Sleuth Kit Java Bindings (JNI)  4.11.0
Java bindings for using The Sleuth Kit
SleuthkitJNI.java
Go to the documentation of this file.
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2011-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import java.io.BufferedReader;
22 import java.io.FileReader;
23 import java.io.IOException;
24 import java.text.DateFormat;
25 import java.text.SimpleDateFormat;
26 import java.util.ArrayList;
27 import java.util.Arrays;
28 import java.util.GregorianCalendar;
29 import java.util.HashMap;
30 import java.util.HashSet;
31 import java.util.List;
32 import java.util.Map;
33 import java.util.Set;
34 import java.util.TimeZone;
35 import java.util.UUID;
36 import java.util.concurrent.locks.ReadWriteLock;
37 import java.util.concurrent.locks.ReentrantReadWriteLock;
38 import java.util.logging.Level;
39 import java.util.logging.Logger;
40 import org.apache.commons.lang3.StringUtils;
43 
52 public class SleuthkitJNI {
53 
54  private static final Logger logger = Logger.getLogger(SleuthkitJNI.class.getName());
55 
62  private static final ReadWriteLock tskLock = new ReentrantReadWriteLock();
63 
64  /*
65  * Loads the SleuthKit libraries.
66  */
67  static {
69  }
70 
75  private SleuthkitJNI() {
76  }
77 
81  private static class CaseHandles {
82  /*
83  * A SleuthKit image handle cache implemented as a mappng of
84  * concatenated image file paths to image handles.
85  */
86  private final Map<String, Long> imageHandleCache = new HashMap<>();
87 
88  /*
89  * A SleuthKit file system handles cache implemented as a mapping of
90  * image handles to image offset and file system handle pairs.
91  */
92  private final Map<Long, Map<Long, Long>> fsHandleCache = new HashMap<>();
93 
94  /*
95  * The collection of open file handles. We will only allow requests
96  * through to the C code if the file handle exists in this collection.
97  */
98  private final Set<Long> fileHandleCache = new HashSet<>();
99 
100  private final Map<Long, List<Long>> fileSystemToFileHandles = new HashMap<>();
101 
102  private final Map<Long, Map<Long, Long>> poolHandleCache = new HashMap<>();
103 
104  // The poolImgCache is only used to close the images later.
105  private final List<Long> poolImgCache = new ArrayList<>();
106 
107  /*
108  * Currently, our APFS code is not thread-safe and it is the only code
109  * that uses pools. To prevent crashes, we make any reads to a file system
110  * contained in a pool single-threaded. This cache keeps track of which
111  * open file system handles are contained in a pool so we can set the locks
112  * appropriately.
113  */
114  private final List<Long> poolFsList = new ArrayList<>();
115 
116  private CaseHandles() {
117  // Nothing to do here
118  }
119  }
120 
127  private static class HandleCache {
128 
129  /*
130  * A monitor used to guard access to cached Sleuthkit JNI handles.
131  */
132  private static final Object cacheLock = new Object();
133 
134  private static final Map<String, CaseHandles> caseHandlesCache = new HashMap<>();
135 
136  private static final String INVALID_FILE_HANDLE = "Invalid file handle."; //NON-NLS
137 
138  /*
139  * Currently, our APFS code is not thread-safe and it is the only code
140  * that uses pools. To prevent crashes, we make any reads to a file system
141  * contained in a pool single-threaded. This cache keeps track of which
142  * open file handles are contained in a pool so we can set the locks
143  * appropriately.
144  *
145  * Access to this list should be guarded by cacheLock.
146  */
147  private static final List<Long> poolFileHandles = new ArrayList<>();
148 
154  private static void createCaseHandleCache(String caseIdentifier) {
155  caseHandlesCache.put(caseIdentifier, new CaseHandles());
156  }
157 
166  private static String getDefaultCaseIdentifier() throws TskCoreException {
167  synchronized (cacheLock) {
168  if (caseHandlesCache.keySet().size() > 1) {
169  throw new TskCoreException("Can not get default case identifier with multiple open cases");
170  } else if (caseHandlesCache.keySet().isEmpty()) {
171  throw new TskCoreException("Can not get default case identifier with no open case");
172  }
173 
174  return (caseHandlesCache.keySet().iterator().next());
175  }
176  }
177 
187  private static CaseHandles getCaseHandles(String caseIdentifier) throws TskCoreException {
188  synchronized (cacheLock) {
189  if (caseHandlesCache.containsKey(caseIdentifier)) {
190  return caseHandlesCache.get(caseIdentifier);
191  }
192  // If the CaseHandles object isn't in there, it should mean the case has been closed.
193  throw new TskCoreException("No entry for case " + caseIdentifier + " in cache. Case may have been closed");
194  }
195  }
196 
202  private static void removeCaseHandlesCache(String caseIdentifier) {
203  synchronized (cacheLock) {
204  if (caseHandlesCache.containsKey(caseIdentifier)) {
205  caseHandlesCache.get(caseIdentifier).fsHandleCache.clear();
206  caseHandlesCache.get(caseIdentifier).imageHandleCache.clear();
207  caseHandlesCache.get(caseIdentifier).fileHandleCache.clear();
208  caseHandlesCache.get(caseIdentifier).fileSystemToFileHandles.clear();
209  caseHandlesCache.get(caseIdentifier).poolHandleCache.clear();
210  caseHandlesCache.remove(caseIdentifier);
211  }
212  }
213  }
214 
222  private static boolean isImageInAnyCache(long imgHandle) {
223  synchronized (cacheLock) {
224  for (String caseIdentifier:caseHandlesCache.keySet()) {
225  if (caseHandlesCache.get(caseIdentifier).fsHandleCache.keySet().contains(imgHandle)) {
226  return true;
227  }
228  }
229  return false;
230  }
231  }
232 
240  private static void addFileHandle(String caseIdentifier, long fileHandle, long fsHandle) {
241  try {
242  synchronized (cacheLock) {
243  // Add to collection of open file handles.
244  getCaseHandles(caseIdentifier).fileHandleCache.add(fileHandle);
245 
246  // Add to map of file system to file handles.
