|
The Sleuth Kit
4.2
|
External header file for file system support. More...
#include <sys/types.h>Classes | |
| struct | TSK_FS_ATTR |
| Holds information about the location of file content (or a file attribute). More... | |
| struct | TSK_FS_ATTR_RUN |
| Holds information about a single data run, which has a starting address and length. More... | |
| struct | TSK_FS_ATTRLIST |
| Structure used as the head of an attribute list. More... | |
| struct | TSK_FS_BLOCK |
| Generic data structure to hold block data with metadata. More... | |
| struct | TSK_FS_BLOCK_WALK_CPP_DATA |
| struct | TSK_FS_DIR |
| A handle to a directory so that its files can be individually accessed. More... | |
| struct | TSK_FS_DIR_WALK_CPP_DATA |
| struct | TSK_FS_FILE |
| Generic structure used to refer to files in the file system. More... | |
| struct | TSK_FS_FILE_WALK_CPP_DATA |
| struct | TSK_FS_HASH_RESULTS |
| struct | TSK_FS_INFO |
| Stores state information for an open file system. More... | |
| struct | TSK_FS_JBLK_WALK_CPP_DATA |
| struct | TSK_FS_JENTRY |
| struct | TSK_FS_JENTRY_WALK_CPP_DATA |
| struct | TSK_FS_META |
| TSK data structure to store general file and directory metadata. More... | |
| struct | TSK_FS_META_NAME_LIST |
| Relatively generic structure to hold file names that are stored with the file metadata. More... | |
| struct | TSK_FS_META_WALK_CPP_DATA |
| struct | TSK_FS_NAME |
| Generic structure to store the file name information that is stored in a directory. More... | |
| class | TskFsAttribute |
| Stores information about a file attribute. More... | |
| class | TskFsAttrRun |
| Contains information about a single data run, which has a starting address and length. More... | |
| class | TskFsBlock |
| Stores information about a file system block. More... | |
| class | TskFsDir |
| Stores information about a directory in the file system. More... | |
| class | TskFsFile |
| Class that represents an allocated or deleted file. More... | |
| class | TskFsInfo |
| Stores information about an open file system. More... | |
| class | TskFsJEntry |
| class | TskFsMeta |
| Stores metadata about a file. More... | |
| class | TskFsMetaName |
| Stores information about names that are located in metadata structures. More... | |
| class | TskFsName |
| Stores the file name information that is stored in a directory. More... | |
Macros | |
| #define | TSK_FS_ISDOT(str) |
Typedefs | |
| typedef enum TSK_FS_BLKCALC_FLAG_ENUM | TSK_FS_BLKCALC_FLAG_ENUM |
| typedef enum TSK_FS_BLKCAT_FLAG_ENUM | TSK_FS_BLKCAT_FLAG_ENUM |
| typedef enum TSK_FS_BLKLS_FLAG_ENUM | TSK_FS_BLKLS_FLAG_ENUM |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_BLOCK_WALK_CPP_CB) (const TskFsBlock *a_block, void *a_ptr) |
| Function definition used for callback to blockWalk(). More... | |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_DIR_WALK_CPP_CB) (TskFsFile *a_fs_file, const char *a_path, void *a_ptr) |
| Definition of callback function that is used by tsk_fs_dir_walk(). More... | |
| typedef enum TSK_FS_FFIND_FLAG_ENUM | TSK_FS_FFIND_FLAG_ENUM |
| typedef struct TSK_FS_FILE | TSK_FS_FILE |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_FILE_WALK_CPP_CB) (TskFsFile *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr) |
| File walk callback function definition. More... | |
| typedef enum TSK_FS_FLS_FLAG_ENUM | TSK_FS_FLS_FLAG_ENUM |
| typedef enum TSK_FS_IFIND_FLAG_ENUM | TSK_FS_IFIND_FLAG_ENUM |
| typedef enum TSK_FS_ILS_FLAG_ENUM | TSK_FS_ILS_FLAG_ENUM |
| typedef struct TSK_FS_INFO | TSK_FS_INFO |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_JBLK_WALK_CPP_CB) (TskFsInfo *a_fsInfo, char *a_string, int a_num, void *a_ptr) |
| Function definition for callback in TskFsInfo.jblkWalk(). More... | |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_JENTRY_WALK_CPP_CB) (TskFsInfo *a_fsInfo, TskFsJEntry *a_jentry, int a_num, void *a_ptr) |
| Function definition for callback in TskFsInfo.jentryWalk(). More... | |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_META_WALK_CPP_CB) (TskFsFile *a_fs_file, void *a_ptr) |
