Sleuth Kit Java Bindings (JNI)  4.10.0
Java bindings for using The Sleuth Kit
SleuthkitJNI.java
Go to the documentation of this file.
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2011-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import java.io.BufferedReader;
22 import java.io.FileReader;
23 import java.io.IOException;
24 import java.text.DateFormat;
25 import java.text.SimpleDateFormat;
26 import java.util.ArrayList;
27 import java.util.Arrays;
28 import java.util.GregorianCalendar;
29 import java.util.HashMap;
30 import java.util.HashSet;
31 import java.util.List;
32 import java.util.Map;
33 import java.util.Set;
34 import java.util.TimeZone;
35 import java.util.UUID;
36 import java.util.concurrent.locks.ReadWriteLock;
37 import java.util.concurrent.locks.ReentrantReadWriteLock;
38 import java.util.logging.Level;
39 import java.util.logging.Logger;
40 import org.apache.commons.lang3.StringUtils;
41 import org.sleuthkit.datamodel.TskData.TSK_FS_ATTR_TYPE_ENUM;
42 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
43 
52 public class SleuthkitJNI {
53 
54  private static final Logger logger = Logger.getLogger(SleuthkitJNI.class.getName());
55 
62  private static final ReadWriteLock tskLock = new ReentrantReadWriteLock();
63 
64  /*
65  * Loads the SleuthKit libraries.
66  */
67  static {
68  LibraryUtils.loadSleuthkitJNI();
69  }
70 
75  private SleuthkitJNI() {
76  }
77 
81  private static class CaseHandles {
82  /*
83  * A SleuthKit image handle cache implemented as a mappng of
84  * concatenated image file paths to image handles.
85  */
86  private final Map<String, Long> imageHandleCache = new HashMap<>();
87 
88  /*
89  * A SleuthKit file system handles cache implemented as a mapping of
90  * image handles to image offset and file system handle pairs.
91  */
92  private final Map<Long, Map<Long, Long>> fsHandleCache = new HashMap<>();
93 
94  /*
95  * The collection of open file handles. We will only allow requests
96  * through to the C code if the file handle exists in this collection.
97  */
98  private final Set<Long> fileHandleCache = new HashSet<>();
99 
100  private final Map<Long, List<Long>> fileSystemToFileHandles = new HashMap<>();
101 
102  private final Map<Long, Map<Long, Long>> poolHandleCache = new HashMap<>();
103 
104  // The poolImgCache is only used to close the images later.
105  private final List<Long> poolImgCache = new ArrayList<>();
106 
107  /*
108  * Currently, our APFS code is not thread-safe and it is the only code
109  * that uses pools. To prevent crashes, we make any reads to a file system
110  * contained in a pool single-threaded. This cache keeps track of which
111  * open file system handles are contained in a pool so we can set the locks
112  * appropriately.
113  */
114  private final List<Long> poolFsList = new ArrayList<>();
115 
116  private CaseHandles() {
117  // Nothing to do here
118  }
119  }
120 
127  private static class HandleCache {
128 
129  /*
130  * A monitor used to guard access to cached Sleuthkit JNI handles.
131  */
132  private static final Object cacheLock = new Object();
133 
134  private static final Map<String, CaseHandles> caseHandlesCache = new HashMap<>();
135 
136  private static final String INVALID_FILE_HANDLE = "Invalid file handle."; //NON-NLS
137 
138  /*
139  * Currently, our APFS code is not thread-safe and it is the only code
140  * that uses pools. To prevent crashes, we make any reads to a file system
141  * contained in a pool single-threaded. This cache keeps track of which
142  * open file handles are contained in a pool so we can set the locks
143  * appropriately.
144  *
145  * Access to this list should be guarded by cacheLock.
146  */
147  private static final List<Long> poolFileHandles = new ArrayList<>();
148 
154  private static void createCaseHandleCache(String caseIdentifier) {
155  caseHandlesCache.put(caseIdentifier, new CaseHandles());
156  }
157 
166  private static String getDefaultCaseIdentifier() throws TskCoreException {
167  synchronized (cacheLock) {
168  if (caseHandlesCache.keySet().size() > 1) {
169  throw new TskCoreException("Can not get default case identifier with multiple open cases");
170  } else if (caseHandlesCache.keySet().isEmpty()) {
171  throw new TskCoreException("Can not get default case identifier with no open case");
172  }
173 
174  return (caseHandlesCache.keySet().iterator().next());
175  }
176  }
177 
187  private static CaseHandles getCaseHandles(String caseIdentifier) throws TskCoreException {
188  synchronized (cacheLock) {
189  if (caseHandlesCache.containsKey(caseIdentifier)) {
190  return caseHandlesCache.get(caseIdentifier);
191  }
192  // If the CaseHandles object isn't in there, it should mean the case has been closed.
193  throw new TskCoreException("No entry for case " + caseIdentifier + " in cache. Case may have been closed");
194  }
195  }
196 
202  private static void removeCaseHandlesCache(String caseIdentifier) {
203  synchronized (cacheLock) {
204  if (caseHandlesCache.containsKey(caseIdentifier)) {
205  caseHandlesCache.get(caseIdentifier).fsHandleCache.clear();
206  caseHandlesCache.get(caseIdentifier).imageHandleCache.clear();
207  caseHandlesCache.get(caseIdentifier).fileHandleCache.clear();
208  caseHandlesCache.get(caseIdentifier).fileSystemToFileHandles.clear();
209  caseHandlesCache.get(caseIdentifier).poolHandleCache.clear();
210  caseHandlesCache.remove(caseIdentifier);
211  }
212  }
213  }
214 
222  private static boolean isImageInAnyCache(long imgHandle) {
223  synchronized (cacheLock) {
224  for (String caseIdentifier:caseHandlesCache.keySet()) {
225  if (caseHandlesCache.get(caseIdentifier).fsHandleCache.keySet().contains(imgHandle)) {
226  return true;
227  }
228  }
229  return false;
230  }
231  }
232 
240  private static void addFileHandle(String caseIdentifier, long fileHandle, long fsHandle) {
241  try {
242  synchronized (cacheLock) {
243  // Add to collection of open file handles.
244  getCaseHandles(caseIdentifier).fileHandleCache.add(fileHandle);
245 
246  // Add to map of file system to file handles.
247  if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
248  getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle).add(fileHandle);
249  } else {
250  getCaseHandles(caseIdentifier).fileSystemToFileHandles.put(fsHandle, new ArrayList<>(Arrays.asList(fileHandle)));
251  }
252  }
253  } catch (TskCoreException ex) {
254  logger.log(Level.WARNING, "Error caching file handle for case {0}", caseIdentifier);
255  }
256  }
257 
264  private static void removeFileHandle(long fileHandle, SleuthkitCase skCase) {
265  synchronized (cacheLock) {
266  // Remove from collection of open file handles.
