|
The Sleuth Kit
4.2
|
Functions | |
| ssize_t | tsk_fs_attr_read (const TSK_FS_ATTR *a_fs_attr, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) |
| Read the contents of a given attribute using a typical read() type interface. More... | |
| uint8_t | tsk_fs_attr_walk (const TSK_FS_ATTR *a_fs_attr, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr) |
| Process an attribute and call a callback function with its contents. More... | |
| void | tsk_fs_block_free (TSK_FS_BLOCK *a_fs_block) |
| Free the memory associated with the TSK_FS_BLOCK structure. More... | |
| TSK_FS_BLOCK * | tsk_fs_block_get_flag (TSK_FS_INFO *a_fs, TSK_FS_BLOCK *a_fs_block, TSK_DADDR_T a_addr, TSK_FS_BLOCK_FLAG_ENUM a_flags) |
| Get the contents and flags of a specific file system block. More... | |
| uint8_t | tsk_fs_block_walk (TSK_FS_INFO *a_fs, TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr) |
| Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each. More... | |
| void | tsk_fs_close (TSK_FS_INFO *a_fs) |
| Close an open file system. More... | |
| void | tsk_fs_dir_close (TSK_FS_DIR *a_fs_dir) |
| Close the directory that was opened with tsk_fs_dir_open() More... | |
| TSK_FS_FILE * | tsk_fs_dir_get (const TSK_FS_DIR *a_fs_dir, size_t a_idx) |
| Return a specific file or subdirectory from an open directory. More... | |
| const TSK_FS_NAME * | tsk_fs_dir_get_name (const TSK_FS_DIR *a_fs_dir, size_t a_idx) |
| Return only the name for a file or subdirectory from an open directory. More... | |
| size_t | tsk_fs_dir_getsize (const TSK_FS_DIR *a_fs_dir) |
| Returns the number of files and subdirectories in a directory. More... | |
| TSK_FS_DIR * | tsk_fs_dir_open (TSK_FS_INFO *a_fs, const char *a_dir) |
| Open a directory (using its path) so that each of the files in it can be accessed. More... | |
| TSK_FS_DIR * | tsk_fs_dir_open_meta (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr) |
| Open a directory (using its metadata addr) so that each of the files in it can be accessed. More... | |
| uint8_t | tsk_fs_dir_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CB a_action, void *a_ptr) |
| Walk the file names in a directory and obtain the details of the files via a callback. More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get (TSK_FS_FILE *a_fs_file) |
| Return the default attribute for the file. More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get_id (TSK_FS_FILE *a_fs_file, uint16_t a_id) |
| Return a specific attribute by its ID for the file. More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get_idx (TSK_FS_FILE *a_fs_file, int a_idx) |
| Get a file's attribute based on the 0-based index in the list (and not type, id pair). More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, uint8_t a_id_used) |
| Return a specific type and id attribute for the file. More... | |
| int | tsk_fs_file_attr_getsize (TSK_FS_FILE *a_fs_file) |
| Return the number of attributes in the file. More... | |
| void | tsk_fs_file_close (TSK_FS_FILE *a_fs_file) |
| Close an open file. More... | |
| TSK_FS_FILE * | tsk_fs_file_open (TSK_FS_INFO *a_fs, TSK_FS_FILE *a_fs_file, const char *a_path) |
| Return the handle structure for a specific file, given its full path. More... | |
| TSK_FS_FILE * | tsk_fs_file_open_meta (TSK_FS_INFO *a_fs, TSK_FS_FILE *a_fs_file, TSK_INUM_T a_addr) |
| Open a file given its metadata address. More... | |
| ssize_t | tsk_fs_file_read (TSK_FS_FILE *a_fs_file, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) |
| Read the contents of a specific attribute of a file using a typical read() type interface. More... | |
| ssize_t | tsk_fs_file_read_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) |
| Read the contents of a specific attribute of a file using a typical read() type interface and be able specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS). More... | |
| uint8_t | tsk_fs_file_walk (TSK_FS_FILE *a_fs_file, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr) |
| Process a file and call a callback function with the file contents. More... | |
| uint8_t | tsk_fs_file_walk_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr) |
| Process a specific attribute in a file and call a callback function with the file contents. More... | |
| uint8_t | tsk_fs_meta_make_ls (const TSK_FS_META *a_fs_meta, char *a_buf, size_t a_len) |
| Makes the "ls -l" permissions string for a file. More... | |
| uint8_t | tsk_fs_meta_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_start, TSK_INUM_T a_end, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_cb, void *a_ptr) |
| Walk a range of metadata structures and call a callback for each structure that matches the flags supplied. More... | |
| TSK_FS_INFO * | tsk_fs_open_img (TSK_IMG_INFO *a_img_info, TSK_OFF_T a_offset, TSK_FS_TYPE_ENUM a_ftype) |
