The Sleuth Kit
4.12.1
Stores information about a file attribute.
#include <tsk_fs.h>
Public Member Functions

| Return type | Member | Description |
| --- | --- | --- |
| TSK_OFF_T | getAllocSize () const | get number of bytes that are allocated in all clusters of non-resident run (will be larger than size - does not include skiplen). |
| const uint8_t * | getBuf () const | Pointer to buffer with resident data. |
| uint32_t | getCompSize () const | get size of compression units (needed only if NTFS file is compressed) |
| TSK_FS_ATTR_FLAG_ENUM | getFlags () const | get the attribute's flags |
| uint16_t | getId () const | get id of attribute |
| TSK_OFF_T | getInitSize () const | get number of bytes (starting from offset 0) that have data (including FILLER) saved for them (smaller than or equal to size). |
| const char * | getName () const | get the attribute's name (in UTF-8). |
| const TskFsAttrRun * | getRun (int a_idx) const | get a run for a non-resident attribute. |
| int | getRunCount () const | gets the number of runs in a non-resident attribute. |
| TSK_OFF_T | getSize () const | get size in bytes of attribute (does not include skiplen for non-resident) |
| uint32_t | getSkipLen () const | get number of initial bytes in run to skip before content begins. |
| TSK_FS_ATTR_TYPE_ENUM | getType () const | get type of attribute |
| ssize_t | read (TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) | Read the contents of this attribute using a typical read() type interface. |
| | TskFsAttribute (const TSK_FS_ATTR *a_fsAttr) | construct a TskFsAttribute object |
| uint8_t | walk (TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CPP_CB a_action, void *a_ptr) | Process an attribute and call a callback function with its contents. |

Stores information about a file attribute.
File attributes store data for a file. Most files have at least one attribute that stores the file content. See TSK_FS_ATTR for details on attributes.

TskFsAttribute::TskFsAttribute (const TSK_FS_ATTR *a_fsAttr) [inline]
construct a TskFsAttribute object
Parameters:
| a_fsAttr | a pointer to a TSK_FS_ATTR. If NULL, the getX() return values are undefined. |

TSK_OFF_T TskFsAttribute::getAllocSize () const [inline]
get number of bytes that are allocated in all clusters of non-resident run (will be larger than size - does not include skiplen).
This is defined when the attribute is created and used to determine slack space.
References TSK_FS_ATTR::allocsize, and TSK_FS_ATTR::nrd.

const uint8_t * TskFsAttribute::getBuf () const [inline]
Pointer to buffer with resident data.
Only getSize() bytes will be valid.
References TSK_FS_ATTR::buf, and TSK_FS_ATTR::rd.

uint32_t TskFsAttribute::getCompSize () const [inline]
get size of compression units (needed only if NTFS file is compressed)
References TSK_FS_ATTR::compsize, and TSK_FS_ATTR::nrd.
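
TSK_FS_ATTR_FLAG_ENUM TskFsAttribute::getFlags () const [inline]
get the attribute's flags

uint16_t TskFsAttribute::getId () const [inline]
get id of attribute

TSK_OFF_T TskFsAttribute::getInitSize () const [inline]
get number of bytes (starting from offset 0) that have data (including FILLER) saved for them (smaller than or equal to size).
This is defined when the attribute is created.
References TSK_FS_ATTR::initsize, and TSK_FS_ATTR::nrd.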

const char * TskFsAttribute::getName () const [inline]
get the attribute's name (in UTF-8).
References TSK_FS_ATTR::name.

const TskFsAttrRun * TskFsAttribute::getRun (int a_idx) const [inline]
get a run for a non-resident attribute.
It is the caller's responsibility to free the memory of the returned TskFsAttrRun.
Parameters:
| a_idx | The index of the run to return. |
References TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, and TSK_FS_ATTR::run.

int TskFsAttribute::getRunCount () const [inline]
gets the number of runs in a non-resident attribute.
References TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, and TSK_FS_ATTR::run.
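
The ownership rule for getRun() and the run count from getRunCount(), as an added example that is not code from The Sleuth Kit: collectRuns() is a hypothetical helper that takes each returned run into a std::unique_ptr so it is freed on every path. DemoRun and DemoAttr are constructed stand-ins so the block runs without libtsk; getOffset(), getAddr() and getLength() are TskFsAttrRun accessors not listed on this page, and treating a null return as "no run at this index" is an assumption.

```cpp
#include <cstdint>
#include <memory>
#include <type_traits>
#include <vector>

struct RunInfo { uint64_t offset, addr, length; };

// Hypothetical helper for any type exposing getRunCount() and getRun(int),
// such as TskFsAttribute. The caller owns every getRun() result.
template <class Attr>
std::vector<RunInfo> collectRuns(const Attr &attr) {
    std::vector<RunInfo> out;
    const int n = attr.getRunCount();
    for (int i = 0; i < n; ++i) {
        auto *raw = attr.getRun(i);
        std::unique_ptr<typename std::remove_pointer<decltype(raw)>::type> run(raw);
        if (!run) continue;  // assumption: null means no run at this index
        out.push_back(RunInfo{static_cast<uint64_t>(run->getOffset()),
                              static_cast<uint64_t>(run->getAddr()),
                              static_cast<uint64_t>(run->getLength())});
    }  // run is deleted here on every path, including a throwing push_back
    return out;
}

// Constructed stand-ins (not TSK types) so this runs without libtsk or an image.
struct DemoRun {
    static int live;  // heap instances not yet freed
    uint64_t off, addr, len;
    DemoRun(uint64_t o, uint64_t a, uint64_t l) : off(o), addr(a), len(l) { ++live; }
    ~DemoRun() { --live; }
    uint64_t getOffset() const { return off; }
    uint64_t getAddr() const { return addr; }
    uint64_t getLength() const { return len; }
};
int DemoRun::live = 0;
struct DemoAttr {
    std::vector<RunInfo> runs;
    int getRunCount() const { return static_cast<int>(runs.size()); }
    const DemoRun *getRun(int i) const {  // caller must delete, like getRun()
        if (i < 0 || i >= getRunCount()) return nullptr;
        return new DemoRun(runs[i].offset, runs[i].addr, runs[i].length);
    }
};

int main() {
    DemoAttr attr;
    attr.runs = {{0, 100, 8}, {8, 500, 4}};  // constructed sample runs
    return (collectRuns(attr).size() == 2 && DemoRun::live == 0) ? 0 : 1;
}
```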

TSK_OFF_T TskFsAttribute::getSize () const [inline]
get size in bytes of attribute (does not include skiplen for non-resident)
References TSK_FS_ATTR::size.

uint32_t TskFsAttribute::getSkipLen () const [inline]
get number of initial bytes in run to skip before content begins.
The size field does not include this length.
References TSK_FS_ATTR::nrd, and TSK_FS_ATTR::skiplen.
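
TSK_FS_ATTR_TYPE_ENUM TskFsAttribute::getType () const [inline]
get type of attribute

ssize_t TskFsAttribute::read (TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) [inline]
Read the contents of this attribute using a typical read() type interface.
0s are returned for missing runs.
See tsk_fs_attr_read() for details.
Parameters:
| a_offset | The byte offset to start reading from. |
| a_buf | The buffer to read the data into. |
| a_len | The number of bytes to read from the file. |
| a_flags | Flags to use while reading |
References tsk_fs_attr_read().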

uint8_t TskFsAttribute::walk (TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CPP_CB a_action, void *a_ptr) [inline]
Process an attribute and call a callback function with its contents.
The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse attributes, the address may be zero.
See tsk_fs_attr_walk() for details.
Parameters:
| a_flags | Flags to use while processing attribute |
| a_action | Callback action to call with content |
| a_ptr | Pointer that will be passed to the callback |
References tsk_fs_attr_walk().

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.