The Sleuth Kit
4.11.1
Contains the internal library definitions for the file system functions. More...
#include "tsk/base/tsk_base_i.h"
#include "tsk/img/tsk_img_i.h"
#include "tsk/vs/tsk_vs_i.h"
#include "tsk_fs.h"
#include <time.h>
#include <locale.h>
#include <sys/fcntl.h>
#include <sys/time.h>
Classes | |
struct | TSK_FS_LOAD_FILE |
struct | TSK_USN_RECORD_HEADER |
Macros | |
#define | isset(a, i) (((uint8_t *)(a))[(i)/NBBY] & (1<<((i)%NBBY))) |
#define | NBBY 8 |
#define | setbit(a, i) (((uint8_t *)(a))[(i)/NBBY] |= (1<<((i)%NBBY))) |
#define | TSK_USE_HFS 1 |
Functions | |
TSK_FS_INFO * | apfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *) |
TSK_FS_INFO * | apfs_open_auto_detect (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
TSK_FS_INFO * | ext2fs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
TSK_FS_INFO * | fatfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
TSK_FS_INFO * | ffs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
TSK_FS_INFO * | hfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
TSK_FS_INFO * | iso9660_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
TSK_FS_INFO * | logical_fs_open (TSK_IMG_INFO *) |
TSK_FS_INFO * | ntfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
Open part of a disk image as an NTFS file system. More... | |
TSK_FS_INFO * | rawfs_open (TSK_IMG_INFO *, TSK_OFF_T) |
TSK_FS_INFO * | swapfs_open (TSK_IMG_INFO *, TSK_OFF_T) |
uint8_t | tsk_fs_attr_add_run (TSK_FS_INFO *fs, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *data_run_new) |
TSK_FS_ATTR * | tsk_fs_attr_alloc (TSK_FS_ATTR_FLAG_ENUM) |
void | tsk_fs_attr_append_run (TSK_FS_INFO *fs, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *a_data_run) |
Append a data run to the end of the attribute and update its offset value. More... | |
void | tsk_fs_attr_clear (TSK_FS_ATTR *) |
void | tsk_fs_attr_free (TSK_FS_ATTR *) |
uint8_t | tsk_fs_attr_print (const TSK_FS_ATTR *a_fs_attr, FILE *hFile) |
TSK_FS_ATTR_RUN * | tsk_fs_attr_run_alloc () |
uint8_t | tsk_fs_attr_set_run (TSK_FS_FILE *, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *data_run_new, const char *name, TSK_FS_ATTR_TYPE_ENUM type, uint16_t id, TSK_OFF_T size, TSK_OFF_T initsize, TSK_OFF_T allocsize, TSK_FS_ATTR_FLAG_ENUM flags, uint32_t compsize) |
uint8_t | tsk_fs_attr_set_str (TSK_FS_FILE *, TSK_FS_ATTR *, const char *, TSK_FS_ATTR_TYPE_ENUM, uint16_t, void *, size_t) |
uint8_t | tsk_fs_attrlist_add (TSK_FS_ATTRLIST *, TSK_FS_ATTR *) |
TSK_FS_ATTRLIST * | tsk_fs_attrlist_alloc () |
void | tsk_fs_attrlist_free (TSK_FS_ATTRLIST *) |
const TSK_FS_ATTR * | tsk_fs_attrlist_get (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM) |
const TSK_FS_ATTR * | tsk_fs_attrlist_get_id (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM, uint16_t) |
const TSK_FS_ATTR * | tsk_fs_attrlist_get_idx (const TSK_FS_ATTRLIST *, int) |
int | tsk_fs_attrlist_get_len (const TSK_FS_ATTRLIST *a_fs_attrlist) |
