The Sleuth Kit  4.11.1
Classes | Macros | Typedefs | Enumerations | Functions
tsk_fs.h File Reference

External header file for file system support. More...

#include <sys/types.h>

Classes

struct  TSK_FS_ATTR
 Holds information about the location of file content (or a file attribute). More...
 
struct  TSK_FS_ATTR_RUN
 Holds information about a single data run, which has a starting address and length. More...
 
struct  TSK_FS_ATTRLIST
 Structure used as the head of an attribute list. More...
 
struct  TSK_FS_BLOCK
 Generic data structure to hold block data with metadata. More...
 
struct  TSK_FS_BLOCK_WALK_CPP_DATA
 
struct  TSK_FS_DIR
 A handle to a directory so that its files can be individually accessed. More...
 
struct  TSK_FS_DIR_WALK_CPP_DATA
 
struct  TSK_FS_FILE
 Generic structure used to refer to files in the file system. More...
 
struct  TSK_FS_FILE_WALK_CPP_DATA
 
struct  TSK_FS_HASH_RESULTS
 
struct  TSK_FS_INFO
 Stores state information for an open file system. More...
 
struct  TSK_FS_JBLK_WALK_CPP_DATA
 
struct  TSK_FS_JENTRY
 
struct  TSK_FS_JENTRY_WALK_CPP_DATA
 
struct  TSK_FS_META
 TSK data structure to store general file and directory metadata. More...
 
struct  TSK_FS_META_NAME_LIST
 Relatively generic structure to hold file names that are stored with the file metadata. More...
 
struct  TSK_FS_META_WALK_CPP_DATA
 
struct  TSK_FS_NAME
 Generic structure to store the file name information that is stored in a directory. More...
 
class  TskFsAttribute
 Stores information about a file attribute. More...
 
class  TskFsAttrRun
 Contains information about a single data run, which has a starting address and length. More...
 
class  TskFsBlock
 Stores information about a file system block. More...
 
class  TskFsDir
 Stores information about a directory in the file system. More...
 
class  TskFsFile
 Class that represents an allocated or deleted file. More...
 
class  TskFsInfo
 Stores information about an open file system. More...
 
class  TskFsJEntry
 
class  TskFsMeta
 Stores metadata about a file. More...
 
class  TskFsMetaName
 Stores information about names that are located in metadata structures. More...
 
class  TskFsName
 Stores the file name information that is stored in a directory. More...
 

Macros

#define TSK_FS_ISDOT(str)
 

Typedefs

typedef enum TSK_FS_BLKCALC_FLAG_ENUM TSK_FS_BLKCALC_FLAG_ENUM
 
typedef enum TSK_FS_BLKCAT_FLAG_ENUM TSK_FS_BLKCAT_FLAG_ENUM
 
typedef enum TSK_FS_BLKLS_FLAG_ENUM TSK_FS_BLKLS_FLAG_ENUM
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CPP_CB) (const TskFsBlock *a_block, void *a_ptr)
 Function definition used for callback to blockWalk(). More...
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CPP_CB) (TskFsFile *a_fs_file, const char *a_path, void *a_ptr)
 Definition of callback function that is used by tsk_fs_dir_walk(). More...
 
typedef enum TSK_FS_FFIND_FLAG_ENUM TSK_FS_FFIND_FLAG_ENUM
 
typedef struct TSK_FS_FILE TSK_FS_FILE
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CPP_CB) (TskFsFile *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)
 File walk callback function definition. More...
 
typedef enum TSK_FS_FLS_FLAG_ENUM TSK_FS_FLS_FLAG_ENUM
 
typedef enum TSK_FS_IFIND_FLAG_ENUM TSK_FS_IFIND_FLAG_ENUM
 
typedef enum TSK_FS_ILS_FLAG_ENUM TSK_FS_ILS_FLAG_ENUM
 
typedef struct TSK_FS_INFO TSK_FS_INFO
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_JBLK_WALK_CPP_CB) (TskFsInfo *a_fsInfo, char *a_string, int a_num, void *a_ptr)
 Function definition for callback in TskFsInfo.jblkWalk(). More...
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_JENTRY_WALK_CPP_CB) (TskFsInfo *a_fsInfo, TskFsJEntry *a_jentry, int a_num, void *a_ptr)
 Function definition for callback in TskFsInfo.jentryWalk(). More...
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CPP_CB) (TskFsFile *a_fs_file, void *a_ptr)
 inode walk callback function definition. More...
 
typedef struct _TSK_POOL_INFO TSK_POOL_INFO
 
Generic File System Journal Data Structures
typedef TSK_WALK_RET_ENUM(* TSK_FS_JBLK_WALK_CB) (TSK_FS_INFO *, char *, int, void *)
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_JENTRY_WALK_CB) (TSK_FS_INFO *, TSK_FS_JENTRY *, int, void *)
 

Enumerations

enum  TSK_FS_BLKCALC_FLAG_ENUM { TSK_FS_BLKCALC_DD = 0x01, TSK_FS_BLKCALC_BLKLS = 0x02, TSK_FS_BLKCALC_SLACK = 0x04 }
 
enum  TSK_FS_BLKCAT_FLAG_ENUM {
  TSK_FS_BLKCAT_NONE = 0x00, TSK_FS_BLKCAT_HEX = 0x01, TSK_FS_BLKCAT_ASCII = 0x02, TSK_FS_BLKCAT_HTML = 0x04,
  TSK_FS_BLKCAT_STAT = 0x08
}
 
enum  TSK_FS_BLKLS_FLAG_ENUM { TSK_FS_BLKLS_NONE = 0x00, TSK_FS_BLKLS_CAT = 0x01, TSK_FS_BLKLS_LIST = 0x02, TSK_FS_BLKLS_SLACK = 0x04 }
 
enum  TSK_FS_FFIND_FLAG_ENUM { TSK_FS_FFIND_ALL = 0x01 }
 
enum  TSK_FS_FLS_FLAG_ENUM {
  TSK_FS_FLS_NONE = 0x00, TSK_FS_FLS_DOT = 0x01, TSK_FS_FLS_LONG = 0x02, TSK_FS_FLS_FILE = 0x04,
  TSK_FS_FLS_DIR = 0x08, TSK_FS_FLS_FULL = 0x10, TSK_FS_FLS_MAC = 0x20, TSK_FS_FLS_HASH = 0x40
}
 
enum  TSK_FS_IFIND_FLAG_ENUM { TSK_FS_IFIND_NONE = 0x00, TSK_FS_IFIND_ALL = 0x01, TSK_FS_IFIND_PAR_LONG = 0x02 }
 
enum  TSK_FS_ILS_FLAG_ENUM {
  TSK_FS_ILS_NONE = 0x00, TSK_FS_ILS_OPEN = 0x01, TSK_FS_ILS_MAC = 0x02, TSK_FS_ILS_LINK = 0x04,
  TSK_FS_ILS_UNLINK = 0x08
}
 