247  if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
248  getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle).add(fileHandle);
249  } else {
250  getCaseHandles(caseIdentifier).fileSystemToFileHandles.put(fsHandle, new ArrayList<>(Arrays.asList(fileHandle)));
251  }
252  }
253  } catch (TskCoreException ex) {
254  logger.log(Level.WARNING, "Error caching file handle for case {0}", caseIdentifier);
255  }
256  }
257 
264  private static void removeFileHandle(long fileHandle, SleuthkitCase skCase) {
265  synchronized (cacheLock) {
266  // Remove from collection of open file handles.
267  if (skCase != null) {
268  try {
269  getCaseHandles(skCase.getCaseHandleIdentifier()).fileHandleCache.remove(fileHandle);
270  } catch (TskCoreException ex) {
271  // If the call to getCaseHandles() failed, we've already cleared the cache.
272  }
273  } else {
274  // If we don't know what case the handle is from, delete the first one we find
275  for (String caseIdentifier:caseHandlesCache.keySet()) {
276  if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
277  caseHandlesCache.get(caseIdentifier).fileHandleCache.remove(fileHandle);
278  return;
279  }
280  }
281  }
282  }
283  }
284 
292  private static boolean isValidFileHandle(long fileHandle) {
293  synchronized (cacheLock) {
294  for (String caseIdentifier:caseHandlesCache.keySet()) {
295  if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
296  return true;
297  }
298  }
299  return false;
300  }
301  }
302 
303  private static void closeHandlesAndClearCache(String caseIdentifier) throws TskCoreException {
304  synchronized (cacheLock) {
305  /*
306  * Close any cached file system handles.
307  */
308  for (Map<Long, Long> imageToFsMap : getCaseHandles(caseIdentifier).fsHandleCache.values()) {
309  for (Long fsHandle : imageToFsMap.values()) {
310  // First close all open file handles for the file system.
311  if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
312  for (Long fileHandle : getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle)) {
313  // Update the cache of file handles contained in pools
314  if (poolFileHandles.contains(fileHandle)) {
315  poolFileHandles.remove(fileHandle);
316  }
317  closeFile(fileHandle);
318  }
319  }
320  // Then close the file system handle.
321  closeFsNat(fsHandle);
322  }
323  }
324 
325  /*
326  * Clear out the list of pool file systems.
327  */
328  getCaseHandles(caseIdentifier).poolFsList.clear();
329 
330  /*
331  * Close any cached pools
332  */
333  for (Long imgHandle : getCaseHandles(caseIdentifier).poolHandleCache.keySet()) {
334  for (Long poolHandle : getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle).values()) {
335  closePoolNat(poolHandle);
336  }
337  }
338 
339  /*
340  * Close any open pool images
341  */
342  for (Long imageHandle : getCaseHandles(caseIdentifier).poolImgCache) {
343  closeImgNat(imageHandle);
344  }
345 
346  /*
347  * Close any cached image handles.
348  */
349  for (Long imageHandle : getCaseHandles(caseIdentifier).imageHandleCache.values()) {
350  closeImgNat(imageHandle);
351  }
352 
353  removeCaseHandlesCache(caseIdentifier);
354  }
355 
356  }
357  }
358 
363  public static class CaseDbHandle {
364 
365  /*
366  * A unique indentifier for a case
367  */
368  private final String caseDbIdentifier;
369 
376  private CaseDbHandle(String databaseName) {
377  this.caseDbIdentifier = "SingleUser:" + databaseName; // NON-NLS
378  HandleCache.createCaseHandleCache(caseDbIdentifier);
379  }
380 
388  private CaseDbHandle(String databaseName, CaseDbConnectionInfo info) {
389  this.caseDbIdentifier = "MultiUser:" + info.getHost() + ":" + databaseName;
390  HandleCache.createCaseHandleCache(caseDbIdentifier);
391  }
392 
398  String getCaseDbIdentifier() {
399  return caseDbIdentifier;
400  }
401 
408  void free() throws TskCoreException {
409  tskLock.writeLock().lock();
410  try {
411  HandleCache.closeHandlesAndClearCache(caseDbIdentifier);
412  //SleuthkitJNI.closeCaseDbNat(caseDbIdentifier);
413  } finally {
414  tskLock.writeLock().unlock();
415  }
416  }
417 
441  long addImageInfo(long deviceObjId, List<String> imageFilePaths, String timeZone, Host host, SleuthkitCase skCase) throws TskCoreException {
442 
443  try {
444  if (host == null) {
445  String hostName;
446  if (imageFilePaths.size() > 0) {
447  String path = imageFilePaths.get(0);
448  hostName = (new java.io.File(path)).getName() + " Host";
449  } else {
450  hostName = "Image_" + deviceObjId + " Host";
451  }
452  host = skCase.getHostManager().newHost(hostName);
453  }
454  TskCaseDbBridge dbHelper = new TskCaseDbBridge(skCase, new DefaultAddDataSourceCallbacks(), host);
455  long tskAutoDbPointer = initializeAddImgNat(dbHelper, timezoneLongToShort(timeZone), false, false, false);
456  runOpenAndAddImgNat(tskAutoDbPointer, UUID.randomUUID().toString(), imageFilePaths.toArray(new String[0]), imageFilePaths.size(), timeZone);
457  long id = finishAddImgNat(tskAutoDbPointer);
458  dbHelper.finish();
459  skCase.addDataSourceToHasChildrenMap();
460  return id;
461  } catch (TskDataException ex) {
462  throw new TskCoreException("Error adding image to case database", ex);
463  }
464  }
465 
482  AddImageProcess initAddImageProcess(String timeZone, boolean addUnallocSpace, boolean skipFatFsOrphans, String imageCopyPath, SleuthkitCase skCase) {
483  return new AddImageProcess(timeZone, addUnallocSpace, skipFatFsOrphans, imageCopyPath, skCase);
484  }
485 
490  public class AddImageProcess {
491 
492  private final String timeZone;
493  private final boolean addUnallocSpace;
494  private final boolean skipFatFsOrphans;
495  private final String imageWriterPath;
496  private volatile long tskAutoDbPointer;
497  private long imageId = 0;