const TSK_FS_ATTR * | tsk_fs_attrlist_get_name_type (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM, const char *) |
TSK_FS_ATTR * | tsk_fs_attrlist_getnew (TSK_FS_ATTRLIST *, TSK_FS_ATTR_FLAG_ENUM a_atype) |
void | tsk_fs_attrlist_markunused (TSK_FS_ATTRLIST *) |
TSK_FS_BLOCK * | tsk_fs_block_alloc (TSK_FS_INFO *fs) |
int | tsk_fs_block_set (TSK_FS_INFO *fs, TSK_FS_BLOCK *fs_block, TSK_DADDR_T a_addr, TSK_FS_BLOCK_FLAG_ENUM a_flags, char *a_buf) |
uint8_t | tsk_fs_dir_add (TSK_FS_DIR *a_fs_dir, const TSK_FS_NAME *a_fs_dent) |
TSK_FS_DIR * | tsk_fs_dir_alloc (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr, size_t a_cnt) |
uint8_t | tsk_fs_dir_contains (TSK_FS_DIR *a_fs_dir, TSK_INUM_T meta_addr, uint32_t hash) |
Test if a_fs_dir already contains an entry for the given meta data address. More... | |
uint8_t | tsk_fs_dir_find_inum_named (TSK_FS_INFO *a_fs, TSK_INUM_T a_inum) |
TSK_RETVAL_ENUM | tsk_fs_dir_find_orphans (TSK_FS_INFO *a_fs, TSK_FS_DIR *a_fs_dir) |
uint32_t | tsk_fs_dir_hash (const char *str) |
TSK_RETVAL_ENUM | tsk_fs_dir_load_inum_named (TSK_FS_INFO *a_fs) |
uint8_t | tsk_fs_dir_make_orphan_dir_meta (TSK_FS_INFO *a_fs, TSK_FS_META *a_fs_meta) |
uint8_t | tsk_fs_dir_make_orphan_dir_name (TSK_FS_INFO *a_fs, TSK_FS_NAME *a_fs_name) |
uint8_t | tsk_fs_dir_realloc (TSK_FS_DIR *a_fs_dir, size_t a_cnt) |
void | tsk_fs_dir_reset (TSK_FS_DIR *a_fs_dir) |
uint8_t | tsk_fs_dir_walk_internal (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CB a_action, void *a_ptr, int macro_recursion_depth) |
TSK_FS_FILE * | tsk_fs_file_alloc (TSK_FS_INFO *) |
void | tsk_fs_free (TSK_FS_INFO *) |
TSK_WALK_RET_ENUM | tsk_fs_load_file_action (TSK_FS_FILE *fs_file, TSK_OFF_T, TSK_DADDR_T, char *, size_t, TSK_FS_BLOCK_FLAG_ENUM, void *) |
TSK_FS_INFO * | tsk_fs_malloc (size_t) |
TSK_FS_META * | tsk_fs_meta_alloc (size_t) |
void | tsk_fs_meta_close (TSK_FS_META *fs_meta) |
TSK_FS_META * | tsk_fs_meta_realloc (TSK_FS_META *, size_t) |
void | tsk_fs_meta_reset (TSK_FS_META *) |
TSK_FS_NAME * | tsk_fs_name_alloc (size_t, size_t) |
uint8_t | tsk_fs_name_copy (TSK_FS_NAME *a_fs_name_to, const TSK_FS_NAME *a_fs_name_from) |
void | tsk_fs_name_free (TSK_FS_NAME *) |
void | tsk_fs_name_print (FILE *, const TSK_FS_FILE *, const char *, TSK_FS_INFO *, const TSK_FS_ATTR *, uint8_t) |
void | tsk_fs_name_print_long (FILE *, const TSK_FS_FILE *, const char *, TSK_FS_INFO *, const TSK_FS_ATTR *, uint8_t, int32_t) |
void | tsk_fs_name_print_mac (FILE *, const TSK_FS_FILE *, const char *, const TSK_FS_ATTR *fs_attr, const char *, int32_t) |
void | tsk_fs_name_print_mac_md5 (FILE *, const TSK_FS_FILE *, const char *, const TSK_FS_ATTR *fs_attr, const char *, int32_t, const unsigned char *) |
uint8_t | tsk_fs_name_realloc (TSK_FS_NAME *, size_t) |
void | tsk_fs_name_reset (TSK_FS_NAME *a_fs_name) |
TSK_FS_BLOCK_FLAG_ENUM | tsk_fs_nofs_block_getflags (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr) |