Functions

int8_t tsk_fs_blkcalc (TSK_FS_INFO *fs, TSK_FS_BLKCALC_FLAG_ENUM flags, TSK_DADDR_T cnt)
 
uint8_t tsk_fs_blkcat (TSK_FS_INFO *fs, TSK_FS_BLKCAT_FLAG_ENUM flags, TSK_DADDR_T addr, TSK_DADDR_T read_num_units)
 Read a specific number of blocks and print the contents to STDOUT. More...
 
uint8_t tsk_fs_blkls (TSK_FS_INFO *fs, TSK_FS_BLKLS_FLAG_ENUM lclflags, TSK_DADDR_T bstart, TSK_DADDR_T bend, TSK_FS_BLOCK_WALK_FLAG_ENUM flags)
 
uint8_t tsk_fs_blkstat (TSK_FS_INFO *fs, TSK_DADDR_T addr)
 
TSK_WALK_RET_ENUM tsk_fs_block_cpp_c_cb (const TSK_FS_BLOCK *a_block, void *a_ptr)
 
TSK_WALK_RET_ENUM tsk_fs_dir_walk_cpp_c_cb (TSK_FS_FILE *a_file, const char *a_path, void *a_ptr)
 
uint8_t tsk_fs_ffind (TSK_FS_INFO *fs, TSK_FS_FFIND_FLAG_ENUM lclflags, TSK_INUM_T inode, TSK_FS_ATTR_TYPE_ENUM type, uint8_t type_used, uint16_t id, uint8_t id_used, TSK_FS_DIR_WALK_FLAG_ENUM flags)
 
TSK_WALK_RET_ENUM tsk_fs_file_cpp_c_cb (TSK_FS_FILE *a_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)
 
uint8_t tsk_fs_fls (TSK_FS_INFO *fs, TSK_FS_FLS_FLAG_ENUM lclflags, TSK_INUM_T inode, TSK_FS_DIR_WALK_FLAG_ENUM flags, TSK_TCHAR *pre, int32_t skew)
 
uint8_t tsk_fs_icat (TSK_FS_INFO *fs, TSK_INUM_T inum, TSK_FS_ATTR_TYPE_ENUM type, uint8_t type_used, uint16_t id, uint8_t id_used, TSK_FS_FILE_WALK_FLAG_ENUM flags)
 
uint8_t tsk_fs_ifind_data (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM flags, TSK_DADDR_T blk)
 
uint8_t tsk_fs_ifind_par (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM flags, TSK_INUM_T par)
 Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME). More...
 
int8_t tsk_fs_ifind_path (TSK_FS_INFO *fs, TSK_TCHAR *path, TSK_INUM_T *result)
 Find the meta data address for a given file TCHAR name. More...
 
uint8_t tsk_fs_ils (TSK_FS_INFO *fs, TSK_FS_ILS_FLAG_ENUM lclflags, TSK_INUM_T istart, TSK_INUM_T ilast, TSK_FS_META_FLAG_ENUM flags, int32_t skew, const TSK_TCHAR *img)
 Library API for inode walking. More...
 
TSK_WALK_RET_ENUM tsk_fs_jblk_walk_cpp_c_cb (TSK_FS_INFO *a_fsInfo, char *a_string, int a_num, void *a_ptr)
 
TSK_WALK_RET_ENUM tsk_fs_jentry_walk_cpp_c_cb (TSK_FS_INFO *a_fsInfo, TSK_FS_JENTRY *a_jentry, int a_num, void *a_ptr)
 
TSK_WALK_RET_ENUM tsk_fs_meta_walk_cpp_c_cb (TSK_FS_FILE *a_file, void *a_ptr)
 
int tsk_fs_parse_inum (const TSK_TCHAR *str, TSK_INUM_T *, TSK_FS_ATTR_TYPE_ENUM *, uint8_t *, uint16_t *, uint8_t *)
 Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there). More...
 

Generic File System Block Data Structure

#define TSK_FS_BLOCK_TAG   0x1b7c3f4a
 
enum  TSK_FS_BLOCK_FLAG_ENUM {
  TSK_FS_BLOCK_FLAG_UNUSED = 0x0000, TSK_FS_BLOCK_FLAG_ALLOC = 0x0001, TSK_FS_BLOCK_FLAG_UNALLOC = 0x0002, TSK_FS_BLOCK_FLAG_CONT = 0x0004,
  TSK_FS_BLOCK_FLAG_META = 0x0008, TSK_FS_BLOCK_FLAG_BAD = 0x0010, TSK_FS_BLOCK_FLAG_RAW = 0x0020, TSK_FS_BLOCK_FLAG_SPARSE = 0x0040,
  TSK_FS_BLOCK_FLAG_COMP = 0x0080, TSK_FS_BLOCK_FLAG_RES = 0x0100, TSK_FS_BLOCK_FLAG_AONLY = 0x0200
}
 Flags that are used in TSK_FS_BLOCK and in callback of file_walk. More...
 
enum  TSK_FS_BLOCK_WALK_FLAG_ENUM {
  TSK_FS_BLOCK_WALK_FLAG_NONE = 0x00, TSK_FS_BLOCK_WALK_FLAG_ALLOC = 0x01, TSK_FS_BLOCK_WALK_FLAG_UNALLOC = 0x02, TSK_FS_BLOCK_WALK_FLAG_CONT = 0x04,
  TSK_FS_BLOCK_WALK_FLAG_META = 0x08, TSK_FS_BLOCK_WALK_FLAG_AONLY = 0x10
}
 Flags that are used to specify which blocks to call the tsk_fs_block_walk() callback function with. More...
 
typedef enum TSK_FS_BLOCK_FLAG_ENUM TSK_FS_BLOCK_FLAG_ENUM
 
typedef enum TSK_FS_BLOCK_WALK_FLAG_ENUM TSK_FS_BLOCK_WALK_FLAG_ENUM
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CB) (const TSK_FS_BLOCK *a_block, void *a_ptr)
 Function definition used for callback to tsk_fs_block_walk(). More...
 
void tsk_fs_block_free (TSK_FS_BLOCK *a_fs_block)
 Free the memory associated with the TSK_FS_BLOCK structure. More...
 
TSK_FS_BLOCKtsk_fs_block_get (TSK_FS_INFO *fs, TSK_FS_BLOCK *fs_block, TSK_DADDR_T addr)
 
TSK_FS_BLOCKtsk_fs_block_get_flag (TSK_FS_INFO *a_fs, TSK_FS_BLOCK *a_fs_block, TSK_DADDR_T a_addr, TSK_FS_BLOCK_FLAG_ENUM a_flags)
 Get the contents and flags of a specific file system block. More...
 
uint8_t tsk_fs_block_walk (TSK_FS_INFO *a_fs, TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr)
 Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each. More...
 

