The Sleuth Kit  4.11.1
Classes | Macros | Typedefs | Enumerations | Functions
tsk_vs.h File Reference

External header file for media management (volume system) support. More...

Classes

struct  TSK_VS_INFO
 Data structure used to store state and basic information for open volume systems. More...
 
struct  TSK_VS_PART_INFO
 Linked list entry that describes a volume in a generic way. More...
 
struct  TSK_VS_PART_WALK_CPP_DATA
 
class  TskVsInfo
 Stores information about an open volume system. More...
 
class  TskVsPartInfo
 Stores information about a volume / partition inside of an open volume system. More...
 

Macros

#define TSK_VS_INFO_TAG   0x52301642
 
#define TSK_VS_PART_INFO_TAG   0x40121253
 

Typedefs

typedef struct TSK_VS_INFO TSK_VS_INFO
 
typedef struct TSK_VS_PART_INFO TSK_VS_PART_INFO
 
typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CB) (TSK_VS_INFO *a_vs, const TSK_VS_PART_INFO *a_vs_part, void *a_ptr)
 Definition for callback function that vs_part_walk() calls for each partition that it walks. More...
 
typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CPP_CB) (TskVsInfo *a_vs, const TskVsPartInfo *a_vs_part, void *a_ptr)
 Definition for callback function that vs_part_walk() calls for each partition that it walks. More...
 

Enumerations

enum  TSK_VS_PART_FLAG_ENUM { TSK_VS_PART_FLAG_ALLOC = 0x01, TSK_VS_PART_FLAG_UNALLOC = 0x02, TSK_VS_PART_FLAG_META = 0x04, TSK_VS_PART_FLAG_ALL = 0x07 }
 Flag values that describe the partitions in the VS. More...
 
enum  TSK_VS_TYPE_ENUM {
  TSK_VS_TYPE_DETECT = 0x0000, TSK_VS_TYPE_DOS = 0x0001, TSK_VS_TYPE_BSD = 0x0002, TSK_VS_TYPE_SUN = 0x0004,
  TSK_VS_TYPE_MAC = 0x0008, TSK_VS_TYPE_GPT = 0x0010, TSK_VS_TYPE_APFS = 0x0020, TSK_VS_TYPE_DBFILLER = 0x00F0,
  TSK_VS_TYPE_UNSUPP = 0xffff
}
 Flags for the partition type. More...
 

Functions

void tsk_vs_close (TSK_VS_INFO *)
 Closes an open volume system. More...
 
TSK_VS_INFOtsk_vs_open (TSK_IMG_INFO *, TSK_DADDR_T, TSK_VS_TYPE_ENUM)
 Open a disk image and process the media management system data. More...
 
const TSK_VS_PART_INFOtsk_vs_part_get (const TSK_VS_INFO *, TSK_PNUM_T idx)
 Return handle to a volume in the volume system. More...
 
ssize_t tsk_vs_part_read (const TSK_VS_PART_INFO *a_vs_part, TSK_OFF_T a_off, char *buf, size_t len)
 Reads data starting at a byte address relative to the start of a VOLUME in a volume system. More...
 
ssize_t tsk_vs_part_read_block (const TSK_VS_PART_INFO *a_vs_part, TSK_DADDR_T a_addr, char *buf, size_t len)
 Reads one or more blocks of data with an address relative to the start of a VOLUME in a volume system. More...
 
uint8_t tsk_vs_part_walk (TSK_VS_INFO *vs, TSK_PNUM_T start, TSK_PNUM_T last, TSK_VS_PART_FLAG_ENUM flags, TSK_VS_PART_WALK_CB action, void *ptr)
 Walk a range of partitions and pass the data to a callback function. More...
 
TSK_WALK_RET_ENUM tsk_vs_part_walk_cpp_c_cb (TSK_VS_INFO *a_vs, const TSK_VS_PART_INFO *a_vs_part, void *a_ptr)
 
ssize_t tsk_vs_read_block (TSK_VS_INFO *a_vs, TSK_DADDR_T a_addr, char *buf, size_t len)
 Reads one or more blocks of data with an address relative to the start of the volume system. More...
 
void tsk_vs_type_print (FILE *)
 Print the supported volume system type names to an open handle. More...
 
TSK_VS_TYPE_ENUM tsk_vs_type_supported ()
 Return the supported volume system types. More...
 
const char * tsk_vs_type_todesc (TSK_VS_TYPE_ENUM)
 Return the string description of a partition type ID. More...
 
TSK_VS_TYPE_ENUM tsk_vs_type_toid (const TSK_TCHAR *)
 Parse a string with the volume system type and return its internal ID. More...
 
TSK_VS_TYPE_ENUM tsk_vs_type_toid_utf8 (const char *)
 Parse a string with the volume system type and return its internal ID. More...
 
const char * tsk_vs_type_toname (TSK_VS_TYPE_ENUM)
 Return the string name of a partition type ID. More...
 

Detailed Description

External header file for media management (volume system) support.

Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_vs_i.h.

Typedef Documentation

typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CB) (TSK_VS_INFO *a_vs, const TSK_VS_PART_INFO *a_vs_part, void *a_ptr)

Definition for callback function that vs_part_walk() calls for each partition that it walks.

Parameters
a_vsPointer to volume system being analyzed
a_vs_partPointer to current partition in the walk
a_ptrPointer that was passed to vs_part_walk by caller
Returns
Status on whether the vs_part_walk() function should continue, stop, or error.
typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CPP_CB) (TskVsInfo *a_vs, const TskVsPartInfo *a_vs_part, void *a_ptr)

Definition for callback function that vs_part_walk() calls for each partition that it walks.

Parameters
a_vsPointer to volume system being analyzed
a_vs_partPointer to current partition in the walk
a_ptrPointer that was passed to vs_part_walk by caller
Returns
Status on whether the vs_part_walk() function should continue, stop, or error.

Enumeration Type Documentation

enum TSK_VS_PART_FLAG_ENUM

Flag values that describe the partitions in the VS.

Refer to Accessing Individual Volumes for more details.

Enumerator
TSK_VS_PART_FLAG_ALLOC 

Sectors are allocated to a volume in the volume system.

TSK_VS_PART_FLAG_UNALLOC 

Sectors are not allocated to a volume.

TSK_VS_PART_FLAG_META 

Sectors contain volume system metadata and could also be ALLOC or UNALLOC.

TSK_VS_PART_FLAG_ALL 

Show all sectors in the walk.

enum TSK_VS_TYPE_ENUM

Flags for the partition type.

Enumerator
TSK_VS_TYPE_DETECT 

Use autodetection methods.

TSK_VS_TYPE_DOS 

DOS Partition table.

TSK_VS_TYPE_BSD 

BSD Partition table.

TSK_VS_TYPE_SUN 

Sun VTOC.

TSK_VS_TYPE_MAC 

Mac partition table.

TSK_VS_TYPE_GPT 

GPT partition table.

TSK_VS_TYPE_APFS 

APFS.

TSK_VS_TYPE_DBFILLER 

fake partition table type for loaddb (for images that do not have a volume system)

TSK_VS_TYPE_UNSUPP 

Unsupported.

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.