498  private boolean isCanceled;
499  private final SleuthkitCase skCase;
500  private TskCaseDbBridge dbHelper;
501 
515  private AddImageProcess(String timeZone, boolean addUnallocSpace, boolean skipFatFsOrphans, String imageWriterPath, SleuthkitCase skCase) {
516  this.timeZone = timeZone;
517  this.addUnallocSpace = addUnallocSpace;
518  this.skipFatFsOrphans = skipFatFsOrphans;
519  this.imageWriterPath = imageWriterPath;
520  tskAutoDbPointer = 0;
521  this.isCanceled = false;
522  this.skCase = skCase;
523 
524  }
525 
542  public void run(String deviceId, String[] imageFilePaths, int sectorSize) throws TskCoreException, TskDataException {
543  Image img = addImageToDatabase(skCase, imageFilePaths, sectorSize, "", "", "", "", deviceId);
544  run(deviceId, img, sectorSize, new DefaultAddDataSourceCallbacks());
545  }
546 
564  public void run(String deviceId, Image image, int sectorSize,
565  AddDataSourceCallbacks addDataSourceCallbacks) throws TskCoreException, TskDataException {
566 
567  dbHelper = new TskCaseDbBridge(skCase, addDataSourceCallbacks, image.getHost());
568  getTSKReadLock();
569  try {
570  long imageHandle = 0;
571  synchronized (this) {
572  if (0 != tskAutoDbPointer) {
573  throw new TskCoreException("Add image process already started");
574  }
575  if (!isCanceled) { //with isCanceled being guarded by this it will have the same value everywhere in this synchronized block
576  imageHandle = image.getImageHandle();
577  tskAutoDbPointer = initAddImgNat(dbHelper, timezoneLongToShort(timeZone), addUnallocSpace, skipFatFsOrphans);
578  }
579  if (0 == tskAutoDbPointer) {
580  throw new TskCoreException("initAddImgNat returned a NULL TskAutoDb pointer");
581  }
582  }
583  if (imageHandle != 0) {
584  runAddImgNat(tskAutoDbPointer, deviceId, imageHandle, image.getId(), timeZone, imageWriterPath);
585  }
586  } finally {
587  finishAddImageProcess();
588  releaseTSKReadLock();
589  }
590  }
591 
601  public synchronized void stop() throws TskCoreException {
602  getTSKReadLock();
603  try {
604  isCanceled = true;
605  if (tskAutoDbPointer != 0) {
606  stopAddImgNat(tskAutoDbPointer);
607  }
608  } finally {
609  releaseTSKReadLock();
610  }
611  }
612 
623  private synchronized void finishAddImageProcess() throws TskCoreException {
624  if (tskAutoDbPointer == 0) {
625  return;
626  }
627 
628  // If the process wasn't cancelled, finish up processing the
629  // remaining files.
630  if (! this.isCanceled && dbHelper != null) {
631  dbHelper.finish();
632  }
633 
634  // Free the auto DB pointer and get the image ID
635  imageId = finishAddImgNat(tskAutoDbPointer);
636  tskAutoDbPointer = 0;
637 
638  skCase.addDataSourceToHasChildrenMap();
639  }
640 
649  @Deprecated
650  public synchronized void revert() throws TskCoreException {
651  // No-op
652  }
653 
665  @Deprecated
666  public synchronized long commit() throws TskCoreException {
667  return imageId;
668  }
669 
676  public synchronized String currentDirectory() {
677  return tskAutoDbPointer == 0 ? "" : getCurDirNat(tskAutoDbPointer); //NON-NLS
678  }
679 
695  @Deprecated
696  public void run(String[] imageFilePaths) throws TskCoreException, TskDataException {
697  run(null, imageFilePaths, 0);
698  }
699 
715  public void run(String deviceId, String[] imageFilePaths) throws TskCoreException, TskDataException {
716  run(deviceId, imageFilePaths, 0);
717  }
718  }
719 
720  }
721 
733  static CaseDbHandle newCaseDb(String path) throws TskCoreException {
734  return new CaseDbHandle(path);
735  }
736 
749  static CaseDbHandle newCaseDb(String databaseName, CaseDbConnectionInfo info) throws TskCoreException {
750  return new CaseDbHandle(databaseName, info);
751  }
752 
764  static CaseDbHandle openCaseDb(String path) throws TskCoreException {
765  return new CaseDbHandle(path);
766  }
767 
780  static CaseDbHandle openCaseDb(String databaseName, CaseDbConnectionInfo info) throws TskCoreException {
781  return new CaseDbHandle(databaseName, info);
782  }
783 
789  public static String getVersion() {
790  return getVersionNat();
791  }
792 
798  public static void startVerboseLogging(String logPath) {
799  startVerboseLoggingNat(logPath);
800  }
801 
813  public static long openImage(String[] imageFiles, SleuthkitCase skCase) throws TskCoreException {
814  if (skCase == null) {
815  throw new TskCoreException("SleuthkitCase can not be null");
816  }
817  return openImage(imageFiles, 0, true, skCase.getCaseHandleIdentifier());
818  }
819 
833  public static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase) throws TskCoreException {
834  if (skCase == null) {
835  throw new TskCoreException("SleuthkitCase can not be null");
836  }
837  return openImage(imageFiles, sSize, true, skCase.getCaseHandleIdentifier());
838  }
839 
857  private static long openImage(String[] imageFiles, int sSize, boolean useCache, String caseIdentifer) throws TskCoreException {
858  getTSKReadLock();
859  try {
860  long imageHandle;
861 
862  StringBuilder keyBuilder = new StringBuilder();
863  for (int i = 0; i < imageFiles.length; ++i) {
864  keyBuilder.append(imageFiles[i]);
865  }
866  final String imageKey = keyBuilder.toString();
867 
868  synchronized (HandleCache.cacheLock) {
869  String nonNullCaseIdentifer = caseIdentifer;
870  if (nonNullCaseIdentifer == null) {
871  nonNullCaseIdentifer = HandleCache.getDefaultCaseIdentifier();
872  }
873 
874  // If we're getting a fresh copy and an image with this path is already
875  // in the cache, move the existing cache reference so it won't be used by
876  // any subsequent calls to openImage but will still be valid if any objects
877  // have it cached. This happens in the case where the user adds the same data
878  // source twice (see JIRA-5868).