Generic File System File Content Data Structures

#define TSK_FS_ATTR_ID_DEFAULT   0
 Default Data ID used if file system does not assign one.
 
enum  TSK_FS_ATTR_RUN_FLAG_ENUM { TSK_FS_ATTR_RUN_FLAG_NONE = 0x00, TSK_FS_ATTR_RUN_FLAG_FILLER = 0x01, TSK_FS_ATTR_RUN_FLAG_SPARSE = 0x02, TSK_FS_ATTR_RUN_FLAG_ENCRYPTED = 0x04 }
 Flags used for a TSK_FS_ATTR_RUN entry. More...
 
enum  TSK_FS_ATTR_FLAG_ENUM {
  TSK_FS_ATTR_FLAG_NONE = 0x00, TSK_FS_ATTR_INUSE = 0x01, TSK_FS_ATTR_NONRES = 0x02, TSK_FS_ATTR_RES = 0x04,
  TSK_FS_ATTR_ENC = 0x10, TSK_FS_ATTR_COMP = 0x20, TSK_FS_ATTR_SPARSE = 0x40, TSK_FS_ATTR_RECOVERY = 0x80
}
 Flags used for the TSK_FS_ATTR structure, which is used to store file content metadata. More...
 
enum  TSK_FS_FILE_WALK_FLAG_ENUM {
  TSK_FS_FILE_WALK_FLAG_NONE = 0x00, TSK_FS_FILE_WALK_FLAG_SLACK = 0x01, TSK_FS_FILE_WALK_FLAG_NOID = 0x02, TSK_FS_FILE_WALK_FLAG_AONLY = 0x04,
  TSK_FS_FILE_WALK_FLAG_NOSPARSE = 0x08
}
 Flags used by tsk_fs_file_walk to determine when the callback function should be used. More...
 
enum  TSK_FS_ATTR_TYPE_ENUM {
  TSK_FS_ATTR_TYPE_NOT_FOUND = 0x00, TSK_FS_ATTR_TYPE_DEFAULT = 0x01, TSK_FS_ATTR_TYPE_NTFS_SI = 0x10, TSK_FS_ATTR_TYPE_NTFS_ATTRLIST = 0x20,
  TSK_FS_ATTR_TYPE_NTFS_FNAME = 0x30, TSK_FS_ATTR_TYPE_NTFS_VVER = 0x40, TSK_FS_ATTR_TYPE_NTFS_OBJID = 0x40, TSK_FS_ATTR_TYPE_NTFS_SEC = 0x50,
  TSK_FS_ATTR_TYPE_NTFS_VNAME = 0x60, TSK_FS_ATTR_TYPE_NTFS_VINFO = 0x70, TSK_FS_ATTR_TYPE_NTFS_DATA = 0x80, TSK_FS_ATTR_TYPE_NTFS_IDXROOT = 0x90,
  TSK_FS_ATTR_TYPE_NTFS_IDXALLOC = 0xA0, TSK_FS_ATTR_TYPE_NTFS_BITMAP = 0xB0, TSK_FS_ATTR_TYPE_NTFS_SYMLNK = 0xC0, TSK_FS_ATTR_TYPE_NTFS_REPARSE = 0xC0,
  TSK_FS_ATTR_TYPE_NTFS_EAINFO = 0xD0, TSK_FS_ATTR_TYPE_NTFS_EA = 0xE0, TSK_FS_ATTR_TYPE_NTFS_PROP = 0xF0, TSK_FS_ATTR_TYPE_NTFS_LOG = 0x100,
  TSK_FS_ATTR_TYPE_UNIX_INDIR = 0x1001, TSK_FS_ATTR_TYPE_UNIX_EXTENT = 0x1002, TSK_FS_ATTR_TYPE_HFS_DEFAULT = 0x01, TSK_FS_ATTR_TYPE_HFS_DATA = 0x1100,
  TSK_FS_ATTR_TYPE_HFS_RSRC = 0x1101, TSK_FS_ATTR_TYPE_HFS_EXT_ATTR = 0x1102, TSK_FS_ATTR_TYPE_HFS_COMP_REC = 0x1103, TSK_FS_ATTR_TYPE_APFS_DATA = TSK_FS_ATTR_TYPE_HFS_DATA,
  TSK_FS_ATTR_TYPE_APFS_RSRC = TSK_FS_ATTR_TYPE_HFS_RSRC, TSK_FS_ATTR_TYPE_APFS_EXT_ATTR = TSK_FS_ATTR_TYPE_HFS_EXT_ATTR, TSK_FS_ATTR_TYPE_APFS_COMP_REC = TSK_FS_ATTR_TYPE_HFS_COMP_REC
}
 These are based on the NTFS type values. More...
 
typedef struct TSK_FS_ATTR_RUN TSK_FS_ATTR_RUN
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CB) (TSK_FS_FILE *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)
 File walk callback function definition. More...
 
typedef struct TSK_FS_ATTR TSK_FS_ATTR
 
void tsk_fs_attr_run_free (TSK_FS_ATTR_RUN *)
 
uint8_t tsk_fs_attr_walk (const TSK_FS_ATTR *a_fs_attr, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr)
 Process an attribute and call a callback function with its contents. More...
 

Generic File System File Metadata Data Structures

#define TSK_FS_META_NAME_LIST_NSIZE   512
 Size of name array in TSK_FS_META_NAME_LIST structure.
 
#define TSK_FS_META_TYPE_STR_MAX   0x0c
 Number of file types in shortname array.
 
#define TSK_FS_IS_DIR_META(x)   ((x == TSK_FS_META_TYPE_DIR) || (x == TSK_FS_META_TYPE_VIRT_DIR))
 
#define TSK_FS_META_TAG   0x13524635
 
#define TSK_FS_ORPHAN_STR   "-ORPHAN_FILE-"
 String that is prepended to orphan FAT & NTFS files when the file name is known, but the parent is not.
 
#define TSK_FS_ORPHANDIR_INUM(fs_info)   (fs_info->last_inum)
 
enum  TSK_FS_META_FLAG_ENUM {
  TSK_FS_META_FLAG_ALLOC = 0x01, TSK_FS_META_FLAG_UNALLOC = 0x02, TSK_FS_META_FLAG_USED = 0x04, TSK_FS_META_FLAG_UNUSED = 0x08,
  TSK_FS_META_FLAG_COMP = 0x10, TSK_FS_META_FLAG_ORPHAN = 0x20
}
 Metadata flags used in TSK_FS_META.flags and in request to inode_walk. More...
 
enum  TSK_FS_META_ATTR_FLAG_ENUM { TSK_FS_META_ATTR_EMPTY, TSK_FS_META_ATTR_STUDIED, TSK_FS_META_ATTR_ERROR }
 
enum  TSK_FS_META_TYPE_ENUM {
  TSK_FS_META_TYPE_UNDEF = 0x00, TSK_FS_META_TYPE_REG = 0x01, TSK_FS_META_TYPE_DIR = 0x02, TSK_FS_META_TYPE_FIFO = 0x03,
  TSK_FS_META_TYPE_CHR = 0x04, TSK_FS_META_TYPE_BLK = 0x05, TSK_FS_META_TYPE_LNK = 0x06, TSK_FS_META_TYPE_SHAD = 0x07,
  TSK_FS_META_TYPE_SOCK = 0x08, TSK_FS_META_TYPE_WHT = 0x09, TSK_FS_META_TYPE_VIRT = 0x0a, TSK_FS_META_TYPE_VIRT_DIR = 0x0b
}
 Values for the mode field – which identifies the file type and permissions. More...
 