| inode walk callback function definition. More... | |
Generic File System Journal Data Structures | |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_JBLK_WALK_CB) (TSK_FS_INFO *, char *, int, void *) |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_JENTRY_WALK_CB) (TSK_FS_INFO *, TSK_FS_JENTRY *, int, void *) |
Functions | |
| int8_t | tsk_fs_blkcalc (TSK_FS_INFO *fs, TSK_FS_BLKCALC_FLAG_ENUM flags, TSK_DADDR_T cnt) |
| uint8_t | tsk_fs_blkcat (TSK_FS_INFO *fs, TSK_FS_BLKCAT_FLAG_ENUM flags, TSK_DADDR_T addr, TSK_DADDR_T read_num_units) |
| Read a specific number of blocks and print the contents to STDOUT. More... | |
| uint8_t | tsk_fs_blkls (TSK_FS_INFO *fs, TSK_FS_BLKLS_FLAG_ENUM lclflags, TSK_DADDR_T bstart, TSK_DADDR_T bend, TSK_FS_BLOCK_WALK_FLAG_ENUM flags) |
| uint8_t | tsk_fs_blkstat (TSK_FS_INFO *fs, TSK_DADDR_T addr) |
| TSK_WALK_RET_ENUM | tsk_fs_block_cpp_c_cb (const TSK_FS_BLOCK *a_block, void *a_ptr) |
| TSK_WALK_RET_ENUM | tsk_fs_dir_walk_cpp_c_cb (TSK_FS_FILE *a_file, const char *a_path, void *a_ptr) |
| uint8_t | tsk_fs_ffind (TSK_FS_INFO *fs, TSK_FS_FFIND_FLAG_ENUM lclflags, TSK_INUM_T inode, TSK_FS_ATTR_TYPE_ENUM type, uint8_t type_used, uint16_t id, uint8_t id_used, TSK_FS_DIR_WALK_FLAG_ENUM flags) |
| TSK_WALK_RET_ENUM | tsk_fs_file_cpp_c_cb (TSK_FS_FILE *a_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr) |
| uint8_t | tsk_fs_fls (TSK_FS_INFO *fs, TSK_FS_FLS_FLAG_ENUM lclflags, TSK_INUM_T inode, TSK_FS_DIR_WALK_FLAG_ENUM flags, TSK_TCHAR *pre, int32_t skew) |
| uint8_t | tsk_fs_icat (TSK_FS_INFO *fs, TSK_INUM_T inum, TSK_FS_ATTR_TYPE_ENUM type, uint8_t type_used, uint16_t id, uint8_t id_used, TSK_FS_FILE_WALK_FLAG_ENUM flags) |
| uint8_t | tsk_fs_ifind_data (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM flags, TSK_DADDR_T blk) |
| uint8_t | tsk_fs_ifind_par (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM flags, TSK_INUM_T par) |
| Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME). More... | |
| int8_t | tsk_fs_ifind_path (TSK_FS_INFO *fs, TSK_TCHAR *path, TSK_INUM_T *result) |
| Find the meta data address for a given file TCHAR name. More... | |
| uint8_t | tsk_fs_ils (TSK_FS_INFO *fs, TSK_FS_ILS_FLAG_ENUM lclflags, TSK_INUM_T istart, TSK_INUM_T ilast, TSK_FS_META_FLAG_ENUM flags, int32_t skew, const TSK_TCHAR *img) |
| Library API for inode walking. More... | |
| TSK_WALK_RET_ENUM | tsk_fs_jblk_walk_cpp_c_cb (TSK_FS_INFO *a_fsInfo, char *a_string, int a_num, void *a_ptr) |
| TSK_WALK_RET_ENUM | tsk_fs_jentry_walk_cpp_c_cb (TSK_FS_INFO *a_fsInfo, TSK_FS_JENTRY *a_jentry, int a_num, void *a_ptr) |
| TSK_WALK_RET_ENUM | tsk_fs_meta_walk_cpp_c_cb (TSK_FS_FILE *a_file, void *a_ptr) |
| int | tsk_fs_parse_inum (const TSK_TCHAR *str, TSK_INUM_T *, TSK_FS_ATTR_TYPE_ENUM *, uint8_t *, uint16_t *, uint8_t *) |
| Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there). More... | |
Generic File System Block Data Structure | |
| #define | TSK_FS_BLOCK_TAG 0x1b7c3f4a |
| enum | TSK_FS_BLOCK_FLAG_ENUM { TSK_FS_BLOCK_FLAG_UNUSED = 0x0000, TSK_FS_BLOCK_FLAG_ALLOC = 0x0001, TSK_FS_BLOCK_FLAG_UNALLOC = 0x0002, TSK_FS_BLOCK_FLAG_CONT = 0x0004, TSK_FS_BLOCK_FLAG_META = 0x0008, TSK_FS_BLOCK_FLAG_BAD = 0x0010, TSK_FS_BLOCK_FLAG_RAW = 0x0020, TSK_FS_BLOCK_FLAG_SPARSE = 0x0040, TSK_FS_BLOCK_FLAG_COMP = 0x0080, TSK_FS_BLOCK_FLAG_RES = 0x0100, TSK_FS_BLOCK_FLAG_AONLY = 0x0200 } |
| Flags that are used in TSK_FS_BLOCK and in callback of file_walk. More... | |
| enum | TSK_FS_BLOCK_WALK_FLAG_ENUM { TSK_FS_BLOCK_WALK_FLAG_NONE = 0x00, TSK_FS_BLOCK_WALK_FLAG_ALLOC = 0x01, TSK_FS_BLOCK_WALK_FLAG_UNALLOC = 0x02, TSK_FS_BLOCK_WALK_FLAG_CONT = 0x04, TSK_FS_BLOCK_WALK_FLAG_META = 0x08, TSK_FS_BLOCK_WALK_FLAG_AONLY = 0x10 } |
| Flags that are used to specify which blocks to call the tsk_fs_block_walk() callback function with. More... | |
| typedef enum TSK_FS_BLOCK_FLAG_ENUM | TSK_FS_BLOCK_FLAG_ENUM |
| typedef enum TSK_FS_BLOCK_WALK_FLAG_ENUM | TSK_FS_BLOCK_WALK_FLAG_ENUM |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_BLOCK_WALK_CB) (const TSK_FS_BLOCK *a_block, void *a_ptr) |