| Tries to process data in a disk image at a given offset as a file system. More... | |
| TSK_FS_INFO * | tsk_fs_open_vol (const TSK_VS_PART_INFO *a_part_info, TSK_FS_TYPE_ENUM a_ftype) |
| Tries to process data in a volume as a file system. More... | |
| int | tsk_fs_parse_inum (const TSK_TCHAR *str, TSK_INUM_T *inum, TSK_FS_ATTR_TYPE_ENUM *type, uint8_t *type_used, uint16_t *id, uint8_t *id_used) |
| Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there). More... | |
| int8_t | tsk_fs_path2inum (TSK_FS_INFO *a_fs, const char *a_path, TSK_INUM_T *a_result, TSK_FS_NAME *a_fs_name) |
| Find the meta data address for a given file name (UTF-8). More... | |
| ssize_t | tsk_fs_read (TSK_FS_INFO *a_fs, TSK_OFF_T a_off, char *a_buf, size_t a_len) |
| Read arbitrary data from inside of the file system. More... | |
| ssize_t | tsk_fs_read_block (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len) |
| Read a file system block into a char* buffer. More... | |
| char * | tsk_fs_time_to_str (time_t time, char buf[128]) |
| Converts a time value to a string representation. More... | |
| char * | tsk_fs_time_to_str_subsecs (time_t time, unsigned int subsecs, char buf[128]) |
| Converts a time value to a string representation. More... | |
| void | tsk_fs_type_print (FILE *hFile) |
| Print the supported file system types to a file handle. More... | |
| TSK_FS_TYPE_ENUM | tsk_fs_type_supported () |
| Return the supported file system types. More... | |
| TSK_FS_TYPE_ENUM | tsk_fs_type_toid (const TSK_TCHAR *str) |
| Parse a string with the file system type and return its internal ID. More... | |
| TSK_FS_TYPE_ENUM | tsk_fs_type_toid_utf8 (const char *str) |
| Parse a string with the file system type and return its internal ID. More... | |
| const char * | tsk_fs_type_toname (TSK_FS_TYPE_ENUM ftype) |
| Return the string name of a file system type id. More... | |
Generic File System Handle Data Structure | |
| #define | TSK_FS_TYPE_ISNTFS(ftype) (((ftype) & TSK_FS_TYPE_NTFS_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for an NTFS file system. More... | |
| #define | TSK_FS_TYPE_ISFAT(ftype) (((ftype) & TSK_FS_TYPE_FAT_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a FAT file system. More... | |
| #define | TSK_FS_TYPE_ISFFS(ftype) (((ftype) & TSK_FS_TYPE_FFS_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a FFS file system. More... | |
| #define | TSK_FS_TYPE_ISEXT(ftype) (((ftype) & TSK_FS_TYPE_EXT_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a ExtX file system. More... | |
| #define | TSK_FS_TYPE_ISISO9660(ftype) (((ftype) & TSK_FS_TYPE_ISO9660_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a ISO9660 file system. More... | |
| #define | TSK_FS_TYPE_ISHFS(ftype) (((ftype) & TSK_FS_TYPE_HFS_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a HFS file system. More... | |
| #define | TSK_FS_TYPE_ISSWAP(ftype) (((ftype) & TSK_FS_TYPE_SWAP_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a swap "file system". More... | |
| #define | TSK_FS_TYPE_ISYAFFS2(ftype) (((ftype) & TSK_FS_TYPE_YAFFS2_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system. More... | |
| #define | TSK_FS_TYPE_ISRAW(ftype) (((ftype) & TSK_FS_TYPE_RAW_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a raw "file system". More... | |
| #define | TSK_FS_INFO_TAG 0x10101010 |
| #define | TSK_FS_INFO_FS_ID_LEN 32 |
| enum | TSK_FS_TYPE_ENUM { TSK_FS_TYPE_DETECT = 0x00000000, TSK_FS_TYPE_NTFS = 0x00000001, TSK_FS_TYPE_NTFS_DETECT = 0x00000001, TSK_FS_TYPE_FAT12 = 0x00000002, TSK_FS_TYPE_FAT16 = 0x00000004, TSK_FS_TYPE_FAT32 = 0x00000008, TSK_FS_TYPE_EXFAT = 0x0000000a, TSK_FS_TYPE_FAT_DETECT = 0x0000000e, TSK_FS_TYPE_FFS1 = 0x00000010, TSK_FS_TYPE_FFS1B = 0x00000020, TSK_FS_TYPE_FFS2 = 0x00000040, TSK_FS_TYPE_FFS_DETECT = 0x00000070, TSK_FS_TYPE_EXT2 = 0x00000080, TSK_FS_TYPE_EXT3 = 0x00000100, TSK_FS_TYPE_EXT_DETECT = 0x00002180, TSK_FS_TYPE_SWAP = 0x00000200, TSK_FS_TYPE_SWAP_DETECT = 0x00000200, TSK_FS_TYPE_RAW = 0x00000400, TSK_FS_TYPE_RAW_DETECT = 0x00000400, TSK_FS_TYPE_ISO9660 = 0x00000800, TSK_FS_TYPE_ISO9660_DETECT = 0x00000800, TSK_FS_TYPE_HFS = 0x00001000, TSK_FS_TYPE_HFS_DETECT = 0x00001000, TSK_FS_TYPE_EXT4 = 0x00002000, TSK_FS_TYPE_YAFFS2 = 0x00004000, TSK_FS_TYPE_YAFFS2_DETECT = 0x00004000, TSK_FS_TYPE_UNSUPP = 0xffffffff } |
| Values for the file system type. More... | |
| enum | TSK_FS_INFO_FLAG_ENUM { TSK_FS_INFO_FLAG_NONE = 0x00, TSK_FS_INFO_FLAG_HAVE_SEQ = 0x01, TSK_FS_INFO_FLAG_HAVE_NANOSEC = 0x02 } |
| Flags for the FS_INFO structure. More... | |
| typedef enum TSK_FS_TYPE_ENUM | TSK_FS_TYPE_ENUM |
| typedef enum TSK_FS_INFO_FLAG_ENUM | TSK_FS_INFO_FLAG_ENUM |
| #define TSK_FS_TYPE_ISEXT | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_EXT_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a ExtX file system.
