The Sleuth Kit
4.2
|
This section describes the general disk image analysis concepts and corresponding APIs in TSK. In addition to this documentation, there are sample programs in the samples
directory in TSK that show these functions being used while processing a disk image.
Before the volume and file system structures can be analyzed, the disk image must be opened. The tsk_img_open() function is used to open one or more disk image files. The file format can be specified or auto-detection methods will be used. If the specific type cannot be determined, then the raw type will be assumed. Note that by default, TSK supports only single and split raw images. Other file formats, such as AFF and EWF, are supported only if the corresponding libraries existed and were configured when TSK was built and installed. If you are opening only a single disk image file (i.e. it is not split), then you can use the tsk_img_open_sing() function. It takes fewer arguments. The tsk_img_open() function returns a TSK_IMG_INFO structure. This structure has fields that contain the type and size (uncompressed, if applicable) of the disk image. When you are done analyzing the disk image, it can be closed with tsk_img_close(). Note that the tsk_img_open() and tsk_img_open_sing() functions use the TSK_TCHAR type to store the disk image paths. This type is system dependent and is a wchar_t on Windows and char on other sytems. See \ref basic_enc_t for more details. If you are in an environment where you will have UTF-8 text even in Windows, then you can use the tsk_img_open_utf8() and tsk_img_open_utf8_sing() functions. To use the C++ wrappers, create a TskImgInfo object and call one of the TskImgInfo::open() methods.
There are several functions that can be used to map between names and IDs of file format types. Internally, the TSK functions use a numerical ID for each type. The tsk_img_type_toname() function maps the ID to a single word name (such as "raw") and the tsk_img_type_todesc() function maps an ID to a longer description (such as "Single raw file"). The short name is used in the TSK command line tools when the user specifies a type and the tsk_img_type_toid() function maps the short name to an ID. There are also functions that identify which file formats are supported by the installation. The tsk_img_type_supported() function returns the IDs of the supported types. The tsk_img_type_print() prints the supported type names and descriptions to a handle. This function is used by the command line tools to print the supported types to the console.
To read data from the disk image, the tsk_img_read() function is used. This function can read an arbitrary amount of data from an arbitrary byte offset. The C++ class has a public read method, TskImgInfo::read().
Next to Volume Systems
Back to Table of Contents
Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.