19 package org.sleuthkit.datamodel;
21 import java.io.BufferedReader;
22 import java.io.FileReader;
23 import java.io.IOException;
24 import java.text.DateFormat;
25 import java.text.SimpleDateFormat;
26 import java.util.ArrayList;
27 import java.util.Arrays;
28 import java.util.GregorianCalendar;
29 import java.util.HashMap;
30 import java.util.HashSet;
31 import java.util.List;
34 import java.util.TimeZone;
35 import java.util.UUID;
36 import java.util.concurrent.locks.ReadWriteLock;
37 import java.util.concurrent.locks.ReentrantReadWriteLock;
38 import java.util.logging.Level;
39 import java.util.logging.Logger;
40 import org.apache.commons.lang3.StringUtils;
54 private static final Logger logger = Logger.getLogger(
SleuthkitJNI.class.getName());
62 private static final ReadWriteLock tskLock =
new ReentrantReadWriteLock();
81 private static class CaseHandles {
86 private final Map<String, Long> imageHandleCache =
new HashMap<>();
92 private final Map<Long, Map<Long, Long>> fsHandleCache =
new HashMap<>();
98 private final Set<Long> fileHandleCache =
new HashSet<>();
100 private final Map<Long, List<Long>> fileSystemToFileHandles =
new HashMap<>();
102 private final Map<Long, Map<Long, Long>> poolHandleCache =
new HashMap<>();
105 private final List<Long> poolImgCache =
new ArrayList<>();
114 private final List<Long> poolFsList =
new ArrayList<>();
116 private CaseHandles() {
127 private static class HandleCache {
132 private static final Object cacheLock =
new Object();
134 private static final Map<String, CaseHandles> caseHandlesCache =
new HashMap<>();
136 private static final String INVALID_FILE_HANDLE =
"Invalid file handle.";
147 private static final List<Long> poolFileHandles =
new ArrayList<>();
154 private static void createCaseHandleCache(String caseIdentifier) {
155 caseHandlesCache.put(caseIdentifier,
new CaseHandles());
167 synchronized (cacheLock) {
168 if (caseHandlesCache.keySet().size() > 1) {
169 throw new TskCoreException(
"Can not get default case identifier with multiple open cases");
170 }
else if (caseHandlesCache.keySet().isEmpty()) {
171 throw new TskCoreException(
"Can not get default case identifier with no open case");
174 return (caseHandlesCache.keySet().iterator().next());
187 private static CaseHandles getCaseHandles(String caseIdentifier)
throws TskCoreException {
188 synchronized (cacheLock) {
189 if (caseHandlesCache.containsKey(caseIdentifier)) {
190 return caseHandlesCache.get(caseIdentifier);
193 throw new TskCoreException(
"No entry for case " + caseIdentifier +
" in cache. Case may have been closed");
202 private static void removeCaseHandlesCache(String caseIdentifier) {
203 synchronized (cacheLock) {
204 if (caseHandlesCache.containsKey(caseIdentifier)) {
205 caseHandlesCache.get(caseIdentifier).fsHandleCache.clear();
206 caseHandlesCache.get(caseIdentifier).imageHandleCache.clear();
207 caseHandlesCache.get(caseIdentifier).fileHandleCache.clear();
208 caseHandlesCache.get(caseIdentifier).fileSystemToFileHandles.clear();
209 caseHandlesCache.get(caseIdentifier).poolHandleCache.clear();
210 caseHandlesCache.remove(caseIdentifier);
222 private static boolean isImageInAnyCache(
long imgHandle) {
223 synchronized (cacheLock) {
224 for (String caseIdentifier:caseHandlesCache.keySet()) {
225 if (caseHandlesCache.get(caseIdentifier).fsHandleCache.keySet().contains(imgHandle)) {
240 private static void addFileHandle(String caseIdentifier,
long fileHandle,
long fsHandle) {
242 synchronized (cacheLock) {
244 getCaseHandles(caseIdentifier).fileHandleCache.add(fileHandle);
247 if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
248 getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle).add(fileHandle);
250 getCaseHandles(caseIdentifier).fileSystemToFileHandles.put(fsHandle,
new ArrayList<>(Arrays.asList(fileHandle)));
254 logger.log(Level.WARNING,
"Error caching file handle for case {0}", caseIdentifier);
264 private static void removeFileHandle(
long fileHandle,
SleuthkitCase skCase) {
265 synchronized (cacheLock) {
