The Sleuth Kit  4.11.1
tsk_fs_i.h File Reference

Contains the internal library definitions for the file system functions.

#include "tsk/base/tsk_base_i.h"
#include "tsk/img/tsk_img_i.h"
#include "tsk/vs/tsk_vs_i.h"
#include "tsk_fs.h"
#include <time.h>
#include <locale.h>
#include <sys/fcntl.h>
#include <sys/time.h>

Classes

struct  TSK_FS_LOAD_FILE
 
struct  TSK_USN_RECORD_HEADER
 

Macros

#define isset(a, i)   (((uint8_t *)(a))[(i)/NBBY] & (1<<((i)%NBBY)))
 
#define NBBY   8
 
#define setbit(a, i)   (((uint8_t *)(a))[(i)/NBBY] |= (1<<((i)%NBBY)))
 
#define TSK_USE_HFS   1
 

Functions

TSK_FS_INFO * apfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *)
 
TSK_FS_INFO * apfs_open_auto_detect (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 
TSK_FS_INFO * ext2fs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 
TSK_FS_INFO * fatfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 
TSK_FS_INFO * ffs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 
TSK_FS_INFO * hfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 
TSK_FS_INFO * iso9660_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 
TSK_FS_INFO * logical_fs_open (TSK_IMG_INFO *)
 
TSK_FS_INFO * ntfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 Open part of a disk image as an NTFS file system.
 
TSK_FS_INFO * rawfs_open (TSK_IMG_INFO *, TSK_OFF_T)
 
TSK_FS_INFO * swapfs_open (TSK_IMG_INFO *, TSK_OFF_T)
 
uint8_t tsk_fs_attr_add_run (TSK_FS_INFO *fs, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *data_run_new)
 
TSK_FS_ATTR * tsk_fs_attr_alloc (TSK_FS_ATTR_FLAG_ENUM)
 
void tsk_fs_attr_append_run (TSK_FS_INFO *fs, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *a_data_run)
 Append a data run to the end of the attribute and update its offset value.
 
void tsk_fs_attr_clear (TSK_FS_ATTR *)
 
void tsk_fs_attr_free (TSK_FS_ATTR *)
 
uint8_t tsk_fs_attr_print (const TSK_FS_ATTR *a_fs_attr, FILE *hFile)
 
TSK_FS_ATTR_RUN * tsk_fs_attr_run_alloc ()
 
uint8_t tsk_fs_attr_set_run (TSK_FS_FILE *, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *data_run_new, const char *name, TSK_FS_ATTR_TYPE_ENUM type, uint16_t id, TSK_OFF_T size, TSK_OFF_T initsize, TSK_OFF_T allocsize, TSK_FS_ATTR_FLAG_ENUM flags, uint32_t compsize)
 
uint8_t tsk_fs_attr_set_str (TSK_FS_FILE *, TSK_FS_ATTR *, const char *, TSK_FS_ATTR_TYPE_ENUM, uint16_t, void *, size_t)
 
uint8_t tsk_fs_attrlist_add (TSK_FS_ATTRLIST *, TSK_FS_ATTR *)
 
TSK_FS_ATTRLIST * tsk_fs_attrlist_alloc ()
 
void tsk_fs_attrlist_free (TSK_FS_ATTRLIST *)
 
const TSK_FS_ATTR * tsk_fs_attrlist_get (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM)
 
const TSK_FS_ATTR * tsk_fs_attrlist_get_id (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM, uint16_t)
 
const TSK_FS_ATTR * tsk_fs_attrlist_get_idx (const TSK_FS_ATTRLIST *, int)
 
int tsk_fs_attrlist_get_len (const TSK_FS_ATTRLIST *a_fs_attrlist)
 
const TSK_FS_ATTR * tsk_fs_attrlist_get_name_type (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM, const char *)
 