enum  TSK_FS_META_MODE_ENUM {
  TSK_FS_META_MODE_UNSPECIFIED = 0000000, TSK_FS_META_MODE_ISUID = 0004000, TSK_FS_META_MODE_ISGID = 0002000, TSK_FS_META_MODE_ISVTX = 0001000,
  TSK_FS_META_MODE_IRUSR = 0000400, TSK_FS_META_MODE_IWUSR = 0000200, TSK_FS_META_MODE_IXUSR = 0000100, TSK_FS_META_MODE_IRGRP = 0000040,
  TSK_FS_META_MODE_IWGRP = 0000020, TSK_FS_META_MODE_IXGRP = 0000010, TSK_FS_META_MODE_IROTH = 0000004, TSK_FS_META_MODE_IWOTH = 0000002,
  TSK_FS_META_MODE_IXOTH = 0000001
}
 
enum  TSK_FS_META_CONTENT_TYPE_ENUM { TSK_FS_META_CONTENT_TYPE_DEFAULT = 0x0, TSK_FS_META_CONTENT_TYPE_EXT4_EXTENTS = 0x1, TSK_FS_META_CONTENT_TYPE_EXT4_INLINE = 0x02 }
 
typedef struct TSK_FS_META_NAME_LIST TSK_FS_META_NAME_LIST
 
typedef enum TSK_FS_META_FLAG_ENUM TSK_FS_META_FLAG_ENUM
 
typedef enum TSK_FS_META_ATTR_FLAG_ENUM TSK_FS_META_ATTR_FLAG_ENUM
 
typedef enum TSK_FS_META_TYPE_ENUM TSK_FS_META_TYPE_ENUM
 
typedef enum TSK_FS_META_MODE_ENUM TSK_FS_META_MODE_ENUM
 
typedef enum TSK_FS_META_CONTENT_TYPE_ENUM TSK_FS_META_CONTENT_TYPE_ENUM
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CB) (TSK_FS_FILE *a_fs_file, void *a_ptr)
 inode walk callback function definition. More...
 
char tsk_fs_meta_type_str [TSK_FS_META_TYPE_STR_MAX][2]
 Contains the short (1 character) name of the file type.
 
uint8_t tsk_fs_meta_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_start, TSK_INUM_T a_end, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_cb, void *a_ptr)
 Walk a range of metadata structures and call a callback for each structure that matches the flags supplied. More...
 
uint8_t tsk_fs_meta_make_ls (const TSK_FS_META *a_fs_meta, char *a_buf, size_t a_len)
 Makes the "ls -l" permissions string for a file. More...
 

Generic File System File Name Data Structures

#define TSK_FS_NAME_TYPE_STR_MAX   12
 Number of types that have a short string name.
 
#define TSK_FS_IS_DIR_NAME(x)   ((x == TSK_FS_NAME_TYPE_DIR) || (x == TSK_FS_NAME_TYPE_VIRT_DIR))
 
#define TSK_FS_NAME_TAG   0x23147869
 
#define TSK_FS_DIR_TAG   0x57531246
 
enum  TSK_FS_NAME_FLAG_ENUM { TSK_FS_NAME_FLAG_ALLOC = 0x01, TSK_FS_NAME_FLAG_UNALLOC = 0x02 }
 File name flags that are used when specifying the status of a name in the TSK_FS_NAME structure. More...
 
enum  TSK_FS_NAME_TYPE_ENUM {
  TSK_FS_NAME_TYPE_UNDEF = 0, TSK_FS_NAME_TYPE_FIFO = 1, TSK_FS_NAME_TYPE_CHR = 2, TSK_FS_NAME_TYPE_DIR = 3,
  TSK_FS_NAME_TYPE_BLK = 4, TSK_FS_NAME_TYPE_REG = 5, TSK_FS_NAME_TYPE_LNK = 6, TSK_FS_NAME_TYPE_SOCK = 7,
  TSK_FS_NAME_TYPE_SHAD = 8, TSK_FS_NAME_TYPE_WHT = 9, TSK_FS_NAME_TYPE_VIRT = 10, TSK_FS_NAME_TYPE_VIRT_DIR = 11
}
 File type values – as specified in the directory entry structure. More...
 
enum  TSK_FS_DIR_WALK_FLAG_ENUM {
  TSK_FS_DIR_WALK_FLAG_NONE = 0x00, TSK_FS_DIR_WALK_FLAG_ALLOC = 0x01, TSK_FS_DIR_WALK_FLAG_UNALLOC = 0x02, TSK_FS_DIR_WALK_FLAG_RECURSE = 0x04,
  TSK_FS_DIR_WALK_FLAG_NOORPHAN = 0x08
}
 Flags that are used when walking names in directories. More...
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CB) (TSK_FS_FILE *a_fs_file, const char *a_path, void *a_ptr)
 Definition of callback function that is used by tsk_fs_dir_walk(). More...
 
char tsk_fs_name_type_str [TSK_FS_NAME_TYPE_STR_MAX][2]
 
TSK_FS_DIRtsk_fs_dir_open_meta (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr)
 Open a directory (using its metadata addr) so that each of the files in it can be accessed. More...
 
TSK_FS_DIRtsk_fs_dir_open (TSK_FS_INFO *a_fs, const char *a_dir)
 Open a directory (using its path) so that each of the files in it can be accessed. More...
 
uint8_t tsk_fs_dir_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_inode, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CB a_action, void *a_ptr)
 Walk the file names in a directory and obtain the details of the files via a callback. More...
 
size_t tsk_fs_dir_getsize (const TSK_FS_DIR *)
 Returns the number of files and subdirectories in a directory. More...
 
TSK_FS_FILEtsk_fs_dir_get (const TSK_FS_DIR *, size_t)
 Return a specific file or subdirectory from an open directory. More...
 
const TSK_FS_NAMEtsk_fs_dir_get_name (const TSK_FS_DIR *a_fs_dir, size_t a_idx)
 Return only the name for a file or subdirectory from an open directory. More...
 
void tsk_fs_dir_close (TSK_FS_DIR *)
 Close the directory that was opened with tsk_fs_dir_open() More...
 
int8_t tsk_fs_path2inum (TSK_FS_INFO *a_fs, const char *a_path, TSK_INUM_T *a_result, TSK_FS_NAME *a_fs_name)
 Find the meta data address for a given file name (UTF-8). More...
 

Generic File System File Data Structures

#define TSK_FS_FILE_TAG   0x11212212
 
enum  TSK_FS_FILE_READ_FLAG_ENUM { TSK_FS_FILE_READ_FLAG_NONE = 0x00, TSK_FS_FILE_READ_FLAG_SLACK = 0x01, TSK_FS_FILE_READ_FLAG_NOID = 0x02 }
 Flags used by tsk_fs_file_read. More...
 
void tsk_fs_file_close (TSK_FS_FILE *a_fs_file)
 Close an open file. More...
 