Referenced by tsk_fs_open_img().
| #define TSK_FS_TYPE_ISFAT | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_FAT_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a FAT file system.
Referenced by TskAutoDb::filterFs(), tsk_fs_open_img(), and tsk_fs_path2inum().
| #define TSK_FS_TYPE_ISFFS | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_FFS_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a FFS file system.
Referenced by tsk_fs_open_img().
| #define TSK_FS_TYPE_ISHFS | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_HFS_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a HFS file system.
Referenced by tsk_fs_open_img().
| #define TSK_FS_TYPE_ISISO9660 | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_ISO9660_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a ISO9660 file system.
Referenced by tsk_fs_open_img().
| #define TSK_FS_TYPE_ISNTFS | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_NTFS_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for an NTFS file system.
Referenced by TskAuto::isNtfsSystemFiles(), ntfs_open(), tsk_fs_open_img(), and tsk_fs_path2inum().
| #define TSK_FS_TYPE_ISRAW | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_RAW_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a raw "file system".
Referenced by tsk_fs_open_img().
| #define TSK_FS_TYPE_ISSWAP | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_SWAP_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a swap "file system".
Referenced by tsk_fs_open_img().
| #define TSK_FS_TYPE_ISYAFFS2 | ( | ftype | ) | (((ftype) & TSK_FS_TYPE_YAFFS2_DETECT)?1:0) |
Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.
Referenced by tsk_fs_open_img().
| enum TSK_FS_TYPE_ENUM |
Values for the file system type.
Each bit corresponds to a file system.
| ssize_t tsk_fs_attr_read | ( | const TSK_FS_ATTR * | a_fs_attr, |
| TSK_OFF_T | a_offset, | ||
| char * | a_buf, | ||
| size_t | a_len, | ||
| TSK_FS_FILE_READ_FLAG_ENUM | a_flags | ||
| ) |
Read the contents of a given attribute using a typical read() type interface.
0s are returned for missing runs.
| a_fs_attr | The attribute to read. |
| a_offset | The byte offset to start reading from. |
| a_buf | The buffer to read the data into. |
| a_len | The number of bytes to read from the file. |
| a_flags | Flags to use while reading |
References TSK_FS_ATTR_RUN::addr, TSK_FS_ATTR::allocsize, TSK_FS_INFO::block_size, TSK_FS_ATTR::buf, TSK_FS_ATTR_RUN::flags, TSK_FS_ATTR::flags, TSK_FS_ATTR::fs_file, TSK_FS_FILE::fs_info, TSK_FS_ATTR::initsize, TSK_FS_ATTR_RUN::len, TSK_FS_FILE::meta, TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, TSK_FS_ATTR_RUN::offset, PRIuSIZE, TSK_FS_ATTR::rd, TSK_FS_ATTR::run, TSK_FS_ATTR::size, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_FS_ATTR_COMP, TSK_FS_ATTR_NONRES, TSK_FS_ATTR_RES, TSK_FS_ATTR_RUN_FLAG_FILLER, TSK_FS_ATTR_RUN_FLAG_SPARSE, tsk_fs_read(), and tsk_verbose.
Referenced by TskFsAttribute::read(), tsk_fs_file_read(), and tsk_fs_file_read_type().
| uint8_t tsk_fs_attr_walk | ( | const TSK_FS_ATTR * | a_fs_attr, |
| TSK_FS_FILE_WALK_FLAG_ENUM | a_flags, | ||
| TSK_FS_FILE_WALK_CB | a_action, | ||
| void * | a_ptr | ||
| ) |
Process an attribute and call a callback function with its contents.
The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse attributes, the address may be zero.
| a_fs_attr | Attribute to process |
| a_flags | Flags to use while processing attribute |
| a_action | Callback action to call with content |
| a_ptr | Pointer that will passed to callback |
References TSK_FS_ATTR::flags, TSK_FS_ATTR::fs_file, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_ATTR_COMP, TSK_FS_ATTR_NONRES, and TSK_FS_ATTR_RES.
