|
The Sleuth Kit
4.11.1
|
Contains the internal library definitions for the hash database functions. More...
#include "tsk/base/tsk_base_i.h"#include "tsk_hashdb.h"#include <string.h>#include <ctype.h>#include <wchar.h>#include <sys/types.h>#include <sys/stat.h>#include <locale.h>Macros | |
| #define | TSK_HDB_IDX_HEAD_NAME_STR "00000000000000000000000000000000000000001" |
| #define | TSK_HDB_IDX_HEAD_TYPE_STR "00000000000000000000000000000000000000000" |
| Strings used in index header. More... | |
| #define | TSK_HDB_IDX_LEN(x) ( TSK_HDB_HTYPE_LEN(x) + TSK_HDB_OFF_LEN + 2) |
| Get the length of an index file line - 2 for comma and newline. | |
| #define | TSK_HDB_MAXLEN 512 |
| Default buffer size used in many places. | |
| #define | TSK_HDB_OFF_LEN 16 |
| Number of digits used in offset field in index. | |
Functions | |
| uint8_t | encase_get_entry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| Find the entry at a given offset. More... | |
| uint8_t | encase_make_index (TSK_HDB_INFO *, TSK_TCHAR *htype) |
| Process the database to create a sorted index of it. More... | |
| TSK_HDB_INFO * | encase_open (FILE *, const TSK_TCHAR *) |
| uint8_t | encase_test (FILE *) |
| Test the file to see if it is an Encase database. More... | |
| uint8_t | hdb_base_accepts_updates () |
| uint8_t | hdb_base_add_entry (TSK_HDB_INFO *, const char *, const char *, const char *, const char *, const char *) |
| uint8_t | hdb_base_begin_transaction (TSK_HDB_INFO *) |
| uint8_t | hdb_base_commit_transaction (TSK_HDB_INFO *) |
| void | hdb_base_db_name_from_path (TSK_HDB_INFO *) |
| Sets hash database name in hdb_info based on database file path. More... | |
| const TSK_TCHAR * | hdb_base_get_db_path (TSK_HDB_INFO *) |
| const char * | hdb_base_get_display_name (TSK_HDB_INFO *) |
| const TSK_TCHAR * | hdb_base_get_index_path (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM) |
| uint8_t | hdb_base_has_index (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM) |
| int8_t | hdb_base_lookup_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| int8_t | hdb_base_lookup_str (TSK_HDB_INFO *, const char *, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| int8_t | hdb_base_lookup_verbose_str (TSK_HDB_INFO *, const char *, void *) |
| uint8_t | hdb_base_make_index (TSK_HDB_INFO *, TSK_TCHAR *) |
| uint8_t | hdb_base_open_index (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM) |
| uint8_t | hdb_base_rollback_transaction (TSK_HDB_INFO *) |
| uint8_t | hdb_base_uses_external_indexes () |
| uint8_t | hdb_binsrch_accepts_updates () |
| void | hdb_binsrch_close (TSK_HDB_INFO *) |
| const TSK_TCHAR * | hdb_binsrch_get_index_path (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM) |
| uint8_t | hdb_binsrch_has_index (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM) |
| uint8_t | hdb_binsrch_idx_add_entry_bin (TSK_HDB_BINSRCH_INFO *, unsigned char *, int, TSK_OFF_T) |
| Add a binary entry to the intermediate index file. More... | |
| uint8_t | hdb_binsrch_idx_add_entry_str (TSK_HDB_BINSRCH_INFO *, char *, TSK_OFF_T) |
| Add a string entry to the intermediate index file. More... | |
| uint8_t | hdb_binsrch_idx_finalize (TSK_HDB_BINSRCH_INFO *) |
| Finalize index creation process by sorting the index and removing the intermediate temp file. More... | |
| uint8_t | hdb_binsrch_idx_initialize (TSK_HDB_BINSRCH_INFO *, TSK_TCHAR *) |
| Initialize the TSK hash DB index file. More... | |
