The Sleuth Kit
4.12.1
|
Stores state information for an open file system. More...
#include <tsk_fs.h>
Public Attributes | |
struct { | |
TSK_IMG_INFO * img_info | |
Pointer to the image layer state. | |
TSK_OFF_T offset | |
Byte offset into img_info that fs starts. | |
}; | |
TSK_DADDR_T | block_count |
Number of blocks in fs. | |
TSK_FS_BLOCK_FLAG_ENUM(* | block_getflags )(TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr) |
unsigned int | block_post_size |
Number of bytes that follow each block (currently only used for RAW CDs) | |
unsigned int | block_pre_size |
Number of bytes that precede each block (currently only used for RAW CDs) | |
unsigned int | block_size |
Size of each block (in bytes) | |
uint8_t(* | block_walk )(TSK_FS_INFO *fs, TSK_DADDR_T start, TSK_DADDR_T end, TSK_FS_BLOCK_WALK_FLAG_ENUM flags, TSK_FS_BLOCK_WALK_CB cb, void *ptr) |
FS-specific function: Call tsk_fs_block_walk() instead. | |
void(* | close )(TSK_FS_INFO *fs) |
FS-specific function: Call tsk_fs_close() instead. | |
uint8_t(* | decrypt_block )(TSK_FS_INFO *fs, TSK_DADDR_T start, void *data) |
unsigned int | dev_bsize |
Size of device block (typically always 512) | |
TSK_RETVAL_ENUM(* | dir_open_meta )(TSK_FS_INFO *fs, TSK_FS_DIR **a_fs_dir, TSK_INUM_T inode, int recursion_depth) |
const char * | duname |
string "name" of data unit type | |
TSK_ENDIAN_ENUM | endian |
Endian order of data. | |
uint8_t(* | file_add_meta )(TSK_FS_INFO *fs, TSK_FS_FILE *fs_file, TSK_INUM_T addr) |
TSK_DADDR_T | first_block |
Address of first block. | |
TSK_INUM_T | first_inum |
First valid metadata address. | |
TSK_FS_INFO_FLAG_ENUM | flags |
flags for file system | |
uint8_t(* | fread_owner_sid )(TSK_FS_FILE *, char **) |
uint8_t | fs_id [TSK_FS_INFO_FS_ID_LEN] |
File system id (as reported in boot sector) | |
size_t | fs_id_used |
Number of bytes in fs_id that are being used. | |
uint8_t(* | fscheck )(TSK_FS_INFO *, FILE *) |
uint8_t(* | fsstat )(TSK_FS_INFO *fs, FILE *hFile) |
TSK_FS_TYPE_ENUM | ftype |
type of file system | |
TSK_FS_ATTR_TYPE_ENUM(* | get_default_attr_type )(const TSK_FS_FILE *) |
void * | impl |
uint8_t(* | inode_walk )(TSK_FS_INFO *fs, TSK_INUM_T start, TSK_INUM_T end, TSK_FS_META_FLAG_ENUM flags, TSK_FS_META_WALK_CB cb, void *ptr) |
FS-specific function: Call tsk_fs_meta_walk() instead. | |
TSK_INUM_T | inum_count |
Number of metadata addresses. | |
uint8_t(* | istat )(TSK_FS_INFO *fs, TSK_FS_ISTAT_FLAG_ENUM flags, FILE *hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew) |
Pointer to file system specific function that prints details on a specific file to a file handle. More... | |
uint8_t(* | jblk_walk )(TSK_FS_INFO *, TSK_DADDR_T, TSK_DADDR_T, int, TSK_FS_JBLK_WALK_CB, void *) |
uint8_t(* | jentry_walk )(TSK_FS_INFO *, int, TSK_FS_JENTRY_WALK_CB, void *) |
uint8_t(* | jopen )(TSK_FS_INFO *, TSK_INUM_T) |
TSK_INUM_T | journ_inum |
Address of journal inode. | |
TSK_DADDR_T | last_block |
Address of last block as reported by file system (could be larger than last_block in image if end of image does not exist) | |
TSK_DADDR_T | last_block_act |
Address of last block – adjusted so that it is equal to the last block in the image or volume (if image is not complete) | |
TSK_INUM_T | last_inum |
Last valid metadata address. | |
TSK_LIST * | list_inum_named |
List of unallocated inodes that are pointed to by a file name – Used to find orphan files. More... | |
tsk_lock_t | list_inum_named_lock |
uint8_t(* | load_attrs )(TSK_FS_FILE *) |
int(* | name_cmp )(TSK_FS_INFO *, const char *, const char *) |
TSK_FS_DIR * | orphan_dir |
Files and dirs in the top level of the $OrphanFiles directory. NULL if orphans have not been hunted for yet. (r/w shared - lock) | |
tsk_lock_t | orphan_dir_lock |
TSK_INUM_T | root_inum |
Metadata address of root directory. | |
int | tag |
Stores state information for an open file system.
One of these are generated for each open files system and it contains file system-type specific data. These values are all filled in by the file system code and not the caller functions. This struct (and its subclasses) should be allocated only by tsk_fs_malloc and deallocated only by tsk_fs_free, which handle init/deinit of the locks.
uint8_t(* TSK_FS_INFO::istat) (TSK_FS_INFO *fs, TSK_FS_ISTAT_FLAG_ENUM flags, FILE *hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew) |
Pointer to file system specific function that prints details on a specific file to a file handle.
fs | File system file is located in |
hFile | File handle to print text to |
inum | Address of file in file system |
numblock | The number of blocks in file to force print (can go beyond file size) |
sec_skew | Clock skew in seconds to also print times in |
Referenced by ntfs_open().
TSK_LIST* TSK_FS_INFO::list_inum_named |
List of unallocated inodes that are pointed to by a file name – Used to find orphan files.
Is filled after looking for orphans or afer a full name_walk is performed. (r/w shared - lock)
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.