The Sleuth Kit  4.11.1
encase.c File Reference

Contains the Encase hash database specific extraction and printing routines.

#include "tsk_hashdb_i.h"

Functions

uint8_t encase_get_entry (TSK_HDB_INFO *hdb_info, const char *hash, TSK_OFF_T offset, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *cb_ptr)
 Find the entry at a given offset.

uint8_t encase_make_index (TSK_HDB_INFO *hdb_info_base, TSK_TCHAR *dbtype)
 Process the database to create a sorted index of it.

TSK_HDB_INFO * encase_open (FILE *hDb, const TSK_TCHAR *db_path)

uint8_t encase_test (FILE *hFile)
 Test the file to see if it is an Encase database.
 

Detailed Description

Contains the Encase hash database specific extraction and printing routines.

Function Documentation

uint8_t encase_get_entry ( TSK_HDB_INFO *  hdb_info,
const char *  hash,
TSK_OFF_T  offset,
TSK_HDB_FLAG_ENUM  flags,
TSK_HDB_LOOKUP_FN  action,
void *  cb_ptr 
)

Find the entry at a given offset.

The offset was likely determined from the index. The callback is called for each entry. EnCase does not store names, so the callback is called with just the hash value.

Parameters
hdb_info  Hash database to get data from
hash  MD5 hash value that was searched for
offset  Byte offset where hash value should be located in db_file
flags  (not used)
action  Callback used for each entry found in lookup
cb_ptr  Pointer to data passed to callback
Returns
1 on error and 0 on success

References TSK_HDB_BINSRCH_INFO::hDb, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_HTYPE_MD5_LEN, tsk_verbose, TSK_WALK_ERROR, and TSK_WALK_STOP.

uint8_t encase_make_index ( TSK_HDB_INFO *  hdb_info_base,
TSK_TCHAR *  dbtype 
)

Process the database to create a sorted index of it.

Consecutive entries with the same hash value are not added to the index, but will be found during lookup.

Parameters
hdb_info_base  Hash database to make index of.
dbtype  Type of hash database (should always be TSK_HDB_DBTYPE_ENCASE_STR)
Returns
1 on error and 0 on success.

References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_bin(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), and tsk_verbose.
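
The index and lookup behaviour described for encase_make_index and encase_get_entry, as an added sketch that is not The Sleuth Kit's code: the 18-byte record layout, the in-memory database and the names make_index, get_entry, count_cb and demo_hits are assumptions for illustration. A run of equal hashes gets one index entry, the lookup still fires one callback per record, and the offset taken from the index is bounds-checked and re-verified against the hash before use.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HASH_LEN 16 /* raw MD5 */
#define REC_LEN 18  /* constructed record: hash + 2 spare bytes (assumed layout) */
typedef struct { uint8_t hash[HASH_LEN]; long offset; } idx_entry;
typedef int (*lookup_cb)(const uint8_t *hash, void *cb_ptr);
static int cmp(const void *a, const void *b) { return memcmp(a, b, HASH_LEN); }
static int count_cb(const uint8_t *h, void *p) { (void)h; ++*(int *)p; return 0; }

/* Index only the first record of each run of equal hashes, then sort. */
static size_t make_index(const uint8_t *db, size_t len, idx_entry *idx) {
    size_t n = 0;
    for (size_t off = 0; off + REC_LEN <= len; off += REC_LEN) {
        if (off && memcmp(db + off - REC_LEN, db + off, HASH_LEN) == 0) continue;
        memcpy(idx[n].hash, db + off, HASH_LEN);
        idx[n++].offset = (long)off;
    }
    qsort(idx, n, sizeof *idx, cmp);
    return n;
}

/* Walk forward from offset, one callback per matching record; 1 on error. */
static uint8_t get_entry(const uint8_t *db, size_t len, const uint8_t *hash,
                         long offset, lookup_cb action, void *cb_ptr) {
    int found = 0;
    if (offset < 0 || (size_t)offset > len) return 1; /* index offset is untrusted */
    for (size_t off = (size_t)offset; len - off >= REC_LEN; off += REC_LEN) {
        if (memcmp(db + off, hash, HASH_LEN) != 0) break; /* run ended or bad offset */
        found = 1;
        if (action(hash, cb_ptr) != 0) break; /* callback asked to stop */
    }
    return found ? 0 : 1;
}

/* Callbacks fired for hash byte `want` in a constructed 5-record database. */
static int demo_hits(uint8_t want) {
    static const uint8_t fill[5] = { 0x30, 0x10, 0x10, 0x10, 0x20 };
    uint8_t db[5 * REC_LEN] = { 0 }, key[HASH_LEN];
    idx_entry idx[5]; int hits = 0;
    for (size_t i = 0; i < 5; i++) memset(db + i * REC_LEN, fill[i], HASH_LEN);
    memset(key, want, HASH_LEN);
    size_t n = make_index(db, sizeof db, idx); /* 3 entries for 5 records */
    const idx_entry *e = bsearch(key, idx, n, sizeof *idx, cmp);
    if (e && get_entry(db, sizeof db, key, e->offset, count_cb, &hits)) return -1;
    return hits;
}
int main(void) { return demo_hits(0x10) == 3 ? 0 : 1; }
```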

uint8_t encase_test ( FILE *  hFile)

Test the file to see if it is an Encase database.

Parameters
hFile  File handle to hash database
Returns
1 if encase and 0 if not

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.