TSK_FS_META Struct Reference

TSK data structure to store general file and directory metadata. More...

#include <tsk_fs.h>

Public Attributes
TSK_INUM_T	addr
	Address of the meta data structure for this file.
time_t	atime
	last file content accessed time (stored in number of seconds since Jan 1, 1970 UTC)
uint32_t	atime_nano
	nano-second resolution in addition to a_time
TSK_FS_ATTRLIST *	attr
	Contains run data on the file content (specific locations where content is stored). More...
TSK_FS_META_ATTR_FLAG_ENUM	attr_state
	State of the data in the TSK_FS_META::attr structure.
size_t	content_len
	size of content buffer
void *	content_ptr
	Pointer to file system specific data that is used to store references to file content.
TSK_FS_META_CONTENT_TYPE_ENUM	content_type
	File system-specific and describes type of data in content_ptr in case file systems have multiple ways of storing things.
time_t	crtime
	Created time (stored in number of seconds since Jan 1, 1970 UTC)
uint32_t	crtime_nano
	nano-second resolution in addition to cr_time
time_t	ctime
	last file / metadata status change time (stored in number of seconds since Jan 1, 1970 UTC)
uint32_t	ctime_nano
	nano-second resolution in addition to c_time
TSK_FS_META_FLAG_ENUM	flags
	Flags for this file for its allocation status etc.
TSK_GID_T	gid
	group id
char *	link
	Name of target file if this is a symbolic link.
TSK_FS_META_MODE_ENUM	mode
	Unix-style permissions.
time_t	mtime
	last file content modification time (stored in number of seconds since Jan 1, 1970 UTC)
uint32_t	mtime_nano
	nano-second resolution in addition to m_time
TSK_FS_META_NAME_LIST *	name2
	Name of file stored in metadata (FATXX and NTFS Only)
int	nlink
	link count (number of file names pointing to this)
uint32_t	seq
	Sequence number for file (NTFS only, is incremented when entry is reallocated)
TSK_OFF_T	size
	file size (in bytes)
int	tag
union {
struct {
time_t   dtime
	Linux deletion time.
uint32_t   dtime_nano
	nano-second resolution in addition to d_time
}   ext2
struct {
time_t   bkup_time
	HFS+ backup time.
uint32_t   bkup_time_nano
	nano-second resolution in addition to bkup_time
}   hfs
struct {
time_t   fn_atime
	NTFS access time stored in FILE_NAME.
time_t   fn_atime_nano
	NTFS access time stored in FILE_NAME in nano-second resolution.
time_t   fn_crtime
	NTFS Created time stored in FILE_NAME.
time_t   fn_crtime_nano
	NTFS Created time stored in FILE_NAME in nano-second resolution.
time_t   fn_ctime
	NTFS change (MFT Entry) time stored in FILE_NAME.
time_t   fn_ctime_nano
	NTFS change (MFT Entry) time stored in FILE_NAME in nano-second resolution.
uint16_t   fn_id
	Attribute ID used to populate FN times.
time_t   fn_mtime
	NTFS mod (content) stored in FILE_NAME.
time_t   fn_mtime_nano
	NTFS mod time stored in FILE_NAME in nano-second resolution.
}   ntfs
}	time2
TSK_FS_META_TYPE_ENUM	type
	File type.
TSK_UID_T	uid
	owner id

Detailed Description

TSK data structure to store general file and directory metadata.

Note that the file in the file system may have more metadata than is stored here. For performance reasons, the run list of the file content is not always known when the file is loaded. It may be loaded only when needed by the internal code. The TSK_FS_META::content_ptr pointer contains file system-specific data that will be used to determine the full run. After it has been loaded, the TSK_FS_META::attr field will contain that info.

Member Data Documentation

TSK_FS_ATTRLIST* TSK_FS_META::attr

Contains run data on the file content (specific locations where content is stored).

Check attr_state to determine if data in here is valid because not all file systems load this data when a file is loaded. It may not be loaded until needed by one of the APIs. Most file systems will have only one attribute, but NTFS will have several.

Referenced by ntfs_open(), tsk_fs_file_attr_get(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_get_type(), and tsk_fs_file_attr_getsize().

---

The documentation for this struct was generated from the following file:

• tsk/fs/tsk_fs.h