The Sleuth Kit  4.11.1
Public Member Functions | Static Public Member Functions | Public Attributes | List of all members
TskCaseDb Class Reference

Stores case-level information in a database on one or more disk images. More...

#include <tsk_case_db.h>

Public Member Functions

uint8_t addImage (int numImg, const TSK_TCHAR *const imagePaths[], TSK_IMG_TYPE_ENUM imgType, unsigned int sSize)
 Add an image to the database. More...
 
void clearLookupDatabases ()
 
TskAutoDbinitAddImage ()
 Prepares the process to add an image to the database. More...
 
uint8_t setKnownBadHashDb (TSK_TCHAR *const indexFile)
 
uint8_t setNSRLHashDb (TSK_TCHAR *const indexFile)
 

Static Public Member Functions

static TskCaseDbnewDb (const TSK_TCHAR *path)
 Creates a new single-user case with a new database and initializes its tables. More...
 
static TskCaseDbopenDb (const TSK_TCHAR *path)
 Opens a single-user case from an existing database. More...
 

Public Attributes

unsigned int m_tag
 

Detailed Description

Stores case-level information in a database on one or more disk images.

Member Function Documentation

uint8_t TskCaseDb::addImage ( int  numImg,
const TSK_TCHAR *const  imagePaths[],
TSK_IMG_TYPE_ENUM  imgType,
unsigned int  sSize 
)

Add an image to the database.

This method does not allow you to customize any of the settings for ingest (such as hash calculation, and block map population). Use TskCaseDb::initAddImage() to set these values.

Parameters
numImgNumber of images to add
imagePathsPaths to the image splits to open.
imgTypeTYpe of image format
sSizeSector size of image
Returns
1 on error and 0 on success

References TskAutoDb::commitAddImage(), TskAutoDb::revertAddImage(), and TskAutoDb::startAddImage().

TskAutoDb * TskCaseDb::initAddImage ( )

Prepares the process to add an image to the database.

This method allows the caller to specify options to be used during the ingest.

Returns
TskAutDb object that can be used to add the image.
TskCaseDb * TskCaseDb::newDb ( const TSK_TCHAR path)
static

Creates a new single-user case with a new database and initializes its tables.

Fails if there's already a file at the given path.

Parameters
pathFull path to create new database at.
Returns
Pointer to a new TskCaseDb object, NULL on error

References PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

TskCaseDb * TskCaseDb::openDb ( const TSK_TCHAR path)
static

Opens a single-user case from an existing database.

Parameters
pathFull path to open database from.
Returns
Pointer to a new TskCaseDb object, NULL on error

References PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

The documentation for this class was generated from the following files:

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.