TSK_FS_ATTR * tsk_fs_attrlist_getnew (TSK_FS_ATTRLIST *, TSK_FS_ATTR_FLAG_ENUM a_atype)
 
void tsk_fs_attrlist_markunused (TSK_FS_ATTRLIST *)
 
TSK_FS_BLOCK * tsk_fs_block_alloc (TSK_FS_INFO *fs)
 
int tsk_fs_block_set (TSK_FS_INFO *fs, TSK_FS_BLOCK *fs_block, TSK_DADDR_T a_addr, TSK_FS_BLOCK_FLAG_ENUM a_flags, char *a_buf)
 
uint8_t tsk_fs_dir_add (TSK_FS_DIR *a_fs_dir, const TSK_FS_NAME *a_fs_dent)
 
TSK_FS_DIR * tsk_fs_dir_alloc (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr, size_t a_cnt)
 
uint8_t tsk_fs_dir_contains (TSK_FS_DIR *a_fs_dir, TSK_INUM_T meta_addr, uint32_t hash)
 Test if a_fs_dir already contains an entry for the given meta data address.
 
uint8_t tsk_fs_dir_find_inum_named (TSK_FS_INFO *a_fs, TSK_INUM_T a_inum)
 
TSK_RETVAL_ENUM tsk_fs_dir_find_orphans (TSK_FS_INFO *a_fs, TSK_FS_DIR *a_fs_dir)
 
uint32_t tsk_fs_dir_hash (const char *str)
 
TSK_RETVAL_ENUM tsk_fs_dir_load_inum_named (TSK_FS_INFO *a_fs)
 
uint8_t tsk_fs_dir_make_orphan_dir_meta (TSK_FS_INFO *a_fs, TSK_FS_META *a_fs_meta)
 
uint8_t tsk_fs_dir_make_orphan_dir_name (TSK_FS_INFO *a_fs, TSK_FS_NAME *a_fs_name)
 
uint8_t tsk_fs_dir_realloc (TSK_FS_DIR *a_fs_dir, size_t a_cnt)
 
void tsk_fs_dir_reset (TSK_FS_DIR *a_fs_dir)
 
uint8_t tsk_fs_dir_walk_internal (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CB a_action, void *a_ptr, int macro_recursion_depth)
 
TSK_FS_FILE * tsk_fs_file_alloc (TSK_FS_INFO *)
 
void tsk_fs_free (TSK_FS_INFO *)
 
TSK_WALK_RET_ENUM tsk_fs_load_file_action (TSK_FS_FILE *fs_file, TSK_OFF_T, TSK_DADDR_T, char *, size_t, TSK_FS_BLOCK_FLAG_ENUM, void *)
 
TSK_FS_INFO * tsk_fs_malloc (size_t)
 
TSK_FS_META * tsk_fs_meta_alloc (size_t)
 
void tsk_fs_meta_close (TSK_FS_META *fs_meta)
 
TSK_FS_META * tsk_fs_meta_realloc (TSK_FS_META *, size_t)
 
void tsk_fs_meta_reset (TSK_FS_META *)
 
TSK_FS_NAME * tsk_fs_name_alloc (size_t, size_t)
 
uint8_t tsk_fs_name_copy (TSK_FS_NAME *a_fs_name_to, const TSK_FS_NAME *a_fs_name_from)
 
void tsk_fs_name_free (TSK_FS_NAME *)
 
void tsk_fs_name_print (FILE *, const TSK_FS_FILE *, const char *, TSK_FS_INFO *, const TSK_FS_ATTR *, uint8_t)
 
void tsk_fs_name_print_long (FILE *, const TSK_FS_FILE *, const char *, TSK_FS_INFO *, const TSK_FS_ATTR *, uint8_t, int32_t)
 
void tsk_fs_name_print_mac (FILE *, const TSK_FS_FILE *, const char *, const TSK_FS_ATTR *fs_attr, const char *, int32_t)
 
void tsk_fs_name_print_mac_md5 (FILE *, const TSK_FS_FILE *, const char *, const TSK_FS_ATTR *fs_attr, const char *, int32_t, const unsigned char *)
 
uint8_t tsk_fs_name_realloc (TSK_FS_NAME *, size_t)
 
void tsk_fs_name_reset (TSK_FS_NAME *a_fs_name)
 