267 if (skCase != null) {
269 getCaseHandles(skCase.getCaseHandleIdentifier()).fileHandleCache.remove(fileHandle);
275 for (String caseIdentifier:caseHandlesCache.keySet()) {
276 if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
277 caseHandlesCache.get(caseIdentifier).fileHandleCache.remove(fileHandle);
292 private static boolean isValidFileHandle(
long fileHandle) {
293 synchronized (cacheLock) {
294 for (String caseIdentifier:caseHandlesCache.keySet()) {
295 if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
303 private static void closeHandlesAndClearCache(String caseIdentifier)
throws TskCoreException {
304 synchronized (cacheLock) {
308 for (Map<Long, Long> imageToFsMap : getCaseHandles(caseIdentifier).fsHandleCache.values()) {
309 for (Long fsHandle : imageToFsMap.values()) {
311 if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
312 for (Long fileHandle : getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle)) {
314 if (poolFileHandles.contains(fileHandle)) {
315 poolFileHandles.remove(fileHandle);
321 closeFsNat(fsHandle);
328 getCaseHandles(caseIdentifier).poolFsList.clear();
333 for (Long imgHandle : getCaseHandles(caseIdentifier).poolHandleCache.keySet()) {
334 for (Long poolHandle : getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle).values()) {
335 closePoolNat(poolHandle);
342 for (Long imageHandle : getCaseHandles(caseIdentifier).poolImgCache) {
343 closeImgNat(imageHandle);
349 for (Long imageHandle : getCaseHandles(caseIdentifier).imageHandleCache.values()) {
350 closeImgNat(imageHandle);
353 removeCaseHandlesCache(caseIdentifier);
368 private final String caseDbIdentifier;
377 this.caseDbIdentifier =
"SingleUser:" + databaseName;
378 HandleCache.createCaseHandleCache(caseDbIdentifier);
389 this.caseDbIdentifier =
"MultiUser:" + info.
getHost() +
":" + databaseName;
390 HandleCache.createCaseHandleCache(caseDbIdentifier);
398 String getCaseDbIdentifier() {
399 return caseDbIdentifier;
409 tskLock.writeLock().lock();
411 HandleCache.closeHandlesAndClearCache(caseDbIdentifier);
414 tskLock.writeLock().unlock();
444 long tskAutoDbPointer = initializeAddImgNat(dbHelper, timezoneLongToShort(timeZone),
false,
false,
false);
445 runOpenAndAddImgNat(tskAutoDbPointer, UUID.randomUUID().toString(), imageFilePaths.toArray(
new String[0]), imageFilePaths.size(), timeZone);
446 long id = finishAddImgNat(tskAutoDbPointer);
448 skCase.addDataSourceToHasChildrenMap();
471 AddImageProcess initAddImageProcess(String timeZone,
boolean addUnallocSpace,
boolean skipFatFsOrphans, String imageCopyPath,
SleuthkitCase skCase) {
472 return new AddImageProcess(timeZone, addUnallocSpace, skipFatFsOrphans, imageCopyPath, skCase);
481 private final String timeZone;
482 private final boolean addUnallocSpace;
483 private final boolean skipFatFsOrphans;
484 private final String imageWriterPath;
485 private volatile long tskAutoDbPointer;
486 private long imageId = 0;
487 private boolean isCanceled;
489 private TskCaseDbBridge dbHelper;
504 private AddImageProcess(String timeZone,
boolean addUnallocSpace,
boolean skipFatFsOrphans, String imageWriterPath,
SleuthkitCase skCase) {
505 this.timeZone = timeZone;
506 this.addUnallocSpace = addUnallocSpace;
507 this.skipFatFsOrphans = skipFatFsOrphans;
508 this.imageWriterPath = imageWriterPath;
509 tskAutoDbPointer = 0;
510 this.isCanceled =
false;
511 this.skCase = skCase;
553 public void run(String deviceId,
Image image,
int sectorSize,
555 dbHelper =
new TskCaseDbBridge(skCase, addDataSourceCallbacks);
558 long imageHandle = 0;
559 synchronized (
this) {
560 if (0 != tskAutoDbPointer) {
561 throw new TskCoreException(
"Add image process already started");
564 imageHandle = image.getImageHandle();
565 tskAutoDbPointer = initAddImgNat(dbHelper, timezoneLongToShort(timeZone), addUnallocSpace, skipFatFsOrphans);
567 if (0 == tskAutoDbPointer) {
568 throw new TskCoreException(
"initAddImgNat returned a NULL TskAutoDb pointer");
571 if (imageHandle != 0) {
