Implements TskAuto and is used to analyze the data in a disk image and populate TskImgDB with the results. More...
#include <TskAutoImpl.h>
Public Member Functions | |
| virtual void | closeImage () |
| uint8_t | extractFiles () |
| Main method to call for this class after image has been opened as it takes care of the transactions. | |
| virtual TSK_FILTER_ENUM | filterFs (TSK_FS_INFO *fs_info) |
| virtual TSK_FILTER_ENUM | filterVol (const TSK_VS_PART_INFO *vs_part) |
| virtual uint8_t | handleError () |
| virtual uint8_t | openImage (TSK_IMG_INFO *) |
| virtual TSK_RETVAL_ENUM | processFile (TSK_FS_FILE *fs_file, const char *path) |
| uint8_t | scanImgForFs (const uint64_t sect_start, const uint64_t sect_count=1024) |
| Scan the image for file systems creating allocated volumes for file systems found and unallocated volumes for areas in the image that do not contain file systems. More... | |
 Public Member Functions inherited from TskAuto | |
| virtual TSK_FILTER_ENUM | filterVs (const TSK_VS_INFO *vs_info) |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype, TSK_INUM_T inum) |
| uint8_t | findFilesInFs (TSK_FS_INFO *a_fs_info) |
| uint8_t | findFilesInFs (TSK_OFF_T start) |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype) |
| uint8_t | findFilesInFs (TSK_OFF_T start, TSK_INUM_T inum) |
| TSK_RETVAL_ENUM | findFilesInFsRet (TSK_OFF_T start, TSK_FS_TYPE_ENUM a_ftype) |
| uint8_t | findFilesInImg () |
| uint8_t | findFilesInVs (TSK_OFF_T start) |
| uint8_t | findFilesInVs (TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype) |
| std::string | getCurVsPartDescr () const |
| TSK_VS_PART_FLAG_ENUM | getCurVsPartFlag () const |
| const std::vector< error_record > | getErrorList () |
| TSK_OFF_T | getImageSize () const |
| bool | getStopProcessing () const |
| bool | isCurVsValid () const |
| virtual uint8_t | openImage (int, const TSK_TCHAR *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| virtual uint8_t | openImageHandle (TSK_IMG_INFO *) |
| virtual uint8_t | openImageUtf8 (int, const char *const images[], TSK_IMG_TYPE_ENUM, unsigned int a_ssize) |
| uint8_t | registerError () |
| void | resetErrorList () |
| void | setFileFilterFlags (TSK_FS_DIR_WALK_FLAG_ENUM) |
| void | setVolFilterFlags (TSK_VS_PART_FLAG_ENUM) |
Additional Inherited Members | |
| Protected Member Functions inherited from TskAuto | |
| uint8_t | isDefaultType (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr) |
| uint8_t | isDir (TSK_FS_FILE *fs_file) |
| uint8_t | isDotDir (TSK_FS_FILE *fs_file) |
| uint8_t | isFATSystemFiles (TSK_FS_FILE *fs_file) |
| uint8_t | isFile (TSK_FS_FILE *fs_file) |
| uint8_t | isNonResident (const TSK_FS_ATTR *fs_attr) |
| uint8_t | isNtfsSystemFiles (TSK_FS_FILE *fs_file, const char *path) |
| TSK_RETVAL_ENUM | processAttributes (TSK_FS_FILE *fs_file, const char *path) |
| void | setStopProcessing () |
| Protected Attributes inherited from TskAuto | |
| bool | m_internalOpen |
| bool | m_stopAllProcessing |
Detailed Description
Implements TskAuto and is used to analyze the data in a disk image and populate TskImgDB with the results.
Call extractFiles() after image has been opened. Will queue up files and submit them after m_numOfFilesToQueue files are added to the queue.
Member Function Documentation
| uint8_t TSKAutoImpl::scanImgForFs | ( | const uint64_t | sect_start, |
| const uint64_t | sect_count = 1024 |
||
| ) |
Scan the image for file systems creating allocated volumes for file systems found and unallocated volumes for areas in the image that do not contain file systems.
Will initially look for file system in first sect_count sectors. If a file system is found then it will continue to process the remainder of the image for other file systems.
- Parameters
-
sect_start Start looking for file systems starting at this sector. sect_count The initial number of sectors to scan for file systems.
- Returns
- 0 on success, 1 on failure
References TSK_FS_INFO::block_count, TSK_FS_INFO::block_size, TskAuto::findFilesInFs(), LOGERROR, LOGINFO, TSK_FS_INFO::offset, tsk_fs_close(), tsk_fs_open_img(), TSK_FS_TYPE_DETECT, and TSK_VS_PART_FLAG_UNALLOC.
Referenced by TskImageFileTsk::extractFiles().
The documentation for this class was generated from the following files:
- framework/tsk/framework/extraction/TskAutoImpl.h
- framework/tsk/framework/extraction/TskAutoImpl.cpp