| Function definition used for callback to tsk_fs_block_walk(). More... | |
| void | tsk_fs_block_free (TSK_FS_BLOCK *a_fs_block) |
| Free the memory associated with the TSK_FS_BLOCK structure. More... | |
| TSK_FS_BLOCK * | tsk_fs_block_get (TSK_FS_INFO *fs, TSK_FS_BLOCK *fs_block, TSK_DADDR_T addr) |
| TSK_FS_BLOCK * | tsk_fs_block_get_flag (TSK_FS_INFO *a_fs, TSK_FS_BLOCK *a_fs_block, TSK_DADDR_T a_addr, TSK_FS_BLOCK_FLAG_ENUM a_flags) |
| Get the contents and flags of a specific file system block. More... | |
| uint8_t | tsk_fs_block_walk (TSK_FS_INFO *a_fs, TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr) |
| Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each. More... | |
Generic File System File Content Data Structures | |
| #define | TSK_FS_ATTR_ID_DEFAULT 0 |
| Default Data ID used if file system does not assign one. | |
| enum | TSK_FS_ATTR_RUN_FLAG_ENUM { TSK_FS_ATTR_RUN_FLAG_NONE = 0x00, TSK_FS_ATTR_RUN_FLAG_FILLER = 0x01, TSK_FS_ATTR_RUN_FLAG_SPARSE = 0x02 } |
| Flags used for a TSK_FS_ATTR_RUN entry. More... | |
| enum | TSK_FS_ATTR_FLAG_ENUM { TSK_FS_ATTR_FLAG_NONE = 0x00, TSK_FS_ATTR_INUSE = 0x01, TSK_FS_ATTR_NONRES = 0x02, TSK_FS_ATTR_RES = 0x04, TSK_FS_ATTR_ENC = 0x10, TSK_FS_ATTR_COMP = 0x20, TSK_FS_ATTR_SPARSE = 0x40, TSK_FS_ATTR_RECOVERY = 0x80 } |
| Flags used for the TSK_FS_ATTR structure, which is used to store file content metadata. More... | |
| enum | TSK_FS_FILE_WALK_FLAG_ENUM { TSK_FS_FILE_WALK_FLAG_NONE = 0x00, TSK_FS_FILE_WALK_FLAG_SLACK = 0x01, TSK_FS_FILE_WALK_FLAG_NOID = 0x02, TSK_FS_FILE_WALK_FLAG_AONLY = 0x04, TSK_FS_FILE_WALK_FLAG_NOSPARSE = 0x08 } |
| Flags used by tsk_fs_file_walk to determine when the callback function should be used. More... | |
| enum | TSK_FS_ATTR_TYPE_ENUM { TSK_FS_ATTR_TYPE_NOT_FOUND = 0x00, TSK_FS_ATTR_TYPE_DEFAULT = 0x01, TSK_FS_ATTR_TYPE_NTFS_SI = 0x10, TSK_FS_ATTR_TYPE_NTFS_ATTRLIST = 0x20, TSK_FS_ATTR_TYPE_NTFS_FNAME = 0x30, TSK_FS_ATTR_TYPE_NTFS_VVER = 0x40, TSK_FS_ATTR_TYPE_NTFS_OBJID = 0x40, TSK_FS_ATTR_TYPE_NTFS_SEC = 0x50, TSK_FS_ATTR_TYPE_NTFS_VNAME = 0x60, TSK_FS_ATTR_TYPE_NTFS_VINFO = 0x70, TSK_FS_ATTR_TYPE_NTFS_DATA = 0x80, TSK_FS_ATTR_TYPE_NTFS_IDXROOT = 0x90, TSK_FS_ATTR_TYPE_NTFS_IDXALLOC = 0xA0, TSK_FS_ATTR_TYPE_NTFS_BITMAP = 0xB0, TSK_FS_ATTR_TYPE_NTFS_SYMLNK = 0xC0, TSK_FS_ATTR_TYPE_NTFS_REPARSE = 0xC0, TSK_FS_ATTR_TYPE_NTFS_EAINFO = 0xD0, TSK_FS_ATTR_TYPE_NTFS_EA = 0xE0, TSK_FS_ATTR_TYPE_NTFS_PROP = 0xF0, TSK_FS_ATTR_TYPE_NTFS_LOG = 0x100, TSK_FS_ATTR_TYPE_UNIX_INDIR = 0x1001, TSK_FS_ATTR_TYPE_UNIX_EXTENT = 0x1002, TSK_FS_ATTR_TYPE_HFS_DEFAULT = 0x01, TSK_FS_ATTR_TYPE_HFS_DATA = 0x1100, TSK_FS_ATTR_TYPE_HFS_RSRC = 0x1101, TSK_FS_ATTR_TYPE_HFS_EXT_ATTR = 0x1102, TSK_FS_ATTR_TYPE_HFS_COMP_REC = 0x1103 } |
| These are based on the NTFS type values. More... | |
| typedef struct TSK_FS_ATTR_RUN | TSK_FS_ATTR_RUN |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_FILE_WALK_CB) (TSK_FS_FILE *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr) |
| File walk callback function definition. More... | |
| typedef struct TSK_FS_ATTR | TSK_FS_ATTR |
| uint8_t | tsk_fs_attr_walk (const TSK_FS_ATTR *a_fs_attr, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr) |
| Process an attribute and call a callback function with its contents. More... | |
Generic File System File Metadata Data Structures | |
| #define | TSK_FS_META_NAME_LIST_NSIZE 512 |
| Size of name array in TSK_FS_META_NAME_LIST structure. | |
| #define | TSK_FS_META_TYPE_STR_MAX 0x0b |
| Number of file types in shortname array. | |
| #define | TSK_FS_META_TAG 0x13524635 |
| #define | TSK_FS_ORPHAN_STR "-ORPHAN_FILE-" |
| String that is prepended to orphan FAT & NTFS files when the file name is known, but the parent is not. | |
| #define | TSK_FS_ORPHANDIR_INUM(fs_info) (fs_info->last_inum) |
| enum | TSK_FS_META_FLAG_ENUM { TSK_FS_META_FLAG_ALLOC = 0x01, TSK_FS_META_FLAG_UNALLOC = 0x02, TSK_FS_META_FLAG_USED = 0x04, TSK_FS_META_FLAG_UNUSED = 0x08, TSK_FS_META_FLAG_COMP = 0x10, TSK_FS_META_FLAG_ORPHAN = 0x20 } |