572 runAddImgNat(tskAutoDbPointer, deviceId, imageHandle, image.getId(), timeZone, imageWriterPath);
575 finishAddImageProcess();
576 releaseTSKReadLock();
589 public synchronized void stop() throws TskCoreException {
593 if (tskAutoDbPointer != 0) {
594 stopAddImgNat(tskAutoDbPointer);
597 releaseTSKReadLock();
611 private synchronized void finishAddImageProcess() throws TskCoreException {
612 if (tskAutoDbPointer == 0) {
618 if (! this.isCanceled && dbHelper != null) {
623 imageId = finishAddImgNat(tskAutoDbPointer);
624 tskAutoDbPointer = 0;
626 skCase.addDataSourceToHasChildrenMap();
638 public synchronized void revert() throws TskCoreException {
654 public synchronized long commit() throws TskCoreException {
665 return tskAutoDbPointer == 0 ?
"" : getCurDirNat(tskAutoDbPointer);
685 run(null, imageFilePaths, 0);
704 run(deviceId, imageFilePaths, 0);
721 static CaseDbHandle newCaseDb(String path)
throws TskCoreException {
722 return new CaseDbHandle(path);
737 static CaseDbHandle newCaseDb(String databaseName, CaseDbConnectionInfo info)
throws TskCoreException {
738 return new CaseDbHandle(databaseName, info);
752 static CaseDbHandle openCaseDb(String path)
throws TskCoreException {
753 return new CaseDbHandle(path);
768 static CaseDbHandle openCaseDb(String databaseName, CaseDbConnectionInfo info)
throws TskCoreException {
769 return new CaseDbHandle(databaseName, info);
778 return getVersionNat();
787 startVerboseLoggingNat(logPath);
802 if (skCase == null) {
803 throw new TskCoreException(
"SleuthkitCase can not be null");
805 return openImage(imageFiles, 0,
true, skCase.getCaseHandleIdentifier());
822 if (skCase == null) {
823 throw new TskCoreException(
"SleuthkitCase can not be null");
825 return openImage(imageFiles, sSize,
true, skCase.getCaseHandleIdentifier());
845 private static long openImage(String[] imageFiles,
int sSize,
boolean useCache, String caseIdentifer)
throws TskCoreException {
850 StringBuilder keyBuilder =
new StringBuilder();
851 for (
int i = 0; i < imageFiles.length; ++i) {
852 keyBuilder.append(imageFiles[i]);
854 final String imageKey = keyBuilder.toString();
856 synchronized (HandleCache.cacheLock) {
857 String nonNullCaseIdentifer = caseIdentifer;
858 if (nonNullCaseIdentifer == null) {
859 nonNullCaseIdentifer = HandleCache.getDefaultCaseIdentifier();
867 if (!useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) {
868 long tempImageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
872 String newPath =
"Image_" + UUID.randomUUID().toString();
873 HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(newPath, tempImageHandle);
874 HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.remove(imageKey);
877 if (useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey))
879 imageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
882 imageHandle = openImgNat(imageFiles, imageFiles.length, sSize);
883 HandleCache.getCaseHandles(nonNullCaseIdentifer).fsHandleCache.put(imageHandle,
new HashMap<>());
884 HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(imageKey, imageHandle);
889 releaseTSKReadLock();
906 private static void cacheImageHandle(SleuthkitCase skCase, List<String> imagePaths,
long imageHandle)
throws TskCoreException {
909 StringBuilder keyBuilder =
new StringBuilder();
910 for (
int i = 0; i < imagePaths.size(); ++i) {
911 keyBuilder.append(imagePaths.get(i));
913 final String imageKey = keyBuilder.toString();
916 String caseIdentifier = skCase.getCaseHandleIdentifier();
918 synchronized (HandleCache.cacheLock) {
919 HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.put(imageHandle,
new HashMap<>());
920 HandleCache.getCaseHandles(caseIdentifier).imageHandleCache.put(imageKey, imageHandle);
941 String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId)
throws TskCoreException {
944 long imageHandle = openImgNat(imagePaths, 1, sectorSize);
947 List<String> computedPaths = Arrays.asList(getPathsForImageNat(imageHandle));
948 long size = getSizeForImageNat(imageHandle);
949 long type = getTypeForImageNat(imageHandle);