| int8_t | hdb_binsrch_lookup_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| Search the index for the given hash value given (in binary form). More... | |
| int8_t | hdb_binsrch_lookup_str (TSK_HDB_INFO *, const char *, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| Search the index for a text/ASCII hash value. More... | |
| int8_t | hdb_binsrch_lookup_verbose_str (TSK_HDB_INFO *, const char *, void *) |
| TSK_HDB_BINSRCH_INFO * | hdb_binsrch_open (FILE *, const TSK_TCHAR *) |
| Called by the various text-based databases to setup the TSK_HDB_BINSRCH_INFO struct. More... | |
| uint8_t | hdb_binsrch_open_idx (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM) |
| uint8_t | hdb_binsrch_uses_external_indexes () |
| void | hdb_info_base_close (TSK_HDB_INFO *) |
| De-initializes struct representation of a hash database. More... | |
| uint8_t | hdb_info_base_open (TSK_HDB_INFO *, const TSK_TCHAR *) |
| uint8_t | hk_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| Find the corresponding name at the given offset. More... | |
| uint8_t | hk_makeindex (TSK_HDB_INFO *, TSK_TCHAR *htype) |
| Process the database to create a sorted index of it. More... | |
| TSK_HDB_INFO * | hk_open (FILE *, const TSK_TCHAR *) |
| uint8_t | hk_test (FILE *) |
| Test the file to see if it is a hashkeeper database. More... | |
| const TSK_TCHAR * | idxonly_get_db_path (TSK_HDB_INFO *) |
| uint8_t | idxonly_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| uint8_t | idxonly_makeindex (TSK_HDB_INFO *, TSK_TCHAR *) |
| TSK_HDB_INFO * | idxonly_open (const TSK_TCHAR *, const TSK_TCHAR *) |
| uint8_t | md5sum_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| Find the corresponding name at a given offset. More... | |
| uint8_t | md5sum_makeindex (TSK_HDB_INFO *, TSK_TCHAR *htype) |
| Process the database to create a sorted index of it. More... | |
| TSK_HDB_INFO * | md5sum_open (FILE *, const TSK_TCHAR *) |
| uint8_t | md5sum_test (FILE *) |
| Test the file to see if it is a md5sum database. More... | |
| uint8_t | nsrl_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| Find the corresponding name at a given offset. More... | |
| uint8_t | nsrl_makeindex (TSK_HDB_INFO *, TSK_TCHAR *htype) |
| Process the database to create a sorted index of it. More... | |
| TSK_HDB_INFO * | nsrl_open (FILE *, const TSK_TCHAR *) |
| uint8_t | nsrl_test (FILE *) |
| Test the file to see if it is an NSRL database. More... | |
| uint8_t | sqlite_hdb_add_entry (TSK_HDB_INFO *, const char *, const char *, const char *, const char *, const char *) |
| uint8_t | sqlite_hdb_begin_transaction (TSK_HDB_INFO *) |
| void | sqlite_hdb_close (TSK_HDB_INFO *) |
| uint8_t | sqlite_hdb_commit_transaction (TSK_HDB_INFO *) |
| uint8_t | sqlite_hdb_create_db (TSK_TCHAR *) |
| uint8_t | sqlite_hdb_is_sqlite_file (FILE *) |
| int8_t | sqlite_hdb_lookup_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| int8_t | sqlite_hdb_lookup_str (TSK_HDB_INFO *, const char *, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *) |
| int8_t | sqlite_hdb_lookup_verbose_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, void *) |
| int8_t | sqlite_hdb_lookup_verbose_str (TSK_HDB_INFO *, const char *, void *) |
| TSK_HDB_INFO * | sqlite_hdb_open (TSK_TCHAR *) |
| uint8_t | sqlite_hdb_rollback_transaction (TSK_HDB_INFO *) |
Contains the internal library definitions for the hash database functions.
This should be included by the code in the hash database library.
| #define TSK_HDB_IDX_HEAD_TYPE_STR "00000000000000000000000000000000000000000" |
Strings used in index header.