Referenced by tsk_fs_file_walk(), tsk_fs_file_walk_type(), and TskFsAttribute::walk().
| void tsk_fs_block_free | ( | TSK_FS_BLOCK * | a_fs_block | ) |
Free the memory associated with the TSK_FS_BLOCK structure.
| a_fs_block | Block to free |
References TSK_FS_BLOCK::buf.
Referenced by TskFsBlock::~TskFsBlock().
| TSK_FS_BLOCK* tsk_fs_block_get_flag | ( | TSK_FS_INFO * | a_fs, |
| TSK_FS_BLOCK * | a_fs_block, | ||
| TSK_DADDR_T | a_addr, | ||
| TSK_FS_BLOCK_FLAG_ENUM | a_flags | ||
| ) |
Get the contents and flags of a specific file system block.
Note that if the block contains compressed data, then this function will return the compressed data with the RAW flag set. The uncompressed data can be obtained only from the file-level functions.
| a_fs | The file system to read the block from. |
| a_fs_block | The structure to write the block data into or NULL to have one created. |
| a_addr | The file system address to read. |
| a_flags | Flag to assign to the returned TSK_FS_BLOCK (use if you already have it as part of a block_walk-type scenario) |
References TSK_FS_BLOCK::addr, TSK_FS_INFO::block_size, TSK_FS_BLOCK::buf, TSK_FS_BLOCK::fs_info, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_BLOCK_FLAG_RAW, and tsk_img_read().
| uint8_t tsk_fs_block_walk | ( | TSK_FS_INFO * | a_fs, |
| TSK_DADDR_T | a_start_blk, | ||
| TSK_DADDR_T | a_end_blk, | ||
| TSK_FS_BLOCK_WALK_FLAG_ENUM | a_flags, | ||
| TSK_FS_BLOCK_WALK_CB | a_action, | ||
| void * | a_ptr | ||
| ) |
Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each.
| a_fs | File system to analyze |
| a_start_blk | Block address to start walking from |
| a_end_blk | Block address to walk to |
| a_flags | Flags used during walk to determine which blocks to call callback with |
| a_action | Callback function |
| a_ptr | Pointer that will be passed to callback |
References TSK_FS_INFO::block_walk, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().
Referenced by TskFsInfo::blockWalk().
| void tsk_fs_close | ( | TSK_FS_INFO * | a_fs | ) |
Close an open file system.
| a_fs | File system to close. |
References TSK_FS_INFO::close.
Referenced by TskFsInfo::close(), TskAuto::findFilesInFs(), and TskAuto::findFilesInFsRet().
| void tsk_fs_dir_close | ( | TSK_FS_DIR * | a_fs_dir | ) |
Close the directory that was opened with tsk_fs_dir_open()
| a_fs_dir | Directory to close |
References TSK_FS_DIR::fs_file, TSK_FS_NAME::name, TSK_FS_NAME::name_size, TSK_FS_DIR::names, TSK_FS_DIR::names_used, TSK_FS_NAME::shrt_name, TSK_FS_NAME::shrt_name_size, and tsk_fs_file_close().
Referenced by tsk_fs_dir_open_meta(), and tsk_fs_path2inum().
| TSK_FS_FILE* tsk_fs_dir_get | ( | const TSK_FS_DIR * | a_fs_dir, |
| size_t | a_idx | ||
| ) |
Return a specific file or subdirectory from an open directory.
| a_fs_dir | Directory to analyze |
| a_idx | Index of file in directory to open (0-based) |
References TSK_FS_NAME::flags, TSK_FS_DIR::fs_info, TSK_FS_FILE::meta, TSK_FS_NAME::meta_addr, TSK_FS_NAME::meta_seq, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_DIR::names, TSK_FS_DIR::names_used, PRIuSIZE, TSK_FS_META::seq, TSK_FS_NAME::shrt_name, tsk_error_print(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_NAME_FLAG_ALLOC, and tsk_verbose.
Referenced by tsk_fs_path2inum().
| const TSK_FS_NAME* tsk_fs_dir_get_name | ( | const TSK_FS_DIR * | a_fs_dir, |
| size_t | a_idx | ||
| ) |
Return only the name for a file or subdirectory from an open directory.
Useful when wanting to find files of a given name and you don't need the additional metadata.
| a_fs_dir | Directory to analyze |
| a_idx | Index of file in directory to open (0-based) |
References TSK_FS_DIR::fs_info, TSK_FS_DIR::names, TSK_FS_DIR::names_used, PRIuSIZE, tsk_error_set_errno(), and tsk_error_set_errstr().
| size_t tsk_fs_dir_getsize | ( | const TSK_FS_DIR * | a_fs_dir | ) |
Returns the number of files and subdirectories in a directory.
| a_fs_dir | Directory to get information about |
References TSK_FS_DIR::names_used, tsk_error_set_errno(), and tsk_error_set_errstr().