950 long computedSectorSize = getSectorSizeForImageNat(imageHandle);
951 String md5 = md5fromSettings;
952 if (StringUtils.isEmpty(md5)) {
953 md5 = getMD5HashForImageNat(imageHandle);
955 String sha1 = sha1fromSettings;
956 if (StringUtils.isEmpty(sha1)) {
957 sha1 = getSha1HashForImageNat(imageHandle);
961 String sha256 = sha256fromSettings;
962 if (sha256 == null) {
965 String collectionDetails = getCollectionDetailsForImageNat(imageHandle);
971 size, null, computedPaths,
972 timeZone, md5, sha1, sha256,
973 deviceId, transaction);
974 if (!StringUtils.isEmpty(collectionDetails)) {
975 skCase.setAcquisitionDetails(img, collectionDetails);
979 img.setImageHandle(imageHandle);
980 cacheImageHandle(skCase, computedPaths, imageHandle);
982 }
catch (TskCoreException ex) {
1002 public static long openVs(
long imgHandle,
long vsOffset)
throws TskCoreException {
1005 if(! imgHandleIsValid(imgHandle)) {
1006 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1008 return openVsNat(imgHandle, vsOffset);
1010 releaseTSKReadLock();
1026 public static long openVsPart(
long vsHandle,
long volId)
throws TskCoreException {
1030 return openVolNat(vsHandle, volId);
1032 releaseTSKReadLock();
1047 static long openPool(
long imgHandle,
long offset,
SleuthkitCase skCase)
throws TskCoreException {
1050 if(! imgHandleIsValid(imgHandle)) {
1051 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1054 synchronized (HandleCache.cacheLock) {
1055 String caseIdentifier;
1056 if (skCase == null) {
1057 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1059 caseIdentifier = skCase.getCaseHandleIdentifier();
1063 if (! HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.containsKey(imgHandle)) {
1064 HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.put(imgHandle,
new HashMap<>());
1068 Map<Long, Long> poolCacheForImage = HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle);
1070 if (poolCacheForImage.containsKey(offset)) {
1071 return poolCacheForImage.get(offset);
1074 long poolHandle = openPoolNat(imgHandle, offset);
1075 poolCacheForImage.put(offset, poolHandle);
1080 releaseTSKReadLock();
1101 synchronized (HandleCache.cacheLock) {
1102 String caseIdentifier;
1103 if (skCase == null) {
1104 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1106 caseIdentifier = skCase.getCaseHandleIdentifier();
1108 final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1109 if (imgOffSetToFsHandle == null) {
1110 throw new TskCoreException(
"Missing image offset to file system handle cache for image handle " + imgHandle);
1112 if (imgOffSetToFsHandle.containsKey(fsOffset)) {
1114 fsHandle = imgOffSetToFsHandle.get(fsOffset);
1116 fsHandle = openFsNat(imgHandle, fsOffset);
1118 imgOffSetToFsHandle.put(fsOffset, fsHandle);
1123 releaseTSKReadLock();
1143 static long openFsPool(
long imgHandle,
long fsOffset,
long poolHandle,
long poolBlock,
SleuthkitCase skCase)
throws TskCoreException {
1152 synchronized (HandleCache.cacheLock) {
1153 String caseIdentifier;
1154 if (skCase == null) {
1155 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1157 caseIdentifier = skCase.getCaseHandleIdentifier();
1159 final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1160 if (imgOffSetToFsHandle == null) {
1161 throw new TskCoreException(
"Missing image offset to file system handle cache for image handle " + imgHandle);
1164 if (imgOffSetToFsHandle.containsKey(poolBlock)) {
1166 fsHandle = imgOffSetToFsHandle.get(poolBlock);
1168 long poolImgHandle = getImgInfoForPoolNat(poolHandle, poolBlock);
1169 HandleCache.getCaseHandles(caseIdentifier).poolImgCache.add(poolImgHandle);
1170 fsHandle = openFsNat(poolImgHandle, fsOffset);
1172 imgOffSetToFsHandle.put(poolBlock, fsHandle);
1173 HandleCache.getCaseHandles(caseIdentifier).poolFsList.add(fsHandle);
1178 releaseTSKWriteLock();
1208 boolean withinPool =
false;
1209 synchronized (HandleCache.cacheLock) {
1210 String caseIdentifier;
1211 if (skCase == null) {
1212 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1214 caseIdentifier = skCase.getCaseHandleIdentifier();
