The Sleuth Kit  4.11.1
Functions
ifind_lib.c File Reference

Contains the library API functions used by the TSK ifind command line tool. More...

#include "tsk_fs_i.h"
#include "tsk_hfs.h"

Functions

uint8_t tsk_fs_ifind_data (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM lclflags, TSK_DADDR_T blk)
 
uint8_t tsk_fs_ifind_par (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM lclflags, TSK_INUM_T par)
 Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME). More...
 
int8_t tsk_fs_ifind_path (TSK_FS_INFO *fs, TSK_TCHAR *tpath, TSK_INUM_T *result)
 Find the meta data address for a given file TCHAR name. More...
 
int8_t tsk_fs_path2inum (TSK_FS_INFO *a_fs, const char *a_path, TSK_INUM_T *a_result, TSK_FS_NAME *a_fs_name)
 Find the meta data address for a given file name (UTF-8). More...
 

Detailed Description

Contains the library API functions used by the TSK ifind command line tool.

Function Documentation

uint8_t tsk_fs_ifind_par ( TSK_FS_INFO fs,
TSK_FS_IFIND_FLAG_ENUM  lclflags,
TSK_INUM_T  par 
)

Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME).

Parameters
fsFile system to search
lclflagsFlags
parParent directory MFT entry address
Returns
1 on error and 0 on success

References TSK_FS_INFO::first_inum, TSK_FS_INFO::inode_walk, TSK_FS_INFO::last_inum, and TSK_FS_META_FLAG_UNALLOC.

int8_t tsk_fs_ifind_path ( TSK_FS_INFO fs,
TSK_TCHAR tpath,
TSK_INUM_T result 
)

Find the meta data address for a given file TCHAR name.

Parameters
fsFS to analyze
tpathPath of file to search for
[out]resultMeta data address of file
Returns
-1 on error, 0 if found, and 1 if not found

References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_path2inum(), tsk_UTF16toUTF8_lclorder(), TSKconversionOK, and TSKlenientConversion.


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.