267  if (skCase != null) {
268  try {
269  getCaseHandles(skCase.getCaseHandleIdentifier()).fileHandleCache.remove(fileHandle);
270  } catch (TskCoreException ex) {
271  // If the call to getCaseHandles() failed, we've already cleared the cache.
272  }
273  } else {
274  // If we don't know what case the handle is from, delete the first one we find
275  for (String caseIdentifier:caseHandlesCache.keySet()) {
276  if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
277  caseHandlesCache.get(caseIdentifier).fileHandleCache.remove(fileHandle);
278  return;
279  }
280  }
281  }
282  }
283  }
284 
292  private static boolean isValidFileHandle(long fileHandle) {
293  synchronized (cacheLock) {
294  for (String caseIdentifier:caseHandlesCache.keySet()) {
295  if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
296  return true;
297  }
298  }
299  return false;
300  }
301  }
302 
303  private static void closeHandlesAndClearCache(String caseIdentifier) throws TskCoreException {
304  synchronized (cacheLock) {
305  /*
306  * Close any cached file system handles.
307  */
308  for (Map<Long, Long> imageToFsMap : getCaseHandles(caseIdentifier).fsHandleCache.values()) {
309  for (Long fsHandle : imageToFsMap.values()) {
310  // First close all open file handles for the file system.
311  if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
312  for (Long fileHandle : getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle)) {
313  // Update the cache of file handles contained in pools
314  if (poolFileHandles.contains(fileHandle)) {
315  poolFileHandles.remove(fileHandle);
316  }
317  closeFile(fileHandle);
318  }
319  }
320  // Then close the file system handle.
321  closeFsNat(fsHandle);
322  }
323  }
324 
325  /*
326  * Clear out the list of pool file systems.
327  */
328  getCaseHandles(caseIdentifier).poolFsList.clear();
329 
330  /*
331  * Close any cached pools
332  */
333  for (Long imgHandle : getCaseHandles(caseIdentifier).poolHandleCache.keySet()) {
334  for (Long poolHandle : getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle).values()) {
335  closePoolNat(poolHandle);
336  }
337  }
338 
339  /*
340  * Close any open pool images
341  */
342  for (Long imageHandle : getCaseHandles(caseIdentifier).poolImgCache) {
343  closeImgNat(imageHandle);
344  }
345 
346  /*
347  * Close any cached image handles.
348  */
349  for (Long imageHandle : getCaseHandles(caseIdentifier).imageHandleCache.values()) {
350  closeImgNat(imageHandle);
351  }
352 
353  removeCaseHandlesCache(caseIdentifier);
354  }
355 
356  }
357  }
358 
363  public static class CaseDbHandle {
364 
365  /*
366  * A unique indentifier for a case
367  */
368  private final String caseDbIdentifier;
369 
376  private CaseDbHandle(String databaseName) {
377  this.caseDbIdentifier = "SingleUser:" + databaseName; // NON-NLS
378  HandleCache.createCaseHandleCache(caseDbIdentifier);
379  }
380 
388  private CaseDbHandle(String databaseName, CaseDbConnectionInfo info) {
389  this.caseDbIdentifier = "MultiUser:" + info.getHost() + ":" + databaseName;
390  HandleCache.createCaseHandleCache(caseDbIdentifier);
391  }
392 
398  String getCaseDbIdentifier() {
399  return caseDbIdentifier;
400  }
401 
408  void free() throws TskCoreException {
409  tskLock.writeLock().lock();
410  try {
411  HandleCache.closeHandlesAndClearCache(caseDbIdentifier);
412  //SleuthkitJNI.closeCaseDbNat(caseDbIdentifier);
413  } finally {
414  tskLock.writeLock().unlock();
415  }
416  }
417 
441  long addImageInfo(long deviceObjId, List<String> imageFilePaths, String timeZone, SleuthkitCase skCase) throws TskCoreException {
442  TskCaseDbBridge dbHelper = new TskCaseDbBridge(skCase, new DefaultAddDataSourceCallbacks());
443  try {
444  long tskAutoDbPointer = initializeAddImgNat(dbHelper, timezoneLongToShort(timeZone), false, false, false);
445  runOpenAndAddImgNat(tskAutoDbPointer, UUID.randomUUID().toString(), imageFilePaths.toArray(new String[0]), imageFilePaths.size(), timeZone);
446  long id = finishAddImgNat(tskAutoDbPointer);
447  dbHelper.finish();
448  skCase.addDataSourceToHasChildrenMap();
449  return id;
450  } catch (TskDataException ex) {
451  throw new TskCoreException("Error adding image to case database", ex);
452  }
453  }
454 
471  AddImageProcess initAddImageProcess(String timeZone, boolean addUnallocSpace, boolean skipFatFsOrphans, String imageCopyPath, SleuthkitCase skCase) {
472  return new AddImageProcess(timeZone, addUnallocSpace, skipFatFsOrphans, imageCopyPath, skCase);
473  }
474 
479  public class AddImageProcess {
480 
481  private final String timeZone;
482  private final boolean addUnallocSpace;
483  private final boolean skipFatFsOrphans;
484  private final String imageWriterPath;
485  private volatile long tskAutoDbPointer;
486  private long imageId = 0;
487  private boolean isCanceled;
488  private final SleuthkitCase skCase;
489  private TskCaseDbBridge dbHelper;
490 
504  private AddImageProcess(String timeZone, boolean addUnallocSpace, boolean skipFatFsOrphans, String imageWriterPath, SleuthkitCase skCase) {
505  this.timeZone = timeZone;
506  this.addUnallocSpace = addUnallocSpace;
507  this.skipFatFsOrphans = skipFatFsOrphans;
508  this.imageWriterPath = imageWriterPath;
509  tskAutoDbPointer = 0;
510  this.isCanceled = false;
511  this.skCase = skCase;
512 
513  }
514 
531  public void run(String deviceId, String[] imageFilePaths, int sectorSize) throws TskCoreException, TskDataException {
532  Image img = addImageToDatabase(skCase, imageFilePaths, sectorSize, "", "", "", "", deviceId);
533  run(deviceId, img, sectorSize, new DefaultAddDataSourceCallbacks());
534  }
535 
553  public void run(String deviceId, Image image, int sectorSize,
554  AddDataSourceCallbacks addDataSourceCallbacks) throws TskCoreException, TskDataException {
555  dbHelper = new TskCaseDbBridge(skCase, addDataSourceCallbacks);
556  getTSKReadLock();
557  try {
558  long imageHandle = 0;
559  synchronized (this) {
560  if (0 != tskAutoDbPointer) {
561  throw new TskCoreException("Add image process already started");
562  }
563  if (!isCanceled) { //with isCanceled being guarded by this it will have the same value everywhere in this synchronized block
564  imageHandle = image.getImageHandle();
565  tskAutoDbPointer = initAddImgNat(dbHelper, timezoneLongToShort(timeZone), addUnallocSpace, skipFatFsOrphans);
566  }
567  if (0 == tskAutoDbPointer) {
568  throw new TskCoreException("initAddImgNat returned a NULL TskAutoDb pointer");
569  }
570  }
571  if (imageHandle != 0) {
572  runAddImgNat(tskAutoDbPointer, deviceId, imageHandle, image.getId(), timeZone, imageWriterPath);
573  }
574  } finally {
575  finishAddImageProcess();
576  releaseTSKReadLock();
577  }
578  }
579 
589  public synchronized void stop() throws TskCoreException {
590  getTSKReadLock();
591  try {
592  isCanceled = true;
593  if (tskAutoDbPointer != 0) {
594  stopAddImgNat(tskAutoDbPointer);
595  }
596  } finally {
597  releaseTSKReadLock();
598  }
599  }
600 
611  private synchronized void finishAddImageProcess() throws TskCoreException {
612  if (tskAutoDbPointer == 0) {
613  return;
614  }
615 
616  // If the process wasn't cancelled, finish up processing the
617  // remaining files.