It is one longer than a sha-1 hash - so that it always sorts to the top
Referenced by hdb_binsrch_idx_initialize().
| uint8_t encase_get_entry | ( | TSK_HDB_INFO * | hdb_info, |
| const char * | hash, | ||
| TSK_OFF_T | offset, | ||
| TSK_HDB_FLAG_ENUM | flags, | ||
| TSK_HDB_LOOKUP_FN | action, | ||
| void * | cb_ptr | ||
| ) |
Find the entry at a given offset.
The offset was likely determined from the index. The callback is called for each entry. EnCase does not store names, so the callback is called with just the hash value.
| hdb_info | Hash database to get data from |
| hash | MD5 hash value that was searched for |
| offset | Byte offset where hash value should be located in db_file |
| flags | (not used) |
| action | Callback used for each entry found in lookup |
| cb_ptr | Pointer to data passed to callback |
References TSK_HDB_BINSRCH_INFO::hDb, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_HTYPE_MD5_LEN, tsk_verbose, TSK_WALK_ERROR, and TSK_WALK_STOP.
| uint8_t encase_make_index | ( | TSK_HDB_INFO * | hdb_info_base, |
| TSK_TCHAR * | dbtype | ||
| ) |
Process the database to create a sorted index of it.
Consecutive entries with the same hash value are not added to the index, but will be found during lookup.
| hdb_info_base | Hash database to make index of. |
| dbtype | Type of hash database (should always be TSK_HDB_DBTYPE_ENCASE_STR) |
References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_bin(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), and tsk_verbose.
| uint8_t encase_test | ( | FILE * | hFile | ) |
Test the file to see if it is an Encase database.
| hFile | File handle to hash database |
| uint8_t hdb_binsrch_idx_add_entry_bin | ( | TSK_HDB_BINSRCH_INFO * | hdb_binsrch_info, |
| unsigned char * | hvalue, | ||
| int | hlen, | ||
| TSK_OFF_T | offset | ||
| ) |
Add a binary entry to the intermediate index file.
| hdb_binsrch_info | Hash database state info |
| hvalue | Array of integers of hash value to add |
| hlen | Number of bytes in hvalue |
| offset | Byte offset of hash entry in original database. |
References TSK_HDB_BINSRCH_INFO::hIdxTmp.
Referenced by encase_make_index().
| uint8_t hdb_binsrch_idx_add_entry_str | ( | TSK_HDB_BINSRCH_INFO * | hdb_binsrch_info, |
| char * | hvalue, | ||
| TSK_OFF_T | offset | ||
| ) |
Add a string entry to the intermediate index file.
Will not add an all-zero hash since this creates errors in the final index file, but does not return an error in this case.
| hdb_binsrch_info | Hash database state info |
| hvalue | String of hash value to add |
| offset | Byte offset of hash entry in original database. |
References TSK_HDB_BINSRCH_INFO::hIdxTmp.
Referenced by hk_makeindex(), md5sum_makeindex(), and nsrl_makeindex().
| uint8_t hdb_binsrch_idx_finalize | ( | TSK_HDB_BINSRCH_INFO * | hdb_binsrch_info | ) |
Finalize index creation process by sorting the index and removing the intermediate temp file.
| hdb_binsrch_info | Hash database state info structure. |
References TSK_HDB_BINSRCH_INFO::hIdx, TSK_HDB_BINSRCH_INFO::hIdxTmp, TSK_HDB_BINSRCH_INFO::idx_fname, TSK_HDB_BINSRCH_INFO::idx_lbuf, TSK_HDB_BINSRCH_INFO::idx_llen, TSK_HDB_BINSRCH_INFO::idx_off, TSK_HDB_BINSRCH_INFO::idx_size, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), TSK_HDB_MAXLEN, tsk_verbose, and TSK_HDB_BINSRCH_INFO::uns_fname.
Referenced by encase_make_index(), hk_makeindex(), md5sum_makeindex(), and nsrl_makeindex().
| uint8_t hdb_binsrch_idx_initialize | ( | TSK_HDB_BINSRCH_INFO * | hdb_binsrch_info, |
| TSK_TCHAR * | htype | ||
| ) |
Initialize the TSK hash DB index file.
