|
The Sleuth Kit
4.2
|
Stores information about an open file system. More...
#include <tsk_fs.h>
Public Member Functions | |
| uint8_t | blockWalk (TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CPP_CB a_action, void *a_ptr) |
| Walk a range of file system blocks and call the callback function with the contents and allocation status of each. More... | |
| void | close () |
| Close an open file system. More... | |
| uint8_t | dirWalk (TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CPP_CB a_action, void *a_ptr) |
| TSK_DADDR_T | getBlockCount () const |
| return number of blocks in fs More... | |
| unsigned int | getBlockSize () const |
| return size of each file system block (in bytes) More... | |
| const char * | getDataUnitName () const |
| return the "name" of data unit type as a string ("Cluster", for example) More... | |
| unsigned int | getDeviceSize () const |
| return size of device block (typically always 512) More... | |
| TSK_DADDR_T | getFirstBlock () const |
| return address of first block More... | |
| TSK_INUM_T | getFirstINum () const |
| return first valid metadata address More... | |
| TSK_FS_INFO_FLAG_ENUM | getFlags () const |
| return flags for file system More... | |
| const uint8_t * | getFsId () const |
| return file system id (as reported in boot sector). More... | |
| size_t | getFsIdLen () const |
| return the number of bytes used in the buffer returned by getFsId(). More... | |
| TSK_FS_TYPE_ENUM | getFsType () const |
| return type of file system More... | |
| TSK_INUM_T | getINumCount () const |
| return number of metadata addresses in FS More... | |
| TSK_INUM_T | getJournalINum () const |
| return address of journal inode More... | |
| TSK_DADDR_T | getLastBlock () const |
return address of last block that is adjusted so that (could be larger than last_block in image if end of image does not exist) More... | |
| TSK_DADDR_T | getLastBlockAct () const |
return address of last block as reported by file system (it is equal to the last block in the image or volume (if image is not complete) More... | |
| TSK_INUM_T | getLastINum () const |
| return last valid metadata address More... | |
| TSK_OFF_T | getOffset () const |
| return byte offset in image that fs starts More... | |
| TSK_INUM_T | getRootINum () const |
| return metadata address of root directory More... | |
| uint8_t | jblkWalk (TSK_DADDR_T a_addr1, TSK_DADDR_T a_addr2, int a_num, TSK_FS_JBLK_WALK_CPP_CB a_action, void *a_ptr) |
| uint8_t | jentryWalk (int a_num, TSK_FS_JENTRY_WALK_CPP_CB a_action, void *a_ptr) |
| uint8_t | jopen (TSK_INUM_T a_inum) |
| uint8_t | metaWalk (TSK_INUM_T a_start, TSK_INUM_T a_end, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CPP_CB a_cb, void *a_ptr) |
| Walk a range of metadata structures and call a callback for each structure that matches the flags supplied. More... | |
| uint8_t | open (const TskVsPartInfo *a_part_info, TSK_FS_TYPE_ENUM a_ftype) |
| Opens a file system that is inside of a Volume. More... | |
| uint8_t | open (TskImgInfo *a_img_info, TSK_OFF_T a_offset, TSK_FS_TYPE_ENUM a_ftype) |
| Opens a file system at a given offset in a disk image. More... | |
| int8_t | path2INum (const char *a_path, TSK_INUM_T *a_result, TskFsName *a_fs_name) |
| Find the meta data address for a given file name (UTF-8). More... | |
| ssize_t | read (TSK_OFF_T a_off, char *a_buf, size_t a_len) |
| Read arbitrary data from inside of the file system. More... | |
| ssize_t | readBlock (TSK_DADDR_T a_addr, char *a_buf, size_t a_len) |
| Read a file system block. More... | |
| TskFsInfo (TSK_FS_INFO *a_fsInfo) | |
Static Public Member Functions | |
| static int | parseINum (const TSK_TCHAR *a_str, TSK_INUM_T *a_inum, TSK_FS_ATTR_TYPE_ENUM *a_type, uint8_t *a_type_used, uint16_t *a_id, uint8_t *a_id_used) |
Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there). More... | |
| static void | typePrint (FILE *a_hFile) |
Print the supported file system types to a file handle See tsk_fs_type_print() for details More... | |
| static TSK_FS_TYPE_ENUM | typeSupported () |
| Return the supported file system types. More... | |
| static TSK_FS_TYPE_ENUM | typeToId (const TSK_TCHAR *a_str) |
| Parse a string with the file system type and return its internal ID. More... | |
| static const char * | typeToName (TSK_FS_TYPE_ENUM a_ftype) |
| Return the string name of a file system type id. More... | |
Friends | |
| class | TskFsBlock |
| class | TskFsDir |
| class | TskFsFile |
Stores information about an open file system.
One of the open() commands needs to be used before any of the getX() or read() methods will return valid data. See TSK_FS_INFO for more details.
|
inline |
Walk a range of file system blocks and call the callback function with the contents and allocation status of each.