TSK_FS_FILEtsk_fs_file_open (TSK_FS_INFO *a_fs, TSK_FS_FILE *a_fs_file, const char *a_path)
 Return the handle structure for a specific file, given its full path. More...
 
TSK_FS_FILEtsk_fs_file_open_meta (TSK_FS_INFO *fs, TSK_FS_FILE *fs_file, TSK_INUM_T addr)
 Open a file given its metadata address. More...
 
ssize_t tsk_fs_file_read (TSK_FS_FILE *, TSK_OFF_T, char *, size_t, TSK_FS_FILE_READ_FLAG_ENUM)
 Read the contents of a specific attribute of a file using a typical read() type interface. More...
 
ssize_t tsk_fs_file_read_type (TSK_FS_FILE *, TSK_FS_ATTR_TYPE_ENUM, uint16_t, TSK_OFF_T, char *, size_t, TSK_FS_FILE_READ_FLAG_ENUM)
 Read the contents of a specific attribute of a file using a typical read() type interface and be able specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS). More...
 
const TSK_FS_ATTRtsk_fs_file_attr_get (TSK_FS_FILE *a_fs_file)
 Return the default attribute for the file. More...
 
int tsk_fs_file_attr_getsize (TSK_FS_FILE *a_fs_file)
 Return the number of attributes in the file. More...
 
const TSK_FS_ATTRtsk_fs_file_attr_get_idx (TSK_FS_FILE *a_fs_file, int a_idx)
 Get a file's attribute based on the 0-based index in the list (and not type, id pair). More...
 
const TSK_FS_ATTRtsk_fs_file_attr_get_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM, uint16_t, uint8_t)
 Return a specific type and id attribute for the file. More...
 
const TSK_FS_ATTRtsk_fs_file_attr_get_id (TSK_FS_FILE *a_fs_file, uint16_t)
 Return a specific attribute by its ID for the file. More...
 
uint8_t tsk_fs_file_walk (TSK_FS_FILE *a_fs_file, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr)
 Process a file and call a callback function with the file contents. More...
 
uint8_t tsk_fs_file_walk_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr)
 Process a specific attribute in a file and call a callback function with the file contents. More...
 
ssize_t tsk_fs_attr_read (const TSK_FS_ATTR *a_fs_attr, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags)
 Read the contents of a given attribute using a typical read() type interface. More...
 
uint8_t tsk_fs_file_get_owner_sid (TSK_FS_FILE *, char **)
 Returns a string representation of the security attributes of a file. More...
 
uint8_t tsk_fs_file_hash_calc (TSK_FS_FILE *, TSK_FS_HASH_RESULTS *, TSK_BASE_HASH_ENUM)
 Returns a string containing the md5 hash of the given file. More...
 

Generic File System Handle Data Structure

#define TSK_FS_TYPE_ISNTFS(ftype)   (((ftype) & TSK_FS_TYPE_NTFS_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for an NTFS file system. More...
 
#define TSK_FS_TYPE_ISFAT(ftype)   (((ftype) & TSK_FS_TYPE_FAT_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a FAT file system. More...
 
#define TSK_FS_TYPE_ISFFS(ftype)   (((ftype) & TSK_FS_TYPE_FFS_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a FFS file system. More...
 
#define TSK_FS_TYPE_ISEXT(ftype)   (((ftype) & TSK_FS_TYPE_EXT_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a ExtX file system. More...
 
#define TSK_FS_TYPE_ISISO9660(ftype)   (((ftype) & TSK_FS_TYPE_ISO9660_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a ISO9660 file system. More...
 
#define TSK_FS_TYPE_ISHFS(ftype)   (((ftype) & TSK_FS_TYPE_HFS_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a HFS file system. More...
 
#define TSK_FS_TYPE_ISSWAP(ftype)   (((ftype) & TSK_FS_TYPE_SWAP_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a swap "file system". More...
 
#define TSK_FS_TYPE_ISYAFFS2(ftype)   (((ftype) & TSK_FS_TYPE_YAFFS2_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system. More...
 
#define TSK_FS_TYPE_ISAPFS(ftype)   (((ftype) & TSK_FS_TYPE_APFS_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system. More...
 
#define TSK_FS_TYPE_ISRAW(ftype)   (((ftype) & TSK_FS_TYPE_RAW_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a raw "file system". More...
 
#define TSK_FS_TYPE_ISAPFS(ftype)   (((ftype) & TSK_FS_TYPE_APFS_DETECT)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system. More...
 
#define TSK_FS_TYPE_ISDIR(ftype)   (((ftype) & TSK_FS_TYPE_LOGICAL)?1:0)
 Macro that takes a file system type and returns 1 if the type is for a logical directory "file system". More...
 
#define TSK_FS_INFO_TAG   0x10101010
 
#define TSK_FS_INFO_FS_ID_LEN   32
 
enum  TSK_FS_TYPE_ENUM {
  TSK_FS_TYPE_DETECT = 0x00000000, TSK_FS_TYPE_NTFS = 0x00000001, TSK_FS_TYPE_NTFS_DETECT = 0x00000001, TSK_FS_TYPE_FAT12 = 0x00000002,
  TSK_FS_TYPE_FAT16 = 0x00000004, TSK_FS_TYPE_FAT32 = 0x00000008, TSK_FS_TYPE_EXFAT = 0x0000000a, TSK_FS_TYPE_FAT_DETECT = 0x0000000e,
  TSK_FS_TYPE_FFS1 = 0x00000010, TSK_FS_TYPE_FFS1B = 0x00000020, TSK_FS_TYPE_FFS2 = 0x00000040, TSK_FS_TYPE_FFS_DETECT = 0x00000070,
  TSK_FS_TYPE_EXT2 = 0x00000080, TSK_FS_TYPE_EXT3 = 0x00000100, TSK_FS_TYPE_EXT_DETECT = 0x00002180, TSK_FS_TYPE_SWAP = 0x00000200,
  TSK_FS_TYPE_SWAP_DETECT = 0x00000200, TSK_FS_TYPE_RAW = 0x00000400, TSK_FS_TYPE_RAW_DETECT = 0x00000400, TSK_FS_TYPE_ISO9660 = 0x00000800,
  TSK_FS_TYPE_ISO9660_DETECT = 0x00000800, TSK_FS_TYPE_HFS = 0x00001000, TSK_FS_TYPE_HFS_DETECT = 0x00009000, TSK_FS_TYPE_EXT4 = 0x00002000,
  TSK_FS_TYPE_YAFFS2 = 0x00004000, TSK_FS_TYPE_YAFFS2_DETECT = 0x00004000, TSK_FS_TYPE_HFS_LEGACY = 0x00008000, TSK_FS_TYPE_APFS = 0x00010000,
  TSK_FS_TYPE_APFS_DETECT = 0x00010000, TSK_FS_TYPE_LOGICAL = 0x00020000, TSK_FS_TYPE_UNSUPP = 0xffffffff
}
 Values for the file system type. More...
 
enum  TSK_FS_INFO_FLAG_ENUM { TSK_FS_INFO_FLAG_NONE = 0x00, TSK_FS_INFO_FLAG_HAVE_SEQ = 0x01, TSK_FS_INFO_FLAG_HAVE_NANOSEC = 0x02, TSK_FS_INFO_FLAG_ENCRYPTED = 0x04 }
 Flags for the FS_INFO structure. More...
 
enum  TSK_FS_ISTAT_FLAG_ENUM { TSK_FS_ISTAT_NONE = 0x00, TSK_FS_ISTAT_RUNLIST = 0x01 }
 
typedef enum TSK_FS_TYPE_ENUM TSK_FS_TYPE_ENUM
 
typedef enum TSK_FS_INFO_FLAG_ENUM TSK_FS_INFO_FLAG_ENUM
 
typedef enum TSK_FS_ISTAT_FLAG_ENUM TSK_FS_ISTAT_FLAG_ENUM
 
TSK_FS_INFOtsk_fs_open_img (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM)
 Tries to process data in a disk image at a given offset as a file system. More...
 