Referenced by tsk_fs_path2inum().
| TSK_FS_DIR* tsk_fs_dir_open | ( | TSK_FS_INFO * | a_fs, |
| const char * | a_dir | ||
| ) |
Open a directory (using its path) so that each of the files in it can be accessed.
| a_fs | File system to analyze |
| a_dir | Path of the directory to open |
References TSK_FS_DIR::fs_file, TSK_FS_FILE::name, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_dir_open_meta(), and tsk_fs_path2inum().
| TSK_FS_DIR* tsk_fs_dir_open_meta | ( | TSK_FS_INFO * | a_fs, |
| TSK_INUM_T | a_addr | ||
| ) |
Open a directory (using its metadata addr) so that each of the files in it can be accessed.
| a_fs | File system to analyze |
| a_addr | Metadata address of the directory to open |
References tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_dir_close(), and TSK_OK.
Referenced by tsk_fs_dir_open(), and tsk_fs_path2inum().
| uint8_t tsk_fs_dir_walk | ( | TSK_FS_INFO * | a_fs, |
| TSK_INUM_T | a_addr, | ||
| TSK_FS_DIR_WALK_FLAG_ENUM | a_flags, | ||
| TSK_FS_DIR_WALK_CB | a_action, | ||
| void * | a_ptr | ||
| ) |
Walk the file names in a directory and obtain the details of the files via a callback.
| a_fs | File system to analyze |
| a_addr | Metadata address of the directory to analyze |
| a_flags | Flags used during analysis |
| a_action | Callback function that is called for each file name |
| a_ptr | Pointer to data that is passed to the callback function each time |
References TSK_FS_INFO::list_inum_named, TSK_FS_INFO::root_inum, tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_DIR_WALK_FLAG_ALLOC, TSK_FS_DIR_WALK_FLAG_UNALLOC, tsk_list_free(), tsk_stack_create(), tsk_stack_free(), TSK_WALK_CONT, and TSK_WALK_ERROR.
Referenced by fatfs_inode_walk(), and fatxxfs_dent_parse_buf().
| const TSK_FS_ATTR* tsk_fs_file_attr_get | ( | TSK_FS_FILE * | a_fs_file | ) |
Return the default attribute for the file.
| a_fs_file | File to get data from |
References TSK_FS_META::attr, TSK_FS_FILE::fs_info, and TSK_FS_FILE::meta.
Referenced by tsk_fs_file_read(), and tsk_fs_file_walk().
| const TSK_FS_ATTR* tsk_fs_file_attr_get_id | ( | TSK_FS_FILE * | a_fs_file, |
| uint16_t | a_id | ||
| ) |
Return a specific attribute by its ID for the file.
| a_fs_file | File to get data from |
| a_id | Id of attribute to load |
References TSK_FS_ATTR::id, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_attr_get_idx(), and tsk_fs_file_attr_getsize().
| const TSK_FS_ATTR* tsk_fs_file_attr_get_idx | ( | TSK_FS_FILE * | a_fs_file, |
| int | a_idx | ||
| ) |
Get a file's attribute based on the 0-based index in the list (and not type, id pair).
| a_fs_file | File to get attributes from. |
| a_idx | 0-based index of attribute to return. |
References TSK_FS_META::attr, and TSK_FS_FILE::meta.
Referenced by TskAuto::processAttributes(), tsk_fs_file_attr_get_id(), and tsk_fs_path2inum().
| const TSK_FS_ATTR* tsk_fs_file_attr_get_type | ( | TSK_FS_FILE * | a_fs_file, |
| TSK_FS_ATTR_TYPE_ENUM | a_type, | ||
| uint16_t | a_id, | ||
| uint8_t | a_id_used | ||
| ) |
Return a specific type and id attribute for the file.
| a_fs_file | File to get data from |
| a_type | Type of attribute to load |
| a_id | Id of attribute to load |
| a_id_used | Set to 1 if ID is actually set or 0 to use default |
References TSK_FS_META::attr, and TSK_FS_FILE::meta.
Referenced by tsk_fs_file_read_type(), and tsk_fs_file_walk_type().
| int tsk_fs_file_attr_getsize | ( | TSK_FS_FILE * | a_fs_file | ) |
Return the number of attributes in the file.
| a_fs_file | File to return attribute count for |
References TSK_FS_META::attr, TSK_FS_FILE::meta, and tsk_error_reset().
Referenced by TskAuto::processAttributes(), TskAutoDb::processFile(), tsk_fs_file_attr_get_id(), and tsk_fs_path2inum().
| void tsk_fs_file_close | ( | TSK_FS_FILE * | a_fs_file | ) |
Close an open file.
| a_fs_file | Pointer to open file |
References TSK_FS_FILE::meta, and TSK_FS_FILE::name.
Referenced by TskFsFile::close(), fatfs_inode_walk(), fatfs_istat(), TskAutoDb::filterFs(), ntfs_open(), tsk_fs_dir_close(), and tsk_fs_path2inum().
| TSK_FS_FILE* tsk_fs_file_open | ( | TSK_FS_INFO * | a_fs, |
| TSK_FS_FILE * | a_fs_file, | ||
| const char * | a_path | ||
| ) |
Return the handle structure for a specific file, given its full path.