879  if (!useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) {
880  long tempImageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
881 
882  // Store the old image handle in a fake path. This way it will no longer be found but will
883  // still be valid and the image and its file systems will be closed with the case.
884  String newPath = "Image_" + UUID.randomUUID().toString();
885  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(newPath, tempImageHandle);
886  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.remove(imageKey);
887  }
888 
889  if (useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) //get from cache
890  {
891  imageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
892  } else {
893  //open new handle and cache it
894  imageHandle = openImgNat(imageFiles, imageFiles.length, sSize);
895  HandleCache.getCaseHandles(nonNullCaseIdentifer).fsHandleCache.put(imageHandle, new HashMap<>());
896  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(imageKey, imageHandle);
897  }
898  }
899  return imageHandle;
900  } finally {
901  releaseTSKReadLock();
902  }
903  }
904 
918  private static void cacheImageHandle(SleuthkitCase skCase, List<String> imagePaths, long imageHandle) throws TskCoreException {
919 
920  // Construct the hash key from the image paths
921  StringBuilder keyBuilder = new StringBuilder();
922  for (int i = 0; i < imagePaths.size(); ++i) {
923  keyBuilder.append(imagePaths.get(i));
924  }
925  final String imageKey = keyBuilder.toString();
926 
927  // Get the case identifier
928  String caseIdentifier = skCase.getCaseHandleIdentifier();
929 
930  synchronized (HandleCache.cacheLock) {
931  HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.put(imageHandle, new HashMap<>());
932  HandleCache.getCaseHandles(caseIdentifier).imageHandleCache.put(imageKey, imageHandle);
933  }
934  }
935 
952  public static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize,
953  String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId) throws TskCoreException {
954 
955  return addImageToDatabase(skCase, imagePaths, sectorSize, timeZone, md5fromSettings, sha1fromSettings, sha256fromSettings, deviceId, null);
956  }
957 
975  public static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize,
976  String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId, Host host) throws TskCoreException {
977 
978  // Open the image
979  long imageHandle = openImgNat(imagePaths, 1, sectorSize);
980 
981  // Get the fields stored in the native code
982  List<String> computedPaths = Arrays.asList(getPathsForImageNat(imageHandle));
983  long size = getSizeForImageNat(imageHandle);
984  long type = getTypeForImageNat(imageHandle);
985  long computedSectorSize = getSectorSizeForImageNat(imageHandle);
986  String md5 = md5fromSettings;
987  if (StringUtils.isEmpty(md5)) {
988  md5 = getMD5HashForImageNat(imageHandle);
989  }
990  String sha1 = sha1fromSettings;
991  if (StringUtils.isEmpty(sha1)) {
992  sha1 = getSha1HashForImageNat(imageHandle);
993  }
994  // Sleuthkit does not currently generate any SHA256 hashes. Set to empty
995  // string for consistency.
996  String sha256 = sha256fromSettings;
997  if (sha256 == null) {
998  sha256 = "";
999  }
1000  String collectionDetails = getCollectionDetailsForImageNat(imageHandle);
1001 
1002  // Now save to database
1003  CaseDbTransaction transaction = skCase.beginTransaction();
1004  try {
1005  Image img = skCase.addImage(TskData.TSK_IMG_TYPE_ENUM.valueOf(type), computedSectorSize,
1006  size, null, computedPaths,
1007  timeZone, md5, sha1, sha256,
1008  deviceId, host, transaction);
1009  if (!StringUtils.isEmpty(collectionDetails)) {
1010  skCase.setAcquisitionDetails(img, collectionDetails);
1011  }
1012  transaction.commit();
1013 
1014  img.setImageHandle(imageHandle);
1015  cacheImageHandle(skCase, computedPaths, imageHandle);
1016  return img;
1017  } catch (TskCoreException ex) {
1018  transaction.rollback();
1019  throw(ex);
1020  }
1021  }
1022 
1023 
1024 
1037  public static long openVs(long imgHandle, long vsOffset) throws TskCoreException {
1038  getTSKReadLock();
1039  try {
1040  if(! imgHandleIsValid(imgHandle)) {
1041  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1042  }
1043  return openVsNat(imgHandle, vsOffset);
1044  } finally {
1045  releaseTSKReadLock();
1046  }
1047  }
1048 
1049  //get pointers
1061  public static long openVsPart(long vsHandle, long volId) throws TskCoreException {
1062  getTSKReadLock();
1063  try {
1064  //returned long is ptr to vs Handle object in tsk
1065  return openVolNat(vsHandle, volId);
1066  } finally {
1067  releaseTSKReadLock();
1068  }
1069  }
1070 
1082  static long openPool(long imgHandle, long offset, SleuthkitCase skCase) throws TskCoreException {
1083  getTSKReadLock();
1084  try {
1085  if(! imgHandleIsValid(imgHandle)) {
1086  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1087  }
1088 
1089  synchronized (HandleCache.cacheLock) {
1090  String caseIdentifier;
1091  if (skCase == null) {
1092  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1093  } else {
1094  caseIdentifier = skCase.getCaseHandleIdentifier();
1095  }
1096 
1097  // If a pool handle cache for this image does not exist, make one
1098  if (! HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.containsKey(imgHandle)) {
1099  HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.put(imgHandle, new HashMap<>());
1100  }
1101 
1102  // Get the pool handle cache for this image
1103  Map<Long, Long> poolCacheForImage = HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle);
1104 
1105  if (poolCacheForImage.containsKey(offset)) {
1106  return poolCacheForImage.get(offset);
1107  } else {
1108  //returned long is ptr to pool Handle object in tsk
1109  long poolHandle = openPoolNat(imgHandle, offset);
1110  poolCacheForImage.put(offset, poolHandle);
1111  return poolHandle;
1112  }
1113  }
1114  } finally {
1115  releaseTSKReadLock();
1116  }
1117  }
1118 
1132  public static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase) throws TskCoreException {
1133  getTSKReadLock();
1134  try {
1135  long fsHandle;
1136  synchronized (HandleCache.cacheLock) {
1137  String caseIdentifier;
1138  if (skCase == null) {
1139  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1140  } else {
1141  caseIdentifier = skCase.getCaseHandleIdentifier();
1142  }
1143  final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1144  if (imgOffSetToFsHandle == null) {
1145  throw new TskCoreException("Missing image offset to file system handle cache for image handle " + imgHandle);
1146  }
1147  if (imgOffSetToFsHandle.containsKey(fsOffset)) {
1148  //return cached
1149  fsHandle = imgOffSetToFsHandle.get(fsOffset);
1150  } else {
1151  fsHandle = openFsNat(imgHandle, fsOffset);
1152  //cache it
1153  imgOffSetToFsHandle.put(fsOffset, fsHandle);
1154  }
1155  }
1156  return fsHandle;
1157  } finally {
1158  releaseTSKReadLock();
1159  }
1160  }
1161 
1178  static long openFsPool(long imgHandle, long fsOffset, long poolHandle, long poolBlock, SleuthkitCase skCase) throws TskCoreException {
1179  /*
1180  * Currently, our APFS code is not thread-safe and it is the only code
1181  * that uses pools. To prevent crashes, we make any reads to a file system
1182  * contained in a pool single-threaded.
