|
The Sleuth Kit
4.2
|
Public Member Functions | |
| TSK_RETVAL_ENUM | addCarvedFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId) |
| Adds information about a carved file with layout ranges into the database. More... | |
| int | addFileLayoutRange (const TSK_DB_FILE_LAYOUT_RANGE &fileLayoutRange) |
| Add file layout info to the database. More... | |
| int | addFileLayoutRange (int64_t a_fileObjId, uint64_t a_byteStart, uint64_t a_byteLen, int a_sequence) |
| Add file layout info to the database. More... | |
| int | addFsFile (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr, const char *path, const unsigned char *const md5, const TSK_DB_FILES_KNOWN_ENUM known, int64_t fsObjId, int64_t &objId) |
| Add a file system file to the database. More... | |
| int | addFsInfo (const TSK_FS_INFO *fs_info, int64_t parObjId, int64_t &objId) |
| int | addImageInfo (int type, int size, int64_t &objId, const string &timezone) |
| deprecated | |
| int | addImageInfo (int type, int size, int64_t &objId, const string &timezone, TSK_OFF_T, const string &md5) |
| int | addImageName (int64_t objId, char const *imgName, int sequence) |
| TSK_RETVAL_ENUM | addUnallocBlockFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId) |
| Adds information about a unallocated file with layout ranges into the database. More... | |
| TSK_RETVAL_ENUM | addUnallocFsBlockFilesParent (const int64_t fsObjId, int64_t &objId) |
| Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs. More... | |
| TSK_RETVAL_ENUM | addUnusedBlockFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId) |
| Adds information about a unused file with layout ranges into the database. More... | |
| TSK_RETVAL_ENUM | addVirtualDir (const int64_t fsObjId, const int64_t parentDirId, const char *const name, int64_t &objId) |
| Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them. More... | |
| int | addVolumeInfo (const TSK_VS_PART_INFO *vs_part, int64_t parObjId, int64_t &objId) |
| Adds the sector addresses of the volumes into the db. More... | |
| int | addVsInfo (const TSK_VS_INFO *vs_info, int64_t parObjId, int64_t &objId) |
| int | close () |
| int | createSavepoint (const char *name) |
| Create a savepoint. More... | |
| bool | dbExist () const |
| Returns true if database is opened. | |
| TSK_RETVAL_ENUM | getFileLayouts (vector< TSK_DB_FILE_LAYOUT_RANGE > &fileLayouts) |
| Query tsk_file_layout and return rows for every entry in tsk_file_layout table. More... | |
| TSK_RETVAL_ENUM | getFsInfos (int64_t imgId, vector< TSK_DB_FS_INFO > &fsInfos) |
| Query tsk_fs_info and return rows for every entry in tsk_fs_info table. More... | |
| TSK_RETVAL_ENUM | getFsRootDirObjectInfo (const int64_t fsObjId, TSK_DB_OBJECT &rootDirObjInfo) |
| Query tsk_objects and tsk_files given file system id and return the root directory object. More... | |
| TSK_RETVAL_ENUM | getObjectInfo (int64_t objId, TSK_DB_OBJECT &objectInfo) |
| Query tsk_objects with given id and returns object info entry. More... | |
| TSK_RETVAL_ENUM | getParentImageId (const int64_t objId, int64_t &imageId) |
| Query tsk_objects to find the root image id for the object. More... | |
| TSK_RETVAL_ENUM | getVsInfo (int64_t objId, TSK_DB_VS_INFO &vsInfo) |
| Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry. More... | |
| TSK_RETVAL_ENUM | getVsInfos (int64_t imgId, vector< TSK_DB_VS_INFO > &vsInfos) |
| Query tsk_vs_info and return rows for every entry in tsk_vs_info table. More... | |
| TSK_RETVAL_ENUM | getVsPartInfos (int64_t imgId, vector< TSK_DB_VS_PART_INFO > &vsPartInfos) |
| Query tsk_vs_part and return rows for every entry in tsk_vs_part table. More... | |
| bool | inTransaction () |
| int | open (bool) |
| int | releaseSavepoint (const char *name) |
| Release a savepoint. More... | |
| int | revertSavepoint (const char *name) |
| Rollback to specified savepoint and release. More... | |
| TskDbSqlite (const char *a_dbFilePathUtf8, bool a_blkMapFlag) | |
| Set the locations and logging object. More... | |
| TskDbSqlite::TskDbSqlite | ( | const char * | a_dbFilePathUtf8, |
| bool | a_blkMapFlag | ||
| ) |
Set the locations and logging object.