TSK_FS_INFOtsk_fs_open_vol (const TSK_VS_PART_INFO *, TSK_FS_TYPE_ENUM)
 Tries to process data in a volume as a file system. More...
 
TSK_FS_INFOtsk_fs_open_pool (const TSK_POOL_INFO *, TSK_DADDR_T, TSK_FS_TYPE_ENUM)
 
TSK_FS_INFOtsk_fs_open_img_decrypt (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *password)
 Tries to process data in a disk image at a given offset as a file system. More...
 
TSK_FS_INFOtsk_fs_open_vol_decrypt (const TSK_VS_PART_INFO *, TSK_FS_TYPE_ENUM, const char *password)
 Tries to process data in a volume as a file system. More...
 
TSK_FS_INFOtsk_fs_open_pool_decrypt (const TSK_POOL_INFO *, TSK_DADDR_T, TSK_FS_TYPE_ENUM, const char *password)
 
void tsk_fs_close (TSK_FS_INFO *)
 Close an open file system. More...
 
TSK_FS_TYPE_ENUM tsk_fs_type_toid_utf8 (const char *)
 Parse a string with the file system type and return its internal ID. More...
 
TSK_FS_TYPE_ENUM tsk_fs_type_toid (const TSK_TCHAR *)
 Parse a string with the file system type and return its internal ID. More...
 
void tsk_fs_type_print (FILE *)
 Print the supported file system types to a file handle. More...
 
const char * tsk_fs_type_toname (TSK_FS_TYPE_ENUM)
 Return the string name of a file system type id. More...
 
TSK_FS_TYPE_ENUM tsk_fs_type_supported ()
 Return the supported file system types. More...
 
ssize_t tsk_fs_read (TSK_FS_INFO *a_fs, TSK_OFF_T a_off, char *a_buf, size_t a_len)
 Read arbitrary data from inside of the file system. More...
 
ssize_t tsk_fs_read_decrypt (TSK_FS_INFO *a_fs, TSK_OFF_T a_off, char *a_buf, size_t a_len, TSK_DADDR_T crypto_id)
 Read arbitrary data from inside of the file system. More...
 
ssize_t tsk_fs_read_block (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len)
 Read a file system block into a char* buffer. More...
 
ssize_t tsk_fs_read_block_decrypt (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_DADDR_T crypto_id)
 Read a file system block into a char* buffer. More...
 

Detailed Description

External header file for file system support.

Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_fs_i.h.

Macro Definition Documentation

#define TSK_FS_ISDOT (   str)
Value:
( ((str[0] == '.') && \
( ((str[1] == '.') && (str[2] == '\0')) || (str[1] == '\0') ) ) ? 1 : 0 )

Typedef Documentation

typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CB) (const TSK_FS_BLOCK *a_block, void *a_ptr)

Function definition used for callback to tsk_fs_block_walk().

Parameters
a_blockPointer to block structure that holds block content and flags
a_ptrPointer that was supplied by the caller who called tsk_fs_block_walk
Returns
Value to identify if walk should continue, stop, or stop because of error
typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CPP_CB) (const TskFsBlock *a_block, void *a_ptr)

Function definition used for callback to blockWalk().

Parameters
a_blockPointer to TskFsBlock object that holds block content and flags
a_ptrPointer that was supplied by the caller who called tsk_fs_block_walk
Returns
Value to identify if walk should continue, stop, or stop because of error
typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CB) (TSK_FS_FILE *a_fs_file, const char *a_path, void *a_ptr)

Definition of callback function that is used by tsk_fs_dir_walk().

This is is called for each file in a directory.

Parameters
a_fs_filePointer to the current file in the directory
a_pathPath of the file
a_ptrPointer that was originally passed by caller to tsk_fs_dir_walk.
Returns
Value to signal if tsk_fs_dir_walk should stop or continue.
typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CPP_CB) (TskFsFile *a_fs_file, const char *a_path, void *a_ptr)

Definition of callback function that is used by tsk_fs_dir_walk().

This is is called for each file in a directory.

Parameters
a_fs_filePointer to the current file in the directory
a_pathPath of the file
a_ptrPointer that was originally passed by caller to tsk_fs_dir_walk.
Returns
Value to signal if tsk_fs_dir_walk should stop or continue.
typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CB) (TSK_FS_FILE *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)

File walk callback function definition.

This is called for chunks of content in the file being processed.

Parameters
a_fs_filePointer to file being processed
a_offByte offset in file that this data is for
a_addrAddress of data being passed (valid only if a_flags have RAW set)
a_bufPointer to buffer with file content
a_lenSize of data in buffer (in bytes)
a_flagsFlags about the file content
a_ptrPointer that was specified by caller to inode_walk
Returns
Value that tells file walk to continue or stop
typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CPP_CB) (TskFsFile *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)

File walk callback function definition.

This is called for chunks of content in the file being processed.

Parameters
a_fs_filePointer to file being processed
a_offByte offset in file that this data is for
a_addrAddress of data being passed (valid only if a_flags have RAW set)
a_bufPointer to buffer with file content
a_lenSize of data in buffer (in bytes)
a_flagsFlags about the file content
a_ptrPointer that was specified by caller to inode_walk
Returns
Value that tells file walk to continue or stop
typedef TSK_WALK_RET_ENUM(* TSK_FS_JBLK_WALK_CPP_CB) (TskFsInfo *a_fsInfo, char *a_string, int a_num, void *a_ptr)

Function definition for callback in TskFsInfo.jblkWalk().

Parameters
a_fsInfoFile system being analyzed
a_string
a_num
a_ptrPointer that was supplied by the caller
Returns
Value to identify if walk should continue, stop, or stop because of error
typedef TSK_WALK_RET_ENUM(* TSK_FS_JENTRY_WALK_CPP_CB) (TskFsInfo *a_fsInfo, TskFsJEntry *a_jentry, int a_num, void *a_ptr)

Function definition for callback in TskFsInfo.jentryWalk().