1183  */
1184  getTSKWriteLock();
1185  try {
1186  long fsHandle;
1187  synchronized (HandleCache.cacheLock) {
1188  String caseIdentifier;
1189  if (skCase == null) {
1190  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1191  } else {
1192  caseIdentifier = skCase.getCaseHandleIdentifier();
1193  }
1194  final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1195  if (imgOffSetToFsHandle == null) {
1196  throw new TskCoreException("Missing image offset to file system handle cache for image handle " + imgHandle);
1197  }
1198 
1199  if (imgOffSetToFsHandle.containsKey(poolBlock)) {
1200  //return cached
1201  fsHandle = imgOffSetToFsHandle.get(poolBlock);
1202  } else {
1203  long poolImgHandle = getImgInfoForPoolNat(poolHandle, poolBlock);
1204  HandleCache.getCaseHandles(caseIdentifier).poolImgCache.add(poolImgHandle);
1205  fsHandle = openFsNat(poolImgHandle, fsOffset);
1206  //cache it
1207  imgOffSetToFsHandle.put(poolBlock, fsHandle);
1208  HandleCache.getCaseHandles(caseIdentifier).poolFsList.add(fsHandle);
1209  }
1210  }
1211  return fsHandle;
1212  } finally {
1213  releaseTSKWriteLock();
1214  }
1215  }
1216 
1231  public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase) throws TskCoreException {
1232  /*
1233  * NOTE: previously attrId used to be stored in AbstractFile as (signed)
1234  * short even though it is stored as uint16 in TSK. In extremely rare
1235  * occurrences attrId can be larger than what a signed short can hold
1236  * (2^15). Changes were made to AbstractFile to store attrId as integer.
1237  * However, a depricated method still exists in AbstractFile to get
1238  * attrId as short. In that method we convert attribute ids that are
1239  * larger than 32K to a negative number. Therefore if encountered, we
1240  * need to convert negative attribute id to uint16 which is what TSK is
1241  * using to store attribute id.
1242  */
1243  boolean withinPool = false;
1244  synchronized (HandleCache.cacheLock) {
1245  String caseIdentifier;
1246  if (skCase == null) {
1247  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1248  } else {
1249  caseIdentifier = skCase.getCaseHandleIdentifier();
1250  }
1251  if (HandleCache.getCaseHandles(caseIdentifier).poolFsList.contains(fsHandle)) {
1252  withinPool = true;
1253  }
1254  }
1255 
1256  /*
1257  * The current APFS code is not thread-safe. To compensate, we make any
1258  * reads to the APFS pool single-threaded by obtaining a write
1259  * lock instead of a read lock.
1260  */
1261  if (withinPool) {
1262  getTSKWriteLock();
1263  } else {
1264  getTSKReadLock();
1265  }
1266  try {
1267  long fileHandle = openFileNat(fsHandle, fileId, attrType.getValue(), convertSignedToUnsigned(attrId));
1268  synchronized (HandleCache.cacheLock) {
1269  String caseIdentifier;
1270  if (skCase == null) {
1271  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1272  } else {
1273  caseIdentifier = skCase.getCaseHandleIdentifier();
1274  }
1275  HandleCache.addFileHandle(caseIdentifier, fileHandle, fsHandle);
1276 
1277  // If this file is in a pool file system, record it so the locks
1278  // can be set appropriately when reading it.
1279  if (withinPool) {
1280  HandleCache.poolFileHandles.add(fileHandle);
1281  }
1282  }
1283  return fileHandle;
1284  } finally {
1285  if (withinPool) {
1286  releaseTSKWriteLock();
1287  } else {
1288  releaseTSKReadLock();
1289  }
1290  }
1291  }
1292 
1300  private static int convertSignedToUnsigned(int val) {
1301  if (val >= 0) {
1302  return val;
1303  }
1304 
1305  return val & 0xffff; // convert negative value to positive value
1306  }
1307 
1313  private static boolean imgHandleIsValid(long imgHandle) {
1314  synchronized(HandleCache.cacheLock) {
1315  return HandleCache.isImageInAnyCache(imgHandle);
1316  }
1317  }
1318 
1319  //do reads
1334  public static int readImg(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1335  getTSKReadLock();
1336  try {
1337  if(! imgHandleIsValid(imgHandle)) {
1338  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1339  }
1340  //returned byte[] is the data buffer
1341  return readImgNat(imgHandle, readBuffer, offset, len);
1342  } finally {
1343  releaseTSKReadLock();
1344  }
1345  }
1346 
1361  public static int readVs(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1362  getTSKReadLock();
1363  try {
1364  return readVsNat(vsHandle, readBuffer, offset, len);
1365  } finally {
1366  releaseTSKReadLock();
1367  }
1368  }
1369 
1382  static int readPool(long poolHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1383  getTSKReadLock();
1384  try {
1385  return readPoolNat(poolHandle, readBuffer, offset, len);
1386  } finally {
1387  releaseTSKReadLock();
1388  }
1389  }
1390 
1405  public static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1406  getTSKReadLock();
1407  try {
1408  //returned byte[] is the data buffer
1409  return readVolNat(volHandle, readBuffer, offset, len);
1410  } finally {
1411  releaseTSKReadLock();
1412  }
1413  }
1414 
1429  public static int readFs(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1430  getTSKReadLock();
1431  try {
1432  //returned byte[] is the data buffer
1433  return readFsNat(fsHandle, readBuffer, offset, len);
1434  } finally {
1435  releaseTSKReadLock();
1436  }
1437  }
1438 
1443  private enum TSK_FS_FILE_READ_OFFSET_TYPE_ENUM {
1444  START_OF_FILE(0),
1445  START_OF_SLACK(1);
1446 
1447  private final int val;
1448 
1449  TSK_FS_FILE_READ_OFFSET_TYPE_ENUM(int val) {
1450  this.val = val;
1451  }
1452 
1453  int getValue() {
1454  return val;
1455  }
1456  }
1457 
1472  public static int readFile(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1473  boolean withinPool = false;
1474  synchronized (HandleCache.cacheLock) {
1475  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1476  withinPool = true;
1477  }
1478  }
1479 
1480  /*
1481  * The current APFS code is not thread-safe. To compensate, we make any
1482  * reads to the APFS pool single-threaded by obtaining a write
1483  * lock instead of a read lock.
