Public Member Functions | |
| uint8_t | addFilesInImgToDb () |
| Analyzes the open image and adds image info to a database. More... | |
| virtual void | closeImage () |
| Closes the handles to the open disk image. More... | |
| int64_t | commitAddImage () |
| Finish the transaction after the startAddImage is finished. More... | |
| virtual void | createBlockMap (bool flag) |
| virtual TSK_FILTER_ENUM | filterFs (TSK_FS_INFO *fs_info) |
| TskAuto calls this method before it processes each file system that is found in a volume. More... | |
| virtual TSK_FILTER_ENUM | filterVol (const TSK_VS_PART_INFO *vs_part) |
| TskAuto calls this method before it processes each volume that is found in a volume system. More... | |
| virtual TSK_FILTER_ENUM | filterVs (const TSK_VS_INFO *vs_info) |
| TskAuto calls this method before it processes the volume system that is found in an image. More... | |
| const std::string | getCurDir () |
| Returns the directory currently being analyzed by processFile(). More... | |
| virtual void | hashFiles (bool flag) |
| Calculate hash values of files and add them to database. More... | |
| virtual uint8_t | openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| Opens the disk image to be analyzed. More... | |
| virtual uint8_t | openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| Opens the disk image to be analyzed. More... | |
| virtual TSK_RETVAL_ENUM | processFile (TSK_FS_FILE *fs_file, const char *path) |
| TskAuto calls this method for each file and directory that it finds in an image. More... | |
| int | revertAddImage () |
| Revert all changes after the startAddImage() process has run sucessfully. More... | |
| virtual void | setAddUnallocSpace (bool addUnallocSpace) |
| When enabled, records for unallocated file system space will be added to the database. More... | |
| virtual void | setAddUnallocSpace (bool addUnallocSpace, int64_t chunkSize) |
| When enabled, records for unallocated file system space will be added to the database. More... | |
| virtual void | setNoFatFsOrphans (bool noFatFsOrphans) |
| Skip processing of orphans on FAT filesystems. More... | |
| virtual void | setTz (string tzone) |
| Set the current image's timezone. | |
| uint8_t | startAddImage (int numImg, const TSK_TCHAR *const imagePaths[], TSK_IMG_TYPE_ENUM imgType, unsigned int sSize) |
| Start the process to add image/file metadata to database inside of a transaction. More... | |
| void | stopAddImage () |
| Cancel the running process. More... | |
| TskAutoDb (TskDbSqlite *a_db, TSK_HDB_INFO *a_NSRLDb, TSK_HDB_INFO *a_knownBadDb) | |
 Public Member Functions inherited from TskAuto | |
| uint8_t | findFilesInFs (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_INUM_T inum) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype, TSK_INUM_T inum) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInFs (TSK_FS_INFO *a_fs_info) |
| Processes the file system represented by the given TSK_FS_INFO pointer. More... | |
| TSK_RETVAL_ENUM | findFilesInFsRet (TSK_OFF_T start, TSK_FS_TYPE_ENUM a_ftype) |
| Starts in a specified byte offset of the opened disk images and looks for a file system. More... | |
| uint8_t | findFilesInImg () |
| Starts in sector 0 of the opened disk images and looks for a volume or file system. More... | |
| uint8_t | findFilesInVs (TSK_OFF_T start) |
| Starts in a specified byte offset of the opened disk images and looks for a volume system or file system. More... | |
| uint8_t | findFilesInVs (TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype) |
| Starts in a specified byte offset of the opened disk images and looks for a volume system or file system. More... | |
| std::string | getCurVsPartDescr () const |
| get volume description of the lastly processed volume More... | |
| TSK_VS_PART_FLAG_ENUM | getCurVsPartFlag () const |
| get volume flags of the lastly processed volume. More... | |
| const std::vector< error_record > | getErrorList () |
| Get the list of errors that were added to the internal list. More... | |
| TSK_OFF_T | getImageSize () const |
| bool | getStopProcessing () const |
| Returns true if all processing and recursion should stop. | |
| virtual uint8_t | handleError () |
| Override this method to get called for each error that is registered. More... | |
| bool | isCurVsValid () const |
| Determine if we are inside of a volume system and therefore we can trust the results of getCurVsPartFlag/Desc. | |
| virtual uint8_t | openImageHandle (TSK_IMG_INFO *) |
| Uses the already opened image for future analysis. More... | |
| uint8_t | registerError () |
| Internal method that TskAuto calls when it encounters issues while processing an image. More... | |
| void | resetErrorList () |
| Remove the errors on the internal list. | |
| void | setFileFilterFlags (TSK_FS_DIR_WALK_FLAG_ENUM) |
| Set the attributes for the files that should be processed. More... | |