TSK_FS_BLOCK_FLAG_ENUM tsk_fs_nofs_block_getflags (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr)
 
uint8_t tsk_fs_nofs_block_walk (TSK_FS_INFO *fs, TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr)
 
void tsk_fs_nofs_close (TSK_FS_INFO *fs)
 
TSK_RETVAL_ENUM tsk_fs_nofs_dir_open_meta (TSK_FS_INFO *a_fs, TSK_FS_DIR **a_fs_dir, TSK_INUM_T a_addr, int recursion_depth)
 
uint8_t tsk_fs_nofs_file_add_meta (TSK_FS_INFO *fs, TSK_FS_FILE *a_fs_file, TSK_INUM_T inum)
 
uint8_t tsk_fs_nofs_fsstat (TSK_FS_INFO *fs, FILE *hFile)
 
TSK_FS_ATTR_TYPE_ENUM tsk_fs_nofs_get_default_attr_type (const TSK_FS_FILE *a_file)
 
uint8_t tsk_fs_nofs_inode_walk (TSK_FS_INFO *fs, TSK_INUM_T a_start_inum, TSK_INUM_T a_end_inum, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_action, void *a_ptr)
 
uint8_t tsk_fs_nofs_istat (TSK_FS_INFO *a_fs, TSK_FS_ISTAT_FLAG_ENUM istat_flags, FILE *hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew)
 
uint8_t tsk_fs_nofs_jblk_walk (TSK_FS_INFO *a_fs, TSK_INUM_T start, TSK_INUM_T end, int a_flags, TSK_FS_JBLK_WALK_CB a_action, void *a_ptr)
 
uint8_t tsk_fs_nofs_jentry_walk (TSK_FS_INFO *a_fs, int a_flags, TSK_FS_JENTRY_WALK_CB a_action, void *a_ptr)
 
uint8_t tsk_fs_nofs_jopen (TSK_FS_INFO *a_fs, TSK_INUM_T inum)
 
uint8_t tsk_fs_nofs_make_data_run (TSK_FS_FILE *)
 
int tsk_fs_nofs_name_cmp (TSK_FS_INFO *, const char *, const char *)
 
char * tsk_fs_time_to_str (time_t, char buf[128])
 Converts a time value to a string representation.
 
char * tsk_fs_time_to_str_subsecs (time_t, unsigned int subsecs, char buf[128])
 Converts a time value to a string representation.
 
TSK_FS_ATTR_TYPE_ENUM tsk_fs_unix_get_default_attr_type (const TSK_FS_FILE *a_file)
 
uint8_t tsk_fs_unix_make_data_run (TSK_FS_FILE *fs_file)
 
int tsk_fs_unix_name_cmp (TSK_FS_INFO *a_fs_info, const char *s1, const char *s2)
 
TSK_FS_INFO * yaffs2_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t)
 

NTFS Update Sequence Number Journal Data Structures

#define tsk_fs_guessu16(fs, x, mag)   tsk_guess_end_u16(&(fs->endian), (x), (mag))
 
#define tsk_fs_guessu32(fs, x, mag)   tsk_guess_end_u32(&(fs->endian), (x), (mag))
 
enum  TSK_FS_USNJLS_FLAG_ENUM { TSK_FS_USNJLS_NONE = 0x00, TSK_FS_USNJLS_LONG = 0x01, TSK_FS_USNJLS_MAC = 0x02 }
 
typedef TSK_WALK_RET_ENUM(* TSK_FS_USNJENTRY_WALK_CB) (TSK_USN_RECORD_HEADER *a_header, void *a_record, void *a_ptr)
 Function definition used for callback to ntfs_usnjentry_walk().
 
