processFile (TSK_FS_FILE *fs_file, const char *path) |
| TskAuto calls this method for each file and directory that it finds in an image. More... | |
| int | revertAddImage () |
| Revert all changes after the startAddImage() process has run successfully. More... | |
| void | setAddFileSystems (bool addFileSystems) |
| Sets whether or not the file systems for an image should be added when the image is added to the case database. More... | |
| virtual void | setAddUnallocSpace (bool addUnallocSpace) |
| When enabled, records for unallocated file system space will be added to the database. More... | |
| virtual void | setAddUnallocSpace (bool addUnallocSpace, int64_t minChunkSize) |
| When enabled, records for unallocated file system space will be added to the database. More... | |
| virtual void | setAddUnallocSpace (int64_t minChunkSize, int64_t maxChunkSize) |
| When enabled, records for unallocated file system space will be added to the database with the given parameters. More... | |
| virtual void | setNoFatFsOrphans (bool noFatFsOrphans) |
| Skip processing of orphans on FAT filesystems. More... | |
| virtual void | setTz (std::string tzone) |
| Set the current image's timezone. | |
| uint8_t | startAddImage (int numImg, const TSK_TCHAR *const imagePaths[], TSK_IMG_TYPE_ENUM imgType, unsigned int sSize, const char *deviceId=NULL) |
| Start the process to add image/file metadata to database inside of a transaction. More... | |
| uint8_t | startAddImage (TSK_IMG_INFO *img_info, const char *deviceId=NULL) |
| Start the process to add image/file metadata to database inside of a transaction. More... | |
| void | stopAddImage () |
| Cancel the running process. More... | |
| TskAutoDb (TskDb *a_db, TSK_HDB_INFO *a_NSRLDb, TSK_HDB_INFO *a_knownBadDb) | |
 Public Member Functions inherited from TskAuto | |
| virtual void | disableImageWriter () |
| Disables image writer. | |
| virtual TSK_RETVAL_ENUM | enableImageWriter (const char *imagePath) |
| Enables image writer, which creates a copy of the image as it is being processed. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_INUM_T inum) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype, TSK_INUM_T inum) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_FS_INFO *a_fs_info) |
| Processes the file system represented by the given TSK_FS_INFO pointer. More... | |
| uint8_t | findFilesInFs (TSK_FS_INFO *a_fs_info, TSK_INUM_T inum) |
| Processes the file system represented by the given TSK_FS_INFO pointer. More... | |
| TSK_RETVAL_ENUM | findFilesInFsRet (TSK_OFF_T start, TSK_FS_TYPE_ENUM a_ftype) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInImg () |
| Starts in sector 0 of the opened disk images and looks for a volume or file system. More... | |
| uint8_t | findFilesInPool (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool. More... | |
| uint8_t | findFilesInPool (TSK_OFF_T start, TSK_POOL_TYPE_ENUM ptype) |
| Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool. More... | |
| uint8_t | findFilesInVs (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and looks for a volume system or file system. More... | |
| uint8_t | findFilesInVs (TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype) |
| Starts in a specified byte offset of the opened disk images and looks for a volume system or file system. More... | |
| std::string | getCurVsPartDescr () const |
| get volume description of the lastly processed volume More... | |
| TSK_VS_PART_FLAG_ENUM | getCurVsPartFlag () const |
| get volume flags of the lastly processed volume. More... | |
| const std::vector< error_record > | getErrorList () |
| Get the list of errors that were added to the internal list. More... | |
| TSK_OFF_T | getImageSize () const |
| bool | getStopProcessing () const |
| Returns true if all processing and recursion should stop. | |
| virtual uint8_t | handleError () |
| Override this method to get called for each error that is registered. More... | |
| bool | hasPool (TSK_OFF_T a_start) |
| Checks whether a volume contains a pool. More... | |
| bool | isCurVsValid () const |