1216 if (HandleCache.getCaseHandles(caseIdentifier).poolFsList.contains(fsHandle)) {
1232 long fileHandle = openFileNat(fsHandle, fileId, attrType.getValue(), convertSignedToUnsigned(attrId));
1233 synchronized (HandleCache.cacheLock) {
1234 String caseIdentifier;
1235 if (skCase == null) {
1236 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1238 caseIdentifier = skCase.getCaseHandleIdentifier();
1240 HandleCache.addFileHandle(caseIdentifier, fileHandle, fsHandle);
1245 HandleCache.poolFileHandles.add(fileHandle);
1251 releaseTSKWriteLock();
1253 releaseTSKReadLock();
1265 private static int convertSignedToUnsigned(
int val) {
1270 return val & 0xffff;
1278 private static boolean imgHandleIsValid(
long imgHandle) {
1279 synchronized(HandleCache.cacheLock) {
1280 return HandleCache.isImageInAnyCache(imgHandle);
1299 public static int readImg(
long imgHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1302 if(! imgHandleIsValid(imgHandle)) {
1303 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1306 return readImgNat(imgHandle, readBuffer, offset, len);
1308 releaseTSKReadLock();
1326 public static int readVs(
long vsHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1329 return readVsNat(vsHandle, readBuffer, offset, len);
1331 releaseTSKReadLock();
1347 static int readPool(
long poolHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1350 return readPoolNat(poolHandle, readBuffer, offset, len);
1352 releaseTSKReadLock();
1370 public static int readVsPart(
long volHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1374 return readVolNat(volHandle, readBuffer, offset, len);
1376 releaseTSKReadLock();
1394 public static int readFs(
long fsHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1398 return readFsNat(fsHandle, readBuffer, offset, len);
1400 releaseTSKReadLock();
1408 private enum TSK_FS_FILE_READ_OFFSET_TYPE_ENUM {
1412 private final int val;
1414 TSK_FS_FILE_READ_OFFSET_TYPE_ENUM(
int val) {
1437 public static int readFile(
long fileHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1438 boolean withinPool =
false;
1439 synchronized (HandleCache.cacheLock) {
1440 if (HandleCache.poolFileHandles.contains(fileHandle)) {
1456 if (!HandleCache.isValidFileHandle(fileHandle)) {
1457 throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1460 return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_FILE.getValue(), len);
1463 releaseTSKWriteLock();
1465 releaseTSKReadLock();
1484 public static int readFileSlack(
long fileHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1487 if (!HandleCache.isValidFileHandle(fileHandle)) {
1488 throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1491 return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_SLACK.getValue(), len);
1493 releaseTSKReadLock();
1510 if (!HandleCache.isValidFileHandle(fileHandle)) {
1511 throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1515 java.io.File tmp = java.io.File.createTempFile(
"tsk",
".txt");
1517 saveFileMetaDataTextNat(fileHandle, tmp.getAbsolutePath());
1519 FileReader fr =
new FileReader(tmp.getAbsolutePath());
1520 BufferedReader textReader =
new BufferedReader(fr);
1522 List<String> lines =
new ArrayList<String>();
1524 String line = textReader.readLine();
1534 }
catch (IOException ex) {
1535 throw new TskCoreException(
"Error reading istat output: " + ex.getLocalizedMessage());
1538 releaseTSKReadLock();
1558 boolean withinPool =
false;
1559 synchronized (HandleCache.cacheLock) {
1560 if (HandleCache.poolFileHandles.contains(fileHandle)) {
1576 synchronized (HandleCache.cacheLock) {
1577 if (!HandleCache.isValidFileHandle(fileHandle)) {
1581 closeFileNat(fileHandle);
1582 HandleCache.removeFileHandle(fileHandle, skCase);
1583 if (HandleCache.poolFileHandles.contains(fileHandle)) {
1584 HandleCache.poolFileHandles.remove(fileHandle);
1589 releaseTSKWriteLock();
1591 releaseTSKReadLock();
1604 hashDbCreateIndexNat(dbHandle);
1617 return hashDbIndexExistsNat(dbHandle);
