The Sleuth Kit
4.11.1
|
Class that represents an allocated or deleted file. More...
#include <tsk_fs.h>
Public Member Functions | |
void | close () |
Close an open file. More... | |
const TskFsAttribute * | getAttr (int a_idx) |
const TskFsAttribute * | getAttr (TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, uint8_t a_id_used) |
const TskFsAttribute * | getAttrDefault () |
int | getAttrSize () |
TskFsInfo * | getFsInfo () |
Return pointer file system that the file is located in. More... | |
TskFsMeta * | getMeta () |
Return pointer to the file's metadata (or NULL if name has invalid metadata address) More... | |
TskFsName * | getName () |
Return pointer to the file's name (or NULL if file was opened using metadata address) More... | |
uint8_t | open (TskFsInfo *a_fs, TskFsFile *a_fs_file, TSK_INUM_T a_addr) |
Open a file given its metadata address. More... | |
uint8_t | open (TskFsInfo *a_fs, TskFsFile *a_fs_file, const char *a_path) |
Return the handle structure for a specific file, given its full path. More... | |
ssize_t | read (TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) |
Read the contents of a specific attribute of a file using a typical read() type interface. More... | |
ssize_t | read (TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) |
Read the contents of the default attribute of a file using a typical read() type interface. More... | |
TskFsFile (TSK_FS_FILE *a_fsFile) | |
Construct a TskFsFile object from a C struct. More... | |
TskFsFile () | |
default constructor to construct a TskFsFile object | |
uint8_t | walk (TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CPP_CB a_action, void *a_ptr) |
Process a specific attribute in a file and call a callback function with the file contents. More... | |
uint8_t | walk (TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CPP_CB a_action, void *a_ptr) |
Process the default attribute for the file and call a callback function with the file contents. More... | |
~TskFsFile () | |
Close an open file. | |
Friends | |
class | TskFsDir |
Class that represents an allocated or deleted file.
The non-default constructor or open method must be called first. otherwise, the results of the getX() methods are undefined. See TSK_FS_FILE for more details.
|
inline |
Construct a TskFsFile object from a C struct.
a_fsFile | a pointer of TSK_FS_FILE |
|
inline |
Close an open file.
See tsk_fs_file_close() for details.
References tsk_fs_file_close().
Referenced by ~TskFsFile().
|
inline |
Return pointer file system that the file is located in.
References TSK_FS_FILE::fs_info.
|
inline |
Return pointer to the file's metadata (or NULL if name has invalid metadata address)
References TSK_FS_FILE::meta.
|
inline |
Return pointer to the file's name (or NULL if file was opened using metadata address)
References TSK_FS_FILE::name.
|
inline |
Open a file given its metadata address.
This function loads the metadata and returns a handle that can be used to read and process the file. Note that the returned class will not have the file name set because it was not used to load the file and this function does not search the directory structure to find the name that points to the address. In general, if you know the metadata address of a file, this function is more efficient then tsk_fs_file_open, which first maps a file name to the metadata address and then open the file using this function. See tsk_fs_file_open_meta() for details
a_fs | File system to analyze |
a_fs_file | object to store file data in or NULL to have one allocated. |
a_addr | Metadata address of file to lookup |
References tsk_fs_file_open_meta().
Return the handle structure for a specific file, given its full path.
Note that if you have the metadata address fo the file, then tsk_fs_file_open_meta() is a more efficient approach. See tsk_fs_file_open() for details
a_fs | File system to analyze |
a_fs_file | Structure to store file data in or NULL to have one allocated. |
a_path | Path of file to open |
References tsk_fs_file_open().
|
inline |
Read the contents of a specific attribute of a file using a typical read() type interface.
0s are returned for missing runs of files. See tsk_fs_file_read_type() for details
a_type | The type of attribute to load |
a_id | The id of attribute to load (use 0 and set a_flags if you do not care) |
a_offset | The byte offset to start reading from. |
a_buf | The buffer to read the data into. |
a_len | The number of bytes to read from the file. |
a_flags | Flags to use while reading |
References tsk_fs_file_read_type().
|
inline |
Read the contents of the default attribute of a file using a typical read() type interface.
0s are returned for missing runs of files. See tsk_fs_file_read() for details
a_offset | The byte offset to start reading from. |
a_buf | The buffer to read the data into. |
a_len | The number of bytes to read from the file. |
a_flags | Flags to use while reading |
References tsk_fs_file_read().
|
inline |
Process a specific attribute in a file and call a callback function with the file contents.
See tsk_fs_file_walk_type() for details
a_type | Attribute type to process |
a_id | Id if attribute to process |
a_flags | Flags to use while processing file |
a_action | Callback action to call with content |
a_ptr | Pointer that will passed to callback |
References tsk_fs_file_walk_type().
|
inline |
Process the default attribute for the file and call a callback function with the file contents.
See tsk_fs_file_walk_type() for details
a_flags | Flags to use while processing file |
a_action | Callback action to call with content |
a_ptr | Pointer that will passed to callback |
References tsk_fs_file_walk().
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.