The Sleuth Kit  4.11.1
nsrl.c File Reference

NSRL specific functions to read the database.

#include "tsk_hashdb_i.h"

Macros

#define is_valid_nsrl(x)
 Perform a basic check on a string to see if it starts with quotes and contains a possible SHA-1 value.
 

Typedefs

typedef enum TSK_HDB_NSRL_FORM_ENUM TSK_HDB_NSRL_FORM_ENUM
 

Enumerations

enum  TSK_HDB_NSRL_FORM_ENUM { TSK_HDB_NSRL_FORM1 = (1 << 0), TSK_HDB_NSRL_FORM2 = (1 << 1) }
 Version of NSRL Database.
 

Functions

uint8_t nsrl_getentry (TSK_HDB_INFO *hdb_info_base, const char *hash, TSK_OFF_T offset, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *cb_ptr)
 Find the corresponding name at a given offset.
 
uint8_t nsrl_makeindex (TSK_HDB_INFO *hdb_info_base, TSK_TCHAR *dbtype)
 Process the database to create a sorted index of it.
 
TSK_HDB_INFO * nsrl_open (FILE *hDb, const TSK_TCHAR *db_path)
 
uint8_t nsrl_test (FILE *hFile)
 Test the file to see if it is an NSRL database.
 

Detailed Description

NSRL specific functions to read the database.

Macro Definition Documentation

#define is_valid_nsrl(x)
Value:
( (strlen((x)) > TSK_HDB_HTYPE_SHA1_LEN + 4) && \
((x)[0] == '"') && ((x)[TSK_HDB_HTYPE_SHA1_LEN + 1] == '"') && \
((x)[TSK_HDB_HTYPE_SHA1_LEN + 2] == ',') && ((x)[TSK_HDB_HTYPE_SHA1_LEN + 3] == '"') )

TSK_HDB_HTYPE_SHA1_LEN: Length of SHA1 hash. Definition: tsk_hashdb.h:54

Perform a basic check on a string to see if it starts with quotes and contains a possible SHA-1 value.

Parameters
x  string to test
Returns
1 if NSRL and 0 if not
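
The check performed by is_valid_nsrl, as an added example that is not code from The Sleuth Kit. The macro body is copied from this page with TSK_HDB_HTYPE_SHA1_LEN assumed to be 40; nsrl_shape_ok and nsrl_extract_sha1 are hypothetical helpers and the sample lines are constructed. It shows that the macro tests only quote and comma positions, so a caller that needs a real digest also validates the 40 characters as hex.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 40, the number of hex characters in a printed SHA-1 digest. */
#define TSK_HDB_HTYPE_SHA1_LEN 40

/* Macro body as listed on this page. strlen() is tested first, so the
 * fixed-offset reads that follow stay inside the string. */
#define is_valid_nsrl(x) \
    ( (strlen((x)) > TSK_HDB_HTYPE_SHA1_LEN + 4) && \
    ((x)[0] == '"') && ((x)[TSK_HDB_HTYPE_SHA1_LEN + 1] == '"') && \
    ((x)[TSK_HDB_HTYPE_SHA1_LEN + 2] == ',') && ((x)[TSK_HDB_HTYPE_SHA1_LEN + 3] == '"') )

/* Constructed sample lines (not taken from a real NSRL file). */
static const char SAMPLE_OK[] =
    "\"DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\","
    "\"D41D8CD98F00B204E9800998ECF8427E\",\"00000000\",\"empty.bin\",0,1,\"WIN\",\"\"";
static const char SAMPLE_HDR[] = "\"SHA-1\",\"MD5\",\"CRC32\",\"FileName\",\"FileSize\",\"ProductCode\"";

/* Hypothetical wrapper so the macro result is available as a function value. */
static int nsrl_shape_ok(const char *line) { return is_valid_nsrl(line); }

/* Hypothetical helper: shape check plus hex validation of the 40 digest
 * characters. On success writes the lower-cased digest to out (>= 41 bytes). */
static int nsrl_extract_sha1(const char *line, char *out)
{
    if (!is_valid_nsrl(line))
        return 0;
    for (size_t i = 0; i < TSK_HDB_HTYPE_SHA1_LEN; i++) {
        unsigned char c = (unsigned char) line[i + 1];  /* skip opening quote */
        if (!isxdigit(c))
            return 0;
        out[i] = (char) tolower(c);
    }
    out[TSK_HDB_HTYPE_SHA1_LEN] = '\0';
    return 1;
}

int main(void)
{
    char out[TSK_HDB_HTYPE_SHA1_LEN + 1], bad[sizeof SAMPLE_OK];
    memcpy(bad, SAMPLE_OK, sizeof SAMPLE_OK);
    bad[5] = 'G';                   /* same layout, one non-hex digest character */
    printf("data   shape=%d hex=%d\n", nsrl_shape_ok(SAMPLE_OK), nsrl_extract_sha1(SAMPLE_OK, out));
    printf("badhex shape=%d hex=%d\n", nsrl_shape_ok(bad), nsrl_extract_sha1(bad, out));
    printf("header shape=%d\n", nsrl_shape_ok(SAMPLE_HDR));
    return 0;
}
```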

Enumeration Type Documentation

enum TSK_HDB_NSRL_FORM_ENUM

Version of NSRL Database.

Enumerator
TSK_HDB_NSRL_FORM1  Version 1.
TSK_HDB_NSRL_FORM2  Version 2.

Function Documentation

uint8_t nsrl_getentry ( TSK_HDB_INFO *  hdb_info_base,
const char *  hash,
TSK_OFF_T  offset,
TSK_HDB_FLAG_ENUM  flags,
TSK_HDB_LOOKUP_FN  action,
void *  cb_ptr
)

Find the corresponding name at a given offset.

The offset was likely determined from the index. The entries in the DB following the one specified are also processed if they have the same hash value and their name is different. The callback is called for each entry.

Parameters
hdb_info_base  Database to get data from.
hash  MD5/SHA-1 hash value that was searched for
offset  Byte offset where hash value should be located in db_file
flags  (not used)
action  Callback used for each entry found in lookup
cb_ptr  Pointer to data passed to callback
Returns
1 on error and 0 on success

References TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hDb, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_MD5_LEN, TSK_HDB_HTYPE_SHA1_ID, TSK_HDB_HTYPE_SHA1_LEN, TSK_HDB_MAXLEN, tsk_verbose, TSK_WALK_ERROR, and TSK_WALK_STOP.

uint8_t nsrl_makeindex ( TSK_HDB_INFO *  hdb_info_base,
TSK_TCHAR *  dbtype
)

Process the database to create a sorted index of it.

Consecutive entries with the same hash value are not added to the index, but will be found during lookup.

Parameters
hdb_info_base  Hash database to make index of.
dbtype  Type of database
Returns
1 on error and 0 on success.

References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hash_len, TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_str(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_SHA1_ID, TSK_HDB_HTYPE_SHA1_LEN, TSK_HDB_MAXLEN, and tsk_verbose.

uint8_t nsrl_test ( FILE *  hFile)

Test the file to see if it is an NSRL database.

Parameters
hFile  File handle to hash database
Returns
1 if NSRL and 0 if not

References TSK_HDB_MAXLEN.


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.