Parameters
a_fsInfoFile system being analyzed
a_jentryjournal entry
a_num
a_ptrPointer that was supplied by the caller.
Returns
Value to identify if walk should continue, stop, or stop because of error
typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CB) (TSK_FS_FILE *a_fs_file, void *a_ptr)

inode walk callback function definition.

This is called for every file that meets the criteria specified when inode_walk was called.

Parameters
a_fs_filePointer to the current file
a_ptrPointer that was specified by caller to inode_walk
Returns
Value that tells inode walk to continue or stop
typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CPP_CB) (TskFsFile *a_fs_file, void *a_ptr)

inode walk callback function definition.

This is called for every file that meets the criteria specified when inode_walk was called.

Parameters
a_fs_filePointer to the current file
a_ptrPointer that was specified by caller to inode_walk
Returns
Value that tells inode walk to continue or stop

Enumeration Type Documentation

Flags used for the TSK_FS_ATTR structure, which is used to store file content metadata.

Enumerator
TSK_FS_ATTR_FLAG_NONE 

No Flag.

TSK_FS_ATTR_INUSE 

data structure is in use

TSK_FS_ATTR_NONRES 

Contains non-resident data (i.e. located in blocks)

TSK_FS_ATTR_RES 

Contains resident data (i.e. in a small buffer)

TSK_FS_ATTR_ENC 

Contains encrypted data.

TSK_FS_ATTR_COMP 

Contains compressed data.

TSK_FS_ATTR_SPARSE 

Contains sparse data.

TSK_FS_ATTR_RECOVERY 

Data was determined in file recovery mode.

Flags used for a TSK_FS_ATTR_RUN entry.

Enumerator
TSK_FS_ATTR_RUN_FLAG_NONE 

No Flag.

TSK_FS_ATTR_RUN_FLAG_FILLER 

Entry is a filler for a run that has not been seen yet in the processing (or has been lost)

TSK_FS_ATTR_RUN_FLAG_SPARSE 

Entry is a sparse run where all data in the run is zeros.

TSK_FS_ATTR_RUN_FLAG_ENCRYPTED 

Entry is arun where the data is encrypted.

These are based on the NTFS type values.

Added types for HFS+. NOTE: Update bindings/java/src/org/sleuthkit/datamodel/TskData.java with any changes.

Flags that are used in TSK_FS_BLOCK and in callback of file_walk.

Note that some of these are dependent. A block can be either TSK_FS_BLOCK_FLAG_ALLOC or TSK_FS_BLOCK_FLAG_UNALLOC. It can be one of TSK_FS_BLOCK_FLAG_RAW, TSK_FS_BLOCK_FLAG_BAD, TSK_FS_BLOCK_FLAG_RES, TSK_FS_BLOCK_FLAG_SPARSE, or TSK_FS_BLOCK_FLAG_COMP. Note that some of these are set only by file_walk because they are file-level details, such as compression and sparse.

Enumerator
TSK_FS_BLOCK_FLAG_UNUSED 

Used to show that TSK_FS_BLOCK structure has no data in it.

TSK_FS_BLOCK_FLAG_ALLOC 

Block is allocated (and not TSK_FS_BLOCK_FLAG_UNALLOC)

TSK_FS_BLOCK_FLAG_UNALLOC 

Block is unallocated (and not TSK_FS_BLOCK_FLAG_ALLOC)

TSK_FS_BLOCK_FLAG_CONT 

Block (could) contain file content (and not TSK_FS_BLOCK_FLAG_META)

TSK_FS_BLOCK_FLAG_META 

Block (could) contain file system metadata (and not TSK_FS_BLOCK_FLAG_CONT)

TSK_FS_BLOCK_FLAG_BAD 

Block has been marked as bad by the file system.

TSK_FS_BLOCK_FLAG_RAW 

The data has been read raw from the disk (and not COMP or SPARSE)

TSK_FS_BLOCK_FLAG_SPARSE 

The data passed in the file_walk callback was stored as sparse (all zeros) (and not RAW or COMP)

TSK_FS_BLOCK_FLAG_COMP 

The data passed in the file_walk callback was stored in a compressed form (and not RAW or SPARSE)

TSK_FS_BLOCK_FLAG_RES 

The data passed in the file_walk callback is from an NTFS resident file.

Flags that are used to specify which blocks to call the tsk_fs_block_walk() callback function with.

Enumerator
TSK_FS_BLOCK_WALK_FLAG_NONE 

No Flags.

TSK_FS_BLOCK_WALK_FLAG_ALLOC 

Allocated blocks.

TSK_FS_BLOCK_WALK_FLAG_UNALLOC 

Unallocated blocks.

TSK_FS_BLOCK_WALK_FLAG_CONT 

Blocks that could store file content.

TSK_FS_BLOCK_WALK_FLAG_META 

Blocks that could store file system metadata.

TSK_FS_BLOCK_WALK_FLAG_AONLY 

Do not include content in callback only address and allocation status.

Flags that are used when walking names in directories.

These are used to identify which files to call the callback function on.

Enumerator
TSK_FS_DIR_WALK_FLAG_NONE 

No Flags.

TSK_FS_DIR_WALK_FLAG_ALLOC 

Return allocated names in callback.

TSK_FS_DIR_WALK_FLAG_UNALLOC 

Return unallocated names in callback.

TSK_FS_DIR_WALK_FLAG_RECURSE 

Recurse into sub-directories.

TSK_FS_DIR_WALK_FLAG_NOORPHAN 

Do not return (or recurse into) the special Orphan directory.

Flags used by tsk_fs_file_read.

Enumerator
TSK_FS_FILE_READ_FLAG_NONE 

No Flags.

TSK_FS_FILE_READ_FLAG_SLACK 

Allow read access into slack space.

TSK_FS_FILE_READ_FLAG_NOID 

Ignore the Id argument given in the API (use only the type)

Flags used by tsk_fs_file_walk to determine when the callback function should be used.

Enumerator
TSK_FS_FILE_WALK_FLAG_NONE 

No Flag.

TSK_FS_FILE_WALK_FLAG_SLACK 

Include the file's slack space in the callback.

TSK_FS_FILE_WALK_FLAG_NOID 

Ignore the Id argument given in the API (use only the type)

TSK_FS_FILE_WALK_FLAG_AONLY 

Provide callback with only addresses and no file content.

TSK_FS_FILE_WALK_FLAG_NOSPARSE 

Do not include sparse blocks in the callback.

Enumerator
TSK_FS_META_ATTR_EMPTY 

The data in the attributes (if any) is not for this file.

TSK_FS_META_ATTR_STUDIED 

The data in the attributes are for this file.

TSK_FS_META_ATTR_ERROR 

The attributes for this file could not be loaded.

Enumerator
TSK_FS_META_CONTENT_TYPE_EXT4_EXTENTS 

Ext4 with extents instead of individual pointers.

TSK_FS_META_CONTENT_TYPE_EXT4_INLINE 

Ext4 with inline data.

Metadata flags used in TSK_FS_META.flags and in request to inode_walk.

