The Sleuth Kit 4.2
tsk_db_sqlite.h File Reference

Contains the SQLite code for maintaining the case-level database.

#include <map>
#include <vector>
#include <string>
#include <ostream>
#include "sqlite3.h"
#include "tsk_auto_i.h"

Classes

struct  _TSK_DB_FILE_LAYOUT_RANGE
 Structure wrapping a single file_layout db entry.
 
struct  _TSK_DB_FS_INFO
 Structure wrapping a single fs info db entry.
 
struct  _TSK_DB_OBJECT
 Structure wrapping a single tsk objects db entry.
 
struct  _TSK_DB_VS_INFO
 Structure wrapping a single vs info db entry.
 
struct  _TSK_DB_VS_PART_INFO
 
class  TskDbSqlite
 

Macros

#define TSK_MAX_DB_VS_PART_INFO_DESC_LEN   512
 Structure wrapping a single vs part db entry.
 

Typedefs

typedef struct sqlite3 sqlite3
 
typedef struct _TSK_DB_FILE_LAYOUT_RANGE TSK_DB_FILE_LAYOUT_RANGE
 Structure wrapping a single file_layout db entry.
 
typedef struct _TSK_DB_FS_INFO TSK_DB_FS_INFO
 Structure wrapping a single fs info db entry.
 
typedef struct _TSK_DB_OBJECT TSK_DB_OBJECT
 Structure wrapping a single tsk objects db entry.
 
typedef struct _TSK_DB_VS_INFO TSK_DB_VS_INFO
 Structure wrapping a single vs info db entry.
 
typedef struct _TSK_DB_VS_PART_INFO TSK_DB_VS_PART_INFO
 

Enumerations

enum  TSK_DB_FILES_KNOWN_ENUM { TSK_DB_FILES_KNOWN_UNKNOWN = 0, TSK_DB_FILES_KNOWN_KNOWN = 1, TSK_DB_FILES_KNOWN_KNOWN_BAD = 2, TSK_DB_FILES_KNOWN_KNOWN_GOOD = 3 }
 Values for the "known" column of the tsk_files table.
 
enum  TSK_DB_FILES_TYPE_ENUM {
  TSK_DB_FILES_TYPE_FS = 0, TSK_DB_FILES_TYPE_CARVED, TSK_DB_FILES_TYPE_DERIVED, TSK_DB_FILES_TYPE_LOCAL,
  TSK_DB_FILES_TYPE_UNALLOC_BLOCKS, TSK_DB_FILES_TYPE_UNUSED_BLOCKS, TSK_DB_FILES_TYPE_VIRTUAL_DIR
}
 Values for the files type column in the tsk_files table.
 
enum  TSK_DB_OBJECT_TYPE_ENUM {
  TSK_DB_OBJECT_TYPE_IMG = 0, TSK_DB_OBJECT_TYPE_VS, TSK_DB_OBJECT_TYPE_VOL, TSK_DB_OBJECT_TYPE_FS,
  TSK_DB_OBJECT_TYPE_FILE
}
 Values for the type column in the tsk_objects table.
 

Functions

ostream & operator<< (ostream &os, const TSK_DB_OBJECT &dbObject)
 
ostream & operator<< (ostream &os, const TSK_DB_FILE_LAYOUT_RANGE &layoutRange)
 
ostream & operator<< (ostream &os, const TSK_DB_FS_INFO &fsInfo)
 
ostream & operator<< (ostream &os, const TSK_DB_VS_INFO &vsInfo)
 
ostream & operator<< (ostream &os, const TSK_DB_VS_PART_INFO &vsPartInfos)
 

Detailed Description

Contains the SQLite code for maintaining the case-level database.

In the future, an interface will be developed for these so that different databases can exist.

Enumeration Type Documentation

enum TSK_DB_FILES_KNOWN_ENUM

Values for the "known" column of the tsk_files table.

Enumerator
TSK_DB_FILES_KNOWN_UNKNOWN 

Not matched against an index.

TSK_DB_FILES_KNOWN_KNOWN 

Match found in a "known" file index (such as NIST NSRL) and could be good or bad.

TSK_DB_FILES_KNOWN_KNOWN_BAD 

Match found in a "known bad" index.

TSK_DB_FILES_KNOWN_KNOWN_GOOD 

Match found in a "known good" index.

enum TSK_DB_FILES_TYPE_ENUM

Values for the files type column in the tsk_files table.

Enumerator
TSK_DB_FILES_TYPE_FS 

File that can be found in file system tree.

TSK_DB_FILES_TYPE_CARVED 

Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS range.

TSK_DB_FILES_TYPE_DERIVED 

File derived from a parent file (e.g., from a ZIP).

TSK_DB_FILES_TYPE_LOCAL 

Local file that was added (not from a disk image).

TSK_DB_FILES_TYPE_UNALLOC_BLOCKS 

Set of blocks not allocated by file system. Parent should be image, volume, or file system. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout.

TSK_DB_FILES_TYPE_UNUSED_BLOCKS 

Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNALLOC_BLOCKS. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout.

TSK_DB_FILES_TYPE_VIRTUAL_DIR 

Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other than TSK_DB_FILES_TYPE_FS. Its parent is either another TSK_DB_FILES_TYPE_FS or a root directory of type TSK_DB_FILES_TYPE_FS.

enum TSK_DB_OBJECT_TYPE_ENUM

Values for the type column in the tsk_objects table.

Enumerator
TSK_DB_OBJECT_TYPE_IMG 

Object is a disk image.

TSK_DB_OBJECT_TYPE_VS 

Object is a volume system.

TSK_DB_OBJECT_TYPE_VOL 

Object is a volume.

TSK_DB_OBJECT_TYPE_FS 

Object is a file system.

TSK_DB_OBJECT_TYPE_FILE 

Object is a file (exact type can be determined in the tsk_files table via TSK_DB_FILES_TYPE_ENUM).


Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.