618  if (! this.isCanceled && dbHelper != null) {
619  dbHelper.finish();
620  }
621 
622  // Free the auto DB pointer and get the image ID
623  imageId = finishAddImgNat(tskAutoDbPointer);
624  tskAutoDbPointer = 0;
625 
626  skCase.addDataSourceToHasChildrenMap();
627  }
628 
637  @Deprecated
638  public synchronized void revert() throws TskCoreException {
639  // No-op
640  }
641 
653  @Deprecated
654  public synchronized long commit() throws TskCoreException {
655  return imageId;
656  }
657 
664  public synchronized String currentDirectory() {
665  return tskAutoDbPointer == 0 ? "" : getCurDirNat(tskAutoDbPointer); //NON-NLS
666  }
667 
683  @Deprecated
684  public void run(String[] imageFilePaths) throws TskCoreException, TskDataException {
685  run(null, imageFilePaths, 0);
686  }
687 
703  public void run(String deviceId, String[] imageFilePaths) throws TskCoreException, TskDataException {
704  run(deviceId, imageFilePaths, 0);
705  }
706  }
707 
708  }
709 
721  static CaseDbHandle newCaseDb(String path) throws TskCoreException {
722  return new CaseDbHandle(path);
723  }
724 
737  static CaseDbHandle newCaseDb(String databaseName, CaseDbConnectionInfo info) throws TskCoreException {
738  return new CaseDbHandle(databaseName, info);
739  }
740 
752  static CaseDbHandle openCaseDb(String path) throws TskCoreException {
753  return new CaseDbHandle(path);
754  }
755 
768  static CaseDbHandle openCaseDb(String databaseName, CaseDbConnectionInfo info) throws TskCoreException {
769  return new CaseDbHandle(databaseName, info);
770  }
771 
777  public static String getVersion() {
778  return getVersionNat();
779  }
780 
786  public static void startVerboseLogging(String logPath) {
787  startVerboseLoggingNat(logPath);
788  }
789 
801  public static long openImage(String[] imageFiles, SleuthkitCase skCase) throws TskCoreException {
802  if (skCase == null) {
803  throw new TskCoreException("SleuthkitCase can not be null");
804  }
805  return openImage(imageFiles, 0, true, skCase.getCaseHandleIdentifier());
806  }
807 
821  public static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase) throws TskCoreException {
822  if (skCase == null) {
823  throw new TskCoreException("SleuthkitCase can not be null");
824  }
825  return openImage(imageFiles, sSize, true, skCase.getCaseHandleIdentifier());
826  }
827 
845  private static long openImage(String[] imageFiles, int sSize, boolean useCache, String caseIdentifer) throws TskCoreException {
846  getTSKReadLock();
847  try {
848  long imageHandle;
849 
850  StringBuilder keyBuilder = new StringBuilder();
851  for (int i = 0; i < imageFiles.length; ++i) {
852  keyBuilder.append(imageFiles[i]);
853  }
854  final String imageKey = keyBuilder.toString();
855 
856  synchronized (HandleCache.cacheLock) {
857  String nonNullCaseIdentifer = caseIdentifer;
858  if (nonNullCaseIdentifer == null) {
859  nonNullCaseIdentifer = HandleCache.getDefaultCaseIdentifier();
860  }
861 
862  // If we're getting a fresh copy and an image with this path is already
863  // in the cache, move the existing cache reference so it won't be used by
864  // any subsequent calls to openImage but will still be valid if any objects
865  // have it cached. This happens in the case where the user adds the same data
866  // source twice (see JIRA-5868).
867  if (!useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) {
868  long tempImageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
869 
870  // Store the old image handle in a fake path. This way it will no longer be found but will
871  // still be valid and the image and its file systems will be closed with the case.
872  String newPath = "Image_" + UUID.randomUUID().toString();
873  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(newPath, tempImageHandle);
874  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.remove(imageKey);
875  }
876 
877  if (useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) //get from cache
878  {
879  imageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
880  } else {
881  //open new handle and cache it
882  imageHandle = openImgNat(imageFiles, imageFiles.length, sSize);
883  HandleCache.getCaseHandles(nonNullCaseIdentifer).fsHandleCache.put(imageHandle, new HashMap<>());
884  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(imageKey, imageHandle);
885  }
886  }
887  return imageHandle;
888  } finally {
889  releaseTSKReadLock();
890  }
891  }
892 
906  private static void cacheImageHandle(SleuthkitCase skCase, List<String> imagePaths, long imageHandle) throws TskCoreException {
907 
908  // Construct the hash key from the image paths
909  StringBuilder keyBuilder = new StringBuilder();
910  for (int i = 0; i < imagePaths.size(); ++i) {
911  keyBuilder.append(imagePaths.get(i));
912  }
913  final String imageKey = keyBuilder.toString();
914 
915  // Get the case identifier
916  String caseIdentifier = skCase.getCaseHandleIdentifier();
917 
918  synchronized (HandleCache.cacheLock) {
919  HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.put(imageHandle, new HashMap<>());
920  HandleCache.getCaseHandles(caseIdentifier).imageHandleCache.put(imageKey, imageHandle);
921  }
922  }
923 
940  public static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize,
941  String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId) throws TskCoreException {
942 
943  // Open the image
944  long imageHandle = openImgNat(imagePaths, 1, sectorSize);
945 
946  // Get the fields stored in the native code
947  List<String> computedPaths = Arrays.asList(getPathsForImageNat(imageHandle));
948  long size = getSizeForImageNat(imageHandle);
949  long type = getTypeForImageNat(imageHandle);
950  long computedSectorSize = getSectorSizeForImageNat(imageHandle);
951  String md5 = md5fromSettings;
952  if (StringUtils.isEmpty(md5)) {
953  md5 = getMD5HashForImageNat(imageHandle);
954  }
955  String sha1 = sha1fromSettings;
956  if (StringUtils.isEmpty(sha1)) {
957  sha1 = getSha1HashForImageNat(imageHandle);
958  }
959  // Sleuthkit does not currently generate any SHA256 hashes. Set to empty
960  // string for consistency.