1631 return hashDbIsReindexableNat(dbHandle);
1644 return hashDbPathNat(dbHandle);
1657 return hashDbIndexPathNat(dbHandle);
1667 return hashDbOpenNat(path);
1680 return hashDbNewNat(path);
1703 hashDbClose(dbHandle);
1716 return hashDbGetDisplayName(dbHandle);
1730 return hashDbLookup(hash, dbHandle);
1745 return hashDbLookupVerbose(hash, dbHandle);
1760 public static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment,
int dbHandle)
throws TskCoreException {
1761 hashDbAddEntryNat(filename, md5, sha1, sha256, comment, dbHandle);
1764 public static void addToHashDatabase(List<HashEntry> hashes,
int dbHandle)
throws TskCoreException {
1765 hashDbBeginTransactionNat(dbHandle);
1768 hashDbAddEntryNat(entry.getFileName(), entry.getMd5Hash(), entry.getSha1Hash(), entry.getSha256Hash(), entry.getComment(), dbHandle);
1770 hashDbCommitTransactionNat(dbHandle);
1771 }
catch (TskCoreException ex) {
1773 hashDbRollbackTransactionNat(dbHandle);
1774 }
catch (TskCoreException ex2) {
1783 return hashDbIsUpdateableNat(dbHandle);
1787 return hashDbIsIdxOnlyNat(dbHandle);
1799 private static String timezoneLongToShort(String timezoneLongForm) {
1800 if (timezoneLongForm == null || timezoneLongForm.isEmpty()) {
1804 String timezoneShortForm;
1805 TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
1806 int offset = zone.getRawOffset() / 1000;
1807 int hour = offset / 3600;
1808 int min = (offset % 3600) / 60;
1809 DateFormat dfm =
new SimpleDateFormat(
"z");
1810 dfm.setTimeZone(zone);
1811 boolean hasDaylight = zone.useDaylightTime();
1812 String first = dfm.format(
new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3);
1813 String second = dfm.format(
new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3);
1814 int mid = hour * -1;
1815 timezoneShortForm = first + Integer.toString(mid);
1817 timezoneShortForm = timezoneShortForm +
":" + (min < 10 ?
"0" :
"") + Integer.toString(min);
1820 timezoneShortForm += second;
1822 return timezoneShortForm;
1838 if(! imgHandleIsValid(imgHandle)) {
1839 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1841 return finishImageWriterNat(imgHandle);
1843 releaseTSKReadLock();
1857 if (imgHandleIsValid(imgHandle)) {
1858 return getFinishImageProgressNat(imgHandle);
1863 releaseTSKReadLock();
1875 if (imgHandleIsValid(imgHandle)) {
1876 cancelFinishImageNat(imgHandle);
1879 releaseTSKReadLock();
1895 return findDeviceSizeNat(devPath);
1899 return isImageSupportedNat(imagePath);
1915 static long getSleuthkitVersion() {
1916 return getSleuthkitVersionNat();
1923 private static void getTSKReadLock() {
1924 tskLock.readLock().lock();
1930 private static void releaseTSKReadLock() {
1931 tskLock.readLock().unlock();
1941 private static void getTSKWriteLock() {
1942 tskLock.writeLock().lock();
1948 private static void releaseTSKWriteLock() {
1949 tskLock.writeLock().unlock();
1997 public static long openImage(String[] imageFiles)
throws TskCoreException {
1999 return openImage(imageFiles, 0,
true, null);
2016 public static long openImage(String[] imageFiles,
int sSize)
throws TskCoreException {
2017 return openImage(imageFiles, sSize,
true, null);
2035 public static long openFs(
long imgHandle,
long fsOffset)
throws TskCoreException {
2036 return openFs(imgHandle, fsOffset, null);
2055 return openFile(fsHandle, fileId, attrType, attrId, null);
2059 private static native String getVersionNat();
2061 private static native
void startVerboseLoggingNat(String logPath);
2063 private static native
int hashDbOpenNat(String hashDbPath)
throws TskCoreException;
2065 private static native
int hashDbNewNat(String hashDbPath)
throws TskCoreException;
2067 private static native
int hashDbBeginTransactionNat(
int dbHandle)
throws TskCoreException;
2069 private static native
int hashDbCommitTransactionNat(
int dbHandle)
throws TskCoreException;
2071 private static native
int hashDbRollbackTransactionNat(
int dbHandle)
throws TskCoreException;
2073 private static native
int hashDbAddEntryNat(String filename, String hashMd5, String hashSha1, String hashSha256, String comment,
