Stores information about a file attribute. More...

#include <tsk_fs.h>

Public Member Functions
TSK_OFF_T	getAllocSize () const
	get number of bytes that are allocated in all clusters of non-resident run (will be larger than size - does not include skiplen). More...

const uint8_t *	getBuf () const
	Pointer to buffer with resident data. More...

uint32_t	getCompSize () const
	get size of compression units (needed only if NTFS file is compressed) More...

TSK_FS_ATTR_FLAG_ENUM	getFlags () const
	get the attribute's flags More...

uint16_t	getId () const
	get id of attribute More...

TSK_OFF_T	getInitSize () const
	get number of bytes (starting from offset 0) that have data (including FILLER) saved for them (smaller then or equal to size). More...

const char *	getName () const
	get the attributes's name (in UTF-8). More...

const TskFsAttrRun *	getRun (int a_idx) const
	get a run for a non-resident attribute. More...

int	getRunCount () const
	gets the number of runs in a non-resident attribute. More...

TSK_OFF_T	getSize () const
	get size in bytes of attribute (does not include skiplen for non-resident) More...

uint32_t	getSkipLen () const
	get number of initial bytes in run to skip before content begins. More...

TSK_FS_ATTR_TYPE_ENUM	getType () const
	get type of attribute More...

ssize_t	read (TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags)
	Read the contents of this attribute using a typical read() type interface. More...

	TskFsAttribute (const TSK_FS_ATTR *a_fsAttr)
	construct a TskFsAttribute object More...

uint8_t	walk (TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CPP_CB a_action, void *a_ptr)
	Process an attribute and call a callback function with its contents. More...

Detailed Description

Stores information about a file attribute.

File attributes store data for a file. Most files have at least one attribute that stores the file content. See TSK_FS_ATTR for details on attributes.

Constructor & Destructor Documentation

TskFsAttribute::TskFsAttribute ( const TSK_FS_ATTR * a_fsAttr )

inline

construct a TskFsAttribute object

Parameters

a_fsAttr a pointer of TSK_FS_ATTR. If NULL, the getX() return values are undefi ned.

Member Function Documentation

TSK_OFF_T TskFsAttribute::getAllocSize ( ) const

inline

get number of bytes that are allocated in all clusters of non-resident run

(will be larger than size - does not include skiplen).

This is defined when the attribute is created and used to determine slack space.

Returns: number of bytes that are allocated in all clusters of non-resident run

References TSK_FS_ATTR::allocsize, and TSK_FS_ATTR::nrd.

const uint8_t* TskFsAttribute::getBuf ( ) const

inline

Pointer to buffer with resident data.

Only getSize() bytes will be valid.

Returns: pointer to buffer with resident data.

References TSK_FS_ATTR::buf, and TSK_FS_ATTR::rd.

uint32_t TskFsAttribute::getCompSize ( ) const

inline

get size of compression units (needed only if NTFS file is compressed)

Returns: size of compression units (needed only if NTFS file is compressed)

References TSK_FS_ATTR::compsize, and TSK_FS_ATTR::nrd.

TSK_FS_ATTR_FLAG_ENUM TskFsAttribute::getFlags ( ) const

inline

get the attribute's flags

Returns: flags for attribute

References TSK_FS_ATTR::flags.

uint16_t TskFsAttribute::getId ( ) const

inline

get id of attribute

Returns: id of attribute

References TSK_FS_ATTR::id.

TSK_OFF_T TskFsAttribute::getInitSize ( ) const

inline

get number of bytes (starting from offset 0) that have data

(including FILLER) saved for them (smaller then or equal to size).

This is defined when the attribute is created.

Returns: number of bytes (starting from offset 0) that have data

References TSK_FS_ATTR::initsize, and TSK_FS_ATTR::nrd.

const char* TskFsAttribute::getName ( ) const

inline

get the attributes's name (in UTF-8).

Returns: name of attribute (or NULL if attribute doesn't have one)

References TSK_FS_ATTR::name.

const TskFsAttrRun* TskFsAttribute::getRun ( int a_idx ) const

inline

get a run for a non-resident attribute.

It's caller's responsibility to free memory of TskFsAttrRun

Parameters

a_idx The index of the run to return.

Returns: A run in the attribute.

References TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, and TSK_FS_ATTR::run.

int TskFsAttribute::getRunCount ( ) const

inline

gets the number of runs in a non-resident attribute.

Returns: number of runs.

References TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, and TSK_FS_ATTR::run.

TSK_OFF_T TskFsAttribute::getSize ( ) const

inline

get size in bytes of attribute (does not include skiplen for non-resident)

Returns: size in bytes of attribute

References TSK_FS_ATTR::size.

uint32_t TskFsAttribute::getSkipLen ( ) const

inline

get number of initial bytes in run to skip before content begins.

The size field does not include this length.

Returns: number of initial bytes in run to skip before content begins

References TSK_FS_ATTR::nrd, and TSK_FS_ATTR::skiplen.

TSK_FS_ATTR_TYPE_ENUM TskFsAttribute::getType ( ) const

inline

get type of attribute

Returns: type of attribute

References TSK_FS_ATTR::type.

ssize_t TskFsAttribute::read	(	TSK_OFF_T	a_offset,
		char *	a_buf,
		size_t	a_len,
		TSK_FS_FILE_READ_FLAG_ENUM	a_flags
	)

inline

Read the contents of this attribute using a typical read() type interface.

0s are returned for missing runs.

See tsk_fs_attr_read() for details

Parameters

a_offset	The byte offset to start reading from.
a_buf	The buffer to read the data into.
a_len	The number of bytes to read from the file.
a_flags	Flags to use while reading

Returns: The number of bytes read or -1 on error (incl if offset is past end of file).

References tsk_fs_attr_read().

uint8_t TskFsAttribute::walk	(	TSK_FS_FILE_WALK_FLAG_ENUM	a_flags,
		TSK_FS_FILE_WALK_CPP_CB	a_action,
		void *	a_ptr
	)

inline

Process an attribute and call a callback function with its contents.

The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse attributes, the address may be zero.

See tsk_fs_attr_walk() for details

Parameters

a_flags	Flags to use while processing attribute
a_action	Callback action to call with content
a_ptr	Pointer that will passed to callback

Returns: 1 on error and 0 on success.

References tsk_fs_attr_walk().

The documentation for this class was generated from the following file:

tsk/fs/tsk_fs.h

Public Member Functions

Detailed Description

Constructor & Destructor Documentation

Member Function Documentation