961  String sha256 = sha256fromSettings;
962  if (sha256 == null) {
963  sha256 = "";
964  }
965  String collectionDetails = getCollectionDetailsForImageNat(imageHandle);
966 
967  // Now save to database
968  CaseDbTransaction transaction = skCase.beginTransaction();
969  try {
970  Image img = skCase.addImage(TskData.TSK_IMG_TYPE_ENUM.valueOf(type), computedSectorSize,
971  size, null, computedPaths,
972  timeZone, md5, sha1, sha256,
973  deviceId, transaction);
974  if (!StringUtils.isEmpty(collectionDetails)) {
975  skCase.setAcquisitionDetails(img, collectionDetails);
976  }
977  transaction.commit();
978 
979  img.setImageHandle(imageHandle);
980  cacheImageHandle(skCase, computedPaths, imageHandle);
981  return img;
982  } catch (TskCoreException ex) {
983  transaction.rollback();
984  throw(ex);
985  }
986  }
987 
988 
989 
1002  public static long openVs(long imgHandle, long vsOffset) throws TskCoreException {
1003  getTSKReadLock();
1004  try {
1005  if(! imgHandleIsValid(imgHandle)) {
1006  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1007  }
1008  return openVsNat(imgHandle, vsOffset);
1009  } finally {
1010  releaseTSKReadLock();
1011  }
1012  }
1013 
1014  //get pointers
1026  public static long openVsPart(long vsHandle, long volId) throws TskCoreException {
1027  getTSKReadLock();
1028  try {
1029  //returned long is ptr to vs Handle object in tsk
1030  return openVolNat(vsHandle, volId);
1031  } finally {
1032  releaseTSKReadLock();
1033  }
1034  }
1035 
1047  static long openPool(long imgHandle, long offset, SleuthkitCase skCase) throws TskCoreException {
1048  getTSKReadLock();
1049  try {
1050  if(! imgHandleIsValid(imgHandle)) {
1051  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1052  }
1053 
1054  synchronized (HandleCache.cacheLock) {
1055  String caseIdentifier;
1056  if (skCase == null) {
1057  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1058  } else {
1059  caseIdentifier = skCase.getCaseHandleIdentifier();
1060  }
1061 
1062  // If a pool handle cache for this image does not exist, make one
1063  if (! HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.containsKey(imgHandle)) {
1064  HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.put(imgHandle, new HashMap<>());
1065  }
1066 
1067  // Get the pool handle cache for this image
1068  Map<Long, Long> poolCacheForImage = HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle);
1069 
1070  if (poolCacheForImage.containsKey(offset)) {
1071  return poolCacheForImage.get(offset);
1072  } else {
1073  //returned long is ptr to pool Handle object in tsk
1074  long poolHandle = openPoolNat(imgHandle, offset);
1075  poolCacheForImage.put(offset, poolHandle);
1076  return poolHandle;
1077  }
1078  }
1079  } finally {
1080  releaseTSKReadLock();
1081  }
1082  }
1083 
1097  public static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase) throws TskCoreException {
1098  getTSKReadLock();
1099  try {
1100  long fsHandle;
1101  synchronized (HandleCache.cacheLock) {
1102  String caseIdentifier;
1103  if (skCase == null) {
1104  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1105  } else {
1106  caseIdentifier = skCase.getCaseHandleIdentifier();
1107  }
1108  final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1109  if (imgOffSetToFsHandle == null) {
1110  throw new TskCoreException("Missing image offset to file system handle cache for image handle " + imgHandle);
1111  }
1112  if (imgOffSetToFsHandle.containsKey(fsOffset)) {
1113  //return cached
1114  fsHandle = imgOffSetToFsHandle.get(fsOffset);
1115  } else {
1116  fsHandle = openFsNat(imgHandle, fsOffset);
1117  //cache it
1118  imgOffSetToFsHandle.put(fsOffset, fsHandle);
1119  }
1120  }
1121  return fsHandle;
1122  } finally {
1123  releaseTSKReadLock();
1124  }
1125  }
1126 
1143  static long openFsPool(long imgHandle, long fsOffset, long poolHandle, long poolBlock, SleuthkitCase skCase) throws TskCoreException {
1144  /*
1145  * Currently, our APFS code is not thread-safe and it is the only code
1146  * that uses pools. To prevent crashes, we make any reads to a file system
1147  * contained in a pool single-threaded.
1148  */
1149  getTSKWriteLock();
1150  try {
1151  long fsHandle;
1152  synchronized (HandleCache.cacheLock) {
1153  String caseIdentifier;
1154  if (skCase == null) {
1155  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1156  } else {
1157  caseIdentifier = skCase.getCaseHandleIdentifier();
1158  }
1159  final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1160  if (imgOffSetToFsHandle == null) {
1161  throw new TskCoreException("Missing image offset to file system handle cache for image handle " + imgHandle);
1162  }
1163 
1164  if (imgOffSetToFsHandle.containsKey(poolBlock)) {
1165  //return cached
1166  fsHandle = imgOffSetToFsHandle.get(poolBlock);
1167  } else {
1168  long poolImgHandle = getImgInfoForPoolNat(poolHandle, poolBlock);
1169  HandleCache.getCaseHandles(caseIdentifier).poolImgCache.add(poolImgHandle);
1170  fsHandle = openFsNat(poolImgHandle, fsOffset);
1171  //cache it
1172  imgOffSetToFsHandle.put(poolBlock, fsHandle);
1173  HandleCache.getCaseHandles(caseIdentifier).poolFsList.add(fsHandle);
1174  }
1175  }
1176  return fsHandle;
1177  } finally {
1178  releaseTSKWriteLock();
1179  }
1180  }
1181 
1196  public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase) throws TskCoreException {
1197  /*
1198  * NOTE: previously attrId used to be stored in AbstractFile as (signed)
1199  * short even though it is stored as uint16 in TSK. In extremely rare
1200  * occurrences attrId can be larger than what a signed short can hold
1201  * (2^15). Changes were made to AbstractFile to store attrId as integer.
1202  * However, a depricated method still exists in AbstractFile to get
1203  * attrId as short. In that method we convert attribute ids that are
1204  * larger than 32K to a negative number. Therefore if encountered, we
1205  * need to convert negative attribute id to uint16 which is what TSK is
1206  * using to store attribute id.
1207  */
1208  boolean withinPool = false;
1209  synchronized (HandleCache.cacheLock) {
1210  String caseIdentifier;
1211  if (skCase == null) {
1212  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1213  } else {
1214  caseIdentifier = skCase.getCaseHandleIdentifier();
1215  }
1216  if (HandleCache.getCaseHandles(caseIdentifier).poolFsList.contains(fsHandle)) {
1217  withinPool = true;
1218  }
1219  }
1220 
1221  /*
1222  * The current APFS code is not thread-safe. To compensate, we make any
1223  * reads to the APFS pool single-threaded by obtaining a write
1224  * lock instead of a read lock.
