The Sleuth Kit  4.12.1
TskAuto Class Reference (abstract)

C++ class that automatically analyzes a disk image to extract files from it.

#include <tsk_auto.h>

Inherited by TskAutoDb and TskIsImageSupported.

Classes

struct  error_record
 

Public Member Functions

virtual void closeImage ()
 Closes the handles to the open disk image.

virtual void disableImageWriter ()
 Disables image writer.

virtual TSK_RETVAL_ENUM enableImageWriter (const char *imagePath)
 Enables image writer, which creates a copy of the image as it is being processed.

virtual TSK_FILTER_ENUM filterFs (TSK_FS_INFO *fs_info)
 TskAuto calls this method before it processes each file system that is found in a volume.

virtual TSK_FILTER_ENUM filterPool (const TSK_POOL_INFO *pool_info)
 TskAuto calls this method before it processes each pool that is found.

virtual TSK_FILTER_ENUM filterPoolVol (const TSK_POOL_VOLUME_INFO *pool_vol)
 TskAuto calls this method before it processes each pool volume that is found in a pool.

virtual TSK_FILTER_ENUM filterVol (const TSK_VS_PART_INFO *vs_part)
 TskAuto calls this method before it processes each volume that is found in a volume system.

virtual TSK_FILTER_ENUM filterVs (const TSK_VS_INFO *vs_info)
 TskAuto calls this method before it processes the volume system that is found in an image.

uint8_t findFilesInFs (TSK_OFF_T start)
 Starts in a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype)
 Starts in a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_OFF_T start, TSK_INUM_T inum)
 Starts in a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype, TSK_INUM_T inum)
 Starts in a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_FS_INFO *a_fs_info)
 Processes the file system represented by the given TSK_FS_INFO pointer.

uint8_t findFilesInFs (TSK_FS_INFO *a_fs_info, TSK_INUM_T inum)
 Processes the file system represented by the given TSK_FS_INFO pointer.

TSK_RETVAL_ENUM findFilesInFsRet (TSK_OFF_T start, TSK_FS_TYPE_ENUM a_ftype)
 Starts in a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInImg ()
 Starts in sector 0 of the opened disk images and looks for a volume or file system.

uint8_t findFilesInPool (TSK_OFF_T start)
 Starts in a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.

uint8_t findFilesInPool (TSK_OFF_T start, TSK_POOL_TYPE_ENUM ptype)
 Starts in a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.

uint8_t findFilesInVs (TSK_OFF_T start)
 Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.

uint8_t findFilesInVs (TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype)
 Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.

std::string getCurVsPartDescr () const
 Get the volume description of the last processed volume.

TSK_VS_PART_FLAG_ENUM getCurVsPartFlag () const
 Get the volume flags of the last processed volume.

const std::vector< error_record > getErrorList ()
 Get the list of errors that were added to the internal list.

TSK_OFF_T getImageSize () const

bool getStopProcessing () const
 Returns true if all processing and recursion should stop.

virtual uint8_t handleError ()
 Override this method to get called for each error that is registered.

bool hasPool (TSK_OFF_T a_start)
 Checks whether a volume contains a pool.

bool isCurVsValid () const
 Determine if we are inside of a volume system and therefore we can trust the results of getCurVsPartFlag/Desc.

virtual uint8_t openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize)
 Opens the disk image to be analyzed.

virtual uint8_t openImageHandle (TSK_IMG_INFO *)
 Uses the already opened image for future analysis.

virtual uint8_t openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize)
 Opens the disk image to be analyzed.

virtual TSK_RETVAL_ENUM processFile (TSK_FS_FILE *fs_file, const char *path)=0
 TskAuto calls this method for each file and directory that it finds in an image.

uint8_t registerError ()
 Internal method that TskAuto calls when it encounters issues while processing an image.

void resetErrorList ()
 Remove the errors on the internal list.

void setExternalFileSystemList (const std::list< TSK_FS_INFO * > &exteralFsInfoList)
 Store a list of pointers to open file systems to use when calling findFilesInImg instead of opening a new copy.

void setFileFilterFlags (TSK_FS_DIR_WALK_FLAG_ENUM)
 Set the attributes for the files that should be processed.

void setVolFilterFlags (TSK_VS_PART_FLAG_ENUM)
 Set the attributes for the volumes that should be processed.