| Metadata flags used in TSK_FS_META.flags and in request to inode_walk. More... | |
| enum | TSK_FS_META_ATTR_FLAG_ENUM { TSK_FS_META_ATTR_EMPTY, TSK_FS_META_ATTR_STUDIED, TSK_FS_META_ATTR_ERROR } |
| enum | TSK_FS_META_TYPE_ENUM { TSK_FS_META_TYPE_UNDEF = 0x00, TSK_FS_META_TYPE_REG = 0x01, TSK_FS_META_TYPE_DIR = 0x02, TSK_FS_META_TYPE_FIFO = 0x03, TSK_FS_META_TYPE_CHR = 0x04, TSK_FS_META_TYPE_BLK = 0x05, TSK_FS_META_TYPE_LNK = 0x06, TSK_FS_META_TYPE_SHAD = 0x07, TSK_FS_META_TYPE_SOCK = 0x08, TSK_FS_META_TYPE_WHT = 0x09, TSK_FS_META_TYPE_VIRT = 0x0a } |
| Values for the mode field – which identifies the file type and permissions. More... | |
| enum | TSK_FS_META_MODE_ENUM { TSK_FS_META_MODE_UNSPECIFIED = 0000000, TSK_FS_META_MODE_ISUID = 0004000, TSK_FS_META_MODE_ISGID = 0002000, TSK_FS_META_MODE_ISVTX = 0001000, TSK_FS_META_MODE_IRUSR = 0000400, TSK_FS_META_MODE_IWUSR = 0000200, TSK_FS_META_MODE_IXUSR = 0000100, TSK_FS_META_MODE_IRGRP = 0000040, TSK_FS_META_MODE_IWGRP = 0000020, TSK_FS_META_MODE_IXGRP = 0000010, TSK_FS_META_MODE_IROTH = 0000004, TSK_FS_META_MODE_IWOTH = 0000002, TSK_FS_META_MODE_IXOTH = 0000001 } |
| enum | TSK_FS_META_CONTENT_TYPE_ENUM { TSK_FS_META_CONTENT_TYPE_DEFAULT = 0x0, TSK_FS_META_CONTENT_TYPE_EXT4_EXTENTS = 0x1 } |
| typedef struct TSK_FS_META_NAME_LIST | TSK_FS_META_NAME_LIST |
| typedef enum TSK_FS_META_FLAG_ENUM | TSK_FS_META_FLAG_ENUM |
| typedef enum TSK_FS_META_ATTR_FLAG_ENUM | TSK_FS_META_ATTR_FLAG_ENUM |
| typedef enum TSK_FS_META_TYPE_ENUM | TSK_FS_META_TYPE_ENUM |
| typedef enum TSK_FS_META_MODE_ENUM | TSK_FS_META_MODE_ENUM |
| typedef enum TSK_FS_META_CONTENT_TYPE_ENUM | TSK_FS_META_CONTENT_TYPE_ENUM |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_META_WALK_CB) (TSK_FS_FILE *a_fs_file, void *a_ptr) |
| inode walk callback function definition. More... | |
| char | tsk_fs_meta_type_str [TSK_FS_META_TYPE_STR_MAX][2] |
| Contains the short (1 character) name of the file type. | |
| uint8_t | tsk_fs_meta_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_start, TSK_INUM_T a_end, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_cb, void *a_ptr) |
| Walk a range of metadata structures and call a callback for each structure that matches the flags supplied. More... | |
| uint8_t | tsk_fs_meta_make_ls (const TSK_FS_META *a_fs_meta, char *a_buf, size_t a_len) |
| Makes the "ls -l" permissions string for a file. More... | |
Generic File System File Name Data Structures | |
| #define | TSK_FS_NAME_TYPE_STR_MAX 11 |
| Number of types that have a short string name. | |
| #define | TSK_FS_NAME_TAG 0x23147869 |
| #define | TSK_FS_DIR_TAG 0x97531246 |
| enum | TSK_FS_NAME_FLAG_ENUM { TSK_FS_NAME_FLAG_ALLOC = 0x01, TSK_FS_NAME_FLAG_UNALLOC = 0x02 } |
| File name flags that are used when specifying the status of a name in the TSK_FS_NAME structure. More... | |
| enum | TSK_FS_NAME_TYPE_ENUM { TSK_FS_NAME_TYPE_UNDEF = 0, TSK_FS_NAME_TYPE_FIFO = 1, TSK_FS_NAME_TYPE_CHR = 2, TSK_FS_NAME_TYPE_DIR = 3, TSK_FS_NAME_TYPE_BLK = 4, TSK_FS_NAME_TYPE_REG = 5, TSK_FS_NAME_TYPE_LNK = 6, TSK_FS_NAME_TYPE_SOCK = 7, TSK_FS_NAME_TYPE_SHAD = 8, TSK_FS_NAME_TYPE_WHT = 9, TSK_FS_NAME_TYPE_VIRT = 10 } |
| File type values – as specified in the directory entry structure. More... | |
| enum | TSK_FS_DIR_WALK_FLAG_ENUM { TSK_FS_DIR_WALK_FLAG_NONE = 0x00, TSK_FS_DIR_WALK_FLAG_ALLOC = 0x01, TSK_FS_DIR_WALK_FLAG_UNALLOC = 0x02, TSK_FS_DIR_WALK_FLAG_RECURSE = 0x04, TSK_FS_DIR_WALK_FLAG_NOORPHAN = 0x08 } |
| Flags that are used when walking names in directories. More... | |
| typedef TSK_WALK_RET_ENUM(* | TSK_FS_DIR_WALK_CB) (TSK_FS_FILE *a_fs_file, const char *a_path, void *a_ptr) |
| Definition of callback function that is used by tsk_fs_dir_walk(). More... | |
| char | tsk_fs_name_type_str [TSK_FS_NAME_TYPE_STR_MAX][2] |
| TSK_FS_DIR * | tsk_fs_dir_open_meta (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr) |
| Open a directory (using its metadata addr) so that each of the files in it can be accessed. More... | |
| TSK_FS_DIR * | tsk_fs_dir_open (TSK_FS_INFO *a_fs, const char *a_dir) |