1225  */
1226  if (withinPool) {
1227  getTSKWriteLock();
1228  } else {
1229  getTSKReadLock();
1230  }
1231  try {
1232  long fileHandle = openFileNat(fsHandle, fileId, attrType.getValue(), convertSignedToUnsigned(attrId));
1233  synchronized (HandleCache.cacheLock) {
1234  String caseIdentifier;
1235  if (skCase == null) {
1236  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1237  } else {
1238  caseIdentifier = skCase.getCaseHandleIdentifier();
1239  }
1240  HandleCache.addFileHandle(caseIdentifier, fileHandle, fsHandle);
1241 
1242  // If this file is in a pool file system, record it so the locks
1243  // can be set appropriately when reading it.
1244  if (withinPool) {
1245  HandleCache.poolFileHandles.add(fileHandle);
1246  }
1247  }
1248  return fileHandle;
1249  } finally {
1250  if (withinPool) {
1251  releaseTSKWriteLock();
1252  } else {
1253  releaseTSKReadLock();
1254  }
1255  }
1256  }
1257 
1265  private static int convertSignedToUnsigned(int val) {
1266  if (val >= 0) {
1267  return val;
1268  }
1269 
1270  return val & 0xffff; // convert negative value to positive value
1271  }
1272 
1278  private static boolean imgHandleIsValid(long imgHandle) {
1279  synchronized(HandleCache.cacheLock) {
1280  return HandleCache.isImageInAnyCache(imgHandle);
1281  }
1282  }
1283 
1284  //do reads
1299  public static int readImg(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1300  getTSKReadLock();
1301  try {
1302  if(! imgHandleIsValid(imgHandle)) {
1303  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1304  }
1305  //returned byte[] is the data buffer
1306  return readImgNat(imgHandle, readBuffer, offset, len);
1307  } finally {
1308  releaseTSKReadLock();
1309  }
1310  }
1311 
1326  public static int readVs(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1327  getTSKReadLock();
1328  try {
1329  return readVsNat(vsHandle, readBuffer, offset, len);
1330  } finally {
1331  releaseTSKReadLock();
1332  }
1333  }
1334 
1347  static int readPool(long poolHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1348  getTSKReadLock();
1349  try {
1350  return readPoolNat(poolHandle, readBuffer, offset, len);
1351  } finally {
1352  releaseTSKReadLock();
1353  }
1354  }
1355 
1370  public static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1371  getTSKReadLock();
1372  try {
1373  //returned byte[] is the data buffer
1374  return readVolNat(volHandle, readBuffer, offset, len);
1375  } finally {
1376  releaseTSKReadLock();
1377  }
1378  }
1379 
1394  public static int readFs(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1395  getTSKReadLock();
1396  try {
1397  //returned byte[] is the data buffer
1398  return readFsNat(fsHandle, readBuffer, offset, len);
1399  } finally {
1400  releaseTSKReadLock();
1401  }
1402  }
1403 
1408  private enum TSK_FS_FILE_READ_OFFSET_TYPE_ENUM {
1409  START_OF_FILE(0),
1410  START_OF_SLACK(1);
1411 
1412  private final int val;
1413 
1414  TSK_FS_FILE_READ_OFFSET_TYPE_ENUM(int val) {
1415  this.val = val;
1416  }
1417 
1418  int getValue() {
1419  return val;
1420  }
1421  }
1422 
1437  public static int readFile(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1438  boolean withinPool = false;
1439  synchronized (HandleCache.cacheLock) {
1440  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1441  withinPool = true;
1442  }
1443  }
1444 
1445  /*
1446  * The current APFS code is not thread-safe. To compensate, we make any
1447  * reads to the APFS pool single-threaded by obtaining a write
1448  * lock instead of a read lock.
1449  */
1450  if (withinPool) {
1451  getTSKWriteLock();
1452  } else {
1453  getTSKReadLock();
1454  }
1455  try {
1456  if (!HandleCache.isValidFileHandle(fileHandle)) {
1457  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1458  }
1459 
1460  return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_FILE.getValue(), len);
1461  } finally {
1462  if (withinPool) {
1463  releaseTSKWriteLock();
1464  } else {
1465  releaseTSKReadLock();
1466  }
1467  }
1468  }
1469 
1484  public static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1485  getTSKReadLock();
1486  try {
1487  if (!HandleCache.isValidFileHandle(fileHandle)) {
1488  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1489  }
1490 
1491  return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_SLACK.getValue(), len);
1492  } finally {
1493  releaseTSKReadLock();
1494  }
1495  }
1496 
1507  public static List<String> getFileMetaDataText(long fileHandle) throws TskCoreException {
1508  getTSKReadLock();
1509  try {
1510  if (!HandleCache.isValidFileHandle(fileHandle)) {
1511  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1512  }
1513 
1514  try {
1515  java.io.File tmp = java.io.File.createTempFile("tsk", ".txt");
1516 
1517  saveFileMetaDataTextNat(fileHandle, tmp.getAbsolutePath());
1518 
1519  FileReader fr = new FileReader(tmp.getAbsolutePath());
1520  BufferedReader textReader = new BufferedReader(fr);
1521 
1522  List<String> lines = new ArrayList<String>();
1523  while (true) {
1524  String line = textReader.readLine();
1525  if (line == null) {
1526  break;
1527  }
1528  lines.add(line);
1529  }
1530  textReader.close();
1531  fr.close();
1532  tmp.delete();
1533  return lines;
1534  } catch (IOException ex) {
1535  throw new TskCoreException("Error reading istat output: " + ex.getLocalizedMessage());
1536  }
1537  } finally {
1538  releaseTSKReadLock();
1539  }
1540  }
1541 
1547  public static void closeFile(long fileHandle) {
1548  closeFile(fileHandle, null);
1549  }
1550 
1557  public static void closeFile(long fileHandle, SleuthkitCase skCase) {
1558  boolean withinPool = false;
1559  synchronized (HandleCache.cacheLock) {
1560  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1561  withinPool = true;
1562  }
1563  }
1564 
1565  /*
1566  * The current APFS code is not thread-safe. To compensate, we make any
1567  * reads to the APFS pool single-threaded by obtaining a write
1568  * lock instead of a read lock.
1569  */
1570  if (withinPool) {
1571  getTSKWriteLock();
1572  } else {
1573  getTSKReadLock();
1574  }
1575  try {
1576  synchronized (HandleCache.cacheLock) {
1577  if (!HandleCache.isValidFileHandle(fileHandle)) {
1578  // File handle is not open so this is a no-op.