Static Public Member Functions

static std::string errorRecordToString (error_record &rec)
 

Public Attributes

unsigned int m_tag
 

Protected Member Functions

uint8_t isDefaultType (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr)
 Utility method to help determine if an attribute is the default type for the file/dir.

uint8_t isDir (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a directory.

uint8_t isDotDir (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a . or .. directory.

uint8_t isFATSystemFiles (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a FAT file system file (such as $MBR).

uint8_t isFile (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a file (and not a directory).

uint8_t isNonResident (const TSK_FS_ATTR *fs_attr)
 Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data).

uint8_t isNtfsSystemFiles (TSK_FS_FILE *fs_file, const char *path)
 Utility method to help determine if a file is an NTFS file system file (such as $MFT).

virtual TSK_RETVAL_ENUM processAttribute (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr, const char *path)
 Method that is called from processAttributes() for each attribute that a file has.

TSK_RETVAL_ENUM processAttributes (TSK_FS_FILE *fs_file, const char *path)
 Method that can be used from within processFile() to look at each attribute that a file may have.

void setStopProcessing ()
 When called, will cause TskAuto to not continue to recurse into directories and volumes.
 

Protected Attributes

std::list< TSK_FS_INFO * > m_exteralFsInfoList
 
bool m_imageWriterEnabled
 
TSK_TCHAR * m_imageWriterPath

TSK_IMG_INFO * m_img_info
 
bool m_internalOpen
 True if m_img_info was opened in TskAuto and false if passed in.
 
std::vector< const TSK_POOL_INFO * > m_poolInfos
 
bool m_stopAllProcessing
 True if no further processing should occur.
 

Detailed Description

C++ class that automatically analyzes a disk image to extract files from it.

This class hides many of the details that are required to use lower-level TSK APIs to analyze volume and file systems.

The processFile() method must be implemented and it will be called for each file and directory that is found.

An image file must be first opened using openImage(). It can then be analyzed using one of the findFilesInXXXX() methods. The filterXX() methods can be used to skip volumes and file systems.

This class, by default, will not stop if an error occurs. It registers the error into an internal list. Those can be retrieved with getErrorList(). If you want to deal with errors differently, you must implement handleError().

Member Function Documentation

void TskAuto::closeImage ( )
virtual

Closes the handles to the open disk image.

Should be called after you have completed analysis of the image.

Reimplemented in TskAutoDb.

References m_internalOpen, and tsk_img_close().

Referenced by TskAutoDb::closeImage(), openImage(), openImageHandle(), and openImageUtf8().

TSK_RETVAL_ENUM TskAuto::enableImageWriter ( const char *  imagePath)
virtual

Enables image writer, which creates a copy of the image as it is being processed.

Parameters
imagePath  UTF8 version of path to write the image to

References TSK_ERR, tsk_error_set_errno(), tsk_error_set_errstr(), TSK_OK, tsk_UTF8toUTF16(), TSKconversionOK, and TSKlenientConversion.

TSK_FILTER_ENUM TskAuto::filterFs ( TSK_FS_INFO *  fs_info)
virtual

TskAuto calls this method before it processes each file system that is found in a volume.

You can use this to learn about each file system before it is processed and you can force TskAuto to skip this file system.

Parameters
fs_info  file system details
Returns
Value to show if FS should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_CONT.

TSK_FILTER_ENUM TskAuto::filterPool ( const TSK_POOL_INFO *  pool_info)
virtual

TskAuto calls this method before it processes each pool that is found.

You can use this to learn about each pool before it is processed and you can force TskAuto to skip this volume.

Parameters
pool_vol  Pool details
Returns
Value to show if pool should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_SKIP, and tsk_verbose.

Referenced by findFilesInPool().

TSK_FILTER_ENUM TskAuto::filterPoolVol ( const TSK_POOL_VOLUME_INFO *  pool_vol)
virtual

TskAuto calls this method before it processes each pool volume that is found in a pool.

You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume.

Parameters
pool_vol  Pool volume details
Returns
Value to show if pool volume should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_SKIP, and tsk_verbose.

