An interface that is used to represent a file. More...
#include <TskFile.h>
Public Member Functions | |
| virtual void | addGenInfoAttribute (TskBlackboardAttribute attr) |
| Add an attribute to the general info artifact for this file. More... | |
| virtual void | close ()=0 |
| Closes the open file. | |
| virtual TskBlackboardArtifact | createArtifact (int artifactTypeID) |
| Create a new artifact with the given type id. More... | |
| virtual TskBlackboardArtifact | createArtifact (TSK_ARTIFACT_TYPE type) |
| Create a new artifact with the given type. More... | |
| virtual TskBlackboardArtifact | createArtifact (string artifactTypeName) |
| Create a new artifact with the given type name. More... | |
| virtual bool | exists () const =0 |
| Tests if a local copy of the file exists at the default location. More... | |
| virtual vector < TskBlackboardArtifact > | getAllArtifacts () |
| Get all artifacts associated with this file. More... | |
| virtual vector < TskBlackboardArtifact > | getArtifacts (string artifactTypeName) |
| Get all artifacts associated with this file with the given type name. More... | |
| virtual vector < TskBlackboardArtifact > | getArtifacts (int artifactTypeID) |
| Get all artifacts associated with this file with the given type id. More... | |
| virtual vector < TskBlackboardArtifact > | getArtifacts (TSK_ARTIFACT_TYPE type) |
| Get all artifacts associated with this file with the given type. More... | |
| time_t | getAtime () const |
| Get the last access time. More... | |
| time_t | getCrtime () const |
| Get the creation time. More... | |
| time_t | getCtime () const |
| Get the change time. More... | |
| TSK_FS_NAME_FLAG_ENUM | getDirFlags () const |
| Get the directory flags. More... | |
| TSK_FS_NAME_TYPE_ENUM | getDirType () const |
| Get the directory type. More... | |
| std::string | getExtension () const |
| Get the extension. More... | |
| std::string | getFullPath () const |
| Get the path of the file in the disk image. More... | |
| virtual TskBlackboardArtifact | getGenInfo () |
| Get the general info artifact for this file. More... | |
| TSK_GID_T | getGid () const |
| Get the group id. More... | |
| std::string | getHash (TskImgDB::HASH_TYPE hashType) const |
| Get the pre-calculated hash value of the specified type. More... | |
| uint64_t | getId () const |
| Returns the file id. More... | |
| TskImgDB::KNOWN_STATUS | getKnownStatus () const |
| Return the known status of the file. More... | |
| TSK_FS_META_FLAG_ENUM | getMetaFlags () const |
| Get the metadata flags. More... | |
| TSK_FS_META_TYPE_ENUM | getMetaType () const |
| Get the metadata flags. More... | |
| TSK_FS_META_MODE_ENUM | getMode () const |
| Get the mode. More... | |
| time_t | getMtime () const |
| Get the modify time. More... | |
| std::string | getName () const |
| Get the name. More... | |
| uint64_t | getParentFileId () const |
| Get the parent file id. More... | |
| virtual std::string | getPath () const =0 |
| Get the fully qualified path of where this file should be locally stored. More... | |
| TSK_OFF_T | getSize () const |
| Get the file size. More... | |
| TskImgDB::FILE_STATUS | getStatus () const |
| Get the analysis status of the file (where it is in the analysis life cycle) More... | |
| TskImgDB::FILE_TYPES | getTypeId () const |
| Get the high-level type (file system, local, carved, etc.) | |
| TSK_UID_T | getUid () const |
| Get the user id. More... | |
| std::string | getUniquePath () const |
| Get the path of the file in the disk image. More... | |
| virtual bool | isDirectory () const =0 |
| virtual bool | isVirtual () const =0 |
| virtual void | open ()=0 |
| Open the file. More... | |
| virtual ssize_t | read (char *buf, const size_t count)=0 |
| Read file content into a buffer. More... | |
| virtual void | save () |
| Save the file to the default location. More... | |
| virtual TSK_OFF_T | seek (const TSK_OFF_T off, std::ios::seekdir origin=std::ios::beg)=0 |
| Set the byte offset within the file. More... | |
| void | setHash (TskImgDB::HASH_TYPE hashType, const std::string hash) |
| Sets the file's hash value in the database. More... | |
| void | setStatus (TskImgDB::FILE_STATUS status) |
| Set the file status (where it is in its analysis life cycle) | |
| virtual TSK_OFF_T | tell () const =0 |
| Get the current byte offset within the file. More... | |
| virtual | ~TskFile () |
| Delete the TskFile object. | |
Protected Member Functions | |
| void | initialize () |
| Loads the raw file data from the database. More... | |
Protected Attributes | |
| TskFileRecord | m_fileRecord |
| uint64_t | m_id |
| bool | m_isOpen |
| TSK_OFF_T | m_offset |
Detailed Description
An interface that is used to represent a file.
This interface is used during the analysis of a file and is typically created based on data in TskImgDB, which was created by CarveExtract or TskImageFile. Different implementations of this class may retrieve file content and metadata in different ways. TskFile objects are obtained from TskFileManager.