| Open a directory (using its path) so that each of the files in it can be accessed. More... | |
| uint8_t | tsk_fs_dir_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_inode, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CB a_action, void *a_ptr) |
| Walk the file names in a directory and obtain the details of the files via a callback. More... | |
| size_t | tsk_fs_dir_getsize (const TSK_FS_DIR *) |
| Returns the number of files and subdirectories in a directory. More... | |
| TSK_FS_FILE * | tsk_fs_dir_get (const TSK_FS_DIR *, size_t) |
| Return a specific file or subdirectory from an open directory. More... | |
| const TSK_FS_NAME * | tsk_fs_dir_get_name (const TSK_FS_DIR *a_fs_dir, size_t a_idx) |
| Return only the name for a file or subdirectory from an open directory. More... | |
| void | tsk_fs_dir_close (TSK_FS_DIR *) |
| Close the directory that was opened with tsk_fs_dir_open() More... | |
| int8_t | tsk_fs_path2inum (TSK_FS_INFO *a_fs, const char *a_path, TSK_INUM_T *a_result, TSK_FS_NAME *a_fs_name) |
| Find the meta data address for a given file name (UTF-8). More... | |
Generic File System File Data Structures | |
| #define | TSK_FS_FILE_TAG 0x11212212 |
| enum | TSK_FS_FILE_READ_FLAG_ENUM { TSK_FS_FILE_READ_FLAG_NONE = 0x00, TSK_FS_FILE_READ_FLAG_SLACK = 0x01, TSK_FS_FILE_READ_FLAG_NOID = 0x02 } |
| Flags used by tsk_fs_file_read. More... | |
| void | tsk_fs_file_close (TSK_FS_FILE *a_fs_file) |
| Close an open file. More... | |
| TSK_FS_FILE * | tsk_fs_file_open (TSK_FS_INFO *a_fs, TSK_FS_FILE *a_fs_file, const char *a_path) |
| Return the handle structure for a specific file, given its full path. More... | |
| TSK_FS_FILE * | tsk_fs_file_open_meta (TSK_FS_INFO *fs, TSK_FS_FILE *fs_file, TSK_INUM_T addr) |
| Open a file given its metadata address. More... | |
| ssize_t | tsk_fs_file_read (TSK_FS_FILE *, TSK_OFF_T, char *, size_t, TSK_FS_FILE_READ_FLAG_ENUM) |
| Read the contents of a specific attribute of a file using a typical read() type interface. More... | |
| ssize_t | tsk_fs_file_read_type (TSK_FS_FILE *, TSK_FS_ATTR_TYPE_ENUM, uint16_t, TSK_OFF_T, char *, size_t, TSK_FS_FILE_READ_FLAG_ENUM) |
| Read the contents of a specific attribute of a file using a typical read() type interface and be able specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS). More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get (TSK_FS_FILE *a_fs_file) |
| Return the default attribute for the file. More... | |
| int | tsk_fs_file_attr_getsize (TSK_FS_FILE *a_fs_file) |
| Return the number of attributes in the file. More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get_idx (TSK_FS_FILE *a_fs_file, int a_idx) |
| Get a file's attribute based on the 0-based index in the list (and not type, id pair). More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM, uint16_t, uint8_t) |
| Return a specific type and id attribute for the file. More... | |
| const TSK_FS_ATTR * | tsk_fs_file_attr_get_id (TSK_FS_FILE *a_fs_file, uint16_t) |
| Return a specific attribute by its ID for the file. More... | |
| uint8_t | tsk_fs_file_walk (TSK_FS_FILE *a_fs_file, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr) |
| Process a file and call a callback function with the file contents. More... | |
| uint8_t | tsk_fs_file_walk_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr) |
| Process a specific attribute in a file and call a callback function with the file contents. More... | |
| ssize_t | tsk_fs_attr_read (const TSK_FS_ATTR *a_fs_attr, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags) |
| Read the contents of a given attribute using a typical read() type interface. More... | |
| uint8_t | tsk_fs_file_get_owner_sid (TSK_FS_FILE *, char **) |
| Returns a string representation of the security attributes of a file. More... | |
| uint8_t | tsk_fs_file_hash_calc (TSK_FS_FILE *, TSK_FS_HASH_RESULTS *, TSK_BASE_HASH_ENUM) |
| Returns a string containing the md5 hash of the given file. More... | |
Generic File System Handle Data Structure | |