1484  */
1485  if (withinPool) {
1486  getTSKWriteLock();
1487  } else {
1488  getTSKReadLock();
1489  }
1490  try {
1491  if (!HandleCache.isValidFileHandle(fileHandle)) {
1492  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1493  }
1494 
1495  return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_FILE.getValue(), len);
1496  } finally {
1497  if (withinPool) {
1498  releaseTSKWriteLock();
1499  } else {
1500  releaseTSKReadLock();
1501  }
1502  }
1503  }
1504 
1519  public static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1520  getTSKReadLock();
1521  try {
1522  if (!HandleCache.isValidFileHandle(fileHandle)) {
1523  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1524  }
1525 
1526  return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_SLACK.getValue(), len);
1527  } finally {
1528  releaseTSKReadLock();
1529  }
1530  }
1531 
1542  public static List<String> getFileMetaDataText(long fileHandle) throws TskCoreException {
1543  getTSKReadLock();
1544  try {
1545  if (!HandleCache.isValidFileHandle(fileHandle)) {
1546  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1547  }
1548 
1549  try {
1550  java.io.File tmp = java.io.File.createTempFile("tsk", ".txt");
1551 
1552  saveFileMetaDataTextNat(fileHandle, tmp.getAbsolutePath());
1553 
1554  FileReader fr = new FileReader(tmp.getAbsolutePath());
1555  BufferedReader textReader = new BufferedReader(fr);
1556 
1557  List<String> lines = new ArrayList<String>();
1558  while (true) {
1559  String line = textReader.readLine();
1560  if (line == null) {
1561  break;
1562  }
1563  lines.add(line);
1564  }
1565  textReader.close();
1566  fr.close();
1567  tmp.delete();
1568  return lines;
1569  } catch (IOException ex) {
1570  throw new TskCoreException("Error reading istat output: " + ex.getLocalizedMessage());
1571  }
1572  } finally {
1573  releaseTSKReadLock();
1574  }
1575  }
1576 
1582  public static void closeFile(long fileHandle) {
1583  closeFile(fileHandle, null);
1584  }
1585 
1592  public static void closeFile(long fileHandle, SleuthkitCase skCase) {
1593  boolean withinPool = false;
1594  synchronized (HandleCache.cacheLock) {
1595  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1596  withinPool = true;
1597  }
1598  }
1599 
1600  /*
1601  * The current APFS code is not thread-safe. To compensate, we make any
1602  * reads to the APFS pool single-threaded by obtaining a write
1603  * lock instead of a read lock.
1604  */
1605  if (withinPool) {
1606  getTSKWriteLock();
1607  } else {
1608  getTSKReadLock();
1609  }
1610  try {
1611  synchronized (HandleCache.cacheLock) {
1612  if (!HandleCache.isValidFileHandle(fileHandle)) {
1613  // File handle is not open so this is a no-op.
1614  return;
1615  }
1616  closeFileNat(fileHandle);
1617  HandleCache.removeFileHandle(fileHandle, skCase);
1618  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1619  HandleCache.poolFileHandles.remove(fileHandle);
1620  }
1621  }
1622  } finally {
1623  if (withinPool) {
1624  releaseTSKWriteLock();
1625  } else {
1626  releaseTSKReadLock();
1627  }
1628  }
1629  }
1630 
1638  public static void createLookupIndexForHashDatabase(int dbHandle) throws TskCoreException {
1639  hashDbCreateIndexNat(dbHandle);
1640  }
1641 
1651  public static boolean hashDatabaseHasLookupIndex(int dbHandle) throws TskCoreException {
1652  return hashDbIndexExistsNat(dbHandle);
1653  }
1654 
1665  public static boolean hashDatabaseCanBeReindexed(int dbHandle) throws TskCoreException {
1666  return hashDbIsReindexableNat(dbHandle);
1667  }
1668 
1678  public static String getHashDatabasePath(int dbHandle) throws TskCoreException {
1679  return hashDbPathNat(dbHandle);
1680  }
1681 
1691  public static String getHashDatabaseIndexPath(int dbHandle) throws TskCoreException {
1692  return hashDbIndexPathNat(dbHandle);
1693  }
1694 
1701  public static int openHashDatabase(String path) throws TskCoreException {
1702  return hashDbOpenNat(path);
1703  }
1704 
1714  public static int createHashDatabase(String path) throws TskCoreException {
1715  return hashDbNewNat(path);
1716  }
1717 
1724  public static void closeAllHashDatabases() throws TskCoreException {
1725  hashDbCloseAll();
1726  }
1727 
1737  public static void closeHashDatabase(int dbHandle) throws TskCoreException {
1738  hashDbClose(dbHandle);
1739  }
1740 
1750  public static String getHashDatabaseDisplayName(int dbHandle) throws TskCoreException {
1751  return hashDbGetDisplayName(dbHandle);
1752  }
1753 
1764  public static boolean lookupInHashDatabase(String hash, int dbHandle) throws TskCoreException {
1765  return hashDbLookup(hash, dbHandle);
1766  }
1767 
1779  public static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle) throws TskCoreException {
1780  return hashDbLookupVerbose(hash, dbHandle);
1781  }
1782 
1795  public static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle) throws TskCoreException {
1796  hashDbAddEntryNat(filename, md5, sha1, sha256, comment, dbHandle);
1797  }
1798 
1799  public static void addToHashDatabase(List<HashEntry> hashes, int dbHandle) throws TskCoreException {
1800  hashDbBeginTransactionNat(dbHandle);
1801  try {
1802  for (HashEntry entry : hashes) {
1803  hashDbAddEntryNat(entry.getFileName(), entry.getMd5Hash(), entry.getSha1Hash(), entry.getSha256Hash(), entry.getComment(), dbHandle);
1804  }
1805  hashDbCommitTransactionNat(dbHandle);
1806  } catch (TskCoreException ex) {
1807  try {
1808  hashDbRollbackTransactionNat(dbHandle);
1809  } catch (TskCoreException ex2) {
1810  ex2.initCause(ex);
1811  throw ex2;
1812  }
1813  throw ex;
1814  }
1815  }
1816 
1817  public static boolean isUpdateableHashDatabase(int dbHandle) throws TskCoreException {
1818  return hashDbIsUpdateableNat(dbHandle);
1819  }
1820 