int dbHandle)
throws TskCoreException;
2075 private static native
boolean hashDbIsUpdateableNat(
int dbHandle);
2077 private static native
boolean hashDbIsReindexableNat(
int dbHandle);
2079 private static native String hashDbPathNat(
int dbHandle);
2081 private static native String hashDbIndexPathNat(
int dbHandle);
2083 private static native String hashDbGetDisplayName(
int dbHandle)
throws TskCoreException;
2085 private static native
void hashDbCloseAll() throws TskCoreException;
2087 private static native
void hashDbClose(
int dbHandle) throws TskCoreException;
2089 private static native
void hashDbCreateIndexNat(
int dbHandle) throws TskCoreException;
2091 private static native
boolean hashDbIndexExistsNat(
int dbHandle) throws TskCoreException;
2093 private static native
boolean hashDbIsIdxOnlyNat(
int dbHandle) throws TskCoreException;
2095 private static native
boolean hashDbLookup(String hash,
int dbHandle) throws TskCoreException;
2097 private static native
HashHitInfo hashDbLookupVerbose(String hash,
int dbHandle) throws TskCoreException;
2099 private static native
long initAddImgNat(TskCaseDbBridge dbHelperObj, String timezone,
boolean addUnallocSpace,
boolean skipFatFsOrphans) throws TskCoreException;
2101 private static native
long initializeAddImgNat(TskCaseDbBridge dbHelperObj, String timezone,
boolean addFileSystems,
boolean addUnallocSpace,
boolean skipFatFsOrphans) throws TskCoreException;
2103 private static native
void runOpenAndAddImgNat(
long process, String deviceId, String[] imgPath,
int splits, String timezone) throws TskCoreException,
TskDataException;
2105 private static native
void runAddImgNat(
long process, String deviceId,
long a_img_info,
long image_id, String timeZone, String imageWriterPath) throws TskCoreException, TskDataException;
2107 private static native
void stopAddImgNat(
long process) throws TskCoreException;
2109 private static native
long finishAddImgNat(
long process) throws TskCoreException;
2111 private static native
long openImgNat(String[] imgPath,
int splits,
int sSize) throws TskCoreException;
2113 private static native
long openVsNat(
long imgHandle,
long vsOffset) throws TskCoreException;
2115 private static native
long openVolNat(
long vsHandle,
long volId) throws TskCoreException;
2117 private static native
long openPoolNat(
long imgHandle,
long offset) throws TskCoreException;
2119 private static native
long getImgInfoForPoolNat(
long poolHandle,
long poolOffset) throws TskCoreException;
2121 private static native
long openFsNat(
long imgHandle,
long fsId) throws TskCoreException;
2123 private static native
long openFileNat(
long fsHandle,
long fileId,
int attrType,
int attrId) throws TskCoreException;
2125 private static native
int readImgNat(
long imgHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2127 private static native
int readVsNat(
long vsHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2129 private static native
int readPoolNat(
long poolHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2131 private static native
int readVolNat(
long volHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2133 private static native
int readFsNat(
long fsHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2135 private static native
int readFileNat(
long fileHandle, byte[] readBuffer,
long offset,
int offset_type,
long len) throws TskCoreException;
2137 private static native
int saveFileMetaDataTextNat(
long fileHandle, String fileName) throws TskCoreException;
2139 private static native String[] getPathsForImageNat(
long imgHandle);
2141 private static native
long getSizeForImageNat(
long imgHandle);
2143 private static native
long getTypeForImageNat(
long imgHandle);
2145 private static native
long getSectorSizeForImageNat(
long imgHandle);
2147 private static native String getMD5HashForImageNat(
long imgHandle);
2149 private static native String getSha1HashForImageNat(
long imgHandle);
2151 private static native String getCollectionDetailsForImageNat(