Note that if you have the metadata address fo the file, then tsk_fs_file_open_meta() is a more effecient approach.
| a_fs | File system to analyze |
| a_fs_file | Structure to store file data in or NULL to have one allocated. |
| a_path | Path of file to open |
References TSK_FS_FILE::meta, TSK_FS_NAME::meta_seq, TSK_FS_FILE::name, TSK_FS_META::seq, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_open_meta(), and tsk_fs_path2inum().
Referenced by TskAutoDb::filterFs(), and TskFsFile::open().
| TSK_FS_FILE* tsk_fs_file_open_meta | ( | TSK_FS_INFO * | a_fs, |
| TSK_FS_FILE * | a_fs_file, | ||
| TSK_INUM_T | a_addr | ||
| ) |
Open a file given its metadata address.
This function loads the metadata and returns a handle that can be used to read and process the file. Note that the returned TSK_FS_FILE structure will not have the file name set because it was not used to load the file and this function does not search the directory structure to find the name that points to the address. In general, if you know the metadata address of a file, this function is more effecient then tsk_fs_file_open, which first maps a file name to the metadata address and then opens the file using this function.
| a_fs | File system to analyze |
| a_fs_file | Structure to store file data in or NULL to have one allocated. |
| a_addr | Metadata address of file to lookup |
References TSK_FS_FILE::name, tsk_error_set_errno(), and tsk_error_set_errstr().
Referenced by fatfs_istat(), ntfs_open(), TskFsFile::open(), and tsk_fs_file_open().
| ssize_t tsk_fs_file_read | ( | TSK_FS_FILE * | a_fs_file, |
| TSK_OFF_T | a_offset, | ||
| char * | a_buf, | ||
| size_t | a_len, | ||
| TSK_FS_FILE_READ_FLAG_ENUM | a_flags | ||
| ) |
Read the contents of a specific attribute of a file using a typical read() type interface.
0s are returned for missing runs of files.
| a_fs_file | The inode structure of the file to read. |
| a_offset | The byte offset to start reading from. |
| a_buf | The buffer to read the data into. |
| a_len | The number of bytes to read from the file. |
| a_flags | Flags to use while reading |
References TSK_FS_FILE::fs_info, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_attr_read(), and tsk_fs_file_attr_get().
Referenced by TskFsFile::read().
| ssize_t tsk_fs_file_read_type | ( | TSK_FS_FILE * | a_fs_file, |
| TSK_FS_ATTR_TYPE_ENUM | a_type, | ||
| uint16_t | a_id, | ||
| TSK_OFF_T | a_offset, | ||
| char * | a_buf, | ||
| size_t | a_len, | ||
| TSK_FS_FILE_READ_FLAG_ENUM | a_flags | ||
| ) |
Read the contents of a specific attribute of a file using a typical read() type interface and be able specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS).
0s are returned for missing runs of files.
| a_fs_file | The file to read from |
| a_type | The type of attribute to load |
| a_id | The id of attribute to load (use 0 and set a_flags if you do not care) |
| a_offset | The byte offset to start reading from. |
| a_buf | The buffer to read the data into. |
| a_len | The number of bytes to read from the file. |
| a_flags | Flags to use while reading |
References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_attr_read(), tsk_fs_file_attr_get_type(), and TSK_FS_FILE_READ_FLAG_NOID.
Referenced by TskFsFile::read().
| uint8_t tsk_fs_file_walk | ( | TSK_FS_FILE * | a_fs_file, |
| TSK_FS_FILE_WALK_FLAG_ENUM | a_flags, | ||
| TSK_FS_FILE_WALK_CB | a_action, | ||
| void * | a_ptr | ||
| ) |
Process a file and call a callback function with the file contents.
The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse files, the address may be zero. If a file has multiple attributes, such as NTFS files, this function uses the default one ($DATA for files, $IDX_ROOT for directories). Use tsk_fs_file_walk_type to specify an attribute.
| a_fs_file | File to process |
| a_flags | Flags to use while processing file |
| a_action | Callback action to call with content |
| a_ptr | Pointer that will passed to callback |
References TSK_FS_META::addr, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_attr_walk(), tsk_fs_file_attr_get(), and tsk_verbose.
Referenced by fatfs_inode_walk(), fatfs_istat(), tsk_fs_file_hash_calc(), and TskFsFile::walk().
| uint8_t tsk_fs_file_walk_type | ( | TSK_FS_FILE * | a_fs_file, |
| TSK_FS_ATTR_TYPE_ENUM | a_type, | ||
| uint16_t | a_id, | ||
| TSK_FS_FILE_WALK_FLAG_ENUM | a_flags, | ||
| TSK_FS_FILE_WALK_CB | a_action, | ||
| void * | a_ptr | ||
| ) |
Process a specific attribute in a file and call a callback function with the file contents.