1821  public static boolean hashDatabaseIsIndexOnly(int dbHandle) throws TskCoreException {
1822  return hashDbIsIdxOnlyNat(dbHandle);
1823  }
1824 
1834  private static String timezoneLongToShort(String timezoneLongForm) {
1835  if (timezoneLongForm == null || timezoneLongForm.isEmpty()) {
1836  return "";
1837  }
1838 
1839  String timezoneShortForm;
1840  TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
1841  int offset = zone.getRawOffset() / 1000;
1842  int hour = offset / 3600;
1843  int min = (offset % 3600) / 60;
1844  DateFormat dfm = new SimpleDateFormat("z");
1845  dfm.setTimeZone(zone);
1846  boolean hasDaylight = zone.useDaylightTime();
1847  String first = dfm.format(new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3); // make it only 3 letters code
1848  String second = dfm.format(new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3); // make it only 3 letters code
1849  int mid = hour * -1;
1850  timezoneShortForm = first + Integer.toString(mid);
1851  if (min != 0) {
1852  timezoneShortForm = timezoneShortForm + ":" + (min < 10 ? "0" : "") + Integer.toString(min);
1853  }
1854  if (hasDaylight) {
1855  timezoneShortForm += second;
1856  }
1857  return timezoneShortForm;
1858  }
1859 
1870  public static int finishImageWriter(long imgHandle) throws TskCoreException {
1871  getTSKReadLock();
1872  try {
1873  if(! imgHandleIsValid(imgHandle)) {
1874  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1875  }
1876  return finishImageWriterNat(imgHandle);
1877  } finally {
1878  releaseTSKReadLock();
1879  }
1880  }
1881 
1889  public static int getFinishImageProgress(long imgHandle) {
1890  getTSKReadLock();
1891  try {
1892  if (imgHandleIsValid(imgHandle)) {
1893  return getFinishImageProgressNat(imgHandle);
1894  } else {
1895  return 0;
1896  }
1897  } finally {
1898  releaseTSKReadLock();
1899  }
1900  }
1901 
1907  public static void cancelFinishImage(long imgHandle) {
1908  getTSKReadLock();
1909  try {
1910  if (imgHandleIsValid(imgHandle)) {
1911  cancelFinishImageNat(imgHandle);
1912  }
1913  } finally {
1914  releaseTSKReadLock();
1915  }
1916  }
1917 
1929  public static long findDeviceSize(String devPath) throws TskCoreException {
1930  return findDeviceSizeNat(devPath);
1931  }
1932 
1933  public static boolean isImageSupported(String imagePath) {
1934  return isImageSupportedNat(imagePath);
1935  }
1936 
1950  static long getSleuthkitVersion() {
1951  return getSleuthkitVersionNat();
1952  }
1953 
1958  private static void getTSKReadLock() {
1959  tskLock.readLock().lock();
1960  }
1961 
1965  private static void releaseTSKReadLock() {
1966  tskLock.readLock().unlock();
1967  }
1968 
1976  private static void getTSKWriteLock() {
1977  tskLock.writeLock().lock();
1978  }
1979 
1983  private static void releaseTSKWriteLock() {
1984  tskLock.writeLock().unlock();
1985  }
1986 
1987  //free pointers
1994  @Deprecated
1995  public static void closeImg(long imgHandle) {
1996  //closeImgNat(imgHandle);
1997  }
1998 
2004  @Deprecated
2005  public static void closeVs(long vsHandle) {
2006  // closeVsNat(vsHandle); TODO JIRA-3829
2007  }
2008 
2015  @Deprecated
2016  public static void closeFs(long fsHandle) {
2017  //closeFsNat(fsHandle);
2018  }
2019 
2031  @Deprecated
2032  public static long openImage(String[] imageFiles) throws TskCoreException {
2033 
2034  return openImage(imageFiles, 0, true, null);
2035  }
2036 
2050  @Deprecated
2051  public static long openImage(String[] imageFiles, int sSize) throws TskCoreException {
2052  return openImage(imageFiles, sSize, true, null);
2053  }
2054 
2055 
2069  @Deprecated
2070  public static long openFs(long imgHandle, long fsOffset) throws TskCoreException {
2071  return openFs(imgHandle, fsOffset, null);
2072  }
2073 
2088  @Deprecated
2089  public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId) throws TskCoreException {
2090  return openFile(fsHandle, fileId, attrType, attrId, null);
2091  }
2092 
2093 
2094  private static native String getVersionNat();
2095 
2096  private static native void startVerboseLoggingNat(String logPath);
2097 
2098  private static native int hashDbOpenNat(String hashDbPath) throws TskCoreException;
2099 
2100  private static native int hashDbNewNat(String hashDbPath) throws TskCoreException;
2101 
2102  private static native int hashDbBeginTransactionNat(int dbHandle) throws TskCoreException;
2103 
2104  private static native int hashDbCommitTransactionNat(int dbHandle) throws TskCoreException;
2105 
2106  private static native int hashDbRollbackTransactionNat(int dbHandle) throws TskCoreException;
2107 
2108  private static native int hashDbAddEntryNat(String filename, String hashMd5, String hashSha1, String hashSha256, String comment, int dbHandle) throws TskCoreException;
2109 
2110  private static native boolean hashDbIsUpdateableNat(int dbHandle);
2111 
2112  private static native boolean hashDbIsReindexableNat(int dbHandle);
2113 
2114  private static native String hashDbPathNat(int dbHandle);
2115 
2116  private static native String hashDbIndexPathNat(int dbHandle);
2117 
2118  private static native String hashDbGetDisplayName(int dbHandle) throws TskCoreException;
2119 
2120  private static native void hashDbCloseAll() throws TskCoreException;
2121 
2122  private static native void hashDbClose(int dbHandle) throws TskCoreException;
2123 
2124  private static native void hashDbCreateIndexNat(int dbHandle) throws TskCoreException;
2125 
2126  private static native boolean hashDbIndexExistsNat(int dbHandle) throws TskCoreException;
2127 
2128  private static native boolean hashDbIsIdxOnlyNat(int dbHandle) throws TskCoreException;
2129 
2130  private static native boolean hashDbLookup(String hash, int dbHandle) throws TskCoreException;
2131 
2132  private static native HashHitInfo hashDbLookupVerbose(String hash, int dbHandle) throws TskCoreException;