| void | setVolFilterFlags (TSK_VS_PART_FLAG_ENUM) |
| Set the attributes for the volumes that should be processed. More... | |
Additional Inherited Members | |
| Static Public Member Functions inherited from TskAuto | |
| static std::string | errorRecordToString (error_record &rec) |
| Public Attributes inherited from TskAuto | |
| unsigned int | m_tag |
| Protected Member Functions inherited from TskAuto | |
| uint8_t | isDefaultType (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr) |
| Utility method to help determine if an attribute is the default type for the file/dir. More... | |
| uint8_t | isDir (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a directory. More... | |
| uint8_t | isDotDir (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a . More... | |
| uint8_t | isFATSystemFiles (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a FAT file system file (such as $MBR). More... | |
| uint8_t | isFile (TSK_FS_FILE *fs_file) |
| Utility method to help determine if a file is a file (and not a directory). More... | |
| uint8_t | isNonResident (const TSK_FS_ATTR *fs_attr) |
| Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data) More... | |
| uint8_t | isNtfsSystemFiles (TSK_FS_FILE *fs_file, const char *path) |
| Utility method to help determine if a file is an NTFS file system file (such as $MFT). More... | |
| TSK_RETVAL_ENUM | processAttributes (TSK_FS_FILE *fs_file, const char *path) |
| Method that can be used from within processFile() to look at each attribute that a file may have. More... | |
| void | setStopProcessing () |
| When called, will cause TskAuto to not continue to recurse into directories and volumes. | |
| Protected Attributes inherited from TskAuto | |
| TSK_IMG_INFO * | m_img_info |
| bool | m_internalOpen |
| True if m_img_info was opened in TskAuto and false if passed in. | |
| bool | m_stopAllProcessing |
| True if no further processing should occur. | |
Constructor & Destructor Documentation
| TskAutoDb::TskAutoDb | ( | TskDbSqlite * | a_db, |
| TSK_HDB_INFO * | a_NSRLDb, | ||
| TSK_HDB_INFO * | a_knownBadDb | ||
| ) |
- Parameters
-
a_db Database to add an image to a_NSRLDb Database of "known" files (can be NULL) a_knownBadDb Database of "known bad" files (can be NULL)
Member Function Documentation
| uint8_t TskAutoDb::addFilesInImgToDb | ( | ) |
Analyzes the open image and adds image info to a database.
Does not deal with transactions and such. Refer to startAddImage() for more control.
- Returns
- 1 if a critical error occured (DB doesn't exist, no file system, etc.), 2 if errors occured at some point adding files to the DB (corrupt file, etc.), and 0 otherwise. Errors will have been registered.
References TskDbSqlite::dbExist(), TskAuto::findFilesInImg(), TskAuto::registerError(), TskAuto::setVolFilterFlags(), TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_OK, TSK_VS_PART_FLAG_ALLOC, and TSK_VS_PART_FLAG_UNALLOC.
Referenced by startAddImage().
|
virtual |
Closes the handles to the open disk image.
Should be called after you have completed analysis of the image.
Reimplemented from TskAuto.
References TskAuto::closeImage().
| int64_t TskAutoDb::commitAddImage | ( | ) |
Finish the transaction after the startAddImage is finished.
- Returns
- Id of the image that was added or -1 on error (error was NOT registered in list)
References TskDbSqlite::releaseSavepoint(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), and tsk_verbose.
Referenced by TskCaseDb::addImage().
|
virtual |
TskAuto calls this method before it processes each file system that is found in a volume.
You can use this to learn about each file system before it is processed and you can force TskAuto to skip this file system.
- Parameters
-
fs_info file system details
- Returns
- Value to show if FS should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TskDbSqlite::addFsInfo(), TSK_FS_INFO::ftype, processFile(), TskAuto::registerError(), TskAuto::setFileFilterFlags(), TSK_FILTER_CONT, TSK_FILTER_STOP, TSK_FS_DIR_WALK_FLAG_ALLOC, TSK_FS_DIR_WALK_FLAG_NOORPHAN, TSK_FS_DIR_WALK_FLAG_UNALLOC, tsk_fs_file_close(), tsk_fs_file_open(), and TSK_FS_TYPE_ISFAT.
|
virtual |
TskAuto calls this method before it processes each volume that is found in a volume system.
You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume. The setvolFilterFlags() method can be used to configure if TskAuto should process unallocated space.
- Parameters
-
vs_part Parition details
- Returns
- Value to show if volume should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TskDbSqlite::addVolumeInfo(), TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.
|
virtual |
TskAuto calls this method before it processes the volume system that is found in an image.
You can use this to learn about the volume system before it is processed and you can force TskAuto to skip this volume system.