See tsk_fs_block_walk() for details.
| a_start_blk | Block address to start walking from |
| a_end_blk | Block address to walk to |
| a_flags | Flags used during walk to determine which blocks to call callback with |
| a_action | Callback function |
| a_ptr | Pointer that will be passed to callback |
References tsk_fs_block_walk().
|
inline |
|
inline |
|
inline |
return size of each file system block (in bytes)
References TSK_FS_INFO::block_size.
|
inline |
return the "name" of data unit type as a string ("Cluster", for example)
References TSK_FS_INFO::duname.
|
inline |
return size of device block (typically always 512)
References TSK_FS_INFO::dev_bsize.
|
inline |
|
inline |
return first valid metadata address
References TSK_FS_INFO::first_inum.
|
inline |
|
inline |
return file system id (as reported in boot sector).
Use getFsIdLen() to determine how many byts in buffer are used.
References TSK_FS_INFO::fs_id.
|
inline |
return the number of bytes used in the buffer returned by getFsId().
References TSK_FS_INFO::fs_id_used.
|
inline |
|
inline |
return number of metadata addresses in FS
References TSK_FS_INFO::inum_count.
|
inline |
|
inline |
return address of last block that is adjusted so that
(could be larger than last_block in image if end of image does not exist)
References TSK_FS_INFO::last_block.
|
inline |
return address of last block as reported by file system
(it is equal to the last block in the image or volume (if image is not complete)
References TSK_FS_INFO::last_block_act.
|
inline |
return last valid metadata address
References TSK_FS_INFO::last_inum.
|
inline |
|
inline |
return metadata address of root directory
References TSK_FS_INFO::root_inum.
|
inline |
Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.
For example, it can call the callback on only allocated or unallocated entries. See tsk_fs_meta_walk() for details
| a_start | Metadata address to start walking from |
| a_end | Metadata address to walk to |
| a_flags | Flags that specify the desired metadata features |
| a_cb | Callback function to call |
| a_ptr | Pointer to pass to the callback |
References tsk_fs_meta_walk().
|
inline |
Opens a file system that is inside of a Volume.
Returns a structure that can be used for analysis and reporting. See tsk_fs_open_vol() for details
| a_part_info | Open volume to read from and analyze |
| a_ftype | Type of file system (or autodetect) |
References tsk_fs_open_vol().
|
inline |
Opens a file system at a given offset in a disk image.
Returns a structure that can be used for analysis and reporting. See tsk_fs_open_img() for details
| a_img_info | Disk image to analyze |
| a_offset | Byte offset to start analyzing from |
| a_ftype | Type of file system (or autodetect) |
References tsk_fs_open_img().
|
inlinestatic |
Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts
need to be there).
This assumes the string is either: INUM, INUM-TYPE, or INUM-TYPE-ID. Return the values in integer form. See tsk_fs_parse_inum() for details
| [in] | a_str | Input string to parse |
| [out] | a_inum | Pointer to location where inode can be stored. |
| [out] | a_type | Pointer to location where type can be stored (or NULL) |
| [out] | a_type_used | Pointer to location where the value can be set to 1 if the type was set (to differentiate between meanings of 0) (or NULL). |
| [out] | a_id | Pointer to location where id can be stored (or NULL) |
| [out] | a_id_used | Pointer to location where the value can be set to 1 if the id was set (to differentiate between meanings of 0) (or NULL). |
References tsk_fs_parse_inum().
|
inline |
Find the meta data address for a given file name (UTF-8).
See tsk_fs_path2inum() for details
| a_path | UTF-8 path of file to search for | |
| [out] | a_result | Meta data address of file |
| [out] | a_fs_name | Copy of name details (or NULL if details not wanted) |
References tsk_fs_path2inum().
|
inline |
Read arbitrary data from inside of the file system.
See tsk_fs_block_free() for details
| a_off | The byte offset to start reading from (relative to start of file system) |
| a_buf | The buffer to store the block in. |
| a_len | The number of bytes to read |
References tsk_fs_read().
|
inline |
Read a file system block.
See tsk_fs_read_block() for details
| a_addr | The starting block file system address. |
| a_buf | The char * buffer to store the block data in. |
| a_len | The number of bytes to read (must be a multiple of the block size) |
References tsk_fs_read_block().
|
inlinestatic |
Print the supported file system types to a file handle
See tsk_fs_type_print() for details
| a_hFile | File handle to print to |
References tsk_fs_type_print().
|
inlinestatic |
Return the supported file system types.
See tsk_fs_type_supported() for details
References tsk_fs_type_supported().
|
inlinestatic |
Parse a string with the file system type and return its internal ID.
See tsk_fs_type_toid() for details
| a_str | String to parse. |
References tsk_fs_type_toid().
|
inlinestatic |
Return the string name of a file system type id.
See tsk_fs_type_toname() for details
| a_ftype | File system type id |
References tsk_fs_type_toname().
Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.