Must call open() before the object can be used.
| TSK_RETVAL_ENUM TskDbSqlite::addCarvedFile | ( | const int64_t | parentObjId, |
| const int64_t | fsObjId, | ||
| const uint64_t | size, | ||
| vector< TSK_DB_FILE_LAYOUT_RANGE > & | ranges, | ||
| int64_t & | objId | ||
| ) |
Adds information about a carved file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table
| parentObjId | Id of the parent object in the database (fs, volume, or image) |
| fsObjId | fs id associated with the file, or NULL |
| size | Number of bytes in file |
| ranges | vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in) |
| objId | object id of the file object created (output) |
References TSK_DB_FILES_TYPE_CARVED.
| int TskDbSqlite::addFileLayoutRange | ( | const TSK_DB_FILE_LAYOUT_RANGE & | fileLayoutRange | ) |
Add file layout info to the database.
This table stores the run information for each file so that we can map which parts of an image are used by what files.
| fileLayoutRange | TSK_DB_FILE_LAYOUT_RANGE object storing a single file layout range entry |
References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId.
| int TskDbSqlite::addFileLayoutRange | ( | int64_t | a_fileObjId, |
| uint64_t | a_byteStart, | ||
| uint64_t | a_byteLen, | ||
| int | a_sequence | ||
| ) |
Add file layout info to the database.
This table stores the run information for each file so that we can map which parts of an image are used by what files.
| a_fileObjId | ID of the file |
| a_byteStart | Byte address relative to the start of the image file |
| a_byteLen | Length of the run in bytes |
| a_sequence | Sequence of this run in the file |
| int TskDbSqlite::addFsFile | ( | TSK_FS_FILE * | fs_file, |
| const TSK_FS_ATTR * | fs_attr, | ||
| const char * | path, | ||
| const unsigned char *const | md5, | ||
| const TSK_DB_FILES_KNOWN_ENUM | known, | ||
| int64_t | fsObjId, | ||
| int64_t & | objId | ||
| ) |
Add a file system file to the database.
| fs_file | File structure to add |
| fs_attr | Specific attribute to add |
| path | Path of the file |
| md5 | Binary value of MD5 (i.e. 16 bytes) or NULL |
| known | Status regarding if it was found in hash databse or not |
| fsObjId | File system object of its file system |
| objId | ID that was assigned to it from the objects table |
References TSK_FS_FILE::fs_info, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, and TSK_FS_INFO::root_inum.
| int TskDbSqlite::addFsInfo | ( | const TSK_FS_INFO * | fs_info, |
| int64_t | parObjId, | ||
| int64_t & | objId | ||
| ) |
References TSK_FS_INFO::block_count, TSK_FS_INFO::block_size, TSK_FS_INFO::first_inum, TSK_FS_INFO::ftype, TSK_FS_INFO::last_inum, TSK_FS_INFO::offset, TSK_FS_INFO::root_inum, and TSK_DB_OBJECT_TYPE_FS.