1579  return;
1580  }
1581  closeFileNat(fileHandle);
1582  HandleCache.removeFileHandle(fileHandle, skCase);
1583  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1584  HandleCache.poolFileHandles.remove(fileHandle);
1585  }
1586  }
1587  } finally {
1588  if (withinPool) {
1589  releaseTSKWriteLock();
1590  } else {
1591  releaseTSKReadLock();
1592  }
1593  }
1594  }
1595 
1603  public static void createLookupIndexForHashDatabase(int dbHandle) throws TskCoreException {
1604  hashDbCreateIndexNat(dbHandle);
1605  }
1606 
1616  public static boolean hashDatabaseHasLookupIndex(int dbHandle) throws TskCoreException {
1617  return hashDbIndexExistsNat(dbHandle);
1618  }
1619 
1630  public static boolean hashDatabaseCanBeReindexed(int dbHandle) throws TskCoreException {
1631  return hashDbIsReindexableNat(dbHandle);
1632  }
1633 
1643  public static String getHashDatabasePath(int dbHandle) throws TskCoreException {
1644  return hashDbPathNat(dbHandle);
1645  }
1646 
1656  public static String getHashDatabaseIndexPath(int dbHandle) throws TskCoreException {
1657  return hashDbIndexPathNat(dbHandle);
1658  }
1659 
1666  public static int openHashDatabase(String path) throws TskCoreException {
1667  return hashDbOpenNat(path);
1668  }
1669 
1679  public static int createHashDatabase(String path) throws TskCoreException {
1680  return hashDbNewNat(path);
1681  }
1682 
1689  public static void closeAllHashDatabases() throws TskCoreException {
1690  hashDbCloseAll();
1691  }
1692 
1702  public static void closeHashDatabase(int dbHandle) throws TskCoreException {
1703  hashDbClose(dbHandle);
1704  }
1705 
1715  public static String getHashDatabaseDisplayName(int dbHandle) throws TskCoreException {
1716  return hashDbGetDisplayName(dbHandle);
1717  }
1718 
1729  public static boolean lookupInHashDatabase(String hash, int dbHandle) throws TskCoreException {
1730  return hashDbLookup(hash, dbHandle);
1731  }
1732 
1744  public static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle) throws TskCoreException {
1745  return hashDbLookupVerbose(hash, dbHandle);
1746  }
1747 
1760  public static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle) throws TskCoreException {
1761  hashDbAddEntryNat(filename, md5, sha1, sha256, comment, dbHandle);
1762  }
1763 
1764  public static void addToHashDatabase(List<HashEntry> hashes, int dbHandle) throws TskCoreException {
1765  hashDbBeginTransactionNat(dbHandle);
1766  try {
1767  for (HashEntry entry : hashes) {
1768  hashDbAddEntryNat(entry.getFileName(), entry.getMd5Hash(), entry.getSha1Hash(), entry.getSha256Hash(), entry.getComment(), dbHandle);
1769  }
1770  hashDbCommitTransactionNat(dbHandle);
1771  } catch (TskCoreException ex) {
1772  try {
1773  hashDbRollbackTransactionNat(dbHandle);
1774  } catch (TskCoreException ex2) {
1775  ex2.initCause(ex);
1776  throw ex2;
1777  }
1778  throw ex;
1779  }
1780  }
1781 
1782  public static boolean isUpdateableHashDatabase(int dbHandle) throws TskCoreException {
1783  return hashDbIsUpdateableNat(dbHandle);
1784  }
1785 
1786  public static boolean hashDatabaseIsIndexOnly(int dbHandle) throws TskCoreException {
1787  return hashDbIsIdxOnlyNat(dbHandle);
1788  }
1789 
1799  private static String timezoneLongToShort(String timezoneLongForm) {
1800  if (timezoneLongForm == null || timezoneLongForm.isEmpty()) {
1801  return "";
1802  }
1803 
1804  String timezoneShortForm;
1805  TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
1806  int offset = zone.getRawOffset() / 1000;
1807  int hour = offset / 3600;
1808  int min = (offset % 3600) / 60;
1809  DateFormat dfm = new SimpleDateFormat("z");
1810  dfm.setTimeZone(zone);
1811  boolean hasDaylight = zone.useDaylightTime();
1812  String first = dfm.format(new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3); // make it only 3 letters code
1813  String second = dfm.format(new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3); // make it only 3 letters code
1814  int mid = hour * -1;
1815  timezoneShortForm = first + Integer.toString(mid);
1816  if (min != 0) {
1817  timezoneShortForm = timezoneShortForm + ":" + (min < 10 ? "0" : "") + Integer.toString(min);
1818  }
1819  if (hasDaylight) {
1820  timezoneShortForm += second;
1821  }
1822  return timezoneShortForm;
1823  }
1824 
1835  public static int finishImageWriter(long imgHandle) throws TskCoreException {
1836  getTSKReadLock();
1837  try {
1838  if(! imgHandleIsValid(imgHandle)) {
1839  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1840  }
1841  return finishImageWriterNat(imgHandle);
1842  } finally {
1843  releaseTSKReadLock();
1844  }
1845  }
1846 
1854  public static int getFinishImageProgress(long imgHandle) {
1855  getTSKReadLock();
1856  try {
1857  if (imgHandleIsValid(imgHandle)) {
1858  return getFinishImageProgressNat(imgHandle);
1859  } else {
1860  return 0;
1861  }
1862  } finally {
1863  releaseTSKReadLock();
1864  }
1865  }
1866 
1872  public static void cancelFinishImage(long imgHandle) {
1873  getTSKReadLock();
1874  try {
1875  if (imgHandleIsValid(imgHandle)) {
1876  cancelFinishImageNat(imgHandle);
1877  }
1878  } finally {
1879  releaseTSKReadLock();
1880  }
1881  }
1882 
1894  public static long findDeviceSize(String devPath) throws TskCoreException {
1895  return findDeviceSizeNat(devPath);
1896  }
1897 
1898  public static boolean isImageSupported(String imagePath) {
1899  return isImageSupportedNat(imagePath);
1900  }
1901 
1915  static long getSleuthkitVersion() {
1916  return getSleuthkitVersionNat();
1917  }
1918 
1923  private static void getTSKReadLock() {
1924  tskLock.readLock().lock();
1925  }
1926 
1930  private static void releaseTSKReadLock() {
1931  tskLock.readLock().unlock();
1932  }
1933 
1941  private static void getTSKWriteLock() {
1942  tskLock.writeLock().lock();
1943  }
1944 
1948  private static void releaseTSKWriteLock() {
1949  tskLock.writeLock().unlock();
1950  }
1951 
1952  //free pointers
1959  @Deprecated
1960  public static void closeImg(long imgHandle) {
1961  //closeImgNat(imgHandle);
1962  }
1963 
1969  @Deprecated
1970  public static void closeVs(long vsHandle) {
1971  // closeVsNat(vsHandle); TODO JIRA-3829
1972  }
1973 
1980  @Deprecated
1981  public static void closeFs(long fsHandle) {
1982  //closeFsNat(fsHandle);
1983  }
1984 
1996  @Deprecated
1997  public static long openImage(String[] imageFiles) throws TskCoreException {
1998 
1999  return openImage(imageFiles, 0, true, null);
2000  }
2001 
2015  @Deprecated
2016  public static long openImage(String[] imageFiles, int sSize) throws TskCoreException {
2017  return openImage(imageFiles, sSize, true, null);
2018  }