Referenced by findFilesInPool().

TSK_FILTER_ENUM TskAuto::filterVol ( const TSK_VS_PART_INFO *  vs_part)
virtual

TskAuto calls this method before it processes each volume that is found in a volume system.

You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume. The setVolFilterFlags() method can be used to configure if TskAuto should process unallocated space.

Parameters
vs_part  Partition details
Returns
Value to show if volume should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_CONT.

TSK_FILTER_ENUM TskAuto::filterVs ( const TSK_VS_INFO *  vs_info)
virtual

TskAuto calls this method before it processes the volume system that is found in an image.

You can use this to learn about the volume system before it is processed and you can force TskAuto to skip this volume system.

Parameters
vs_info  volume system details
Returns
Value to show if Vs should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb.

References TSK_FILTER_CONT.

Referenced by findFilesInVs().

uint8_t TskAuto::findFilesInFs ( TSK_OFF_T  a_start)

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will call processFile() on each file that is found.

Parameters
a_start  Byte offset of file system starting location.
Returns
1 if an error occurred (messages will have been registered) and 0 on success

References TSK_FS_TYPE_DETECT.

Referenced by findFilesInFs(), findFilesInImg(), and findFilesInVs().

uint8_t TskAuto::findFilesInFs ( TSK_OFF_T  a_start,
TSK_FS_TYPE_ENUM  a_ftype 
)

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will call processFile() on each file that is found.

Parameters
a_start  Byte offset of file system starting location.
a_ftype  Type of file system that is located at the offset.
Returns
1 if an error occurred (messages will have been registered) and 0 on success

References findFilesInFsRet().

uint8_t TskAuto::findFilesInFs ( TSK_OFF_T  a_start,
TSK_INUM_T  a_inum 
)

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will start processing the file system at the specified inum. Will call processFile() on each file that is found in that directory.

Parameters
a_start  Byte offset of file system starting location.
a_inum  inum to start walking the file system at.
Returns
1 if an error occurred (messages will have been registered) and 0 on success

References findFilesInFs(), and TSK_FS_TYPE_DETECT.

uint8_t TskAuto::findFilesInFs ( TSK_OFF_T  a_start,
TSK_FS_TYPE_ENUM  a_ftype,
TSK_INUM_T  a_inum 
)

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will start processing the file system at the specified inum. Will call processFile() on each file that is found in that directory.

Parameters
a_start  Byte offset of file system starting location.
a_ftype  Type of file system that will be analyzed.
a_inum  inum to start walking the file system at.
Returns
1 if an error occurred (messages will have been registered) and 0 on success

References getCurVsPartDescr(), getCurVsPartFlag(), isCurVsValid(), registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fs_close(), tsk_fs_open_img(), and TSK_VS_PART_FLAG_ALLOC.

uint8_t TskAuto::findFilesInFs ( TSK_FS_INFO *  a_fs_info)

Processes the file system represented by the given TSK_FS_INFO pointer.

Will call processFile() on each file that is found.

Parameters
a_fs_info  Pointer to a previously opened file system.
Returns
1 if an error occurred (messages will have been registered) and 0 on success

References registerError(), TSK_FS_INFO::root_inum, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

uint8_t TskAuto::findFilesInFs ( TSK_FS_INFO *  a_fs_info,
TSK_INUM_T  inum 
)

Processes the file system represented by the given TSK_FS_INFO pointer.

Will call processFile() on each file that is found.

Parameters
a_fs_info  Pointer to a previously opened file system.
a_inum  inum to start walking the file system at.
Returns
1 if an error occurred (messages will have been registered) and 0 on success

References registerError(), tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

TSK_RETVAL_ENUM TskAuto::findFilesInFsRet ( TSK_OFF_T  a_start,
TSK_FS_TYPE_ENUM  a_ftype 
)

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will call processFile() on each file that is found. Same as findFilesInFs, but gives more detailed return values.

Parameters
a_start  Byte offset to start analyzing from.
a_ftype  File system type.
Returns
Error (messages will have been registered), OK, or STOP.