long imgHandle);
2153 private static native
void closeImgNat(
long imgHandle);
2155 private static native
void closePoolNat(
long poolHandle);
2157 private static native
void closeVsNat(
long vsHandle);
2159 private static native
void closeFsNat(
long fsHandle);
2161 private static native
void closeFileNat(
long fileHandle);
2163 private static native
long findDeviceSizeNat(String devicePath) throws TskCoreException;
2165 private static native String getCurDirNat(
long process);
2167 private static native
boolean isImageSupportedNat(String imagePath);
2169 private static native
long getSleuthkitVersionNat();
2171 private static native
int finishImageWriterNat(
long a_img_info);
2173 private static native
int getFinishImageProgressNat(
long a_img_info);
2175 private static native
void cancelFinishImageNat(
long a_img_info);
static int readImg(long imgHandle, byte[] readBuffer, long offset, long len)
static String getHashDatabaseIndexPath(int dbHandle)
static int readVs(long vsHandle, byte[] readBuffer, long offset, long len)
static void createLookupIndexForHashDatabase(int dbHandle)
CaseDbTransaction beginTransaction()
void run(String deviceId, Image image, int sectorSize, AddDataSourceCallbacks addDataSourceCallbacks)
static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle)
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase)
static int createHashDatabase(String path)
static void closeFs(long fsHandle)
static void cancelFinishImage(long imgHandle)
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId)
void run(String deviceId, String[] imageFilePaths)
static int readFile(long fileHandle, byte[] readBuffer, long offset, long len)
static int finishImageWriter(long imgHandle)
static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle)
static long openVs(long imgHandle, long vsOffset)
synchronized long commit()
static long openImage(String[] imageFiles, SleuthkitCase skCase)
static boolean hashDatabaseIsIndexOnly(int dbHandle)
synchronized void revert()
static boolean isImageSupported(String imagePath)
static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len)
static boolean loadSleuthkitJNI()
static void closeFile(long fileHandle, SleuthkitCase skCase)
static long openImage(String[] imageFiles, int sSize)
static void closeVs(long vsHandle)
static long openImage(String[] imageFiles)
static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase)
static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase)
void run(String deviceId, String[] imageFilePaths, int sectorSize)
static long findDeviceSize(String devPath)
static String getHashDatabaseDisplayName(int dbHandle)
static List< String > getFileMetaDataText(long fileHandle)
static void closeImg(long imgHandle)
static long openFs(long imgHandle, long fsOffset)
void run(String[] imageFilePaths)
synchronized String currentDirectory()
Image addImage(TskData.TSK_IMG_TYPE_ENUM type, long sectorSize, long size, String displayName, List< String > imagePaths, String timezone, String md5, String sha1, String sha256, String deviceId, CaseDbTransaction transaction)
static int getFinishImageProgress(long imgHandle)
static int openHashDatabase(String path)
static void closeFile(long fileHandle)
static boolean lookupInHashDatabase(String hash, int dbHandle)
static TSK_IMG_TYPE_ENUM valueOf(long imgType)
static boolean hashDatabaseHasLookupIndex(int dbHandle)
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId)
static long openVsPart(long vsHandle, long volId)
static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len)
static boolean isUpdateableHashDatabase(int dbHandle)
static void addToHashDatabase(List< HashEntry > hashes, int dbHandle)
static void closeAllHashDatabases()
static boolean hashDatabaseCanBeReindexed(int dbHandle)
static String getVersion()
static void startVerboseLogging(String logPath)
static int readFs(long fsHandle, byte[] readBuffer, long offset, long len)
static String getHashDatabasePath(int dbHandle)
static void closeHashDatabase(int dbHandle)