| Determine if we are inside of a volume system and therefore we can trust the results of getCurVsPartFlag/Desc. | |
| virtual uint8_t | openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| Opens the disk image to be analyzed. More... | |
| virtual uint8_t | openImageHandle (TSK_IMG_INFO *) |
| Uses the already opened image for future analysis. More... | |
| virtual uint8_t | openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| Opens the disk image to be analyzed. More... | |
| uint8_t | registerError () |
| Internal method that TskAuto calls when it encounters issues while processing an image. More... | |
| void | resetErrorList () |
| Remove the errors on the internal list. | |
| void | setExternalFileSystemList (const std::list< TSK_FS_INFO * > &exteralFsInfoList) |
| Store a list of pointers to open file systems to use when calling findFilesInImg instead of opening a new copy. | |
| void | setFileFilterFlags (TSK_FS_DIR_WALK_FLAG_ENUM) |
| Set the attributes for the files that should be processed. More... | |
| void | setVolFilterFlags (TSK_VS_PART_FLAG_ENUM) |
| Set the attributes for the volumes that should be processed. More... | |
Additional Inherited Members | |
| Static Public Member Functions inherited from TskAuto | |
| static std::string | errorRecordToString (error_record &rec) |
| Public Attributes inherited from TskAuto | |
| unsigned int | m_tag |
| Protected Member Functions inherited from TskAuto | |
| uint8_t | isDefaultType (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr) |
| Utility method to help determine if an attribute is the default type for the file/dir. More... | |
| uint8_t | isDir (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a directory. More... | |
| uint8_t | isDotDir (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a . More... | |
| uint8_t | isFATSystemFiles (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a FAT file system file (such as $MBR). More... | |
| uint8_t | isFile (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a file (and not a directory). More... | |
| uint8_t | isNonResident (const TSK_FS_ATTR *fs_attr) |
| Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data) More... | |
| uint8_t | isNtfsSystemFiles (TSK_FS_FILE *fs_file, const char *path) |
| Utility method to help determine if a file is an NTFS file system file (such as $MFT). More... | |
| TSK_RETVAL_ENUM | processAttributes (TSK_FS_FILE *fs_file, const char *path) |
| Method that can be used from within processFile() to look at each attribute that a file may have. More... | |
| void | setStopProcessing () |
| When called, will cause TskAuto to not continue to recurse into directories and volumes. | |
| Protected Attributes inherited from TskAuto | |
| std::list< TSK_FS_INFO * > | m_exteralFsInfoList |
| bool | m_imageWriterEnabled |
| TSK_TCHAR * | m_imageWriterPath |
| TSK_IMG_INFO * | m_img_info |
| bool | m_internalOpen |
| True if m_img_info was opened in TskAuto and false if passed in. | |
| std::vector< const TSK_POOL_INFO * > | m_poolInfos |
| bool | m_stopAllProcessing |
| True if no further processing should occur. | |
Constructor & Destructor Documentation
| TskAutoDb::TskAutoDb | ( | TskDb * | a_db, |
| TSK_HDB_INFO * | a_NSRLDb, | ||
| TSK_HDB_INFO * | a_knownBadDb | ||
| ) |
- Parameters
-
a_db Database to add an image to a_NSRLDb Database of "known" files (can be NULL) a_knownBadDb Database of "known bad" files (can be NULL)
Member Function Documentation
| uint8_t TskAutoDb::addFilesInImgToDb | ( | ) |
Analyzes the open image and adds image info to a database.
Does not deal with transactions and such. Refer to startAddImage() for more control.
- Returns
- 1 if a critical error occurred (DB doesn't exist, no file system, etc.), 2 if errors occurred at some point adding files to the DB (corrupt file, etc.), and 0 otherwise. Errors will have been registered.
References TskAuto::findFilesInImg(), TskAuto::registerError(), TskAuto::setVolFilterFlags(), TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_OK, TSK_VS_PART_FLAG_ALLOC, and TSK_VS_PART_FLAG_UNALLOC.