uint8_t | tsk_fs_nofs_block_walk (TSK_FS_INFO *fs, TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr) |
void | tsk_fs_nofs_close (TSK_FS_INFO *fs) |
TSK_RETVAL_ENUM | tsk_fs_nofs_dir_open_meta (TSK_FS_INFO *a_fs, TSK_FS_DIR **a_fs_dir, TSK_INUM_T a_addr, int recursion_depth) |
uint8_t | tsk_fs_nofs_file_add_meta (TSK_FS_INFO *fs, TSK_FS_FILE *a_fs_file, TSK_INUM_T inum) |
uint8_t | tsk_fs_nofs_fsstat (TSK_FS_INFO *fs, FILE *hFile) |
TSK_FS_ATTR_TYPE_ENUM | tsk_fs_nofs_get_default_attr_type (const TSK_FS_FILE *a_file) |
uint8_t | tsk_fs_nofs_inode_walk (TSK_FS_INFO *fs, TSK_INUM_T a_start_inum, TSK_INUM_T a_end_inum, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_action, void *a_ptr) |
uint8_t | tsk_fs_nofs_istat (TSK_FS_INFO *a_fs, TSK_FS_ISTAT_FLAG_ENUM istat_flags, FILE *hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew) |
uint8_t | tsk_fs_nofs_jblk_walk (TSK_FS_INFO *a_fs, TSK_INUM_T start, TSK_INUM_T end, int a_flags, TSK_FS_JBLK_WALK_CB a_action, void *a_ptr) |
uint8_t | tsk_fs_nofs_jentry_walk (TSK_FS_INFO *a_fs, int a_flags, TSK_FS_JENTRY_WALK_CB a_action, void *a_ptr) |
uint8_t | tsk_fs_nofs_jopen (TSK_FS_INFO *a_fs, TSK_INUM_T inum) |
uint8_t | tsk_fs_nofs_make_data_run (TSK_FS_FILE *) |
int | tsk_fs_nofs_name_cmp (TSK_FS_INFO *, const char *, const char *) |
char * | tsk_fs_time_to_str (time_t, char buf[128]) |
Converts a time value to a string representation. More... | |
char * | tsk_fs_time_to_str_subsecs (time_t, unsigned int subsecs, char buf[128]) |
Converts a time value to a string representation. More... | |
TSK_FS_ATTR_TYPE_ENUM | tsk_fs_unix_get_default_attr_type (const TSK_FS_FILE *a_file) |
uint8_t | tsk_fs_unix_make_data_run (TSK_FS_FILE *fs_file) |
int | tsk_fs_unix_name_cmp (TSK_FS_INFO *a_fs_info, const char *s1, const char *s2) |
TSK_FS_INFO * | yaffs2_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, uint8_t) |
NTFS Update Sequence Number Journal Data Structures | |
#define | tsk_fs_guessu16(fs, x, mag) tsk_guess_end_u16(&(fs->endian), (x), (mag)) |
#define | tsk_fs_guessu32(fs, x, mag) tsk_guess_end_u32(&(fs->endian), (x), (mag)) |
enum | TSK_FS_USNJLS_FLAG_ENUM { TSK_FS_USNJLS_NONE = 0x00, TSK_FS_USNJLS_LONG = 0x01, TSK_FS_USNJLS_MAC = 0x02 } |
typedef TSK_WALK_RET_ENUM(* | TSK_FS_USNJENTRY_WALK_CB) (TSK_USN_RECORD_HEADER *a_header, void *a_record, void *a_ptr) |
Function definition used for callback to ntfs_usnjentry_walk(). More... | |
typedef enum TSK_FS_USNJLS_FLAG_ENUM | TSK_FS_USNJLS_FLAG_ENUM |
uint8_t | tsk_ntfs_usnjopen (TSK_FS_INFO *fs, TSK_INUM_T inum) |
Open the Update Sequence Number Journal stored at the inode inum. More... | |
uint8_t | tsk_ntfs_usnjentry_walk (TSK_FS_INFO *fs, TSK_FS_USNJENTRY_WALK_CB action, void *ptr) |
Walk through the Update Sequence Number journal file opened with ntfs_usnjopen. More... | |
uint8_t | tsk_fs_usnjls (TSK_FS_INFO *fs, TSK_INUM_T inode, TSK_FS_USNJLS_FLAG_ENUM flags) |
Contains the internal library definitions for the file system functions.