Member Function Documentation
|
virtual |
Add an attribute to the general info artifact for this file.
- Parameters
-
attr attribute to be added
References TskBlackboardArtifact::addAttribute(), and getGenInfo().
Referenced by TskDBBlackboard::createGenInfoAttribute().
|
virtual |
Create a new artifact with the given type id.
- Parameters
-
artifactTypeID type id
- Returns
- the new artifact
- Exceptions
-
error if the artifact type does not exist
References TskBlackboard::createArtifact(), TskServices::getBlackboard(), and TskServices::Instance().
Referenced by getGenInfo().
|
virtual |
Create a new artifact with the given type.
- Parameters
-
type artifact type
- Returns
- the new artifact
- Exceptions
-
error if the artifact type does not exist
References TskBlackboard::createArtifact(), TskServices::getBlackboard(), and TskServices::Instance().
|
virtual |
Create a new artifact with the given type name.
- Parameters
-
artifactTypeName artifact type name
- Returns
- the new artifact
- Exceptions
-
error if the artifact type does not exist
References TskBlackboard::createArtifact(), TskServices::getBlackboard(), and TskServices::Instance().
|
pure virtual |
Tests if a local copy of the file exists at the default location.
- Returns
- True if a file exists, false otherwise
Implemented in TskFileTsk.
Referenced by TskFileManagerImpl::addFile(), TskFileManagerImpl::copyDirectory(), TskFileManagerImpl::copyFile(), TskFileManagerImpl::deleteFile(), TskFileAnalysisPipeline::run(), and save().
|
virtual |
Get all artifacts associated with this file.
- Returns
- all artifacts
References TskServices::getBlackboard(), TskBlackboard::getMatchingArtifacts(), and TskServices::Instance().
|
virtual |
Get all artifacts associated with this file with the given type name.
- Parameters
-
artifactTypeName type name
- Returns
- all matching artifacts will return an empty vector if there are no matches
References TskBlackboard::getArtifacts(), TskServices::getBlackboard(), and TskServices::Instance().
Referenced by getGenInfo().
|
virtual |
Get all artifacts associated with this file with the given type id.
- Parameters
-
artifactTypeID type id
- Returns
- all matching artifacts will return an empty vector if there are no matches
References TskBlackboard::getArtifacts(), TskServices::getBlackboard(), and TskServices::Instance().
|
virtual |
Get all artifacts associated with this file with the given type.
- Parameters
-
type artifact type
- Returns
- all matching artifacts will return an empty vector if there are no matches
References TskBlackboard::getArtifacts(), TskServices::getBlackboard(), and TskServices::Instance().
| time_t TskFile::getAtime | ( | ) | const |
Get the last access time.
What is this files access time?
| time_t TskFile::getCrtime | ( | ) | const |
Get the creation time.
What is this files creation time?
| time_t TskFile::getCtime | ( | ) | const |
Get the change time.
What is this files change time?
| TSK_FS_NAME_FLAG_ENUM TskFile::getDirFlags | ( | ) | const |
Get the directory flags.
What are this files directory flags?
| TSK_FS_NAME_TYPE_ENUM TskFile::getDirType | ( | ) | const |
Get the directory type.
What is this files directory type?
| std::string TskFile::getExtension | ( | ) | const |
Get the extension.
What is this files extension?
| std::string TskFile::getFullPath | ( | ) | const |
Get the path of the file in the disk image.
This will not include the file name and will not include any information about the file system or volume that it was found in (if there were multiple file systems in the image.
- Returns
- Original path of the file.
|
virtual |
Get the general info artifact for this file.
- Returns
- the general info artifact or creates it if it has not already been made
References createArtifact(), getArtifacts(), and TSK_GEN_INFO.
Referenced by addGenInfoAttribute().
| TSK_GID_T TskFile::getGid | ( | ) | const |
Get the group id.
What is this files group id?
| std::string TskFile::getHash | ( | TskImgDB::HASH_TYPE | hashType) | const |
Get the pre-calculated hash value of the specified type.
- Parameters
-
hashType Type of hash to lookup
- Returns
- String of hash value or empty string if the value has not been calculated.
References TskImgDB::MD5, TskImgDB::SHA1, TskImgDB::SHA2_256, and TskImgDB::SHA2_512.
| uint64_t TskFile::getId | ( | ) | const |
Returns the file id.
What is this files id?
Referenced by TskFileManagerImpl::copyDirectory(), getKnownStatus(), TskFileTsk::open(), TskFileAnalysisPipeline::run(), TskFileManagerImpl::saveFile(), and setStatus().
| TskImgDB::KNOWN_STATUS TskFile::getKnownStatus | ( | ) | const |
Return the known status of the file.
- Returns
- KNOWN_STATUS or -1 on error
References getId(), TskServices::getImgDB(), TskImgDB::getKnownStatus(), and TskServices::Instance().
| TSK_FS_META_FLAG_ENUM TskFile::getMetaFlags | ( | ) | const |
Get the metadata flags.