Referenced by startAddImage().
|
virtual |
Closes the handles to the open disk image.
Should be called after you have completed analysis of the image.
Reimplemented from TskAuto.
References TskAuto::closeImage().
| int64_t TskAutoDb::commitAddImage | ( | ) |
Finish the transaction after the startAddImage is finished.
- Returns
- Id of the image that was added or -1 on error (error was NOT registered in list)
References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), and tsk_verbose.
Referenced by TskCaseDb::addImage().
|
virtual |
TskAuto calls this method before it processes each file system that is found in a volume.
You can use this to learn about each file system before it is processed and you can force TskAuto to skip this file system.
- Parameters
-
fs_info file system details
- Returns
- Value to show if FS should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TSK_FS_INFO::ftype, processFile(), TskAuto::registerError(), TskAuto::setFileFilterFlags(), TSK_FILTER_CONT, TSK_FILTER_STOP, TSK_FS_DIR_WALK_FLAG_ALLOC, TSK_FS_DIR_WALK_FLAG_NOORPHAN, TSK_FS_DIR_WALK_FLAG_UNALLOC, tsk_fs_file_close(), tsk_fs_file_open(), and TSK_FS_TYPE_ISFAT.
|
virtual |
TskAuto calls this method before it processes each pool that is found.
You can use this to learn about each pool before it is processed and you can force TskAuto to skip this volume.
- Parameters
-
pool_vol Pool details
- Returns
- Value to show if pool should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.
|
virtual |
TskAuto calls this method before it processes each pool volume that is found in a pool.
You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume.
- Parameters
-
pool_vol Pool volume details
- Returns
- Value to show if pool volume should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.
|
virtual |
TskAuto calls this method before it processes each volume that is found in a volume system.
You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume. The setvolFilterFlags() method can be used to configure if TskAuto should process unallocated space.
- Parameters
-
vs_part Parition details
- Returns
- Value to show if volume should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.
|
virtual |
TskAuto calls this method before it processes the volume system that is found in an image.
You can use this to learn about the volume system before it is processed and you can force TskAuto to skip this volume system.
- Parameters
-
vs_info volume system details
- Returns
- Value to show if Vs should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.
| const std::string TskAutoDb::getCurDir | ( | ) |
Returns the directory currently being analyzed by processFile().
Safe to use from another thread than processFile().
- Returns
- curDirPath string representing currently analyzed directory
|
virtual |
Calculate hash values of files and add them to database.
Default is false. Will be set to true if a Hash DB is configured.
- Parameters
-
flag True to calculate hash values and look them up.
| bool TskAutoDb::isDbOpen | ( | ) |
Check if we can talk to the database.
Returns true if the database is reachable with current credentials, false otherwise.
|
virtual |
Adds an image to the database.
- Parameters
-
a_num Number of image parts a_images Array of paths to the image parts a_type Image type a_ssize Size of device sector in bytes (or 0 for default) a_deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
- Returns
- 0 for success, 1 for failure
References TskAuto::openImage(), and openImageUtf8().
Referenced by startAddImage().
|
virtual |
Adds an image to the database.
Requires that m_img_info is already initialized
- Parameters
-
a_deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
- Returns
- 0 for success, 1 for failure
|
virtual |
Adds an image to the database.
- Parameters
-
a_num Number of image parts a_images Array of paths to the image parts a_type Image type a_ssize Size of device sector in bytes (or 0 for default) a_deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
- Returns
- 0 for success, 1 for failure
References TskAuto::openImageUtf8().
Referenced by openImage().
|
virtual |
TskAuto calls this method for each file and directory that it finds in an image.
The setFileFilterFlags() method can be used to set the criteria for what types of files this should be called for. There are several methods, such as isDir() that can be used by this method to help focus in on the files that you care about. When errors are encountered, send them to registerError().