2019 
2020 
2034  @Deprecated
2035  public static long openFs(long imgHandle, long fsOffset) throws TskCoreException {
2036  return openFs(imgHandle, fsOffset, null);
2037  }
2038 
2053  @Deprecated
2054  public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId) throws TskCoreException {
2055  return openFile(fsHandle, fileId, attrType, attrId, null);
2056  }
2057 
2058 
2059  private static native String getVersionNat();
2060 
2061  private static native void startVerboseLoggingNat(String logPath);
2062 
2063  private static native int hashDbOpenNat(String hashDbPath) throws TskCoreException;
2064 
2065  private static native int hashDbNewNat(String hashDbPath) throws TskCoreException;
2066 
2067  private static native int hashDbBeginTransactionNat(int dbHandle) throws TskCoreException;
2068 
2069  private static native int hashDbCommitTransactionNat(int dbHandle) throws TskCoreException;
2070 
2071  private static native int hashDbRollbackTransactionNat(int dbHandle) throws TskCoreException;
2072 
2073  private static native int hashDbAddEntryNat(String filename, String hashMd5, String hashSha1, String hashSha256, String comment, int dbHandle) throws TskCoreException;
2074 
2075  private static native boolean hashDbIsUpdateableNat(int dbHandle);
2076 
2077  private static native boolean hashDbIsReindexableNat(int dbHandle);
2078 
2079  private static native String hashDbPathNat(int dbHandle);
2080 
2081  private static native String hashDbIndexPathNat(int dbHandle);
2082 
2083  private static native String hashDbGetDisplayName(int dbHandle) throws TskCoreException;
2084 
2085  private static native void hashDbCloseAll() throws TskCoreException;
2086 
2087  private static native void hashDbClose(int dbHandle) throws TskCoreException;
2088 
2089  private static native void hashDbCreateIndexNat(int dbHandle) throws TskCoreException;
2090 
2091  private static native boolean hashDbIndexExistsNat(int dbHandle) throws TskCoreException;
2092 
2093  private static native boolean hashDbIsIdxOnlyNat(int dbHandle) throws TskCoreException;
2094 
2095  private static native boolean hashDbLookup(String hash, int dbHandle) throws TskCoreException;
2096 
2097  private static native HashHitInfo hashDbLookupVerbose(String hash, int dbHandle) throws TskCoreException;
2098 
2099  private static native long initAddImgNat(TskCaseDbBridge dbHelperObj, String timezone, boolean addUnallocSpace, boolean skipFatFsOrphans) throws TskCoreException;
2100 
2101  private static native long initializeAddImgNat(TskCaseDbBridge dbHelperObj, String timezone, boolean addFileSystems, boolean addUnallocSpace, boolean skipFatFsOrphans) throws TskCoreException;
2102 
2103  private static native void runOpenAndAddImgNat(long process, String deviceId, String[] imgPath, int splits, String timezone) throws TskCoreException, TskDataException;
2104 
2105  private static native void runAddImgNat(long process, String deviceId, long a_img_info, long image_id, String timeZone, String imageWriterPath) throws TskCoreException, TskDataException;
2106 
2107  private static native void stopAddImgNat(long process) throws TskCoreException;
2108 
2109  private static native long finishAddImgNat(long process) throws TskCoreException;
2110 
2111  private static native long openImgNat(String[] imgPath, int splits, int sSize) throws TskCoreException;
2112 
2113  private static native long openVsNat(long imgHandle, long vsOffset) throws TskCoreException;
2114 
2115  private static native long openVolNat(long vsHandle, long volId) throws TskCoreException;
2116 
2117  private static native long openPoolNat(long imgHandle, long offset) throws TskCoreException;
2118 
2119  private static native long getImgInfoForPoolNat(long poolHandle, long poolOffset) throws TskCoreException;
2120 
2121  private static native long openFsNat(long imgHandle, long fsId) throws TskCoreException;
2122 
2123  private static native long openFileNat(long fsHandle, long fileId, int attrType, int attrId) throws TskCoreException;
2124 
2125  private static native int readImgNat(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2126 
2127  private static native int readVsNat(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2128 
2129  private static native int readPoolNat(long poolHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2130 
2131  private static native int readVolNat(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2132 
2133  private static native int readFsNat(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2134 
2135  private static native int readFileNat(long fileHandle, byte[] readBuffer, long offset, int offset_type, long len) throws TskCoreException;
2136 
2137  private static native int saveFileMetaDataTextNat(long fileHandle, String fileName) throws TskCoreException;
2138 
2139  private static native String[] getPathsForImageNat(long imgHandle);
2140 
2141  private static native long getSizeForImageNat(long imgHandle);
2142 
2143  private static native long getTypeForImageNat(long imgHandle);
2144 
2145  private static native long getSectorSizeForImageNat(long imgHandle);
2146 
2147  private static native String getMD5HashForImageNat(long imgHandle);
2148 
2149  private static native String getSha1HashForImageNat(long imgHandle);
2150 
2151  private static native String getCollectionDetailsForImageNat(long imgHandle);
2152 
2153  private static native void closeImgNat(long imgHandle);
2154 
2155  private static native void closePoolNat(long poolHandle);
2156 
2157  private static native void closeVsNat(long vsHandle);
2158 
2159  private static native void closeFsNat(long fsHandle);
2160 
2161  private static native void closeFileNat(long fileHandle);
2162 
2163  private static native long findDeviceSizeNat(String devicePath) throws TskCoreException;
2164 
2165  private static native String getCurDirNat(long process);
2166 
2167  private static native boolean isImageSupportedNat(String imagePath);
2168 
2169  private static native long getSleuthkitVersionNat();
2170 
2171  private static native int finishImageWriterNat(long a_img_info);
2172 
2173  private static native int getFinishImageProgressNat(long a_img_info);
2174 
2175  private static native void cancelFinishImageNat(long a_img_info);
2176 
2177 }
org.sleuthkit.datamodel.SleuthkitJNI.readImg
static int readImg(long imgHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1299
org.sleuthkit.datamodel.SleuthkitJNI.getHashDatabaseIndexPath
static String getHashDatabaseIndexPath(int dbHandle)
Definition: SleuthkitJNI.java:1656
org.sleuthkit.datamodel.SleuthkitJNI.readVs
static int readVs(long vsHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1326