| #define | TSK_FS_TYPE_ISNTFS(ftype) (((ftype) & TSK_FS_TYPE_NTFS_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for an NTFS file system. More... | |
| #define | TSK_FS_TYPE_ISFAT(ftype) (((ftype) & TSK_FS_TYPE_FAT_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a FAT file system. More... | |
| #define | TSK_FS_TYPE_ISFFS(ftype) (((ftype) & TSK_FS_TYPE_FFS_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a FFS file system. More... | |
| #define | TSK_FS_TYPE_ISEXT(ftype) (((ftype) & TSK_FS_TYPE_EXT_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a ExtX file system. More... | |
| #define | TSK_FS_TYPE_ISISO9660(ftype) (((ftype) & TSK_FS_TYPE_ISO9660_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a ISO9660 file system. More... | |
| #define | TSK_FS_TYPE_ISHFS(ftype) (((ftype) & TSK_FS_TYPE_HFS_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a HFS file system. More... | |
| #define | TSK_FS_TYPE_ISSWAP(ftype) (((ftype) & TSK_FS_TYPE_SWAP_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a swap "file system". More... | |
| #define | TSK_FS_TYPE_ISYAFFS2(ftype) (((ftype) & TSK_FS_TYPE_YAFFS2_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system. More... | |
| #define | TSK_FS_TYPE_ISRAW(ftype) (((ftype) & TSK_FS_TYPE_RAW_DETECT)?1:0) |
| Macro that takes a file system type and returns 1 if the type is for a raw "file system". More... | |
| #define | TSK_FS_INFO_TAG 0x10101010 |
| #define | TSK_FS_INFO_FS_ID_LEN 32 |
| enum | TSK_FS_TYPE_ENUM { TSK_FS_TYPE_DETECT = 0x00000000, TSK_FS_TYPE_NTFS = 0x00000001, TSK_FS_TYPE_NTFS_DETECT = 0x00000001, TSK_FS_TYPE_FAT12 = 0x00000002, TSK_FS_TYPE_FAT16 = 0x00000004, TSK_FS_TYPE_FAT32 = 0x00000008, TSK_FS_TYPE_EXFAT = 0x0000000a, TSK_FS_TYPE_FAT_DETECT = 0x0000000e, TSK_FS_TYPE_FFS1 = 0x00000010, TSK_FS_TYPE_FFS1B = 0x00000020, TSK_FS_TYPE_FFS2 = 0x00000040, TSK_FS_TYPE_FFS_DETECT = 0x00000070, TSK_FS_TYPE_EXT2 = 0x00000080, TSK_FS_TYPE_EXT3 = 0x00000100, TSK_FS_TYPE_EXT_DETECT = 0x00002180, TSK_FS_TYPE_SWAP = 0x00000200, TSK_FS_TYPE_SWAP_DETECT = 0x00000200, TSK_FS_TYPE_RAW = 0x00000400, TSK_FS_TYPE_RAW_DETECT = 0x00000400, TSK_FS_TYPE_ISO9660 = 0x00000800, TSK_FS_TYPE_ISO9660_DETECT = 0x00000800, TSK_FS_TYPE_HFS = 0x00001000, TSK_FS_TYPE_HFS_DETECT = 0x00001000, TSK_FS_TYPE_EXT4 = 0x00002000, TSK_FS_TYPE_YAFFS2 = 0x00004000, TSK_FS_TYPE_YAFFS2_DETECT = 0x00004000, TSK_FS_TYPE_UNSUPP = 0xffffffff } |
| Values for the file system type. More... | |
| enum | TSK_FS_INFO_FLAG_ENUM { TSK_FS_INFO_FLAG_NONE = 0x00, TSK_FS_INFO_FLAG_HAVE_SEQ = 0x01, TSK_FS_INFO_FLAG_HAVE_NANOSEC = 0x02 } |
| Flags for the FS_INFO structure. More... | |
| typedef enum TSK_FS_TYPE_ENUM | TSK_FS_TYPE_ENUM |
| typedef enum TSK_FS_INFO_FLAG_ENUM | TSK_FS_INFO_FLAG_ENUM |
| TSK_FS_INFO * | tsk_fs_open_img (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM) |
| Tries to process data in a disk image at a given offset as a file system. More... | |
| TSK_FS_INFO * | tsk_fs_open_vol (const TSK_VS_PART_INFO *, TSK_FS_TYPE_ENUM) |
| Tries to process data in a volume as a file system. More... | |
| void | tsk_fs_close (TSK_FS_INFO *) |
| Close an open file system. More... | |
| TSK_FS_TYPE_ENUM | tsk_fs_type_toid_utf8 (const char *) |
| Parse a string with the file system type and return its internal ID. More... | |
| TSK_FS_TYPE_ENUM | tsk_fs_type_toid (const TSK_TCHAR *) |
| Parse a string with the file system type and return its internal ID. More... | |
| void | tsk_fs_type_print (FILE *) |
| Print the supported file system types to a file handle. More... | |
| const char * | tsk_fs_type_toname (TSK_FS_TYPE_ENUM) |
| Return the string name of a file system type id. More... | |
| TSK_FS_TYPE_ENUM | tsk_fs_type_supported () |
| Return the supported file system types. More... | |
| ssize_t | tsk_fs_read (TSK_FS_INFO *a_fs, TSK_OFF_T a_off, char *a_buf, size_t a_len) |
| Read arbitrary data from inside of the file system. More... | |
| ssize_t | tsk_fs_read_block (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len) |
| Read a file system block into a char* buffer. More... | |
External header file for file system support.
Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_fs_i.h.
| #define TSK_FS_ISDOT | ( | str | ) |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CB) (const TSK_FS_BLOCK *a_block, void *a_ptr) |
Function definition used for callback to tsk_fs_block_walk().
| a_block | Pointer to block structure that holds block content and flags |
| a_ptr | Pointer that was supplied by the caller who called tsk_fs_block_walk |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CPP_CB) (const TskFsBlock *a_block, void *a_ptr) |
Function definition used for callback to blockWalk().
| a_block | Pointer to TskFsBlock object that holds block content and flags |
| a_ptr | Pointer that was supplied by the caller who called tsk_fs_block_walk |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CB) (TSK_FS_FILE *a_fs_file, const char *a_path, void *a_ptr) |
Definition of callback function that is used by tsk_fs_dir_walk().
This is is called for each file in a directory.
| a_fs_file | Pointer to the current file in the directory |
| a_path | Path of the file |
| a_ptr | Pointer that was originally passed by caller to tsk_fs_dir_walk. |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CPP_CB) (TskFsFile *a_fs_file, const char *a_path, void *a_ptr) |
Definition of callback function that is used by tsk_fs_dir_walk().
This is is called for each file in a directory.
| a_fs_file | Pointer to the current file in the directory |
| a_path | Path of the file |
| a_ptr | Pointer that was originally passed by caller to tsk_fs_dir_walk. |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CB) (TSK_FS_FILE *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr) |
File walk callback function definition.
This is called for chunks of content in the file being processed.
| a_fs_file | Pointer to file being processed |
| a_off | Byte offset in file that this data is for |
| a_addr | Address of data being passed (valid only if a_flags have RAW set) |
| a_buf | Pointer to buffer with file content |
| a_len | Size of data in buffer (in bytes) |
| a_flags | Flags about the file content |
| a_ptr | Pointer that was specified by caller to inode_walk |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CPP_CB) (TskFsFile *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr) |
File walk callback function definition.
This is called for chunks of content in the file being processed.
| a_fs_file | Pointer to file being processed |
| a_off | Byte offset in file that this data is for |
| a_addr | Address of data being passed (valid only if a_flags have RAW set) |
| a_buf | Pointer to buffer with file content |
| a_len | Size of data in buffer (in bytes) |
| a_flags | Flags about the file content |
| a_ptr | Pointer that was specified by caller to inode_walk |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_JBLK_WALK_CPP_CB) (TskFsInfo *a_fsInfo, char *a_string, int a_num, void *a_ptr) |
Function definition for callback in TskFsInfo.jblkWalk().
| a_fsInfo | File system being analyzed |
| a_string | |
| a_num | |
| a_ptr | Pointer that was supplied by the caller |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_JENTRY_WALK_CPP_CB) (TskFsInfo *a_fsInfo, TskFsJEntry *a_jentry, int a_num, void *a_ptr) |
Function definition for callback in TskFsInfo.jentryWalk().
| a_fsInfo | File system being analyzed |
| a_jentry | journal entry |
| a_num | |
| a_ptr | Pointer that was supplied by the caller. |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CB) (TSK_FS_FILE *a_fs_file, void *a_ptr) |
inode walk callback function definition.
This is called for every file that meets the critera specified when inode_walk was called.
| a_fs_file | Pointer to the current file |
| a_ptr | Pointer that was specified by caller to inode_walk |
| typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CPP_CB) (TskFsFile *a_fs_file, void *a_ptr) |
inode walk callback function definition.
This is called for every file that meets the critera specified when inode_walk was called.
| a_fs_file | Pointer to the current file |
| a_ptr | Pointer that was specified by caller to inode_walk |
Flags used for the TSK_FS_ATTR structure, which is used to store file content metadata.
Flags used for a TSK_FS_ATTR_RUN entry.
These are based on the NTFS type values.
Added types for HFS+. NOTE: Update bindings/java/src/org/sleuthkit/datamodel/TskData.java with any changes.
Flags that are used in TSK_FS_BLOCK and in callback of file_walk.
Note that some of these are dependent. A block can be either TSK_FS_BLOCK_FLAG_ALLOC or TSK_FS_BLOCK_FLAG_UNALLOC. It can be one of TSK_FS_BLOCK_FLAG_RAW, TSK_FS_BLOCK_FLAG_BAD, TSK_FS_BLOCK_FLAG_RES, TSK_FS_BLOCK_FLAG_SPARSE, or TSK_FS_BLOCK_FLAG_COMP. Note that some of these are set only by file_walk because they are file-level details, such as compression and sparse.