This should be included by the code in the file system library.
typedef TSK_WALK_RET_ENUM(* TSK_FS_USNJENTRY_WALK_CB) (TSK_USN_RECORD_HEADER *a_header, void *a_record, void *a_ptr) |
Function definition used for callback to ntfs_usnjentry_walk().
a_header | Pointer to USN header structure. |
a_record | Pointer to the USN record structure; its type can be deduced from the major version number in the header, so check that version before casting the pointer. |
a_ptr | Pointer that was supplied by the caller who called ntfs_usnjentry_walk. |
TSK_FS_INFO* ntfs_open | ( | TSK_IMG_INFO * | img_info, |
TSK_OFF_T | offset, | ||
TSK_FS_TYPE_ENUM | ftype, | ||
uint8_t | test | ||
) |
Open part of a disk image as an NTFS file system.
img_info | Disk image to analyze |
offset | Byte offset where NTFS file system starts |
ftype | Specific type of NTFS file system |
test | NOT USED |
References TSK_FS_META::attr, TSK_FS_INFO::block_count, TSK_FS_INFO::block_size, TSK_FS_INFO::block_walk, TSK_FS_INFO::close, TSK_FS_INFO::dev_bsize, TSK_FS_INFO::duname, TSK_FS_INFO::endian, TSK_FS_INFO::first_block, TSK_FS_INFO::first_inum, TSK_FS_INFO::flags, TSK_FS_INFO::fs_id, TSK_FS_INFO::fs_id_used, TSK_FS_INFO::ftype, TSK_FS_INFO::img_info, TSK_FS_INFO::inode_walk, TSK_FS_INFO::inum_count, TSK_FS_INFO::istat, TSK_FS_INFO::journ_inum, TSK_FS_INFO::last_block, TSK_FS_INFO::last_block_act, TSK_FS_INFO::last_inum, TSK_FS_FILE::meta, TSK_FS_INFO::offset, TSK_FS_INFO::root_inum, TSK_IMG_INFO::sector_size, TSK_IMG_INFO::size, TSK_FS_ATTR::size, tsk_error_errstr2_concat(), tsk_error_get(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), tsk_fs_file_open_meta(), TSK_FS_INFO_FLAG_HAVE_SEQ, tsk_fs_read(), TSK_FS_TYPE_ISNTFS, TSK_FS_TYPE_NTFS, and tsk_verbose.
Referenced by tsk_fs_open_img_decrypt().
void tsk_fs_attr_append_run | ( | TSK_FS_INFO * | a_fs, |
TSK_FS_ATTR * | a_fs_attr, | ||
TSK_FS_ATTR_RUN * | a_data_run | ||
) |
Append a data run to the end of the attribute and update its offset value.
This ignores the offset already set in the data run and appends the run unconditionally, without checking where it belongs in the attribute.
a_fs | File system the run is from |
a_fs_attr | Data attribute to append to |
a_data_run | Data run to append. |
References TSK_FS_ATTR_RUN::len, TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, TSK_FS_ATTR_RUN::offset, TSK_FS_ATTR::run, and TSK_FS_ATTR::run_end.
uint8_t tsk_fs_dir_contains | ( | TSK_FS_DIR * | a_fs_dir, |
TSK_INUM_T | meta_addr, | ||
uint32_t | hash | ||
) |
Test if a_fs_dir already contains an entry for the given meta data address.
If so, return the allocation state.
References TSK_FS_NAME::flags, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_DIR::names, TSK_FS_DIR::names_used, and TSK_FS_NAME_FLAG_ALLOC.
uint8_t tsk_ntfs_usnjentry_walk | ( | TSK_FS_INFO * | fs, |
TSK_FS_USNJENTRY_WALK_CB | action, | ||
void * | ptr | ||
) |
Walk through the Update Sequence Number journal file opened with ntfs_usnjopen.
For each USN record, calls the callback action passing the USN record header, the USN record and the pointer ptr.
fs | File system where the journal is stored |
action | Action to be called for each USN entry |
ptr | pointer to data passed to the action callback |
References TSK_FS_INFO::ftype, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_close(), and TSK_FS_TYPE_NTFS.
uint8_t tsk_ntfs_usnjopen | ( | TSK_FS_INFO * | fs, |
TSK_INUM_T | inum | ||
) |
Open the Update Sequence Number Journal stored at the inode inum.
fs | File system where the journal is stored |
inum | file reference number where the USN journal is located |
References TSK_FS_INFO::block_size, TSK_FS_INFO::ftype, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_file_open_meta(), TSK_FS_TYPE_NTFS, and tsk_verbose.
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.