The Sleuth Kit  4.12.1
Macros | Functions
ntfs.c File Reference

Contains the TSK internal general NTFS processing code. More...

#include "tsk_fs_i.h"
#include "tsk_ntfs.h"
#include <ctype.h>

Macros

#define NSEC_BTWN_1601_1970   (uint64_t)(116444736000000000ULL)
 
#define NTFS_PRINT_WIDTH   8
 
#define WITHNANO(x)   x, (unsigned int)x##_nano
 

Functions

uint32_t nt2nano (uint64_t ntdate)
 
uint32_t nt2unixtime (uint64_t ntdate)
 
uint8_t ntfs_attrname_lookup (TSK_FS_INFO *fs, uint16_t type, char *name, int len)
 
TSK_RETVAL_ENUM ntfs_dinode_lookup (NTFS_INFO *a_ntfs, char *a_buf, TSK_INUM_T a_mftnum)
 Read an MFT entry and save it in raw form in the given buffer. More...
 
TSK_FS_INFOntfs_open (TSK_IMG_INFO *img_info, TSK_OFF_T offset, TSK_FS_TYPE_ENUM ftype, uint8_t test)
 Open part of a disk image as an NTFS file system. More...
 

Detailed Description

Contains the TSK internal general NTFS processing code.

Function Documentation

TSK_RETVAL_ENUM ntfs_dinode_lookup ( NTFS_INFO a_ntfs,
char *  a_buf,
TSK_INUM_T  a_mftnum 
)

Read an MFT entry and save it in raw form in the given buffer.

NOTE: This will remove the update sequence integrity checks in the structure.

Parameters
a_ntfsFile system to read from
a_bufBuffer to save raw data to. Must be of size NTFS_INFO.mft_rsize_b
a_mftnumAddress of MFT entry to read
Returns
Error value

References TSK_FS_INFO::endian, TSK_FS_INFO::last_inum, TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, TSK_FS_ATTR::run, TSK_COR, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), tsk_fs_read(), TSK_OK, and tsk_verbose.

TSK_FS_INFO* ntfs_open ( TSK_IMG_INFO img_info,
TSK_OFF_T  offset,
TSK_FS_TYPE_ENUM  ftype,
uint8_t  test 
)

Open part of a disk image as an NTFS file system.

Parameters
img_infoDisk image to analyze
offsetByte offset where NTFS file system starts
ftypeSpecific type of NTFS file system
testNOT USED
Returns
NULL on error or if data is not an NTFS file system

References TSK_FS_META::attr, TSK_FS_INFO::block_count, TSK_FS_INFO::block_size, TSK_FS_INFO::block_walk, TSK_FS_INFO::close, TSK_FS_INFO::dev_bsize, TSK_FS_INFO::duname, TSK_FS_INFO::endian, TSK_FS_INFO::first_block, TSK_FS_INFO::first_inum, TSK_FS_INFO::flags, TSK_FS_INFO::fs_id, TSK_FS_INFO::fs_id_used, TSK_FS_INFO::ftype, TSK_FS_INFO::img_info, TSK_FS_INFO::inode_walk, TSK_FS_INFO::inum_count, TSK_FS_INFO::istat, TSK_FS_INFO::journ_inum, TSK_FS_INFO::last_block, TSK_FS_INFO::last_block_act, TSK_FS_INFO::last_inum, TSK_FS_FILE::meta, TSK_FS_INFO::offset, TSK_FS_INFO::root_inum, TSK_IMG_INFO::sector_size, TSK_IMG_INFO::size, TSK_FS_ATTR::size, tsk_error_errstr2_concat(), tsk_error_get(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), tsk_fs_file_open_meta(), TSK_FS_INFO_FLAG_HAVE_SEQ, tsk_fs_read(), TSK_FS_TYPE_ISNTFS, TSK_FS_TYPE_NTFS, and tsk_verbose.

Referenced by tsk_fs_open_img_decrypt().

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.