typedef enum TSK_FS_USNJLS_FLAG_ENUM TSK_FS_USNJLS_FLAG_ENUM
 
uint8_t tsk_ntfs_usnjopen (TSK_FS_INFO *fs, TSK_INUM_T inum)
 Open the Update Sequence Number Journal stored at the inode inum.
 
uint8_t tsk_ntfs_usnjentry_walk (TSK_FS_INFO *fs, TSK_FS_USNJENTRY_WALK_CB action, void *ptr)
 Walk through the Update Sequence Number journal file opened with ntfs_usnjopen.
 
uint8_t tsk_fs_usnjls (TSK_FS_INFO *fs, TSK_INUM_T inode, TSK_FS_USNJLS_FLAG_ENUM flags)
 

Detailed Description

Contains the internal library definitions for the file system functions.

This should be included by the code in the file system library.

Typedef Documentation

typedef TSK_WALK_RET_ENUM(* TSK_FS_USNJENTRY_WALK_CB) (TSK_USN_RECORD_HEADER *a_header, void *a_record, void *a_ptr)

Function definition used for callback to ntfs_usnjentry_walk().

Parameters
a_header: Pointer to USN header structure.
a_record: Pointer to the USN record structure; its type can be deduced from the major version number in the header.
a_ptr: Pointer that was supplied by the caller who called ntfs_usnjentry_walk.
Returns
Value to identify if walk should continue, stop, or stop because of error

Function Documentation

TSK_FS_INFO* ntfs_open ( TSK_IMG_INFO * img_info,
TSK_OFF_T  offset,
TSK_FS_TYPE_ENUM  ftype,
uint8_t  test 
)
void tsk_fs_attr_append_run ( TSK_FS_INFO * a_fs,
TSK_FS_ATTR * a_fs_attr,
TSK_FS_ATTR_RUN * a_data_run 
)

Append a data run to the end of the attribute and update its offset value.

The offset already stored in the data run is ignored; the run is appended unconditionally.

Parameters
a_fs: File system the run is from.
a_fs_attr: Data attribute to append to.
a_data_run: Data run to append.

References TSK_FS_ATTR_RUN::len, TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, TSK_FS_ATTR_RUN::offset, TSK_FS_ATTR::run, and TSK_FS_ATTR::run_end.

uint8_t tsk_fs_dir_contains ( TSK_FS_DIR * a_fs_dir,
TSK_INUM_T  meta_addr,
uint32_t  hash 
)

Test if a_fs_dir already contains an entry for the given meta data address.

If so, return the allocation state.

Returns
TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_FLAG_UNALLOC, or 0 if not found.

References TSK_FS_NAME::flags, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_DIR::names, TSK_FS_DIR::names_used, and TSK_FS_NAME_FLAG_ALLOC.

uint8_t tsk_ntfs_usnjentry_walk ( TSK_FS_INFO * fs,
TSK_FS_USNJENTRY_WALK_CB  action,
void *  ptr 
)

Walk through the Update Sequence Number journal file opened with ntfs_usnjopen.

For each USN record, calls the callback action passing the USN record header, the USN record and the pointer ptr.

Parameters
ntfs: File system where the journal is stored.
action: Action to be called for each USN entry.
ptr: Pointer to data passed to the action callback.
Returns
0 on success, 1 otherwise

References TSK_FS_INFO::ftype, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_close(), and TSK_FS_TYPE_NTFS.

uint8_t tsk_ntfs_usnjopen ( TSK_FS_INFO * fs,
TSK_INUM_T  inum 
)

Open the Update Sequence Number Journal stored at the inode inum.

Parameters
ntfs: File system where the journal is stored.
inum: File reference number where the USN journal is located.
Returns
0 on success, 1 otherwise

References TSK_FS_INFO::block_size, TSK_FS_INFO::ftype, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_file_open_meta(), TSK_FS_TYPE_NTFS, and tsk_verbose.


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.