What are this files metadata flags?
| TSK_FS_META_TYPE_ENUM TskFile::getMetaType | ( | ) | const |
Get the metadata flags.
What is this files metadata type?
| TSK_FS_META_MODE_ENUM TskFile::getMode | ( | ) | const |
Get the mode.
What is this files mode?
| time_t TskFile::getMtime | ( | ) | const |
Get the modify time.
What is this files modify time?
| std::string TskFile::getName | ( | ) | const |
Get the name.
What is this files name?
Referenced by TskFileManagerImpl::copyDirectory(), and TskFileAnalysisPipeline::run().
| uint64_t TskFile::getParentFileId | ( | ) | const |
Get the parent file id.
What is this files parent file id?
|
pure virtual |
Get the fully qualified path of where this file should be locally stored.
It does not check if the file is locally stored. Use exists() for that.
Implemented in TskFileTsk.
Referenced by TskFileManagerImpl::copyDirectory(), TskFileManagerImpl::copyFile(), and TskFileManagerImpl::deleteFile().
| TSK_OFF_T TskFile::getSize | ( | ) | const |
Get the file size.
What is this files size?
Referenced by TskFileTsk::read(), and TskFileTsk::seek().
| TskImgDB::FILE_STATUS TskFile::getStatus | ( | ) | const |
Get the analysis status of the file (where it is in the analysis life cycle)
What is this files status?
Referenced by TskFileAnalysisPipeline::run().
| TSK_UID_T TskFile::getUid | ( | ) | const |
Get the user id.
What is this files user id?
| std::string TskFile::getUniquePath | ( | ) | const |
Get the path of the file in the disk image.
This will not include the file name but will include either information about the file system or volume that it was found in or an indicator that the file was produced by carving.
- Returns
- Original path of the file.
References TskImgDB::getFileRecord(), TskServices::getImgDB(), and TskServices::Instance().
|
protected |
Loads the raw file data from the database.
- Exceptions
-
TskException on error
References TskImgDB::getFileRecord(), TskServices::getImgDB(), and TskServices::Instance().
Referenced by TskFileTsk::TskFileTsk().
|
pure virtual |
- Returns
- True if this is a directory, false otherwise
Implemented in TskFileTsk.
Referenced by TskFileManagerImpl::copyDirectory(), TskFileManagerImpl::copyFile(), and TskPipeline::excludeFile().
|
pure virtual |
- Returns
- True if this is a "virtual" file, false otherwise
Implemented in TskFileTsk.
Referenced by TskPipeline::excludeFile().
|
pure virtual |
Open the file.
Must be called before reading. Implementations must support concept of open() being called multiple times even if file is already open.
- Exceptions
-
TskFileException on error
Implemented in TskFileTsk.
Referenced by TskFileManagerImpl::copyFile(), TskFileAnalysisPipeline::run(), and save().
|
pure virtual |
Read file content into a buffer.
Reads from end of last read.
- Parameters
-
buf Buffer into which file content will be placed. Must be at least "count" bytes in size. count The number of bytes to read from the file.
- Returns
- The number of bytes read or -1 on error.
Implemented in TskFileTsk.
Referenced by TskFileManagerImpl::copyFile().
|
virtual |
Save the file to the default location.
This is a simple wrapper around TskFileManager::saveFile.
- Exceptions
-
TskException if file id is zero along with exceptions thrown by TskFileManager::saveFile.
References exists(), TskServices::getFileManager(), TskServices::Instance(), LOGERROR, open(), and TskFileManager::saveFile().
|
pure virtual |
Set the byte offset within the file.
If the second parameter is not supplied the offset will be set relative to the beginning of the file.
- Parameters
-
off Number off bytes to offset from origin. origin The point from which the given offset is relative to. Defaults to beginning of file. If origin is std::ios::end the offset must be a negative number.
- Returns
- The absolute file offset resulting from the repositioning.
- Exceptions
-
TskFileException if file is not open or if you attempt to seek to an invalid offset.
Implemented in TskFileTsk.
Referenced by TskFileManagerImpl::copyFile(), and TskFileAnalysisPipeline::run().
| void TskFile::setHash | ( | TskImgDB::HASH_TYPE | hashType, |
| const std::string | hash | ||
| ) |
Sets the file's hash value in the database.
note that hash values are not stored in the blackboard.
- Parameters
-
hashType Type of hash value hash String value of hash.
References TskServices::Instance(), TskImgDB::MD5, TskImgDB::SHA1, TskImgDB::SHA2_256, and TskImgDB::SHA2_512.
|
pure virtual |
Get the current byte offset within the file.
- Returns
- Current byte offset.
- Exceptions
-
TskFileException if file is not open.
Implemented in TskFileTsk.
Referenced by TskFileManagerImpl::copyFile().
The documentation for this class was generated from the following files:
- framework/tsk/framework/file/TskFile.h
- framework/tsk/framework/file/TskFile.cpp