References getCurVsPartDescr(), getCurVsPartFlag(), isCurVsValid(), registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fs_close(), tsk_fs_open_img(), TSK_OK, and TSK_VS_PART_FLAG_ALLOC.

Referenced by findFilesInFs().

uint8_t TskAuto::findFilesInImg ( )

Starts in sector 0 of the opened disk images and looks for a volume or file system.

Will call processFile() on each file that is found.

Returns
1 if an error occurred (message will have been registered) and 0 on success

References findFilesInFs(), findFilesInVs(), TSK_IMG_INFO::itype, registerError(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_TYPE_LOGICAL, and TSK_IMG_TYPE_LOGICAL.

Referenced by TskAutoDb::addFilesInImgToDb().

uint8_t TskAuto::findFilesInPool ( TSK_OFF_T  start)

Starts in a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.

Will call processFile() on each file that is found.

Parameters
start  Byte offset to start analyzing from.
Returns
1 if an error occurred (message will have been registered), 0 on success

Referenced by findFilesInVs().

uint8_t TskAuto::findFilesInPool ( TSK_OFF_T  start,
TSK_POOL_TYPE_ENUM  ptype 
)

Starts in a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.

Will call processFile() on each file that is found.

Parameters
start  Byte offset to start analyzing from.
ptype  The type of pool
Returns
1 if an error occurred (message will have been registered), 0 on success

References filterPool(), filterPoolVol(), m_stopAllProcessing, registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_FILTER_SKIP, TSK_FILTER_STOP, tsk_fs_close(), TSK_FS_TYPE_APFS, tsk_img_close(), TSK_OK, and TSK_STOP.

uint8_t TskAuto::findFilesInVs ( TSK_OFF_T  a_start)

Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.

Will call processFile() on each file that is found.

Parameters
a_start  Byte offset to start analyzing from.
Returns
1 if an error occurred (message will have been registered), 0 on success

References TSK_VS_TYPE_DETECT.

Referenced by findFilesInImg().

uint8_t TskAuto::findFilesInVs ( TSK_OFF_T  a_start,
TSK_VS_TYPE_ENUM  a_vtype 
)

Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.

Will call processFile() on each file that is found.

Parameters
a_start  Byte offset to start analyzing from.
a_vtype  Volume system type to analyze
Returns
1 if an error occurred (messages will have been registered) and 0 on success

References filterVs(), findFilesInFs(), findFilesInPool(), hasPool(), m_stopAllProcessing, TSK_VS_INFO::part_count, registerError(), tsk_error_get_errno(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FILTER_SKIP, TSK_FILTER_STOP, tsk_verbose, tsk_vs_close(), tsk_vs_open(), and tsk_vs_part_walk().

std::string TskAuto::getCurVsPartDescr ( ) const

Get the volume description of the last processed volume.

Returns
volume description string of the last processed volume

Referenced by findFilesInFs(), and findFilesInFsRet().

TSK_VS_PART_FLAG_ENUM TskAuto::getCurVsPartFlag ( ) const

Get the volume flags of the last processed volume.

Returns
flags for the last processed volume.

Referenced by findFilesInFs(), and findFilesInFsRet().

const std::vector< TskAuto::error_record > TskAuto::getErrorList ( )

Get the list of errors that were added to the internal list.

This list could be empty if the implementing class already acted on the errors or never called addToErrorList().

Returns
list of errors.

TSK_OFF_T TskAuto::getImageSize ( ) const

Returns
The size of the image in bytes or -1 if the image is not open.

References TSK_IMG_INFO::size.

uint8_t TskAuto::handleError ( )
virtual

Override this method to get called for each error that is registered.

This method allows you to log the message or stop processing. Use setStopProcessing() to do that.

Returns
1 to stop the processing flow and 0 to continue.

Reimplemented in TskIsImageSupported.

Referenced by registerError().

bool TskAuto::hasPool ( TSK_OFF_T  a_start)

Checks whether a volume contains a pool.

Parameters
a_start  Byte offset to start analyzing from.
Returns
true if a pool is found, false if not or on error

References registerError(), tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by findFilesInVs().

uint8_t TskAuto::isDefaultType ( TSK_FS_FILE *  a_fs_file,
const TSK_FS_ATTR *  a_fs_attr 
)
protected

Utility method to help determine if an attribute is the default type for the file/dir.