Enumerator
TSK_FS_META_FLAG_ALLOC 

Metadata structure is currently in an allocated state.

TSK_FS_META_FLAG_UNALLOC 

Metadata structure is currently in an unallocated state.

TSK_FS_META_FLAG_USED 

Metadata structure has been allocated at least once.

TSK_FS_META_FLAG_UNUSED 

Metadata structure has never been allocated.

TSK_FS_META_FLAG_COMP 

The file contents are compressed.

TSK_FS_META_FLAG_ORPHAN 

Return only metadata structures that have no file name pointing to the (inode_walk flag only)

Enumerator
TSK_FS_META_MODE_UNSPECIFIED 

unspecified

TSK_FS_META_MODE_ISUID 

set user id on execution

TSK_FS_META_MODE_ISGID 

set group id on execution

TSK_FS_META_MODE_ISVTX 

sticky bit

TSK_FS_META_MODE_IRUSR 

R for owner.

TSK_FS_META_MODE_IWUSR 

W for owner.

TSK_FS_META_MODE_IXUSR 

X for owner.

TSK_FS_META_MODE_IRGRP 

R for group.

TSK_FS_META_MODE_IWGRP 

W for group.

TSK_FS_META_MODE_IXGRP 

X for group.

TSK_FS_META_MODE_IROTH 

R for other.

TSK_FS_META_MODE_IWOTH 

W for other.

TSK_FS_META_MODE_IXOTH 

X for other.

Values for the mode field – which identifies the file type and permissions.

Enumerator
TSK_FS_META_TYPE_REG 

Regular file.

TSK_FS_META_TYPE_DIR 

Directory file.

TSK_FS_META_TYPE_FIFO 

Named pipe (fifo)

TSK_FS_META_TYPE_CHR 

Character device.

TSK_FS_META_TYPE_BLK 

Block device.

TSK_FS_META_TYPE_LNK 

Symbolic link.

TSK_FS_META_TYPE_SHAD 

SOLARIS ONLY.

TSK_FS_META_TYPE_SOCK 

UNIX domain socket.

TSK_FS_META_TYPE_WHT 

Whiteout.

TSK_FS_META_TYPE_VIRT 

"Virtual File" created by TSK for file system areas

TSK_FS_META_TYPE_VIRT_DIR 

"Virtual Directory" created by TSK to hold data like orphan files

File name flags that are used when specifying the status of a name in the TSK_FS_NAME structure.

Enumerator
TSK_FS_NAME_FLAG_ALLOC 

Name is in an allocated state.

TSK_FS_NAME_FLAG_UNALLOC 

Name is in an unallocated state.

File type values – as specified in the directory entry structure.

Enumerator
TSK_FS_NAME_TYPE_UNDEF 

Unknown type.

TSK_FS_NAME_TYPE_FIFO 

Named pipe.

TSK_FS_NAME_TYPE_CHR 

Character device.

TSK_FS_NAME_TYPE_DIR 

Directory.

TSK_FS_NAME_TYPE_BLK 

Block device.

TSK_FS_NAME_TYPE_REG 

Regular file.

TSK_FS_NAME_TYPE_LNK 

Symbolic link.

TSK_FS_NAME_TYPE_SOCK 

Socket.

TSK_FS_NAME_TYPE_SHAD 

Shadow inode (solaris)

TSK_FS_NAME_TYPE_WHT 

Whiteout (openbsd)

TSK_FS_NAME_TYPE_VIRT 

Special (TSK added "Virtual" files)

TSK_FS_NAME_TYPE_VIRT_DIR 

Special (TSK added "Virtual" directories)

Function Documentation

uint8_t tsk_fs_blkcat ( TSK_FS_INFO fs,
TSK_FS_BLKCAT_FLAG_ENUM  lclflags,
TSK_DADDR_T  addr,
TSK_DADDR_T  read_num_units 
)

Read a specific number of blocks and print the contents to STDOUT.

Parameters
fsFile system to analyze
lclflagsflags
addrStarting block address to read from
read_num_unitsNumber of blocks to read
Returns
1 on error and 0 on success

References TSK_FS_INFO::block_size, TSK_FS_INFO::last_block, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_read_block(), and tsk_printf().

uint8_t tsk_fs_file_get_owner_sid ( TSK_FS_FILE a_fs_file,
char **  sid_str 
)

Returns a string representation of the security attributes of a file.

Parameters
a_fs_fileThe file to get security info about.
sid_strA pointer to a pointer that will contain the SID string. This function will allocate the string and the caller must free it.
Returns
0 on success or 1 on error.

References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

uint8_t tsk_fs_file_hash_calc ( TSK_FS_FILE a_fs_file,
TSK_FS_HASH_RESULTS a_hash_results,
TSK_BASE_HASH_ENUM  a_flags 
)

Returns a string containing the md5 hash of the given file.

Parameters
a_fs_fileThe file to calculate the hash of
a_hash_resultsThe results will be stored here (must be allocated beforehand)
a_flagsIndicates which hash algorithm(s) to use
Returns
0 on success or 1 on error

References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_hash_calc_callback(), tsk_fs_file_walk(), TSK_FS_FILE_WALK_FLAG_NONE, TSK_MD5_Final(), TSK_MD5_Init(), TSK_SHA_Final(), and TSK_SHA_Init().

uint8_t tsk_fs_ifind_par ( TSK_FS_INFO fs,
TSK_FS_IFIND_FLAG_ENUM  lclflags,
TSK_INUM_T  par 
)

Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME).

Parameters
fsFile system to search
lclflagsFlags
parParent directory MFT entry address
Returns
1 on error and 0 on success

References TSK_FS_INFO::first_inum, TSK_FS_INFO::inode_walk, TSK_FS_INFO::last_inum, and TSK_FS_META_FLAG_UNALLOC.

int8_t tsk_fs_ifind_path ( TSK_FS_INFO fs,
TSK_TCHAR tpath,
TSK_INUM_T result 
)

Find the meta data address for a given file TCHAR name.

Parameters
fsFS to analyze
tpathPath of file to search for
[out]resultMeta data address of file
Returns
-1 on error, 0 if found, and 1 if not found

References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_path2inum(), tsk_UTF16toUTF8_lclorder(), TSKconversionOK, and TSKlenientConversion.

uint8_t tsk_fs_ils ( TSK_FS_INFO fs,
TSK_FS_ILS_FLAG_ENUM  lclflags,
TSK_INUM_T  istart,
TSK_INUM_T  ilast,
TSK_FS_META_FLAG_ENUM  flags,
int32_t  skew,
const TSK_TCHAR img 
)

Library API for inode walking.

Parameters
fsFile system to analyze
lclflagsTSK_FS_ILS_XXX flag settings
istartStarting inode address
ilastEnding inode address
flagsInode walk flags
skewclock skew in seconds
imgPath to disk image name for header
Returns
1 on error and 0 on success

References TSK_FS_INFO::inode_walk, TSK_FS_META_FLAG_ALLOC, TSK_FS_META_FLAG_ORPHAN, and TSK_FS_META_FLAG_UNALLOC.


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.