| Enumerator | |
|---|---|
| TSK_FS_BLOCK_FLAG_UNUSED |
Used to show that TSK_FS_BLOCK structure has no data in it. |
| TSK_FS_BLOCK_FLAG_ALLOC |
Block is allocated (and not TSK_FS_BLOCK_FLAG_UNALLOC) |
| TSK_FS_BLOCK_FLAG_UNALLOC |
Block is unallocated (and not TSK_FS_BLOCK_FLAG_ALLOC) |
| TSK_FS_BLOCK_FLAG_CONT |
Block (could) contain file content (and not TSK_FS_BLOCK_FLAG_META) |
| TSK_FS_BLOCK_FLAG_META |
Block (could) contain file system metadata (and not TSK_FS_BLOCK_FLAG_CONT) |
| TSK_FS_BLOCK_FLAG_BAD |
Block has been marked as bad by the file system. |
| TSK_FS_BLOCK_FLAG_RAW |
The data has been read raw from the disk (and not COMP or SPARSE) |
| TSK_FS_BLOCK_FLAG_SPARSE |
The data passed in the file_walk calback was stored as sparse (all zeros) (and not RAW or COMP) |
| TSK_FS_BLOCK_FLAG_COMP |
The data passed in the file_walk callback was stored in a compressed form (and not RAW or SPARSE) |
| TSK_FS_BLOCK_FLAG_RES |
The data passed in the file_walk callback is from an NTFS resident file. |
Flags that are used to specify which blocks to call the tsk_fs_block_walk() callback function with.
Flags that are used when walking names in directories.
These are used to identify which files to call the callback function on.
Flags used by tsk_fs_file_walk to determine when the callback function should be used.
Metadata flags used in TSK_FS_META.flags and in request to inode_walk.
Values for the mode field – which identifies the file type and permissions.
File name flags that are used when specifying the status of a name in the TSK_FS_NAME structure.
| Enumerator | |
|---|---|
| TSK_FS_NAME_FLAG_ALLOC |
Name is in an allocated state. |
| TSK_FS_NAME_FLAG_UNALLOC |
Name is in an unallocated state. |
File type values – as specified in the directory entry structure.
| uint8_t tsk_fs_blkcat | ( | TSK_FS_INFO * | fs, |
| TSK_FS_BLKCAT_FLAG_ENUM | lclflags, | ||
| TSK_DADDR_T | addr, | ||
| TSK_DADDR_T | read_num_units | ||
| ) |
Read a specific number of blocks and print the contents to STDOUT.
| fs | File system to analyze |
| lclflags | flags |
| addr | Starting block address to read from |
| read_num_units | Number of blocks to read |
References TSK_FS_INFO::block_size, TSK_FS_INFO::last_block, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_read_block(), and tsk_printf().
| uint8_t tsk_fs_file_get_owner_sid | ( | TSK_FS_FILE * | a_fs_file, |
| char ** | sid_str | ||
| ) |
Returns a string representation of the security attributes of a file.
| a_fs_file | The file to get security info about. |
| sid_str | A pointer to a pointer that will contain the SID string. This function will allocate the string and the caller must free it. |
References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().
| uint8_t tsk_fs_file_hash_calc | ( | TSK_FS_FILE * | a_fs_file, |
| TSK_FS_HASH_RESULTS * | a_hash_results, | ||
| TSK_BASE_HASH_ENUM | a_flags | ||
| ) |
Returns a string containing the md5 hash of the given file.
| a_fs_file | The file to calculate the hash of |
| a_hash_results | The results will be stored here (must be allocated beforehand) |
| a_flags | Indicates which hash algorithm(s) to use |
References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_hash_calc_callback(), tsk_fs_file_walk(), TSK_FS_FILE_WALK_FLAG_NONE, TSK_MD5_Final(), TSK_MD5_Init(), TSK_SHA_Final(), and TSK_SHA_Init().
| uint8_t tsk_fs_ifind_par | ( | TSK_FS_INFO * | fs, |
| TSK_FS_IFIND_FLAG_ENUM | lclflags, | ||
| TSK_INUM_T | par | ||
| ) |
Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME).
| fs | File system to search |
| lclflags | Flags |
| par | Parent directory MFT entry address |
References TSK_FS_INFO::first_inum, TSK_FS_INFO::inode_walk, TSK_FS_INFO::last_inum, and TSK_FS_META_FLAG_UNALLOC.
| int8_t tsk_fs_ifind_path | ( | TSK_FS_INFO * | fs, |
| TSK_TCHAR * | tpath, | ||
| TSK_INUM_T * | result | ||
| ) |
Find the meta data address for a given file TCHAR name.
| fs | FS to analyze | |
| tpath | Path of file to search for | |
| [out] | result | Meta data address of file |
References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_path2inum(), tsk_UTF16toUTF8_lclorder(), TSKconversionOK, and TSKlenientConversion.
| uint8_t tsk_fs_ils | ( | TSK_FS_INFO * | fs, |
| TSK_FS_ILS_FLAG_ENUM | lclflags, | ||
| TSK_INUM_T | istart, | ||
| TSK_INUM_T | ilast, | ||
| TSK_FS_META_FLAG_ENUM | flags, | ||
| int32_t | skew, | ||
| const TSK_TCHAR * | img | ||
| ) |
Library API for inode walking.
| fs | File system to analyze |
| lclflags | TSK_FS_ILS_XXX flag settings |
| istart | Starting inode address |
| ilast | Ending inode address |
| flags | Inode walk flags |
| skew | clock skew in seconds |
| img | Path to disk image name for header |
References TSK_FS_INFO::inode_walk, TSK_FS_META_FLAG_ALLOC, TSK_FS_META_FLAG_ORPHAN, and TSK_FS_META_FLAG_UNALLOC.
Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.