A Sleuth Kit implementation of the TskImageFile interface. More...
#include <TskImageFileTsk.h>
Public Member Functions | |
| virtual void | close () |
| Close the disk image. | |
| virtual int | closeFile (const int handle) |
| Closes an opened file. More... | |
| virtual int | extractFiles () |
| Analyze the volume and file systems in the opened images and populate the TskImgDB instance registered with TskServices. More... | |
| virtual int | getByteData (const uint64_t byte_start, const uint64_t byte_len, char *buffer) |
| Return the data located at the given byte offset in the disk image. More... | |
| virtual std::vector< std::string > | getFileNames () const |
| Return the file name(s) that make up the image. | |
| virtual std::vector< std::wstring > | getFileNamesW () const |
| virtual int | getSectorData (const uint64_t sect_start, const uint64_t sect_len, char *buffer) |
| Return the data located at the given sector offset in the disk image. More... | |
| virtual int | open () |
| open the images at the paths saved in ImgDB More... | |
| virtual int | open (const TSK_TCHAR *imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0) |
| Opens a single (non-split) disk image file so that it can be read. More... | |
| virtual int | open (const int numberOfImages, const TSK_TCHAR *const imageFile[], const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0) |
| Opens one or more disk image files so that they can be read. More... | |
| virtual int | open (const std::string &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0) |
| Opens a single (non-split) disk image file so that it can be read. More... | |
| virtual int | open (const std::wstring &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0) |
| Opens a single (non-split) disk image file so that it can be read. More... | |
| virtual int | open (const std::vector< std::string > &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0) |
| Opens one or more disk image files so that they can be read. More... | |
| virtual int | open (const std::vector< std::wstring > &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0) |
| Opens one or more disk image files so that they can be read. More... | |
| virtual int | openFile (const uint64_t fileId) |
| Provides access to the content of a specific file that was extracted from the disk image. More... | |
| virtual int | readFile (const int handle, const TSK_OFF_T byte_offset, const size_t byte_len, char *buffer) |
| Reads content of a file that was opened with openFile(). More... | |
 Public Member Functions inherited from TskImageFile | |
| TskImageFile () | |
| You must call one of the open() methods after creating the object. | |
Detailed Description
A Sleuth Kit implementation of the TskImageFile interface.
TskImageFile defines an interface for interacting with disk images. TskImageFileTsk is an implementation of that interface that uses The Sleuth Kit
Member Function Documentation
|
virtual |
Closes an opened file.
- Parameters
-
handle File handle that was returned by an earlier call to openFile()
Implements TskImageFile.
References LOGERROR, openFile(), and tsk_fs_file_close().
Referenced by close().
|
virtual |
Analyze the volume and file systems in the opened images and populate the TskImgDB instance registered with TskServices.
This will not perform file carving.
- Returns
- 1 if there was a major error that prevented any extraction. 0 will be returned if there were minor errors during extraction or if there were no errors.
Implements TskImageFile.
References TskImgDB::addImageName(), TSKAutoImpl::extractFiles(), TSK_IMG_INFO::itype, LOGERROR, TSKAutoImpl::scanImgForFs(), TSK_IMG_INFO::sector_size, and tsk_error_get().
|
virtual |
Return the data located at the given byte offset in the disk image.
- Parameters
-
byte_start Byte offset into image from which to return data byte_len Number of bytes to read buffer A buffer into which data will be placed. Must be at least byte_len large
- Returns
- Number of bytes read or -1 on error
Implements TskImageFile.
References LOGERROR, open(), tsk_error_get(), and tsk_img_read().
Referenced by getSectorData().
|
virtual |
Return the data located at the given sector offset in the disk image.
- Parameters
-
sect_start Sector offset into image from which to return data sect_len Number of sectors to read buffer A buffer into which data will be placed. Must be at least len * 512 large
- Returns
- Number of sectors read or -1 on error
Implements TskImageFile.
References getByteData().
|
virtual |
open the images at the paths saved in ImgDB
- Returns
- 0 on success and -1 on error
Implements TskImageFile.
References close(), and LOGERROR.
Referenced by getByteData(), open(), and openFile().
|
virtual |
Opens a single (non-split) disk image file so that it can be read.
- Parameters
-
imageFile The path to the image file imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implements TskImageFile.
References close(), and TskUtilities::toUTF8().
|
virtual |
Opens one or more disk image files so that they can be read.
e UTF8, then consider
- Parameters
-
numberOfImages The number of images to open (will be > 1 for split images). imageFile The path to the image files (the number of files must be equal to num_img and they must be in a sorted order) imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implements TskImageFile.
References close(), and TskUtilities::toUTF8().
|
virtual |
Opens a single (non-split) disk image file so that it can be read.
This version always takes a UTF-8 encoding of the disk image.
- Parameters
-
imageFile The UTF-8 path to the image file imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implements TskImageFile.
References close().
|
virtual |
Opens a single (non-split) disk image file so that it can be read.
- Parameters
-
imageFile The path to the image file imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implements TskImageFile.
References open(), and TskUtilities::toUTF8().
|
virtual |
Opens one or more disk image files so that they can be read.
This version always takes a UTF-8 encoding of the image files.
- Parameters
-
imageFile A vector of UTF-8 encoded image files imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implements TskImageFile.
References close().
|
virtual |
Opens one or more disk image files so that they can be read.
- Parameters
-
imageFile A vector of image files imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implements TskImageFile.
References close(), and TskUtilities::toUTF8().
|
virtual |
Provides access to the content of a specific file that was extracted from the disk image.
- Parameters
-
fileId ID of the file (can be found in database)
- Returns
- A handle to the file or -1 on error.
Implements TskImageFile.
References LOGERROR, open(), tsk_error_get(), TSK_FS_ATTR_TYPE_NOT_FOUND, tsk_fs_file_attr_get_id(), tsk_fs_file_open_meta(), tsk_fs_open_img(), and TSK_FS_TYPE_DETECT.
Referenced by closeFile(), and readFile().
|
virtual |
Reads content of a file that was opened with openFile().
- Parameters
-
handle File handle that was returned by an earlier call to openFile() byte_offset Starting byte offset from which to read data byte_len The number of bytes to read buffer A buffer into which data will be placed. Must be at least byte_len bytes.
- Returns
- Number of bytes read or -1 on error
Implements TskImageFile.
References LOGERROR, openFile(), tsk_error_get(), tsk_fs_attr_read(), TSK_FS_FILE_READ_FLAG_NONE, and TSK_FS_META_FLAG_ALLOC.
The documentation for this class was generated from the following files:
- framework/tsk/framework/extraction/TskImageFileTsk.h
- framework/tsk/framework/extraction/TskImageFileTsk.cpp