Returns
1 if the attribute is a default type, 0 if not.

References TSK_FS_FILE::fs_info, and TSK_FS_ATTR::type.

uint8_t TskAuto::isDir ( TSK_FS_FILE *  a_fs_file)
protected

Utility method to help determine if a file is a directory.

Returns
1 if the file is a directory, 0 if not.

References TSK_FS_FILE::meta, TSK_FS_FILE::name, TSK_FS_NAME_TYPE_UNDEF, TSK_FS_META::type, and TSK_FS_NAME::type.

Referenced by TskAutoDb::processFile().

uint8_t TskAuto::isDotDir ( TSK_FS_FILE *  a_fs_file)
protected

Utility method to help determine if a file is a . or .. directory.

Parameters
a_fs_file  File to evaluate
Returns
1 if the file is a dot directory, 0 if not.

References TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_NAME::name_size, TSK_FS_NAME_TYPE_DIR, and TSK_FS_NAME::type.

uint8_t TskAuto::isFATSystemFiles ( TSK_FS_FILE *  a_fs_file)
protected

Utility method to help determine if a file is a FAT file system file (such as $MBR).

Returns
1 if the file is a FAT system file, 0 if not.

References TSK_FS_FILE::fs_info, TSK_FS_INFO::ftype, TSK_FS_NAME::meta_addr, TSK_FS_FILE::name, and TSK_FS_TYPE_ISFAT.

uint8_t TskAuto::isFile ( TSK_FS_FILE *  a_fs_file)
protected

Utility method to help determine if a file is a file (and not a directory).

Returns
1 if the file is a file, 0 if not.

References TSK_FS_FILE::meta, TSK_FS_FILE::name, TSK_FS_META_TYPE_REG, TSK_FS_NAME_TYPE_REG, TSK_FS_NAME_TYPE_UNDEF, TSK_FS_META::type, and TSK_FS_NAME::type.

uint8_t TskAuto::isNonResident ( const TSK_FS_ATTR *  a_fs_attr)
protected

Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data)

Returns
1 if the attribute is non-resident, 0 if not.

References TSK_FS_ATTR::flags, and TSK_FS_ATTR_NONRES.

uint8_t TskAuto::isNtfsSystemFiles ( TSK_FS_FILE *  a_fs_file,
const char *  path 
)
protected

Utility method to help determine if a file is an NTFS file system file (such as $MFT).

Returns
1 if the file is an NTFS System file, 0 if not.

References TSK_FS_FILE::fs_info, TSK_FS_INFO::ftype, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, and TSK_FS_TYPE_ISNTFS.

uint8_t TskAuto::openImage ( int  a_numImg,
const TSK_TCHAR *const  a_images[],
TSK_IMG_TYPE_ENUM  a_imgType,
unsigned int  a_sSize 
)
virtual

Opens the disk image to be analyzed.

This must be called before any of the findFilesInXXX() methods.

Parameters
a_numImg  The number of images to open (will be > 1 for split images).
a_images  The path to the image files (the number of files must be equal to num_img and they must be in a sorted order)
a_imgType  The disk image type (can be autodetection)
a_sSize  Size of device sector in bytes (or 0 for default)
Returns
1 on error (messages were NOT registered), 0 on success

References closeImage(), m_internalOpen, resetErrorList(), and tsk_img_open().

Referenced by TskAutoDb::openImage().

uint8_t TskAuto::openImageHandle ( TSK_IMG_INFO *  a_img_info)
virtual

Uses the already opened image for future analysis.

This must be called before any of the findFilesInXXX() methods. Note that the TSK_IMG_INFO will not be freed when the TskAuto class is closed.

Parameters
a_img_info  Handle to an already opened disk image.
Returns
1 on error (messages were NOT registered) and 0 on success

References closeImage(), m_internalOpen, and resetErrorList().

Referenced by TskAutoDb::startAddImage().

uint8_t TskAuto::openImageUtf8 ( int  a_numImg,
const char *const  a_images[],
TSK_IMG_TYPE_ENUM  a_imgType,
unsigned int  a_sSize 
)
virtual

Opens the disk image to be analyzed.