This creates the intermediate file, which will have entries added to it. This file must be sorted before the process is finished.
| hdb_binsrch_info | Hash database state structure |
| htype | String of index type to create |
References TSK_HDB_INFO::db_fname, TSK_HDB_INFO::db_name, TSK_HDB_INFO::db_type, TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hIdxTmp, PRIcTSK, PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_DBTYPE_ENCASE_ID, TSK_HDB_DBTYPE_ENCASE_STR, TSK_HDB_DBTYPE_HK_ID, TSK_HDB_DBTYPE_HK_STR, TSK_HDB_DBTYPE_IDXONLY_ID, TSK_HDB_DBTYPE_MD5SUM_ID, TSK_HDB_DBTYPE_MD5SUM_STR, TSK_HDB_DBTYPE_NSRL_ID, TSK_HDB_DBTYPE_NSRL_MD5_STR, TSK_HDB_DBTYPE_NSRL_SHA1_STR, TSK_HDB_DBTYPE_NSRL_STR, TSK_HDB_HTYPE_INVALID_ID, TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_SHA1_ID, TSK_HDB_HTYPE_STR, TSK_HDB_IDX_HEAD_TYPE_STR, and TSK_HDB_BINSRCH_INFO::uns_fname.
Referenced by encase_make_index(), hk_makeindex(), md5sum_makeindex(), and nsrl_makeindex().
| TSK_HDB_BINSRCH_INFO* hdb_binsrch_open | ( | FILE * | hDb, |
| const TSK_TCHAR * | db_path | ||
| ) |
Called by the various text-based databases to setup the TSK_HDB_BINSRCH_INFO struct.
This will setup the basic function pointers, that will be overwritten by the more specific methods.
References TSK_HDB_INFO::db_type, TSK_HDB_BINSRCH_INFO::hash_len, TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_lookup_bin(), hdb_binsrch_lookup_str(), TSK_HDB_DBTYPE_INVALID_ID, and TSK_HDB_HTYPE_INVALID_ID.
Referenced by idxonly_open().
| uint8_t hk_getentry | ( | TSK_HDB_INFO * | hdb_info, |
| const char * | hash, | ||
| TSK_OFF_T | offset, | ||
| TSK_HDB_FLAG_ENUM | flags, | ||
| TSK_HDB_LOOKUP_FN | action, | ||
| void * | cb_ptr | ||
| ) |
Find the corresponding name at the given offset.
The offset was likely determined from the index. The entries in the DB following the one specified are also processed if they have the same hash value and their name is different. The callback is called for each entry.
Note: This routine assumes that &hdb_info->lock is locked by the caller.
| hdb_info | Data base to get data from. |
| hash | MD5 hash value that was searched for |
| offset | Byte offset where hash value should be located in db_file |
| flags | |
| action | Callback used for each entry found in lookup |
| cb_ptr | Pointer to data passed to callback |
References TSK_HDB_BINSRCH_INFO::hDb, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_FLAG_EXT, TSK_HDB_HTYPE_MD5_LEN, TSK_HDB_MAXLEN, tsk_verbose, TSK_WALK_ERROR, and TSK_WALK_STOP.
| uint8_t hk_makeindex | ( | TSK_HDB_INFO * | hdb_info_base, |
| TSK_TCHAR * | dbtype | ||
| ) |
Process the database to create a sorted index of it.
Consecutive entries with the same hash value are not added to the index, but will be found during lookup.
| hdb_info_base | Hash database to make index of |
| dbtype | Text of database type (should always be TSK_HDB_DBTYPE_HK_STR) |
References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_str(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_HTYPE_MD5_LEN, TSK_HDB_MAXLEN, and tsk_verbose.
| uint8_t hk_test | ( | FILE * | hFile | ) |
Test the file to see if it is a hashkeeper database.
| hFile | File handle to hash database |
References TSK_HDB_MAXLEN.
| TSK_HDB_INFO* idxonly_open | ( | const TSK_TCHAR * | db_path, |
| const TSK_TCHAR * | idx_path | ||
| ) |
| db_path | Path to DB, which probably does not exist. But it gets passed in because we need it in a bunch of places. |
| idx_path | Path to index file (should be superset of db_path) |
References TSK_HDB_INFO::db_type, TSK_HDB_BINSRCH_INFO::hash_type, hdb_binsrch_open(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_DBTYPE_IDXONLY_ID, TSK_HDB_HTYPE_MD5_ID, and TSK_HDB_HTYPE_SHA1_ID.
