The Sleuth Kit
4.11.1
Public Member Functions | |
TSK_RETVAL_ENUM | addCarvedFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId, int64_t dataSourceObjId) |
Adds information about a carved file with layout ranges into the database. | |
int | addFileLayoutRange (const TSK_DB_FILE_LAYOUT_RANGE &fileLayoutRange) |
Add file layout info to the database. | |
int | addFileLayoutRange (int64_t a_fileObjId, uint64_t a_byteStart, uint64_t a_byteLen, int a_sequence) |
Add file layout info to the database. | |
int | addFsFile (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr, const char *path, const unsigned char *const md5, const TSK_DB_FILES_KNOWN_ENUM known, int64_t fsObjId, int64_t &objId, int64_t dataSourceObjId) |
Add a file system file to the database. | |
int | addFsInfo (const TSK_FS_INFO *fs_info, int64_t parObjId, int64_t &objId) |
int | addImageInfo (int type, int size, int64_t &objId, const string &timezone) |
deprecated | |
int | addImageInfo (int type, int size, int64_t &objId, const string &timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256) |
int | addImageInfo (int type, TSK_OFF_T ssize, int64_t &objId, const string &timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256, const string &deviceId, const string &collectionDetails) |
Adds image details to the existing database tables. | |
int | addImageName (int64_t objId, char const *imgName, int sequence) |
int | addPoolInfoAndVS (const TSK_POOL_INFO *pool_info, int64_t parObjId, int64_t &vsObjId) |
Creates a new tsk_pool_info database entry and a new tsk_vs_info entry with the tsk_pool_info as its parent. | |
int | addPoolVolumeInfo (const TSK_POOL_VOLUME_INFO *pool_vol, int64_t parObjId, int64_t &objId) |
Adds the sector addresses of the pool volumes into the db. | |
int | addUnallocatedPoolVolume (int vol_index, int64_t parObjId, int64_t &objId) |
Adds a fake volume that will hold the unallocated blocks for the pool. | |
TSK_RETVAL_ENUM | addUnallocBlockFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId, int64_t dataSourceObjId) |
Adds information about an unallocated file with layout ranges into the database. | |
TSK_RETVAL_ENUM | addUnallocFsBlockFilesParent (const int64_t fsObjId, int64_t &objId, int64_t dataSourceObjId) |
Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs. | |
TSK_RETVAL_ENUM | addUnusedBlockFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId, int64_t dataSourceObjId) |
Adds information about an unused file with layout ranges into the database. | |
TSK_RETVAL_ENUM | addVirtualDir (const int64_t fsObjId, const int64_t parentDirId, const char *const name, int64_t &objId, int64_t dataSourceObjId) |
Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them. | |
int | addVolumeInfo (const TSK_VS_PART_INFO *vs_part, int64_t parObjId, int64_t &objId) |
Adds the sector addresses of the volumes into the db. | |
int | addVsInfo (const TSK_VS_INFO *vs_info, int64_t parObjId, int64_t &objId) |
int | close () |
int | createSavepoint (const char *name) |
Create a savepoint. | |
bool | dbExists () |
TSK_RETVAL_ENUM | getFileLayouts (vector< TSK_DB_FILE_LAYOUT_RANGE > &fileLayouts) |
Query tsk_file_layout and return rows for every entry in tsk_file_layout table. | |
TSK_RETVAL_ENUM | getFsInfos (int64_t imgId, vector< TSK_DB_FS_INFO > &fsInfos) |
Query tsk_fs_info and return rows for every entry in tsk_fs_info table. | |
TSK_RETVAL_ENUM | getFsRootDirObjectInfo (const int64_t fsObjId, TSK_DB_OBJECT &rootDirObjInfo) |
Query tsk_objects and tsk_files given file system id and return the root directory object. | |
TSK_RETVAL_ENUM | getObjectInfo (int64_t objId, TSK_DB_OBJECT &objectInfo) |
Query tsk_objects with given id and returns object info entry. | |
TSK_RETVAL_ENUM | getParentImageId (const int64_t objId, int64_t &imageId) |
Query tsk_objects to find the root image id for the object. | |
TSK_RETVAL_ENUM | getVsInfo (int64_t objId, TSK_DB_VS_INFO &vsInfo) |
Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry. | |
TSK_RETVAL_ENUM | getVsInfos (int64_t imgId, vector< TSK_DB_VS_INFO > &vsInfos) |
Query tsk_vs_info and return rows for every entry in tsk_vs_info table. | |
TSK_RETVAL_ENUM | getVsPartInfos (int64_t imgId, vector< TSK_DB_VS_PART_INFO > &vsPartInfos) |
Query tsk_vs_part and return rows for every entry in tsk_vs_part table. | |
bool | inTransaction () |
bool | isDbOpen () |
Returns true if database is opened. | |
int | open (bool) |
int | releaseSavepoint (const char *name) |
Release a savepoint. | |
int | revertSavepoint (const char *name) |
Rollback to specified savepoint and release. | |
TskDbSqlite (const char *a_dbFilePathUtf8, bool a_blkMapFlag) | |
Set the locations and logging object. | |
Public Member Functions inherited from TskDb | |
virtual bool | getParentPathAndName (const char *path, const char **ret_parent_path, const char **ret_name) |
TskDb (const char *a_dbFilePathUtf8, bool a_blkMapFlag) | |
Set the locations and logging object. | |
Additional Inherited Members | |
Protected Member Functions inherited from TskDb | |
void | extractExtension (char *name, char *extension) |
Extract the extension from the given file name and store it in the supplied string. | |
TskDbSqlite::TskDbSqlite (const char *a_dbFilePathUtf8, bool a_blkMapFlag)
Set the locations and logging object.
Must call open() before the object can be used.
virtual |
Adds information about a carved file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table.
parentObjId | Id of the parent object in the database (fs, volume, or image) |
fsObjId | fs id associated with the file, or NULL |
size | Number of bytes in file |
ranges | vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in) |
objId | object id of the file object created (output) |
dataSourceObjId | The object ID for the data source |
Implements TskDb.
References TSK_DB_FILES_TYPE_CARVED.
virtual |
Add file layout info to the database.
This table stores the run information for each file so that we can map which parts of an image are used by what files.
fileLayoutRange | TSK_DB_FILE_LAYOUT_RANGE object storing a single file layout range entry |
Implements TskDb.
References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId.
virtual |
Add file layout info to the database.
This table stores the run information for each file so that we can map which parts of an image are used by what files.
a_fileObjId | ID of the file |
a_byteStart | Byte address relative to the start of the image file |
a_byteLen | Length of the run in bytes |
a_sequence | Sequence of this run in the file |
Implements TskDb.
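The run table described above maps parts of an image to files; the following added C++ example (not code from The Sleuth Kit) shows how rows of that shape can be validated, searched by image offset, and walked in sequence order. `LayoutRange`, `rangeIsSane`, `ownerOf`, `fileToImageOffset` and `sampleRows` are hypothetical names, and the sample rows are constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// Stand-in for one tsk_file_layout row (assumption: not the TSK struct);
// fields follow the four addFileLayoutRange() parameters.
struct LayoutRange {
    int64_t  fileObjId;
    uint64_t byteStart;  // relative to the start of the image file
    uint64_t byteLen;    // length of the run in bytes
    int      sequence;   // position of this run within the file
};

// Reject rows that would make later offset arithmetic unsafe.
bool rangeIsSane(const LayoutRange &r, uint64_t imageSize) {
    return r.byteLen != 0 && r.byteStart < imageSize &&
           r.byteLen <= imageSize - r.byteStart;  // cannot wrap uint64_t
}

// Find the file object whose run covers an image offset (first match).
bool ownerOf(const std::vector<LayoutRange> &rows, uint64_t imgOff, int64_t &fileObjId) {
    for (const auto &r : rows)
        if (imgOff >= r.byteStart && imgOff - r.byteStart < r.byteLen) {
            fileObjId = r.fileObjId;
            return true;
        }
    return false;
}

// Translate an offset inside a file into an image offset by walking the
// file's runs in sequence order.
bool fileToImageOffset(std::vector<LayoutRange> rows, int64_t fileObjId,
                       uint64_t fileOff, uint64_t &imgOff) {
    std::sort(rows.begin(), rows.end(), [](const LayoutRange &a, const LayoutRange &b) {
        return a.sequence < b.sequence;
    });
    for (const auto &r : rows) {
        if (r.fileObjId != fileObjId) continue;
        if (fileOff < r.byteLen) { imgOff = r.byteStart + fileOff; return true; }
        fileOff -= r.byteLen;
    }
    return false;  // offset lies past the last run
}

// Constructed sample rows: file 12 is fragmented and stored out of order.
std::vector<LayoutRange> sampleRows() {
    return { {12, 8192, 1024, 1}, {12, 4096, 512, 0}, {15, 20480, 2048, 0} };
}
```

Checking each row with `rangeIsSane` before using it keeps a corrupted or tampered case database from producing reads outside the image.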
virtual |
Add a file system file to the database.
fs_file | File structure to add |
fs_attr | Specific attribute to add |
path | Path of parent folder |
md5 | Binary value of MD5 (i.e. 16 bytes) or NULL |
known | Status regarding if it was found in hash database or not |
fsObjId | File system object of its file system |
objId | ID that was assigned to it from the objects table |
dataSourceObjId | The object ID for the data source |
Implements TskDb.
References TSK_FS_FILE::fs_info, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, and TSK_FS_INFO::root_inum.
virtual |
Implements TskDb.
References TSK_FS_INFO::block_count, TSK_FS_INFO::block_size, TSK_FS_INFO::first_inum, TSK_FS_INFO::ftype, TSK_FS_INFO::last_inum, TSK_FS_INFO::offset, TSK_FS_INFO::root_inum, and TSK_DB_OBJECT_TYPE_FS.
virtual |
virtual |
Adds image details to the existing database tables.
type | Image type |
ssize | Size of device sector in bytes (or 0 for default) |
objId | The object id assigned to the image (out param) |
timezone | The timezone the image is from |
size | The size of the image in bytes. |
md5 | MD5 hash of the image |
deviceId | An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID). |
Implements TskDb.
References TSK_DB_OBJECT_TYPE_IMG.
virtual |
Implements TskDb.
virtual |
Creates a new tsk_pool_info database entry and a new tsk_vs_info entry with the tsk_pool_info as its parent.
pool_info | The pool to save to the database |
parObjId | The ID of the parent of the pool object |
vsObjId | Will be set to the object ID of the new volume system created as a child of the new pool. |
Implements TskDb.
References TSK_DB_OBJECT_TYPE_POOL, TSK_DB_OBJECT_TYPE_VS, and TSK_VS_TYPE_APFS.
virtual |
Adds the sector addresses of the pool volumes into the db.
pool_vol | The pool volume to save to the DB |
parObjId | The ID of the parent of the pool volume (should be a volume system) |
objId | Will be set to the object ID of the new volume |
Implements TskDb.
References TSK_DB_OBJECT_TYPE_VOL.
virtual |
Adds a fake volume that will hold the unallocated blocks for the pool.
vol_index | The index for the new volume (should be one higher than the number of pool volumes) |
parObjId | The object ID of the parent volume system |
objId | Will be set to the object ID of the new volume |
Implements TskDb.
References TSK_DB_OBJECT_TYPE_VOL.
virtual |
Adds information about an unallocated file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table.
parentObjId | Id of the parent object in the database (fs, volume, or image) |
fsObjId | parent fs, or NULL if the file is not associated with fs |
size | Number of bytes in file |
ranges | vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in) |
objId | object id of the file object created (output) |
dataSourceObjId | The object ID for the data source |
Implements TskDb.
References TSK_DB_FILES_TYPE_UNALLOC_BLOCKS.
virtual |
Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs.
The dir is associated with its root dir parent for the fs.
fsObjId | (in) fs id to find root dir for and create $Unalloc dir for |
objId | (out) object id of the $Unalloc dir created |
dataSourceObjId | The object ID for the data source |
Implements TskDb.
References addVirtualDir(), getFsRootDirObjectInfo(), _TSK_DB_OBJECT::objId, and TSK_ERR.
virtual |
Adds information about an unused file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table.
parentObjId | Id of the parent object in the database (fs, volume, or image) |
fsObjId | parent fs, or NULL if the file is not associated with fs |
size | Number of bytes in file |
ranges | vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in) |
objId | object id of the file object created (output) |
dataSourceObjId | The object ID for the data source |
Implements TskDb.
References TSK_DB_FILES_TYPE_UNUSED_BLOCKS.
virtual |
Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them.
fsObjId | (in) file system object id to associate with the virtual directory. |
parentDirId | (in) parent dir object id of the new directory: either another virtual directory or root fs directory |
name | (in) name of the new virtual directory |
objId | (out) object id of the created virtual directory object |
dataSourceObjId | The object Id of the data source |
Implements TskDb.
References TSK_DB_FILES_KNOWN_UNKNOWN, TSK_DB_FILES_TYPE_VIRTUAL_DIR, TSK_DB_OBJECT_TYPE_FILE, TSK_ERR, TSK_FS_META_FLAG_ALLOC, TSK_FS_META_FLAG_USED, TSK_FS_META_TYPE_DIR, TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_TYPE_DIR, and TSK_OK.
Referenced by addUnallocFsBlockFilesParent().
virtual |
Adds the sector addresses of the volumes into the db.
Implements TskDb.
References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::desc, TSK_VS_PART_INFO::flags, TSK_VS_PART_INFO::len, TSK_VS_PART_INFO::start, and TSK_DB_OBJECT_TYPE_VOL.
virtual |
Implements TskDb.
References TSK_VS_INFO::block_size, TSK_VS_INFO::offset, TSK_DB_OBJECT_TYPE_VS, and TSK_VS_INFO::vstype.
virtual |
Create a savepoint.
Call revertSavepoint() or releaseSavepoint() to revert or commit.
name | Name to call savepoint |
Implements TskDb.
virtual |
Query tsk_file_layout and return rows for every entry in tsk_file_layout table.
fileLayouts | (out) TSK_DB_FILE_LAYOUT_RANGE row representations to return |
Implements TskDb.
References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId, TSK_ERR, and TSK_OK.
virtual |
Query tsk_fs_info and return rows for every entry in tsk_fs_info table.
imgId | the object id of the image to get filesystems for |
fsInfos | (out) TSK_DB_FS_INFO row representations to return |
Implements TskDb.
References getParentImageId(), _TSK_DB_FS_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and TSK_OK.
virtual |
Query tsk_objects and tsk_files given file system id and return the root directory object.
fsObjId | (int) file system id to query root dir object for |
rootDirObjInfo | (out) TSK_DB_OBJECT root dir entry representation to return |
Implements TskDb.
References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by addUnallocFsBlockFilesParent().
virtual |
Query tsk_objects with given id and returns object info entry.
objId | object id to query |
objectInfo | (out) TSK_DB_OBJECT entry representation to return |
Implements TskDb.
References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by getParentImageId().
virtual |
Query tsk_objects to find the root image id for the object.
objId | (in) object id to query |
imageId | (out) root parent image id returned |
Implements TskDb.
References getObjectInfo(), _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by getFsInfos(), getVsInfos(), and getVsPartInfos().
virtual |
Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry.
objId | vs id to query |
vsInfo | (out) TSK_DB_VS_INFO entry representation to return |
Implements TskDb.
References _TSK_DB_VS_INFO::objId, TSK_ERR, and TSK_OK.
virtual |
Query tsk_vs_info and return rows for every entry in tsk_vs_info table.
imgId | the object id of the image to get volume systems for |
vsInfos | (out) TSK_DB_VS_INFO row representations to return |
Implements TskDb.
References getParentImageId(), _TSK_DB_VS_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and TSK_OK.
virtual |
Query tsk_vs_part and return rows for every entry in tsk_vs_part table.
imgId | the object id of the image to get vs parts for |
vsPartInfos | (out) TSK_DB_VS_PART_INFO row representations to return |
Implements TskDb.
References getParentImageId(), _TSK_DB_VS_PART_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_MAX_DB_VS_PART_INFO_DESC_LEN, and TSK_OK.
virtual |
Release a savepoint.
Commits if the savepoint was not rolled back.
name | Name of savepoint |
Implements TskDb.
Referenced by revertSavepoint().
virtual |
Rollback to specified savepoint and release.
name | Name of savepoint |
Implements TskDb.
References releaseSavepoint().
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.