Referenced by TskAutoDb::filterFs().
| int TskDbSqlite::addImageInfo | ( | int | type, |
| int | ssize, | ||
| int64_t & | objId, | ||
| const string & | timezone, | ||
| TSK_OFF_T | size, | ||
| const string & | md5 | ||
| ) |
References TSK_DB_OBJECT_TYPE_IMG.
| int TskDbSqlite::addImageName | ( | int64_t | objId, |
| char const * | imgName, | ||
| int | sequence | ||
| ) |
| TSK_RETVAL_ENUM TskDbSqlite::addUnallocBlockFile | ( | const int64_t | parentObjId, |
| const int64_t | fsObjId, | ||
| const uint64_t | size, | ||
| vector< TSK_DB_FILE_LAYOUT_RANGE > & | ranges, | ||
| int64_t & | objId | ||
| ) |
Adds information about a unallocated file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table
| parentObjId | Id of the parent object in the database (fs, volume, or image) |
| fsObjId | parent fs, or NULL if the file is not associated with fs |
| size | Number of bytes in file |
| ranges | vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in) |
| objId | object id of the file object created (output) |
References TSK_DB_FILES_TYPE_UNALLOC_BLOCKS.
| TSK_RETVAL_ENUM TskDbSqlite::addUnallocFsBlockFilesParent | ( | const int64_t | fsObjId, |
| int64_t & | objId | ||
| ) |
Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs.
The dir has is associated with its root dir parent for the fs.
| fsObjId | (in) fs id to find root dir for and create $Unalloc dir for |
| objId | (out) object id of the $Unalloc dir created |
References addVirtualDir(), getFsRootDirObjectInfo(), _TSK_DB_OBJECT::objId, and TSK_ERR.
| TSK_RETVAL_ENUM TskDbSqlite::addUnusedBlockFile | ( | const int64_t | parentObjId, |
| const int64_t | fsObjId, | ||
| const uint64_t | size, | ||
| vector< TSK_DB_FILE_LAYOUT_RANGE > & | ranges, | ||
| int64_t & | objId | ||
| ) |
Adds information about a unused file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table
| parentObjId | Id of the parent object in the database (fs, volume, or image) |
| fsObjId | parent fs, or NULL if the file is not associated with fs |
| size | Number of bytes in file |
| ranges | vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in) |
| objId | object id of the file object created (output) |
References TSK_DB_FILES_TYPE_UNUSED_BLOCKS.
| TSK_RETVAL_ENUM TskDbSqlite::addVirtualDir | ( | const int64_t | fsObjId, |
| const int64_t | parentDirId, | ||
| const char *const | name, | ||
| int64_t & | objId | ||
| ) |
Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them.
| fsObjId | (in) file system object id to associate with the virtual directory. |
| parentDirId | (in) parent dir object id of the new directory: either another virtual directory or root fs directory |
| name | name (int) of the new virtual directory |
| objId | (out) object id of the created virtual directory object |
References TSK_DB_FILES_TYPE_VIRTUAL_DIR, TSK_DB_OBJECT_TYPE_FILE, TSK_ERR, TSK_FS_META_FLAG_ALLOC, TSK_FS_META_FLAG_USED, TSK_FS_META_TYPE_DIR, TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_TYPE_DIR, and TSK_OK.
Referenced by addUnallocFsBlockFilesParent().
| int TskDbSqlite::addVolumeInfo | ( | const TSK_VS_PART_INFO * | vs_part, |
| int64_t | parObjId, | ||
| int64_t & | objId | ||
| ) |
Adds the sector addresses of the volumes into the db.
References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::desc, TSK_VS_PART_INFO::flags, TSK_VS_PART_INFO::len, TSK_VS_PART_INFO::start, and TSK_DB_OBJECT_TYPE_VOL.
Referenced by TskAutoDb::filterVol().
| int TskDbSqlite::addVsInfo | ( | const TSK_VS_INFO * | vs_info, |
| int64_t | parObjId, | ||
| int64_t & | objId | ||
| ) |
References TSK_VS_INFO::block_size, TSK_VS_INFO::offset, TSK_DB_OBJECT_TYPE_VS, and TSK_VS_INFO::vstype.
Referenced by TskAutoDb::filterVs().
| int TskDbSqlite::createSavepoint | ( | const char * | name | ) |
Create a savepoint.