Referenced by tsk_hdb_open().
| uint8_t md5sum_getentry | ( | TSK_HDB_INFO * | hdb_info, |
| const char * | hash, | ||
| TSK_OFF_T | offset, | ||
| TSK_HDB_FLAG_ENUM | flags, | ||
| TSK_HDB_LOOKUP_FN | action, | ||
| void * | cb_ptr | ||
| ) |
Find the corresponding name at a given offset.
The offset was likely determined from the index. The entries in the DB following the one specified are also processed if they have the same hash value and their name is different. The callback is called for each entry.
| hdb_info | Hash database to get data from |
| hash | MD5 hash value that was searched for |
| offset | Byte offset where hash value should be located in db_file |
| flags | (not used) |
| action | Callback used for each entry found in lookup |
| cb_ptr | Pointer to data passed to callback |
References TSK_HDB_BINSRCH_INFO::hDb, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_MAXLEN, tsk_verbose, TSK_WALK_ERROR, and TSK_WALK_STOP.
| uint8_t md5sum_makeindex | ( | TSK_HDB_INFO * | hdb_info_base, |
| TSK_TCHAR * | dbtype | ||
| ) |
Process the database to create a sorted index of it.
Consecutive entries with the same hash value are not added to the index, but will be found during lookup.
| hdb_info_base | Hash database to make index of. |
| dbtype | Type of hash database (should always be TSK_HDB_DBTYPE_MD5SUM_STR) |
References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_str(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_MAXLEN, and tsk_verbose.
| uint8_t md5sum_test | ( | FILE * | hFile | ) |
Test the file to see if it is a md5sum database.
| hFile | File handle to hash database |
References TSK_HDB_HTYPE_MD5_LEN, and TSK_HDB_MAXLEN.
| uint8_t nsrl_getentry | ( | TSK_HDB_INFO * | hdb_info_base, |
| const char * | hash, | ||
| TSK_OFF_T | offset, | ||
| TSK_HDB_FLAG_ENUM | flags, | ||
| TSK_HDB_LOOKUP_FN | action, | ||
| void * | cb_ptr | ||
| ) |
Find the corresponding name at a given offset.
The offset was likely determined from the index. The entries in the DB following the one specified are also processed if they have the same hash value and their name is different. The callback is called for each entry.
| hdb_info_base | Database to get data from. |
| hash | MD5/SHA-1 hash value that was searched for |
| offset | Byte offset where hash value should be located in db_file |
| flags | (not used) |
| action | Callback used for each entry found in lookup |
| cb_ptr | Pointer to data passed to callback |
References TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hDb, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_MD5_LEN, TSK_HDB_HTYPE_SHA1_ID, TSK_HDB_HTYPE_SHA1_LEN, TSK_HDB_MAXLEN, tsk_verbose, TSK_WALK_ERROR, and TSK_WALK_STOP.
| uint8_t nsrl_makeindex | ( | TSK_HDB_INFO * | hdb_info_base, |
| TSK_TCHAR * | dbtype | ||
| ) |
Process the database to create a sorted index of it.
Consecutive entries with the same hash value are not added to the index, but will be found during lookup.
| hdb_info_base | Hash database to make index of. |
| dbtype | Type of database |
References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hash_len, TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_str(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_SHA1_ID, TSK_HDB_HTYPE_SHA1_LEN, TSK_HDB_MAXLEN, and tsk_verbose.
| uint8_t nsrl_test | ( | FILE * | hFile | ) |
Test the file to see if it is an NSRL database.
| hFile | File handle to hash database |
References TSK_HDB_MAXLEN.
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.