The Sleuth Kit  4.2
tsk_base.h File Reference

Contains the type and function definitions that are needed by external programs to use the TSK library. More...

#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include "tsk/tsk_incs.h"
#include "tsk_os.h"

Classes

struct  TSK_ERROR_INFO
 
struct  TSK_LIST
 Linked list structure that holds a 'key' and optional 'length'. More...
 
struct  tsk_lock_t
 
struct  TSK_MD5_CTX
 
struct  TSK_SHA_CTX
 
struct  TSK_STACK
 Basic stack structure to push and pop (used for finding loops in recursion). More...
 
class  TskError
 Allows access to most recent error message and code in the thread. More...
 

Macros

#define TSK_ERR_AUTO   0x20000000
 
#define TSK_ERR_AUTO_CORRUPT   (TSK_ERR_AUTO | 1)
 
#define TSK_ERR_AUTO_DB   (TSK_ERR_AUTO | 0)
 
#define TSK_ERR_AUTO_MAX   4
 
#define TSK_ERR_AUTO_NOTOPEN   (TSK_ERR_AUTO | 3)
 
#define TSK_ERR_AUTO_UNICODE   (TSK_ERR_AUTO | 2)
 
#define TSK_ERR_AUX   0x01000000
 
#define TSK_ERR_AUX_GENERIC   (TSK_ERR_AUX | 2)
 
#define TSK_ERR_AUX_MALLOC   (TSK_ERR_AUX | 0)
 
#define TSK_ERR_AUX_MAX   2
 
#define TSK_ERR_FS   0x08000000
 
#define TSK_ERR_FS_ARG   (TSK_ERR_FS | 6)
 
#define TSK_ERR_FS_ATTR_NOTFOUND   (TSK_ERR_FS | 17)
 
#define TSK_ERR_FS_BLK_NUM   (TSK_ERR_FS | 7)
 
#define TSK_ERR_FS_CORRUPT   (TSK_ERR_FS | 16)
 
#define TSK_ERR_FS_FWALK   (TSK_ERR_FS | 11)
 
#define TSK_ERR_FS_GENFS   (TSK_ERR_FS | 15)
 
#define TSK_ERR_FS_INODE_COR   (TSK_ERR_FS | 9)
 
#define TSK_ERR_FS_INODE_NUM   (TSK_ERR_FS | 8)
 
#define TSK_ERR_FS_MAGIC   (TSK_ERR_FS | 10)
 
#define TSK_ERR_FS_MAX   18
 
#define TSK_ERR_FS_READ   (TSK_ERR_FS | 4)
 
#define TSK_ERR_FS_READ_OFF   (TSK_ERR_FS | 5)
 
#define TSK_ERR_FS_RECOVER   (TSK_ERR_FS | 14)
 
#define TSK_ERR_FS_UNICODE   (TSK_ERR_FS | 13)
 
#define TSK_ERR_FS_UNKTYPE   (TSK_ERR_FS | 0)
 
#define TSK_ERR_FS_UNSUPFUNC   (TSK_ERR_FS | 2)
 
#define TSK_ERR_FS_UNSUPTYPE   (TSK_ERR_FS | 1)
 
#define TSK_ERR_FS_WALK_RNG   (TSK_ERR_FS | 3)
 
#define TSK_ERR_FS_WRITE   (TSK_ERR_FS | 12)
 
#define TSK_ERR_HDB   0x10000000
 
#define TSK_ERR_HDB_ARG   (TSK_ERR_HDB | 4)
 
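#define TSK_ERR_HDB_CORRUPT   (TSK_ERR_HDB | 11)
 Note: as listed on this page, the value (TSK_ERR_HDB | 11) is also assigned to TSK_ERR_HDB_UNSUPFUNC, so the two conditions cannot be told apart by error number alone.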
#define TSK_ERR_HDB_CREATE   (TSK_ERR_HDB | 6)
 
#define TSK_ERR_HDB_DELETE   (TSK_ERR_HDB | 7)
 
#define TSK_ERR_HDB_MAX   13
 
#define TSK_ERR_HDB_MISSING   (TSK_ERR_HDB | 8)
 
#define TSK_ERR_HDB_OPEN   (TSK_ERR_HDB | 10)
 
#define TSK_ERR_HDB_PROC   (TSK_ERR_HDB | 9)
 
#define TSK_ERR_HDB_READDB   (TSK_ERR_HDB | 2)
 
#define TSK_ERR_HDB_READIDX   (TSK_ERR_HDB | 3)
 
#define TSK_ERR_HDB_UNKTYPE   (TSK_ERR_HDB | 0)
 
#define TSK_ERR_HDB_UNSUPFUNC   (TSK_ERR_HDB | 11)
 
#define TSK_ERR_HDB_UNSUPTYPE   (TSK_ERR_HDB | 1)
 
#define TSK_ERR_HDB_WRITE   (TSK_ERR_HDB | 5)
 
#define TSK_ERR_IMG   0x02000000
 
#define TSK_ERR_IMG_ARG   (TSK_ERR_IMG | 9)
 
#define TSK_ERR_IMG_CONVERT   (TSK_ERR_IMG | 12)
 
#define TSK_ERR_IMG_MAGIC   (TSK_ERR_IMG | 10)
 
#define TSK_ERR_IMG_MAX   14
 
#define TSK_ERR_IMG_NOFILE   (TSK_ERR_IMG | 0)
 
#define TSK_ERR_IMG_OFFSET   (TSK_ERR_IMG | 1)
 
#define TSK_ERR_IMG_OPEN   (TSK_ERR_IMG | 4)
 
#define TSK_ERR_IMG_PASSWD   (TSK_ERR_IMG | 13)
 
#define TSK_ERR_IMG_READ   (TSK_ERR_IMG | 7)
 
#define TSK_ERR_IMG_READ_OFF   (TSK_ERR_IMG | 8)
 
#define TSK_ERR_IMG_SEEK   (TSK_ERR_IMG | 6)
 
#define TSK_ERR_IMG_STAT   (TSK_ERR_IMG | 5)
 
#define TSK_ERR_IMG_UNKTYPE   (TSK_ERR_IMG | 2)
 
#define TSK_ERR_IMG_UNSUPTYPE   (TSK_ERR_IMG | 3)
 
#define TSK_ERR_IMG_WRITE   (TSK_ERR_IMG | 11)
 
#define TSK_ERR_MASK   0x00ffffff
 
#define TSK_ERR_VS   0x04000000
 
#define TSK_ERR_VS_ARG   (TSK_ERR_VS | 7)
 
#define TSK_ERR_VS_BLK_NUM   (TSK_ERR_VS | 6)
 
#define TSK_ERR_VS_BUF   (TSK_ERR_VS | 5)
 
#define TSK_ERR_VS_MAGIC   (TSK_ERR_VS | 3)
 
#define TSK_ERR_VS_MAX   8
 
#define TSK_ERR_VS_READ   (TSK_ERR_VS | 2)
 
#define TSK_ERR_VS_UNKTYPE   (TSK_ERR_VS | 0)
 
#define TSK_ERR_VS_UNSUPTYPE   (TSK_ERR_VS | 1)
 
#define TSK_ERR_VS_WALK_RNG   (TSK_ERR_VS | 4)
 
#define TSK_ERROR_FORMAT_ATTRIBUTE(n, m)
 
#define TSK_ERROR_STRING_MAX_LENGTH   1024
 
#define TSK_VERSION_NUM   0x040200ff
 Version of code in number form. More...
 
#define TSK_VERSION_STR   "4.2.0"
 Version of code in string form. More...
 
printf macros if system does not define them
#define PRIx64   "llx"
 
#define PRIX64   "llX"
 
#define PRIu64   "llu"
 
#define PRId64   "lld"
 
#define PRIo64   "llo"
 
#define PRIx32   "x"
 
#define PRIX32   "X"
 
#define PRIu32   "u"
 
#define PRId32   "d"
 
#define PRIx16   "hx"
 
#define PRIX16   "hX"
 
#define PRIu16   "hu"
 
#define PRIu8   "hhu"
 
#define PRIx8   "hhx"
 

Typedefs

typedef struct TSK_LIST TSK_LIST
 

Enumerations

enum  TSK_RETVAL_ENUM { TSK_OK, TSK_ERR, TSK_COR, TSK_STOP }
 Return values for some TSK functions that need to differentiate between errors and corrupt data. More...
 
enum  TSK_WALK_RET_ENUM { TSK_WALK_CONT = 0x0, TSK_WALK_STOP = 0x1, TSK_WALK_ERROR = 0x2 }
 Values that callback functions can return to calling walk function. More...
 
Endian Ordering Functions
enum  TSK_ENDIAN_ENUM { TSK_UNKNOWN_ENDIAN = 0x00, TSK_LIT_ENDIAN = 0x01, TSK_BIG_ENDIAN = 0x02 }
 Flag that identifies the endian ordering of the data being read. More...
 

Functions

void tsk_error_errstr2_concat (const char *format,...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2)
 
const char * tsk_error_get ()
 Return a human-readable form of tsk_error_get_errno. More...
 
uint32_t tsk_error_get_errno ()
 Return the current error number. More...
 
char * tsk_error_get_errstr ()
 Retrieve the current, basic error string. More...
 
char * tsk_error_get_errstr2 ()
 Retrieve the current error string #2. More...
 
TSK_ERROR_INFO * tsk_error_get_info ()
 
void tsk_error_print (FILE *)
 Print the current fully formed error message to a file. More...
 
void tsk_error_reset ()
 Clear the error number and error message.
 
void tsk_error_set_errno (uint32_t t_errno)
 Set the current TSK error number. More...
 
void tsk_error_set_errstr (const char *format,...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2)
 
void tsk_error_set_errstr2 (const char *format,...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2)
 
void tsk_error_vset_errstr (const char *format, va_list args)
 Set the error string. More...
 
void tsk_error_vset_errstr2 (const char *format, va_list args)
 Set the error string. More...
 
void tsk_fprintf (FILE *fd, const char *msg,...)
 fprintf wrapper function that takes UTF-8 strings as input (on all platforms) and does what is necessary to output strings in the correct encoding (UTF-8 on Unix and UTF-16 on Windows). More...
 
uint8_t tsk_list_add (TSK_LIST **list, uint64_t key)
 Add an entry to a TSK_LIST (and create one if one does not exist) More...
 
uint8_t tsk_list_find (TSK_LIST *list, uint64_t key)
 Search a TSK_LIST for the existence of a value. More...
 
void tsk_list_free (TSK_LIST *list)
 Free a TSK_LIST. More...
 
TSK_OFF_T tsk_parse_offset (const TSK_TCHAR *)
 Parse a TSK_TCHAR block address string. More...
 
int tsk_parse_pnum (const TSK_TCHAR *a_pnum_str, TSK_PNUM_T *a_pnum)
 Parse a TSK_TCHAR string of a partition byte offset and the integer version of it. More...
 
void tsk_printf (const char *msg,...)
 printf wrapper function that takes UTF-8 strings as input (on all platforms) and does what is necessary to output strings in the correct encoding (UTF-8 on Unix and UTF-16 on Windows). More...
 
TSK_STACK * tsk_stack_create ()
 Create a TSK_STACK structure. More...
 
uint8_t tsk_stack_find (TSK_STACK *stack, uint64_t key)
 Search a TSK_STACK for a given value. More...
 
void tsk_stack_free (TSK_STACK *stack)
 Free an allocated TSK_STACK structure. More...
 
void tsk_stack_pop (TSK_STACK *stack)
 Pop a value from the top of the stack. More...
 
uint8_t tsk_stack_push (TSK_STACK *stack, uint64_t key)
 Push a value to the top of TSK_STACK. More...
 
const char * tsk_version_get_str ()
 Return the library version as a string. More...
 
void tsk_version_print (FILE *)
 Print the library name and version to a handle (such as "The Sleuth Kit ver 1.00"). More...
 

Variables

int tsk_verbose
 Set to 1 to have verbose debug messages printed to stderr.
 

Internal integer types and printf macros

#define PRIuINUM   PRIu64
 
#define PRIxINUM   PRIx64
 
#define PRIdINUM   PRId64
 
#define PRIuUID   PRIu32
 
#define PRIxUID   PRIx32
 
#define PRIdUID   PRId32
 
#define PRIuGID   PRIu32
 
#define PRIxGID   PRIx32
 
#define PRIdGID   PRId32
 
#define PRIuDADDR   PRIu64
 
#define PRIxDADDR   PRIx64
 
#define PRIdDADDR   PRId64
 
#define PRIuOFF   PRIu64
 
#define PRIxOFF   PRIx64
 
#define PRIdOFF   PRId64
 
#define PRIuPNUM   PRIu32
 
#define PRIxPNUM   PRIx32
 
#define PRIdPNUM   PRId32
 
typedef uint64_t TSK_INUM_T
 Data type used to internally store metadata / inode addresses.
 
typedef uint32_t TSK_UID_T
 Data type used to internally store User IDs.
 
typedef uint32_t TSK_GID_T
 Data type used to internally store Group IDs.
 
typedef uint64_t TSK_DADDR_T
 Data type used to internally store sector and block addresses.
 
typedef int64_t TSK_OFF_T
 Data type used to internally store volume, file, etc. sizes and offsets.
 
typedef uint32_t TSK_PNUM_T
 Data type used to internally store partition addresses.
 

MD5 and SHA-1 hashing

#define FALSE   0
 
#define TRUE   ( !FALSE )
 
#define TSK_MD5_DIGEST_LENGTH   16
 
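#define TSK_SHA_DIGEST_LENGTH   32
 Note: a SHA-1 digest is 20 bytes, which is less than the 32 given here; confirm how many bytes TSK_SHA_Final() actually writes before comparing or printing a hash with this length.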
enum  TSK_BASE_HASH_ENUM { TSK_BASE_HASH_INVALID_ID = 0, TSK_BASE_HASH_MD5 = 0x01, TSK_BASE_HASH_SHA1 = 0x02 }
 
typedef unsigned char * POINTER
 
typedef uint16_t UINT2
 
typedef uint32_t UINT4
 
typedef uint8_t BYTE
 
void TSK_MD5_Init (TSK_MD5_CTX *)
 Initialize a MD5 context structure so that data can be added to it. More...
 
void TSK_MD5_Update (TSK_MD5_CTX *, unsigned char *, unsigned int)
 Add data to an initialized MD5 operation. More...
 
void TSK_MD5_Final (unsigned char[16], TSK_MD5_CTX *)
 Calculate the MD5 hash of the data added to this context. More...
 
void TSK_SHA_Init (TSK_SHA_CTX *)
 Initialize a SHA-1 context so that data can be added to it. More...
 
void TSK_SHA_Update (TSK_SHA_CTX *, BYTE *buffer, int count)
 Add data to an initialized SHA-1 context. More...
 
void TSK_SHA_Final (BYTE *output, TSK_SHA_CTX *)
 

Detailed Description

Contains the type and function definitions that are needed by external programs to use the TSK library.

Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_base_i.h.

Macro Definition Documentation

#define TSK_VERSION_NUM   0x040200ff

Version of code in number form.

Upper byte is A, next is B, and next byte is C in version A.B.C. Lowest byte is 0xff, except in beta releases, in which case it increments from 1. Nightly snapshots will have upper byte as 0xff and next bytes with year, month, and date, respectively. Note that you will not be able to differentiate between snapshots from the trunk or branches with this method... For example, 3.1.2 would be stored as 0x030102FF. 3.1.2b1 would be 0x03010201. Snapshot from Jan 2, 2003 would be 0xFF030102. See TSK_VERSION_STR for string form.

#define TSK_VERSION_STR   "4.2.0"

Version of code in string form.

See TSK_VERSION_NUM for integer form.

Referenced by tsk_version_get_str() and tsk_version_print().

Enumeration Type Documentation

enum TSK_ENDIAN_ENUM

Flag that identifies the endian ordering of the data being read.

Enumerator
TSK_UNKNOWN_ENDIAN 

Endianness is unknown.

TSK_LIT_ENDIAN 

Data is in little endian.

TSK_BIG_ENDIAN 

Data is in big endian.

enum TSK_RETVAL_ENUM

Return values for some TSK functions that need to differentiate between errors and corrupt data.

Enumerator
TSK_OK 

Ok – success.

TSK_ERR 

System error – should abort.

TSK_COR 

Data is corrupt, can still process another set of data.

TSK_STOP 

Stop further processing, not an error though.

enum TSK_WALK_RET_ENUM

Values that callback functions can return to calling walk function.

Enumerator
TSK_WALK_CONT 

Walk function should continue to next object.

TSK_WALK_STOP 

Walk function should stop processing units and return OK.

TSK_WALK_ERROR 

Walk function should stop processing units and return error.


Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.