org.sleuthkit.datamodel.SleuthkitJNI.createLookupIndexForHashDatabase
static void createLookupIndexForHashDatabase(int dbHandle)
Definition: SleuthkitJNI.java:1603
org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess.run
void run(String deviceId, Image image, int sectorSize, AddDataSourceCallbacks addDataSourceCallbacks)
Definition: SleuthkitJNI.java:553
org.sleuthkit.datamodel.SleuthkitJNI.addToHashDatabase
static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle)
Definition: SleuthkitJNI.java:1760
org.sleuthkit.datamodel.SleuthkitJNI.openFile
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:1196
org.sleuthkit.datamodel.SleuthkitJNI.createHashDatabase
static int createHashDatabase(String path)
Definition: SleuthkitJNI.java:1679
org.sleuthkit.datamodel.SleuthkitJNI.closeFs
static void closeFs(long fsHandle)
Definition: SleuthkitJNI.java:1981
org.sleuthkit.datamodel.SleuthkitJNI.cancelFinishImage
static void cancelFinishImage(long imgHandle)
Definition: SleuthkitJNI.java:1872
org.sleuthkit.datamodel.SleuthkitJNI.openFile
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId)
Definition: SleuthkitJNI.java:2054
org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess.run
void run(String deviceId, String[] imageFilePaths)
Definition: SleuthkitJNI.java:703
org.sleuthkit.datamodel.SleuthkitJNI.readFile
static int readFile(long fileHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1437
org.sleuthkit.datamodel.SleuthkitJNI.finishImageWriter
static int finishImageWriter(long imgHandle)
Definition: SleuthkitJNI.java:1835
org.sleuthkit.datamodel.SleuthkitJNI.lookupInHashDatabaseVerbose
static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle)
Definition: SleuthkitJNI.java:1744
org.sleuthkit.datamodel.SleuthkitJNI.openVs
static long openVs(long imgHandle, long vsOffset)
Definition: SleuthkitJNI.java:1002
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:801
org.sleuthkit.datamodel.SleuthkitJNI.hashDatabaseIsIndexOnly
static boolean hashDatabaseIsIndexOnly(int dbHandle)
Definition: SleuthkitJNI.java:1786
org.sleuthkit.datamodel.TskData.TSK_FS_ATTR_TYPE_ENUM
Definition: TskData.java:275
org.sleuthkit.datamodel.SleuthkitJNI.isImageSupported
static boolean isImageSupported(String imagePath)
Definition: SleuthkitJNI.java:1898
org.sleuthkit.datamodel.SleuthkitJNI.readVsPart
static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1370
org.sleuthkit.datamodel.SleuthkitJNI.closeFile
static void closeFile(long fileHandle, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:1557
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles, int sSize)
Definition: SleuthkitJNI.java:2016
org.sleuthkit.datamodel.SleuthkitJNI.closeVs
static void closeVs(long vsHandle)
Definition: SleuthkitJNI.java:1970
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles)
Definition: SleuthkitJNI.java:1997
org.sleuthkit.datamodel.SleuthkitJNI.openFs
static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:1097
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:821
org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess.run
void run(String deviceId, String[] imageFilePaths, int sectorSize)
Definition: SleuthkitJNI.java:531
org.sleuthkit.datamodel.HashEntry
Definition: HashEntry.java:25
org.sleuthkit.datamodel.SleuthkitJNI.findDeviceSize
static long findDeviceSize(String devPath)
Definition: SleuthkitJNI.java:1894
org.sleuthkit.datamodel.SleuthkitJNI.getHashDatabaseDisplayName
static String getHashDatabaseDisplayName(int dbHandle)
Definition: SleuthkitJNI.java:1715
org.sleuthkit.datamodel.SleuthkitJNI.getFileMetaDataText
static List< String > getFileMetaDataText(long fileHandle)
Definition: SleuthkitJNI.java:1507
org.sleuthkit.datamodel.SleuthkitJNI.closeImg
static void closeImg(long imgHandle)
Definition: SleuthkitJNI.java:1960
org.sleuthkit.datamodel.SleuthkitJNI.openFs
static long openFs(long imgHandle, long fsOffset)
Definition: SleuthkitJNI.java:2035
org.sleuthkit.datamodel.SleuthkitCase.addImage
Image addImage(TskData.TSK_IMG_TYPE_ENUM type, long sectorSize, long size, String displayName, List< String > imagePaths, String timezone, String md5, String sha1, String sha256, String deviceId, CaseDbTransaction transaction)
Definition: SleuthkitCase.java:5906
org.sleuthkit.datamodel.SleuthkitJNI.getFinishImageProgress
static int getFinishImageProgress(long imgHandle)
Definition: SleuthkitJNI.java:1854
org.sleuthkit.datamodel.SleuthkitJNI.openHashDatabase
static int openHashDatabase(String path)
Definition: SleuthkitJNI.java:1666
org.sleuthkit.datamodel.SleuthkitJNI.closeFile
static void closeFile(long fileHandle)
Definition: SleuthkitJNI.java:1547
org.sleuthkit.datamodel.SleuthkitJNI.lookupInHashDatabase
static boolean lookupInHashDatabase(String hash, int dbHandle)
Definition: SleuthkitJNI.java:1729
org.sleuthkit.datamodel.TskData.TSK_IMG_TYPE_ENUM.valueOf
static TSK_IMG_TYPE_ENUM valueOf(long imgType)
Definition: TskData.java:540
org.sleuthkit.datamodel.SleuthkitJNI.hashDatabaseHasLookupIndex
static boolean hashDatabaseHasLookupIndex(int dbHandle)
Definition: SleuthkitJNI.java:1616
org.sleuthkit.datamodel.SleuthkitJNI.addImageToDatabase
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId)
Definition: SleuthkitJNI.java:940
org.sleuthkit.datamodel.SleuthkitJNI.openVsPart
static long openVsPart(long vsHandle, long volId)
Definition: SleuthkitJNI.java:1026
org.sleuthkit.datamodel.SleuthkitJNI.readFileSlack
static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1484
org.sleuthkit.datamodel.SleuthkitJNI.isUpdateableHashDatabase
static boolean isUpdateableHashDatabase(int dbHandle)
Definition: SleuthkitJNI.java:1782
org.sleuthkit.datamodel.SleuthkitJNI.addToHashDatabase
static void addToHashDatabase(List< HashEntry > hashes, int dbHandle)
Definition: SleuthkitJNI.java:1764
org.sleuthkit.datamodel.SleuthkitJNI.hashDatabaseCanBeReindexed
static boolean hashDatabaseCanBeReindexed(int dbHandle)
Definition: SleuthkitJNI.java:1630
org.sleuthkit.datamodel.SleuthkitJNI.startVerboseLogging
static void startVerboseLogging(String logPath)
Definition: SleuthkitJNI.java:786
org.sleuthkit.datamodel.TskData.TSK_IMG_TYPE_ENUM
Definition: TskData.java:517
org.sleuthkit.datamodel.SleuthkitJNI.readFs
static int readFs(long fsHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1394
org.sleuthkit.datamodel.SleuthkitJNI.getHashDatabasePath
static String getHashDatabasePath(int dbHandle)
Definition: SleuthkitJNI.java:1643
org.sleuthkit.datamodel.SleuthkitJNI.closeHashDatabase
static void closeHashDatabase(int dbHandle)
Definition: SleuthkitJNI.java:1702

Copyright © 2011-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.