- Parameters
-
vs_info volume system details
- Returns
- Value to show if Vs should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TskDbSqlite::addVsInfo(), TskAuto::registerError(), TSK_FILTER_CONT, and TSK_FILTER_STOP.
| const std::string TskAutoDb::getCurDir | ( | ) |
Returns the directory currently being analyzed by processFile().
Safe to use from another thread than processFile().
- Returns
- curDirPath string representing currently analyzed directory
|
virtual |
Calculate hash values of files and add them to database.
Default is false. Will be set to true if a Hash DB is configured.
- Parameters
-
flag True to calculate hash values and look them up.
|
virtual |
Opens the disk image to be analyzed.
This must be called before any of the findFilesInXXX() methods.
- Parameters
-
a_numImg The number of images to open (will be > 1 for split images). a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order) a_imgType The disk image type (can be autodetection) a_sSize Size of device sector in bytes (or 0 for default)
- Returns
- 1 on error (messages were NOT registered), 0 on success
Reimplemented from TskAuto.
References TskAuto::openImage(), openImageUtf8(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_UTF16toUTF8_lclorder(), TSKconversionOK, and TSKlenientConversion.
Referenced by startAddImage().
|
virtual |
Opens the disk image to be analyzed.
This must be called before any of the findFilesInXXX() methods. Always uses the utf8 tsk_img_open even in windows.
- Parameters
-
a_numImg The number of images to open (will be > 1 for split images). a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order) a_imgType The disk image type (can be autodetection) a_sSize Size of device sector in bytes (or 0 for default)
- Returns
- 1 on error (messages were NOT registered), 0 on success
Reimplemented from TskAuto.
References TskAuto::openImageUtf8().
Referenced by openImage().
|
virtual |
TskAuto calls this method for each file and directory that it finds in an image.
The setFileFilterFlags() method can be used to set the criteria for what types of files this should be called for. There are several methods, such as isDir() that can be used by this method to help focus in on the files that you care about. When errors are encountered, send them to registerError().
- Parameters
-
fs_file file details path full path of parent directory
- Returns
- STOP or OK. All error must have been registered.
Implements TskAuto.
References TSK_FS_FILE::name, TSK_FS_NAME::par_addr, TskAuto::processAttributes(), TSK_DB_FILES_KNOWN_UNKNOWN, tsk_fprintf(), tsk_fs_file_attr_getsize(), TSK_OK, TSK_STOP, and tsk_verbose.
Referenced by filterFs().
| int TskAutoDb::revertAddImage | ( | ) |
Revert all changes after the startAddImage() process has run sucessfully.
- Returns
- 1 on error (error was NOT registered in list), 0 on success
References TskDbSqlite::revertSavepoint(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), and tsk_verbose.
Referenced by TskCaseDb::addImage(), and startAddImage().
|
virtual |
When enabled, records for unallocated file system space will be added to the database.
Default value is false.
- Parameters
-
addUnallocSpace If true, create records for contigious unallocated file system sectors.
|
virtual |
When enabled, records for unallocated file system space will be added to the database.
Default value is false.
- Parameters
-
addUnallocSpace If true, create records for contigious unallocated file system sectors. chunkSize the number of bytes to group unallocated data into. A value of 0 will create one large chunk and group only on volume boundaries. A value of -1 will group each consecutive chunk.
|
virtual |
Skip processing of orphans on FAT filesystems.
This will make the loading of the database much faster but you will not have all deleted files. Default value is false.
- Parameters
-
noFatFsOrphans flag set to true if to skip processing orphans on FAT fs
| uint8_t TskAutoDb::startAddImage | ( | int | numImg, |
| const TSK_TCHAR *const | imagePaths[], | ||
| TSK_IMG_TYPE_ENUM | imgType, | ||
| unsigned int | sSize | ||
| ) |
Start the process to add image/file metadata to database inside of a transaction.
Same functionality as addFilesInImgToDb(). Reverts all changes on error. User must call either commitAddImage() to commit the changes, or revertAddImage() to revert them.
- Returns
- 1 if critical system error occcured (data does not exist in DB), 2 if error occured while adding files to DB (but it finished), and 0 otherwise. All errors will have been registered.
References addFilesInImgToDb(), TskDbSqlite::createSavepoint(), openImage(), TskAuto::registerError(), TskDbSqlite::releaseSavepoint(), revertAddImage(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), and tsk_verbose.
Referenced by TskCaseDb::addImage().
| void TskAutoDb::stopAddImage | ( | ) |
Cancel the running process.
Will not be handled immediately.
References TskAuto::setStopProcessing(), tsk_fprintf(), and tsk_verbose.
The documentation for this class was generated from the following files:
- tsk/auto/tsk_case_db.h
- tsk/auto/auto_db.cpp