The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse files, the address may be zero. If the file system you are analyzing does not have multiple attributes per file, then you can use tsk_fs_file_walk(). For incomplete or corrupt files, some missing runs will be identified as SPARSE and zeros will be returned in the content.
| a_fs_file | File to process |
| a_type | Attribute type to process |
| a_id | Id if attribute to process |
| a_flags | Flags to use while processing file |
| a_action | Callback action to call with content |
| a_ptr | Pointer that will passed to callback |
References TSK_FS_META::addr, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_attr_walk(), tsk_fs_file_attr_get_type(), TSK_FS_FILE_WALK_FLAG_NOID, and tsk_verbose.
Referenced by TskFsFile::walk().
| uint8_t tsk_fs_meta_make_ls | ( | const TSK_FS_META * | a_fs_meta, |
| char * | a_buf, | ||
| size_t | a_len | ||
| ) |
Makes the "ls -l" permissions string for a file.
| a_fs_meta | File to be processed |
| a_buf | [out] Buffer to write results to (must be 12 bytes or longer) |
| a_len | Length of buffer |
References TSK_FS_META::mode, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_ISGID, TSK_FS_META_MODE_ISUID, TSK_FS_META_MODE_ISVTX, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IXOTH, TSK_FS_META_MODE_IXUSR, tsk_fs_meta_type_str, TSK_FS_META_TYPE_STR_MAX, and TSK_FS_META::type.
Referenced by TskFsMeta::getLs().
| uint8_t tsk_fs_meta_walk | ( | TSK_FS_INFO * | a_fs, |
| TSK_INUM_T | a_start, | ||
| TSK_INUM_T | a_end, | ||
| TSK_FS_META_FLAG_ENUM | a_flags, | ||
| TSK_FS_META_WALK_CB | a_cb, | ||
| void * | a_ptr | ||
| ) |
Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.
For example, it can call the callback on only allocated or unallocated entries.
| a_fs | File system to process |
| a_start | Metadata address to start walking from |
| a_end | Metadata address to walk to |
| a_flags | Flags that specify the desired metadata features |
| a_cb | Callback function to call |
| a_ptr | Pointer to pass to the callback |
References TSK_FS_INFO::inode_walk.
Referenced by TskFsInfo::metaWalk().
| TSK_FS_INFO* tsk_fs_open_img | ( | TSK_IMG_INFO * | a_img_info, |
| TSK_OFF_T | a_offset, | ||
| TSK_FS_TYPE_ENUM | a_ftype | ||
| ) |
Tries to process data in a disk image at a given offset as a file system.
Returns a structure that can be used for analysis and reporting.
| a_img_info | Disk image to analyze |
| a_offset | Byte offset to start analyzing from |
| a_ftype | Type of file system (or autodetect) |
References TSK_FS_INFO::close, ntfs_open(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), TSK_FS_TYPE_DETECT, TSK_FS_TYPE_EXT_DETECT, TSK_FS_TYPE_FAT_DETECT, TSK_FS_TYPE_FFS_DETECT, TSK_FS_TYPE_HFS_DETECT, TSK_FS_TYPE_ISEXT, TSK_FS_TYPE_ISFAT, TSK_FS_TYPE_ISFFS, TSK_FS_TYPE_ISHFS, TSK_FS_TYPE_ISISO9660, TSK_FS_TYPE_ISNTFS, TSK_FS_TYPE_ISO9660_DETECT, TSK_FS_TYPE_ISRAW, TSK_FS_TYPE_ISSWAP, TSK_FS_TYPE_ISYAFFS2, TSK_FS_TYPE_NTFS_DETECT, TSK_FS_TYPE_YAFFS2_DETECT, and tsk_verbose.
Referenced by TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), TskFsInfo::open(), and tsk_fs_open_vol().
| TSK_FS_INFO* tsk_fs_open_vol | ( | const TSK_VS_PART_INFO * | a_part_info, |
| TSK_FS_TYPE_ENUM | a_ftype | ||
| ) |
Tries to process data in a volume as a file system.
Returns a structure that can be used for analysis and reporting.
| a_part_info | Open volume to read from and analyze |
| a_ftype | Type of file system (or autodetect) |
References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, TSK_VS_PART_INFO::start, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_open_img(), and TSK_VS_PART_INFO::vs.
Referenced by TskFsInfo::open().
| int tsk_fs_parse_inum | ( | const TSK_TCHAR * | str, |
| TSK_INUM_T * | inum, | ||
| TSK_FS_ATTR_TYPE_ENUM * | type, | ||
| uint8_t * | type_used, | ||
| uint16_t * | id, | ||
| uint8_t * | id_used | ||
| ) |
Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there).
This assumes the string is either: INUM, INUM-TYPE, or INUM-TYPE-ID. Return the values in integer form.
| [in] | str | Input string to parse |
| [out] | inum | Pointer to location where inode can be stored. |
| [out] | type | Pointer to location where type can be stored (or NULL) |
| [out] | type_used | Pointer to location where the value can be set to 1 if the type was set (to differentiate between meanings of 0) (or NULL). |
| [out] | id | Pointer to location where id can be stored (or NULL) |
| [out] | id_used | Pointer to location where the value can be set to 1 if the id was set (to differentiate between meanings of 0) (or NULL). |
References TSK_FS_ATTR_ID_DEFAULT.
