The Sleuth Kit  4.12.1
TskAutoDb Class Reference
Inheritance: TskAutoDb derives from TskAuto.

Public Member Functions

uint8_t addFilesInImgToDb ()
 Analyzes the open image and adds image info to a database.

virtual void closeImage ()
 Closes the handles to the open disk image.

int64_t commitAddImage ()
 Finish the transaction after startAddImage() has completed.

virtual void createBlockMap (bool flag)

virtual TSK_FILTER_ENUM filterFs (TSK_FS_INFO *fs_info)
 TskAuto calls this method before it processes each file system that is found in a volume.

virtual TSK_FILTER_ENUM filterPool (const TSK_POOL_INFO *pool_info)
 TskAuto calls this method before it processes each pool that is found.

virtual TSK_FILTER_ENUM filterPoolVol (const TSK_POOL_VOLUME_INFO *pool_vol)
 TskAuto calls this method before it processes each pool volume that is found in a pool.

virtual TSK_FILTER_ENUM filterVol (const TSK_VS_PART_INFO *vs_part)
 TskAuto calls this method before it processes each volume that is found in a volume system.

virtual TSK_FILTER_ENUM filterVs (const TSK_VS_INFO *vs_info)
 TskAuto calls this method before it processes the volume system that is found in an image.

const std::string getCurDir ()
 Returns the directory currently being analyzed by processFile().

virtual void hashFiles (bool flag)
 Calculate hash values of files and add them to the database.

bool isDbOpen ()
 Check if we can talk to the database.

virtual uint8_t openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize, const char *deviceId=NULL)
 Adds an image to the database.

virtual uint8_t openImage (const char *a_deviceId=NULL)
 Adds an image to the database.

virtual uint8_t openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize, const char *deviceId=NULL)
 Adds an image to the database.

virtual TSK_RETVAL_ENUM processFile (TSK_FS_FILE *fs_file, const char *path)
 TskAuto calls this method for each file and directory that it finds in an image.

int revertAddImage ()
 Revert all changes after the startAddImage() process has run successfully.

void setAddFileSystems (bool addFileSystems)
 Sets whether or not the file systems for an image should be added when the image is added to the case database.

virtual void setAddUnallocSpace (bool addUnallocSpace)
 When enabled, records for unallocated file system space will be added to the database.

virtual void setAddUnallocSpace (bool addUnallocSpace, int64_t minChunkSize)
 When enabled, records for unallocated file system space will be added to the database.

virtual void setAddUnallocSpace (int64_t minChunkSize, int64_t maxChunkSize)
 When enabled, records for unallocated file system space will be added to the database with the given parameters.

virtual void setNoFatFsOrphans (bool noFatFsOrphans)
 Skip processing of orphans on FAT file systems.

virtual void setTz (std::string tzone)
 Set the current image's timezone.

uint8_t startAddImage (int numImg, const TSK_TCHAR *const imagePaths[], TSK_IMG_TYPE_ENUM imgType, unsigned int sSize, const char *deviceId=NULL)
 Start the process to add image/file metadata to the database inside of a transaction.

uint8_t startAddImage (TSK_IMG_INFO *img_info, const char *deviceId=NULL)
 Start the process to add image/file metadata to the database inside of a transaction.

void stopAddImage ()
 Cancel the running process.

 TskAutoDb (TskDb *a_db, TSK_HDB_INFO *a_NSRLDb, TSK_HDB_INFO *a_knownBadDb)

- Public Member Functions inherited from TskAuto
virtual void disableImageWriter ()
 Disables image writer.

virtual TSK_RETVAL_ENUM enableImageWriter (const char *imagePath)
 Enables image writer, which creates a copy of the image as it is being processed.

uint8_t findFilesInFs (TSK_OFF_T start)
 Starts at a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype)
 Starts at a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_OFF_T start, TSK_INUM_T inum)
 Starts at a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype, TSK_INUM_T inum)
 Starts at a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInFs (TSK_FS_INFO *a_fs_info)
 Processes the file system represented by the given TSK_FS_INFO pointer.

uint8_t findFilesInFs (TSK_FS_INFO *a_fs_info, TSK_INUM_T inum)
 Processes the file system represented by the given TSK_FS_INFO pointer.

TSK_RETVAL_ENUM findFilesInFsRet (TSK_OFF_T start, TSK_FS_TYPE_ENUM a_ftype)
 Starts at a specified byte offset of the opened disk images and looks for a file system.

uint8_t findFilesInImg ()
 Starts in sector 0 of the opened disk images and looks for a volume or file system.

uint8_t findFilesInPool (TSK_OFF_T start)
 Starts at a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.

uint8_t findFilesInPool (TSK_OFF_T start, TSK_POOL_TYPE_ENUM ptype)
 Starts at a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.

uint8_t findFilesInVs (TSK_OFF_T start)
 Starts at a specified byte offset of the opened disk images and looks for a volume system or file system.

uint8_t findFilesInVs (TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype)
 Starts at a specified byte offset of the opened disk images and looks for a volume system or file system.

std::string getCurVsPartDescr () const
 Get the volume description of the most recently processed volume.

TSK_VS_PART_FLAG_ENUM getCurVsPartFlag () const
 Get the volume flags of the most recently processed volume.

const std::vector< error_record > getErrorList ()
 Get the list of errors that were added to the internal list.

TSK_OFF_T getImageSize () const

bool getStopProcessing () const
 Returns true if all processing and recursion should stop.

virtual uint8_t handleError ()
 Override this method to get called for each error that is registered.

bool hasPool (TSK_OFF_T a_start)
 Checks whether a volume contains a pool.

bool isCurVsValid () const
 Determine if we are inside of a volume system and therefore can trust the results of getCurVsPartFlag/Desc.

virtual uint8_t openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize)
 Opens the disk image to be analyzed.

virtual uint8_t openImageHandle (TSK_IMG_INFO *)
 Uses the already opened image for future analysis.

virtual uint8_t openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize)
 Opens the disk image to be analyzed.

uint8_t registerError ()
 Internal method that TskAuto calls when it encounters issues while processing an image.

void resetErrorList ()
 Remove the errors on the internal list.

void setExternalFileSystemList (const std::list< TSK_FS_INFO * > &exteralFsInfoList)
 Store a list of pointers to open file systems to use when calling findFilesInImg instead of opening a new copy.

void setFileFilterFlags (TSK_FS_DIR_WALK_FLAG_ENUM)
 Set the attributes for the files that should be processed.

void setVolFilterFlags (TSK_VS_PART_FLAG_ENUM)
 Set the attributes for the volumes that should be processed.


Additional Inherited Members

- Static Public Member Functions inherited from TskAuto
static std::string errorRecordToString (error_record &rec)

- Public Attributes inherited from TskAuto
unsigned int m_tag

- Protected Member Functions inherited from TskAuto
uint8_t isDefaultType (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr)
 Utility method to help determine if an attribute is the default type for the file/dir.

uint8_t isDir (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a directory.

uint8_t isDotDir (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a "." or ".." directory.

uint8_t isFATSystemFiles (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a FAT file system file (such as $MBR).

uint8_t isFile (TSK_FS_FILE *fs_file)
 Utility method to help determine if a file is a file (and not a directory).

uint8_t isNonResident (const TSK_FS_ATTR *fs_attr)
 Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data).

uint8_t isNtfsSystemFiles (TSK_FS_FILE *fs_file, const char *path)
 Utility method to help determine if a file is an NTFS file system file (such as $MFT).

TSK_RETVAL_ENUM processAttributes (TSK_FS_FILE *fs_file, const char *path)
 Method that can be used from within processFile() to look at each attribute that a file may have.

void setStopProcessing ()
 When called, will cause TskAuto to not continue to recurse into directories and volumes.

- Protected Attributes inherited from TskAuto
std::list< TSK_FS_INFO * > m_exteralFsInfoList

bool m_imageWriterEnabled

TSK_TCHAR * m_imageWriterPath

TSK_IMG_INFO * m_img_info

bool m_internalOpen
 True if m_img_info was opened in TskAuto and false if passed in.

std::vector< const TSK_POOL_INFO * > m_poolInfos

bool m_stopAllProcessing
 True if no further processing should occur.


Constructor & Destructor Documentation

TskAutoDb::TskAutoDb ( TskDb * a_db,
TSK_HDB_INFO * a_NSRLDb,
TSK_HDB_INFO * a_knownBadDb
)
Parameters
a_db: Database to add an image to
a_NSRLDb: Database of "known" files (can be NULL)
a_knownBadDb: Database of "known bad" files (can be NULL)

Member Function Documentation

uint8_t TskAutoDb::addFilesInImgToDb ( )

Analyzes the open image and adds image info to a database.

Does not deal with transactions and such. Refer to startAddImage() for more control.

Returns
1 if a critical error occurred (DB doesn't exist, no file system, etc.), 2 if errors occurred at some point adding files to the DB (corrupt file, etc.), and 0 otherwise. Errors will have been registered.

References TskAuto::findFilesInImg(), TskAuto::registerError(), TskAuto::setVolFilterFlags(), TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_OK, TSK_VS_PART_FLAG_ALLOC, and TSK_VS_PART_FLAG_UNALLOC.

Referenced by startAddImage().

void TskAutoDb::closeImage ( )
virtual

Closes the handles to the open disk image.

Should be called after you have completed analysis of the image.

Reimplemented from TskAuto.

References TskAuto::closeImage().

int64_t TskAutoDb::commitAddImage ( )

Finish the transaction after startAddImage() has completed.

Returns
Id of the image that was added or -1 on error (error was NOT registered in list)

References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), and tsk_verbose.

Referenced by TskCaseDb::addImage().

TSK_FILTER_ENUM TskAutoDb::filterFs ( TSK_FS_INFO * fs_info)
virtual

TskAuto calls this method before it processes each file system that is found in a volume.

You can use this to learn about each file system before it is processed and you can force TskAuto to skip this file system.

Parameters
fs_info: file system details
Returns
Value to show if FS should be processed, skipped, or process should stop.

Reimplemented from TskAuto.

References TSK_FS_INFO::ftype, processFile(), TskAuto::registerError(), TskAuto::setFileFilterFlags(), TSK_FILTER_CONT, TSK_FILTER_STOP, TSK_FS_DIR_WALK_FLAG_ALLOC, TSK_FS_DIR_WALK_FLAG_NOORPHAN, TSK_FS_DIR_WALK_FLAG_UNALLOC, tsk_fs_file_close(), tsk_fs_file_open(), and TSK_FS_TYPE_ISFAT.

TSK_FILTER_ENUM TskAutoDb::filterPool ( const TSK_POOL_INFO *  pool_info)
virtual

TskAuto calls this method before it processes each pool that is found.

You can use this to learn about each pool before it is processed and you can force TskAuto to skip this volume.

Parameters
pool_vol: Pool details
Returns
Value to show if pool should be processed, skipped, or process should stop.

Reimplemented from TskAuto.

References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.

TSK_FILTER_ENUM TskAutoDb::filterPoolVol ( const TSK_POOL_VOLUME_INFO *  pool_vol)
virtual

TskAuto calls this method before it processes each pool volume that is found in a pool.

You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume.

Parameters
pool_vol: Pool volume details
Returns
Value to show if pool volume should be processed, skipped, or process should stop.

Reimplemented from TskAuto.

References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.

TSK_FILTER_ENUM TskAutoDb::filterVol ( const TSK_VS_PART_INFO * vs_part)
virtual

TskAuto calls this method before it processes each volume that is found in a volume system.

You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume. The setVolFilterFlags() method can be used to configure whether TskAuto should process unallocated space.

Parameters
vs_part: Partition details
Returns
Value to show if volume should be processed, skipped, or process should stop.

Reimplemented from TskAuto.

References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.

TSK_FILTER_ENUM TskAutoDb::filterVs ( const TSK_VS_INFO * vs_info)
virtual

TskAuto calls this method before it processes the volume system that is found in an image.

You can use this to learn about the volume system before it is processed and you can force TskAuto to skip this volume system.

Parameters
vs_info: volume system details
Returns
Value to show if Vs should be processed, skipped, or process should stop.

Reimplemented from TskAuto.

References TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.

const std::string TskAutoDb::getCurDir ( )

Returns the directory currently being analyzed by processFile().

Safe to call from a thread other than the one running processFile().

Returns
curDirPath: string representing the currently analyzed directory

void TskAutoDb::hashFiles ( bool  flag)
virtual

Calculate hash values of files and add them to database.

Default is false. Will be set to true if a Hash DB is configured.

Parameters
flag: True to calculate hash values and look them up.

bool TskAutoDb::isDbOpen ( )

Check if we can talk to the database.

Returns true if the database is reachable with current credentials, false otherwise.

uint8_t TskAutoDb::openImage ( int  a_num,
const TSK_TCHAR *const  a_images[],
TSK_IMG_TYPE_ENUM  a_type,
unsigned int  a_ssize,
const char *  a_deviceId = NULL 
)
virtual

Adds an image to the database.

Parameters
a_num: Number of image parts
a_images: Array of paths to the image parts
a_type: Image type
a_ssize: Size of device sector in bytes (or 0 for default)
a_deviceId: An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
Returns
0 for success, 1 for failure

References TskAuto::openImage(), and openImageUtf8().

Referenced by startAddImage().

uint8_t TskAutoDb::openImage ( const char *  a_deviceId = NULL)
virtual

Adds an image to the database.

Requires that m_img_info is already initialized.

Parameters
a_deviceId: An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
Returns
0 for success, 1 for failure

uint8_t TskAutoDb::openImageUtf8 ( int  a_num,
const char *const  a_images[],
TSK_IMG_TYPE_ENUM  a_type,
unsigned int  a_ssize,
const char *  a_deviceId = NULL 
)
virtual

Adds an image to the database.

Parameters
a_num: Number of image parts
a_images: Array of paths to the image parts
a_type: Image type
a_ssize: Size of device sector in bytes (or 0 for default)
a_deviceId: An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
Returns
0 for success, 1 for failure

References TskAuto::openImageUtf8().

Referenced by openImage().

TSK_RETVAL_ENUM TskAutoDb::processFile ( TSK_FS_FILE * fs_file,
const char *  path 
)
virtual

TskAuto calls this method for each file and directory that it finds in an image.

The setFileFilterFlags() method can be used to set the criteria for what types of files this should be called for. There are several methods, such as isDir() that can be used by this method to help focus in on the files that you care about. When errors are encountered, send them to registerError().

Parameters
fs_file: file details
path: full path of the parent directory
Returns
STOP or OK. All errors must have been registered.

Implements TskAuto.

References TskAuto::isDir(), TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_NAME::par_addr, TskAuto::processAttributes(), TSK_DB_FILES_KNOWN_UNKNOWN, tsk_fprintf(), tsk_fs_file_attr_getsize(), TSK_OK, TSK_STOP, and tsk_verbose.

Referenced by filterFs().

int TskAutoDb::revertAddImage ( )

Revert all changes after the startAddImage() process has run successfully.

Returns
1 on error (error was NOT registered in list), 0 on success

References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), and tsk_verbose.

Referenced by TskCaseDb::addImage(), and startAddImage().

void TskAutoDb::setAddFileSystems ( bool  addFileSystems)

Sets whether or not the file systems for an image should be added when the image is added to the case database.

The default value is true.

void TskAutoDb::setAddUnallocSpace ( bool  addUnallocSpace)
virtual

When enabled, records for unallocated file system space will be added to the database.

Default value is false.

Parameters
addUnallocSpace: If true, create records for contiguous unallocated file system sectors.

void TskAutoDb::setAddUnallocSpace ( bool  addUnallocSpace,
int64_t  minChunkSize 
)
virtual

When enabled, records for unallocated file system space will be added to the database.

Default value is false.

Parameters
addUnallocSpace: If true, create records for contiguous unallocated file system sectors.
minChunkSize: the number of bytes to group unallocated data into. A value of 0 will create one large chunk and group only on volume boundaries. A value of -1 will group each consecutive chunk.

void TskAutoDb::setAddUnallocSpace ( int64_t  minChunkSize,
int64_t  maxChunkSize 
)
virtual

When enabled, records for unallocated file system space will be added to the database with the given parameters.

Automatically sets the flag to create records for contiguous unallocated file system sectors.

Parameters
minChunkSize: the number of bytes to group unallocated data into. A value of 0 will create one large chunk and group only on volume boundaries. A value of -1 will group each consecutive chunk.
maxChunkSize: the maximum number of bytes in one record of unallocated data. A value of -1 will not split the records based on size.

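
An added example, not code from The Sleuth Kit or its authors, that models the grouping rules documented for minChunkSize and maxChunkSize over a constructed list of unallocated blocks; the Range and Record types, the groupUnalloc function and the sample block addresses are assumptions, and the real tsk_auto_db.cpp may place record boundaries differently:

```cpp
// Added illustration, not code from The Sleuth Kit: models how setAddUnallocSpace()'s
// minChunkSize / maxChunkSize group a volume's unallocated blocks into DB records,
// using only the documented semantics. Range/Record and exact boundaries are assumptions.
#include <cstdint>
#include <cstdio>
#include <vector>

struct Range { uint64_t startByte; uint64_t lengthBytes; };  // one contiguous run
using Record = std::vector<Range>;   // one DB record may hold several runs

// 'blocks': ascending unallocated block addresses of one volume; 'blockSize' in bytes.
// minChunkSize  0: never flush on size (one record per volume); -1: each run is its
//               own record; n: flush once a record holds more than n bytes.
// maxChunkSize -1: runs are never split by size; n: a run is cut once it reaches n bytes.
std::vector<Record> groupUnalloc(const std::vector<uint64_t>& blocks, uint64_t blockSize,
                                 int64_t minChunkSize, int64_t maxChunkSize) {
    std::vector<Record> records;
    if (blocks.empty()) return records;
    Record cur;                // record currently being filled
    uint64_t curBytes = 0;     // bytes accumulated in 'cur'
    uint64_t runStart = blocks[0], prev = blocks[0], runBytes = blockSize;

    auto closeRun = [&]() {    // append the finished run, flush the record if min says so
        cur.push_back({runStart * blockSize, runBytes});
        curBytes += runBytes;
        bool flush = (minChunkSize == -1) ||
                     (minChunkSize > 0 && curBytes > static_cast<uint64_t>(minChunkSize));
        if (flush) { records.push_back(cur); cur.clear(); curBytes = 0; }
    };

    for (size_t i = 1; i < blocks.size(); ++i) {
        bool consecutive = (blocks[i] == prev + 1);
        bool belowMax = (maxChunkSize <= 0) || (runBytes < static_cast<uint64_t>(maxChunkSize));
        if (consecutive && belowMax) {       // extend the current run
            runBytes += blockSize;
            prev = blocks[i];
            continue;
        }
        closeRun();                          // address gap or size cap: start a new run
        runStart = prev = blocks[i];
        runBytes = blockSize;
    }
    closeRun();
    if (!cur.empty()) records.push_back(cur); // volume boundary flushes the remainder
    return records;
}

uint64_t recordBytes(const Record& r) {
    uint64_t total = 0;
    for (const Range& g : r) total += g.lengthBytes;
    return total;
}

int main() {
    // Constructed sample: 4 KiB blocks, three unallocated runs separated by gaps.
    const std::vector<uint64_t> blocks = {10, 11, 12, 20, 21, 40};
    const int64_t settings[][2] = {{0, -1}, {-1, -1}, {10000, -1}, {-1, 8192}};
    for (const auto& s : settings)
        std::printf("min=%lld max=%lld -> %zu record(s)\n", (long long)s[0],
                    (long long)s[1], groupUnalloc(blocks, 4096, s[0], s[1]).size());
    return 0;
}
```

With the sample above, minChunkSize 0 yields a single record holding all three runs, -1 yields one record per run, 10000 merges the two short runs into one record, and maxChunkSize 8192 cuts the 12 KiB run in two.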
void TskAutoDb::setNoFatFsOrphans ( bool  noFatFsOrphans)
virtual

Skip processing of orphans on FAT filesystems.

This will make the loading of the database much faster but you will not have all deleted files. Default value is false.

Parameters
noFatFsOrphans: set to true to skip processing orphans on FAT file systems

uint8_t TskAutoDb::startAddImage ( int  numImg,
const TSK_TCHAR *const  imagePaths[],
TSK_IMG_TYPE_ENUM  imgType,
unsigned int  sSize,
const char *  deviceId = NULL 
)

Start the process to add image/file metadata to database inside of a transaction.

User must call either commitAddImage() to commit the changes, or revertAddImage() to revert them.

Parameters
numImg: Number of image parts
imagePaths: Array of paths to the image parts
imgType: Image type
sSize: Size of device sector in bytes (or 0 for default)
deviceId: An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID)
Returns
0 for success, 1 for failure

References addFilesInImgToDb(), openImage(), TskAuto::registerError(), revertAddImage(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), and tsk_verbose.

Referenced by TskCaseDb::addImage().

uint8_t TskAutoDb::startAddImage ( TSK_IMG_INFO * img_info,
const char *  deviceId = NULL 
)

Start the process to add image/file metadata to database inside of a transaction.

User must call either commitAddImage() to commit the changes, or revertAddImage() to revert them.

Parameters
img_info: Previously initialized TSK_IMG_INFO object
deviceId: An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID)
Returns
0 for success, 1 for failure

References addFilesInImgToDb(), openImage(), TskAuto::openImageHandle(), TskAuto::registerError(), revertAddImage(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), and tsk_verbose.

void TskAutoDb::stopAddImage ( )

Cancel the running process.

Will not be handled immediately.

References TskAuto::setStopProcessing(), tsk_fprintf(), and tsk_verbose.


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.