The Sleuth Kit
4.11.1
Holds information about the location of file content (or a file attribute).
#include <tsk_fs.h>
Public Attributes

TSK_FS_ATTR_FLAG_ENUM flags
    Flags for attribute.
TSK_FS_FILE * fs_file
    Pointer to the file that this is from.
uint16_t id
    Id of attribute.
char * name
    Name of attribute (in UTF-8). Will be NULL if attribute doesn't have a name.
size_t name_size
    Number of bytes allocated to name.
TSK_FS_ATTR * next
    Pointer to next attribute in list.
struct {
    TSK_OFF_T allocsize
        Number of bytes that are allocated in all clusters of non-resident run (will be larger than size - does not include skiplen). This is defined when the attribute is created and used to determine slack space.
    uint32_t compsize
        Size of compression units (needed only if NTFS file is compressed)
    TSK_OFF_T initsize
        Number of bytes (starting from offset 0) that have data (including FILLER) saved for them (smaller than or equal to size). This is defined when the attribute is created.
    TSK_FS_ATTR_RUN * run
        Linked list of runs for non-resident attributes.
    TSK_FS_ATTR_RUN * run_end
        Pointer to final run in the list.
    uint32_t skiplen
        Number of initial bytes in run to skip before content begins. The size field does not include this length.
} nrd
    Data associated with a non-resident file / attribute.
ssize_t(* r)(const TSK_FS_ATTR *fs_attr, TSK_OFF_T a_offset, char *a_buf, size_t a_len)
struct {
    uint8_t * buf
        Buffer for resident data.
    size_t buf_size
        Number of bytes allocated to buf.
    TSK_OFF_T offset
        Starting offset in bytes relative to start of file system (NOT YET IMPLEMENTED)
} rd
    Data associated with a resident attribute / file.
TSK_OFF_T size
    Size in bytes of the attribute resident and non-resident content (does not include skiplen for non-resident attributes)
TSK_FS_ATTR_TYPE_ENUM type
    Type of attribute.
uint8_t(* w)(const TSK_FS_ATTR *fs_attr, int flags, TSK_FS_FILE_WALK_CB, void *)
For most file systems, a file has only a single attribute that stores the file content. Other file systems, such as NTFS, have multiple attributes. If multiple attributes exist, they are stored in a linked list. Attributes can be "resident", which means the data is stored in a small buffer instead of being stored in a full file system block. "Non-resident" attributes store data in blocks and they are stored in the data structure as a series of runs. This structure is used to represent both of these cases.
The non-resident data has several size values.
    |--------------------------------------------------------------------|
    |skiplen|---------------allocsize------------------------------------|
    |skiplen|---------------size-----------------------------------|
    |skiplen|---------------initsize------------|
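The size relationships in the diagram above, as an added example in C that is not code from The Sleuth Kit: `nrd_sizes` and the `nrd_*` functions are hypothetical stand-ins that mirror the documented field names, and the sample values are constructed. Because these fields are read from an untrusted image, the example checks the documented ordering before mapping an offset (counted from the start of the first run) to its region.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical mirror of the nrd size fields (not the libtsk type). */
typedef struct { int64_t skiplen, initsize, size, allocsize; } nrd_sizes;
typedef enum { R_INVALID = -1, R_SKIP, R_INIT, R_UNINIT, R_SLACK, R_BEYOND } nrd_region;

/* Return 0 if the fields obey the documented ordering, -1 otherwise.
 * Rejects negative values and skiplen + allocsize overflow. */
int nrd_validate(const nrd_sizes *s)
{
    if (s->skiplen < 0 || s->initsize < 0 || s->size < 0 || s->allocsize < 0)
        return -1;
    if (s->initsize > s->size || s->size > s->allocsize)
        return -1;
    if (s->allocsize > INT64_MAX - s->skiplen)
        return -1;
    return 0;
}

/* Classify a byte offset counted from the start of the first run. */
nrd_region nrd_classify(const nrd_sizes *s, int64_t run_off)
{
    if (nrd_validate(s) != 0 || run_off < 0)
        return R_INVALID;
    if (run_off < s->skiplen)
        return R_SKIP;                      /* before content begins */
    int64_t off = run_off - s->skiplen;     /* offset within the content */
    if (off < s->initsize)  return R_INIT;   /* data saved for these bytes */
    if (off < s->size)      return R_UNINIT; /* inside size, past initsize */
    if (off < s->allocsize) return R_SLACK;  /* allocated, past size */
    return R_BEYOND;
}

/* Slack bytes after the content, or -1 for inconsistent fields. */
int64_t nrd_slack_bytes(const nrd_sizes *s)
{
    return nrd_validate(s) == 0 ? s->allocsize - s->size : -1;
}

int main(void)
{
    /* Constructed sample values, not taken from a real image. */
    nrd_sizes s = { .skiplen = 16, .initsize = 3000, .size = 5000, .allocsize = 8192 };
    printf("slack=%lld region(4000)=%d\n",
           (long long)nrd_slack_bytes(&s), (int)nrd_classify(&s, 4000));
    return 0;
}
```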
struct { ... } TSK_FS_ATTR::nrd
Data associated with a non-resident file / attribute.
The data is stored in one or more data runs.
Referenced by TskFsAttribute::getAllocSize(), TskFsAttribute::getCompSize(), TskFsAttribute::getInitSize(), TskFsAttribute::getRun(), TskFsAttribute::getRunCount(), TskFsAttribute::getSkipLen(), ntfs_dinode_lookup(), tsk_fs_attr_append_run(), and tsk_fs_attr_read().
struct { ... } TSK_FS_ATTR::rd
Data associated with a resident attribute / file.
The data is stored in a buffer.
Referenced by TskFsAttribute::getBuf(), and tsk_fs_attr_read().
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.