Referenced by TskFsInfo::parseINum().
| int8_t tsk_fs_path2inum | ( | TSK_FS_INFO * | a_fs, |
| const char * | a_path, | ||
| TSK_INUM_T * | a_result, | ||
| TSK_FS_NAME * | a_fs_name | ||
| ) |
Find the meta data address for a given file name (UTF-8).
The basic idea of the function is to break the given name into its subdirectories and start looking for each (starting in the root directory).
| a_fs | FS to analyze | |
| a_path | UTF-8 path of file to search for | |
| [out] | a_result | Meta data address of file |
| [out] | a_fs_name | Copy of name details (or NULL if details not wanted) |
References TSK_FS_NAME::flags, TSK_FS_DIR::fs_file, TSK_FS_INFO::ftype, TSK_FS_FILE::meta, TSK_FS_NAME::meta_addr, TSK_FS_ATTR::name, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_INFO::root_inum, TSK_FS_NAME::shrt_name, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_dir_close(), tsk_fs_dir_get(), tsk_fs_dir_getsize(), tsk_fs_dir_open_meta(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_getsize(), tsk_fs_file_close(), TSK_FS_META_TYPE_DIR, TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_TYPE_DIR, TSK_FS_TYPE_ISFAT, TSK_FS_TYPE_ISNTFS, tsk_verbose, TSK_FS_META::type, and TSK_FS_NAME::type.
Referenced by TskFsInfo::path2INum(), tsk_fs_dir_open(), tsk_fs_file_open(), and tsk_fs_ifind_path().
| ssize_t tsk_fs_read | ( | TSK_FS_INFO * | a_fs, |
| TSK_OFF_T | a_off, | ||
| char * | a_buf, | ||
| size_t | a_len | ||
| ) |
Read arbitrary data from inside of the file system.
| a_fs | The file system handle. |
| a_off | The byte offset to start reading from (relative to start of file system) |
| a_buf | The buffer to store the block in. |
| a_len | The number of bytes to read |
References TSK_FS_INFO::block_post_size, TSK_FS_INFO::block_pre_size, TSK_FS_INFO::block_size, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and tsk_img_read().
Referenced by ntfs_dinode_lookup(), ntfs_open(), TskFsInfo::read(), and tsk_fs_attr_read().
| ssize_t tsk_fs_read_block | ( | TSK_FS_INFO * | a_fs, |
| TSK_DADDR_T | a_addr, | ||
| char * | a_buf, | ||
| size_t | a_len | ||
| ) |
Read a file system block into a char* buffer.
This is actually a wrapper around the fs_read_random function, but it allows the starting location to be specified as a block address.
| a_fs | The file system structure. |
| a_addr | The starting block file system address. |
| a_buf | The char * buffer to store the block data in. |
| a_len | The number of bytes to read (must be a multiple of the block size) |
References TSK_FS_INFO::block_post_size, TSK_FS_INFO::block_pre_size, TSK_FS_INFO::block_size, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, PRIuSIZE, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and tsk_img_read().
Referenced by fatfs_inode_walk(), TskFsInfo::readBlock(), and tsk_fs_blkcat().
| char* tsk_fs_time_to_str | ( | time_t | time, |
| char | buf[128] | ||
| ) |
Converts a time value to a string representation.
Prints all zero values instead of 1970 if time is 0.
| time | Time to be displayed. |
| buf | Buffer to print into (must be 128 byes or larger) |
Referenced by fatfs_istat().
| char* tsk_fs_time_to_str_subsecs | ( | time_t | time, |
| unsigned int | subsecs, | ||
| char | buf[128] | ||
| ) |
Converts a time value to a string representation.
Prints all zero values instead of 1970 if time is 0.
| time | Time to be displayed. |
| buf | Buffer to print into (must b 64 bytes or larger) |
| subsecs | Subseconds to be printed |
| void tsk_fs_type_print | ( | FILE * | hFile | ) |
Print the supported file system types to a file handle.
| hFile | File handle to print to |
References tsk_fprintf().
Referenced by TskFsInfo::typePrint().
| TSK_FS_TYPE_ENUM tsk_fs_type_supported | ( | ) |
Return the supported file system types.
Referenced by TskFsInfo::typeSupported().
| TSK_FS_TYPE_ENUM tsk_fs_type_toid | ( | const TSK_TCHAR * | str | ) |
Parse a string with the file system type and return its internal ID.
| str | String to parse. |
References tsk_fs_type_toid_utf8().
Referenced by TskFsInfo::typeToId().
| TSK_FS_TYPE_ENUM tsk_fs_type_toid_utf8 | ( | const char * | str | ) |
Parse a string with the file system type and return its internal ID.
| str | String to parse, always UTF-8. |
References TSK_FS_TYPE_UNSUPP.
Referenced by tsk_fs_type_toid().
| const char* tsk_fs_type_toname | ( | TSK_FS_TYPE_ENUM | ftype | ) |
Return the string name of a file system type id.
| ftype | File system type id |
Referenced by TskFsInfo::typeToName().
Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.