- Parameters
-
fs_file file details path full path of parent directory
- Returns
- STOP or OK. All error must have been registered.
Implements TskAuto.
References TskAuto::isDir(), TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_NAME::par_addr, TskAuto::processAttributes(), TSK_DB_FILES_KNOWN_UNKNOWN, tsk_fprintf(), tsk_fs_file_attr_getsize(), TSK_OK, TSK_STOP, and tsk_verbose.
Referenced by filterFs().
| int TskAutoDb::revertAddImage | ( | ) |
Revert all changes after the startAddImage() process has run successfully.
- Returns
- 1 on error (error was NOT registered in list), 0 on success
References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), and tsk_verbose.
Referenced by TskCaseDb::addImage(), and startAddImage().
| void TskAutoDb::setAddFileSystems | ( | bool | addFileSystems | ) |
Sets whether or not the file systems for an image should be added when the image is added to the case database.
The default value is true.
|
virtual |
When enabled, records for unallocated file system space will be added to the database.
Default value is false.
- Parameters
-
addUnallocSpace If true, create records for contiguous unallocated file system sectors.
|
virtual |
When enabled, records for unallocated file system space will be added to the database.
Default value is false.
- Parameters
-
addUnallocSpace If true, create records for contiguous unallocated file system sectors. minChunkSize the number of bytes to group unallocated data into. A value of 0 will create one large chunk and group only on volume boundaries. A value of -1 will group each consecutive chunk.
|
virtual |
When enabled, records for unallocated file system space will be added to the database with the given parameters.
Automatically sets the flag to create records for contiguous unallocated file system sectors.
- Parameters
-
minChunkSize the number of bytes to group unallocated data into. A value of 0 will create one large chunk and group only on volume boundaries. A value of -1 will group each consecutive chunk. maxChunkSize the maximum number of bytes in one record of unallocated data. A value of -1 will not split the records based on size
|
virtual |
Skip processing of orphans on FAT filesystems.
This will make the loading of the database much faster but you will not have all deleted files. Default value is false.
- Parameters
-
noFatFsOrphans flag set to true if to skip processing orphans on FAT fs
| uint8_t TskAutoDb::startAddImage | ( | int | numImg, |
| const TSK_TCHAR *const | imagePaths[], | ||
| TSK_IMG_TYPE_ENUM | imgType, | ||
| unsigned int | sSize, | ||
| const char * | deviceId = NULL |
||
| ) |
Start the process to add image/file metadata to database inside of a transaction.
User must call either commitAddImage() to commit the changes, or revertAddImage() to revert them.
- Parameters
-
numImg Number of image parts imagePaths Array of paths to the image parts imgType Image type sSize Size of device sector in bytes (or 0 for default) deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID)
- Returns
- 0 for success, 1 for failure
References addFilesInImgToDb(), openImage(), TskAuto::registerError(), revertAddImage(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), and tsk_verbose.
Referenced by TskCaseDb::addImage().
| uint8_t TskAutoDb::startAddImage | ( | TSK_IMG_INFO * | img_info, |
| const char * | deviceId = NULL |
||
| ) |
Start the process to add image/file metadata to database inside of a transaction.
User must call either commitAddImage() to commit the changes, or revertAddImage() to revert them.
- Parameters
-
img_info Previously initialized TSK_IMG_INFO object deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID)
- Returns
- 0 for success, 1 for failure
References addFilesInImgToDb(), openImage(), TskAuto::openImageHandle(), TskAuto::registerError(), revertAddImage(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), and tsk_verbose.
| void TskAutoDb::stopAddImage | ( | ) |
Cancel the running process.
Will not be handled immediately.
References TskAuto::setStopProcessing(), tsk_fprintf(), and tsk_verbose.
The documentation for this class was generated from the following files:
- tsk/auto/tsk_case_db.h
- tsk/auto/auto_db.cpp