|
The Sleuth Kit
4.11.1
|
Stores state information for an open file system. More...
#include <tsk_fs.h>
Public Attributes | |
| struct { | |
| TSK_IMG_INFO * img_info | |
| Pointer to the image layer state. | |
| TSK_OFF_T offset | |
| Byte offset into img_info that fs starts. | |
| }; | |
| TSK_DADDR_T | block_count |
| Number of blocks in fs. | |
| TSK_FS_BLOCK_FLAG_ENUM(* | block_getflags )(TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr) |
| unsigned int | block_post_size |
| Number of bytes that follow each block (currently only used for RAW CDs) | |
| unsigned int | block_pre_size |
| Number of bytes that precede each block (currently only used for RAW CDs) | |
| unsigned int | block_size |
| Size of each block (in bytes) | |
| uint8_t(* | block_walk )(TSK_FS_INFO *fs, TSK_DADDR_T start, TSK_DADDR_T end, TSK_FS_BLOCK_WALK_FLAG_ENUM flags, TSK_FS_BLOCK_WALK_CB cb, void *ptr) |
| FS-specific function: Call tsk_fs_block_walk() instead. | |
| void(* | close )(TSK_FS_INFO *fs) |
| FS-specific function: Call tsk_fs_close() instead. | |
| uint8_t(* | decrypt_block )(TSK_FS_INFO *fs, TSK_DADDR_T start, void *data) |
| unsigned int | dev_bsize |
| Size of device block (typically always 512) | |
| TSK_RETVAL_ENUM(* | dir_open_meta )(TSK_FS_INFO *fs, TSK_FS_DIR **a_fs_dir, TSK_INUM_T inode, int recursion_depth) |
| const char * | duname |
| string "name" of data unit type | |
| TSK_ENDIAN_ENUM | endian |
| Endian order of data. | |
| uint8_t(* | file_add_meta )(TSK_FS_INFO *fs, TSK_FS_FILE *fs_file, TSK_INUM_T addr) |
| TSK_DADDR_T | first_block |
| Address of first block. | |
| TSK_INUM_T | first_inum |
| First valid metadata address. | |
| TSK_FS_INFO_FLAG_ENUM | flags |
| flags for file system | |
| uint8_t(* | fread_owner_sid )(TSK_FS_FILE *, char **) |
| uint8_t | fs_id [TSK_FS_INFO_FS_ID_LEN] |
| File system id (as reported in boot sector) | |
| size_t | fs_id_used |
| Number of bytes in fs_id that are being used. | |
| uint8_t(* | fscheck )(TSK_FS_INFO *, FILE *) |
| uint8_t(* | fsstat )(TSK_FS_INFO *fs, FILE *hFile) |
| TSK_FS_TYPE_ENUM | ftype |
| type of file system | |
| TSK_FS_ATTR_TYPE_ENUM(* | get_default_attr_type )(const TSK_FS_FILE *) |
| void * | impl |
| uint8_t(* | inode_walk )(TSK_FS_INFO *fs, TSK_INUM_T start, TSK_INUM_T end, TSK_FS_META_FLAG_ENUM flags, TSK_FS_META_WALK_CB cb, void *ptr) |
| FS-specific function: Call tsk_fs_meta_walk() instead. | |
| TSK_INUM_T | inum_count |
| Number of metadata addresses. | |
| uint8_t(* | istat )(TSK_FS_INFO *fs, TSK_FS_ISTAT_FLAG_ENUM flags, FILE *hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew) |
| Pointer to file system specific function that prints details on a specific file to a file handle. More... | |
| uint8_t(* | jblk_walk )(TSK_FS_INFO *, TSK_DADDR_T, TSK_DADDR_T, int, TSK_FS_JBLK_WALK_CB, void *) |
| uint8_t(* | jentry_walk )(TSK_FS_INFO *, int, TSK_FS_JENTRY_WALK_CB, void *) |
| uint8_t(* | jopen )(TSK_FS_INFO *, TSK_INUM_T) |
| TSK_INUM_T | journ_inum |
| Address of journal inode. | |
| TSK_DADDR_T | last_block |
| Address of last block as reported by file system (could be larger than last_block in image if end of image does not exist) | |
| TSK_DADDR_T | last_block_act |
| Address of last block – adjusted so that it is equal to the last block in the image or volume (if image is not complete) | |
| TSK_INUM_T | last_inum |
| Last valid metadata address. | |
| TSK_LIST * | list_inum_named |
| List of unallocated inodes that are pointed to by a file name – Used to find orphan files. More... | |
| tsk_lock_t | list_inum_named_lock |
| uint8_t(* | load_attrs )(TSK_FS_FILE *) |
| int(* | name_cmp )(TSK_FS_INFO *, const char *, const char *) |
| TSK_FS_DIR * | orphan_dir |
| Files and dirs in the top level of the $OrphanFiles directory. NULL if orphans have not been hunted for yet. (r/w shared - lock) | |
| tsk_lock_t | orphan_dir_lock |
| TSK_INUM_T | root_inum |
| Metadata address of root directory. | |
| int | tag |
Stores state information for an open file system.
One of these are generated for each open files system and it contains file system-type specific data. These values are all filled in by the file system code and not the caller functions. This struct (and its subclasses) should be allocated only by tsk_fs_malloc and deallocated only by tsk_fs_free, which handle init/deinit of the locks.
| uint8_t(* TSK_FS_INFO::istat) (TSK_FS_INFO *fs, TSK_FS_ISTAT_FLAG_ENUM flags, FILE *hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew) |
Pointer to file system specific function that prints details on a specific file to a file handle.
| fs | File system file is located in |
| hFile | File handle to print text to |
| inum | Address of file in file system |
| numblock | The number of blocks in file to force print (can go beyond file size) |
| sec_skew | Clock skew in seconds to also print times in |
Referenced by ntfs_open().
| TSK_LIST* TSK_FS_INFO::list_inum_named |
List of unallocated inodes that are pointed to by a file name – Used to find orphan files.
Is filled after looking for orphans or afer a full name_walk is performed. (r/w shared - lock)
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.