This must be called before any of the findFilesInXXX() methods. Always uses the utf8 tsk_img_open even in windows.

Parameters
a_numImg  The number of images to open (will be > 1 for split images).
a_images  The path to the image files (the number of files must be equal to num_img and they must be in a sorted order)
a_imgType  The disk image type (can be autodetection)
a_sSize  Size of device sector in bytes (or 0 for default)
Returns
1 on error (messages were NOT registered), 0 on success

References closeImage(), m_internalOpen, resetErrorList(), and tsk_img_open_utf8().

Referenced by TskAutoDb::openImageUtf8().

TSK_RETVAL_ENUM TskAuto::processAttribute ( TSK_FS_FILE *  fs_file,
const TSK_FS_ATTR *  fs_attr,
const char *  path 
)
protected virtual

Method that is called from processAttributes() for each attribute that a file has.

processAttributes() is not called by default. It exists so that implementations of processFile() can choose to call it if they want to look at all of the attributes. You must implement this method to see each attribute and modify processFile() so that it calls processAttributes().

Parameters
fs_file  File being analyzed.
fs_attr  Attribute of the file.
path  full path of parent directory
Returns
STOP or OK. All errors must have been registered.

References TSK_OK.

Referenced by processAttributes().

TSK_RETVAL_ENUM TskAuto::processAttributes ( TSK_FS_FILE *  fs_file,
const char *  path 
)
protected

Method that can be used from within processFile() to look at each attribute that a file may have.

This will call the processAttribute() method (which you must implement) on each of the attributes in the file.

Parameters
fs_file  file details
path  full path of parent directory
Returns
STOP if the file system processing should stop and not process more files or OK.

References m_stopAllProcessing, processAttribute(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_getsize(), TSK_OK, and TSK_STOP.

Referenced by TskAutoDb::processFile().

virtual TSK_RETVAL_ENUM TskAuto::processFile ( TSK_FS_FILE *  fs_file,
const char *  path 
)
pure virtual

TskAuto calls this method for each file and directory that it finds in an image.

The setFileFilterFlags() method can be used to set the criteria for what types of files this should be called for. There are several methods, such as isDir() that can be used by this method to help focus in on the files that you care about. When errors are encountered, send them to registerError().

Parameters
fs_file  file details
path  full path of parent directory
Returns
STOP or OK. All errors must have been registered.

Implemented in TskAutoDb, and TskIsImageSupported.

uint8_t TskAuto::registerError ( )

Internal method that TskAuto calls when it encounters issues while processing an image.

It will add the error to an internal list and then call handleError() to allow the sub-class to decide what to do with the error. The tsk global error values must be set before this is called (tsk_error_set_errno, etc.). This method will reset the error values before it returns.

Returns
1 if the caller should stop processing (registerError() implementation should also call setStopProcessing() to ensure all processes stop) or 0 if they should continue.

References handleError(), tsk_error_get_errno(), tsk_error_get_errstr(), tsk_error_get_errstr2(), and tsk_error_reset().

Referenced by TskAutoDb::addFilesInImgToDb(), TskAutoDb::filterFs(), TskAutoDb::filterPool(), TskAutoDb::filterPoolVol(), TskAutoDb::filterVol(), TskAutoDb::filterVs(), findFilesInFs(), findFilesInFsRet(), findFilesInImg(), findFilesInPool(), findFilesInVs(), hasPool(), and TskAutoDb::startAddImage().

void TskAuto::setFileFilterFlags ( TSK_FS_DIR_WALK_FLAG_ENUM  file_flags)

Set the attributes for the files that should be processed.

The default settings are for all files (allocated and deleted). This must be called before the findFilesInXX() method.

Parameters
file_flags  Flags to use for filtering

Referenced by TskAutoDb::filterFs().

void TskAuto::setVolFilterFlags ( TSK_VS_PART_FLAG_ENUM  vs_flags)

Set the attributes for the volumes that should be processed.

The default settings are for Allocated Non-Meta volumes only. This must be called before the findFilesInXX() method.

Parameters
vs_flags  Flags to use for filtering

Referenced by TskAutoDb::addFilesInImgToDb().


The documentation for this class was generated from the following files:

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.