Call revertSavepoint() or releaseSavepoint() to revert or commit.
| name | Name to call savepoint |
Referenced by TskAutoDb::startAddImage().
| TSK_RETVAL_ENUM TskDbSqlite::getFileLayouts | ( | vector< TSK_DB_FILE_LAYOUT_RANGE > & | fileLayouts | ) |
Query tsk_file_layout and return rows for every entry in tsk_file_layout table.
| fileLayouts | (out) TSK_DB_FILE_LAYOUT_RANGE row representations to return |
References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId, TSK_ERR, and TSK_OK.
| TSK_RETVAL_ENUM TskDbSqlite::getFsInfos | ( | int64_t | imgId, |
| vector< TSK_DB_FS_INFO > & | fsInfos | ||
| ) |
Query tsk_fs_info and return rows for every entry in tsk_fs_info table.
| imgId | the object id of the image to get filesystems for |
| fsInfos | (out) TSK_DB_FS_INFO row representations to return |
References getParentImageId(), _TSK_DB_FS_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and TSK_OK.
| TSK_RETVAL_ENUM TskDbSqlite::getFsRootDirObjectInfo | ( | const int64_t | fsObjId, |
| TSK_DB_OBJECT & | rootDirObjInfo | ||
| ) |
Query tsk_objects and tsk_files given file system id and return the root directory object.
| fsObjId | (int) file system id to query root dir object for |
| rootDirObjInfo | (out) TSK_DB_OBJECT root dir entry representation to return |
References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by addUnallocFsBlockFilesParent().
| TSK_RETVAL_ENUM TskDbSqlite::getObjectInfo | ( | int64_t | objId, |
| TSK_DB_OBJECT & | objectInfo | ||
| ) |
Query tsk_objects with given id and returns object info entry.
| objId | object id to query |
| objectInfo | (out) TSK_DB_OBJECT entry representation to return |
References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by getParentImageId().
| TSK_RETVAL_ENUM TskDbSqlite::getParentImageId | ( | const int64_t | objId, |
| int64_t & | imageId | ||
| ) |
Query tsk_objects to find the root image id for the object.
| objId | (in) object id to query |
| imageId | (out) root parent image id returned |
References getObjectInfo(), _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by getFsInfos(), getVsInfos(), and getVsPartInfos().
| TSK_RETVAL_ENUM TskDbSqlite::getVsInfo | ( | int64_t | objId, |
| TSK_DB_VS_INFO & | vsInfo | ||
| ) |
Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry.
| objId | vs id to query |
| vsInfo | (out) TSK_DB_VS_INFO entry representation to return |
References _TSK_DB_VS_INFO::objId, TSK_ERR, and TSK_OK.
| TSK_RETVAL_ENUM TskDbSqlite::getVsInfos | ( | int64_t | imgId, |
| vector< TSK_DB_VS_INFO > & | vsInfos | ||
| ) |
Query tsk_vs_info and return rows for every entry in tsk_vs_info table.
| imgId | the object id of the image to get volumesystems for |
| vsInfos | (out) TSK_DB_VS_INFO row representations to return |
References getParentImageId(), _TSK_DB_VS_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and TSK_OK.
| TSK_RETVAL_ENUM TskDbSqlite::getVsPartInfos | ( | int64_t | imgId, |
| vector< TSK_DB_VS_PART_INFO > & | vsPartInfos | ||
| ) |
Query tsk_vs_part and return rows for every entry in tsk_vs_part table.
| imgId | the object id of the image to get vs parts for |
| vsPartInfos | (out) TSK_DB_VS_PART_INFO row representations to return |
References getParentImageId(), _TSK_DB_VS_PART_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_MAX_DB_VS_PART_INFO_DESC_LEN, and TSK_OK.
| int TskDbSqlite::releaseSavepoint | ( | const char * | name | ) |
Release a savepoint.
Commits if savepoint was not rollbacked.
| name | Name of savepoint |
Referenced by TskAutoDb::commitAddImage(), revertSavepoint(), and TskAutoDb::startAddImage().
| int TskDbSqlite::revertSavepoint | ( | const char * | name | ) |
Rollback to specified savepoint and release.
| name | Name of savepoint |
References releaseSavepoint().
Referenced by TskAutoDb::revertAddImage().
Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.