2133 
2134  private static native long initAddImgNat(TskCaseDbBridge dbHelperObj, String timezone, boolean addUnallocSpace, boolean skipFatFsOrphans) throws TskCoreException;
2135 
2136  private static native long initializeAddImgNat(TskCaseDbBridge dbHelperObj, String timezone, boolean addFileSystems, boolean addUnallocSpace, boolean skipFatFsOrphans) throws TskCoreException;
2137 
2138  private static native void runOpenAndAddImgNat(long process, String deviceId, String[] imgPath, int splits, String timezone) throws TskCoreException, TskDataException;
2139 
2140  private static native void runAddImgNat(long process, String deviceId, long a_img_info, long image_id, String timeZone, String imageWriterPath) throws TskCoreException, TskDataException;
2141 
2142  private static native void stopAddImgNat(long process) throws TskCoreException;
2143 
2144  private static native long finishAddImgNat(long process) throws TskCoreException;
2145 
2146  private static native long openImgNat(String[] imgPath, int splits, int sSize) throws TskCoreException;
2147 
2148  private static native long openVsNat(long imgHandle, long vsOffset) throws TskCoreException;
2149 
2150  private static native long openVolNat(long vsHandle, long volId) throws TskCoreException;
2151 
2152  private static native long openPoolNat(long imgHandle, long offset) throws TskCoreException;
2153 
2154  private static native long getImgInfoForPoolNat(long poolHandle, long poolOffset) throws TskCoreException;
2155 
2156  private static native long openFsNat(long imgHandle, long fsId) throws TskCoreException;
2157 
2158  private static native long openFileNat(long fsHandle, long fileId, int attrType, int attrId) throws TskCoreException;
2159 
2160  private static native int readImgNat(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2161 
2162  private static native int readVsNat(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2163 
2164  private static native int readPoolNat(long poolHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2165 
2166  private static native int readVolNat(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2167 
2168  private static native int readFsNat(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2169 
2170  private static native int readFileNat(long fileHandle, byte[] readBuffer, long offset, int offset_type, long len) throws TskCoreException;
2171 
2172  private static native int saveFileMetaDataTextNat(long fileHandle, String fileName) throws TskCoreException;
2173 
2174  private static native String[] getPathsForImageNat(long imgHandle);
2175 
2176  private static native long getSizeForImageNat(long imgHandle);
2177 
2178  private static native long getTypeForImageNat(long imgHandle);
2179 
2180  private static native long getSectorSizeForImageNat(long imgHandle);
2181 
2182  private static native String getMD5HashForImageNat(long imgHandle);
2183 
2184  private static native String getSha1HashForImageNat(long imgHandle);
2185 
2186  private static native String getCollectionDetailsForImageNat(long imgHandle);
2187 
2188  private static native void closeImgNat(long imgHandle);
2189 
2190  private static native void closePoolNat(long poolHandle);
2191 
2192  private static native void closeVsNat(long vsHandle);
2193 
2194  private static native void closeFsNat(long fsHandle);
2195 
2196  private static native void closeFileNat(long fileHandle);
2197 
2198  private static native long findDeviceSizeNat(String devicePath) throws TskCoreException;
2199 
2200  private static native String getCurDirNat(long process);
2201 
2202  private static native boolean isImageSupportedNat(String imagePath);
2203 
2204  private static native long getSleuthkitVersionNat();
2205 
2206  private static native int finishImageWriterNat(long a_img_info);
2207 
2208  private static native int getFinishImageProgressNat(long a_img_info);
2209 
2210  private static native void cancelFinishImageNat(long a_img_info);
2211 
2212 }
static int readImg(long imgHandle, byte[] readBuffer, long offset, long len)
static String getHashDatabaseIndexPath(int dbHandle)
static int readVs(long vsHandle, byte[] readBuffer, long offset, long len)
static void createLookupIndexForHashDatabase(int dbHandle)
void run(String deviceId, Image image, int sectorSize, AddDataSourceCallbacks addDataSourceCallbacks)
static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle)
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase)
static int createHashDatabase(String path)
static void closeFs(long fsHandle)
static void cancelFinishImage(long imgHandle)
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId)
void run(String deviceId, String[] imageFilePaths)
static int readFile(long fileHandle, byte[] readBuffer, long offset, long len)
static int finishImageWriter(long imgHandle)
static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle)
static long openVs(long imgHandle, long vsOffset)
static long openImage(String[] imageFiles, SleuthkitCase skCase)
static boolean hashDatabaseIsIndexOnly(int dbHandle)
static boolean isImageSupported(String imagePath)
static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len)
static void closeFile(long fileHandle, SleuthkitCase skCase)
static long openImage(String[] imageFiles, int sSize)
static void closeVs(long vsHandle)
static long openImage(String[] imageFiles)
static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase)
static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase)
void run(String deviceId, String[] imageFilePaths, int sectorSize)
Definition: HashEntry.java:25
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId, Host host)
static long findDeviceSize(String devPath)
static String getHashDatabaseDisplayName(int dbHandle)
static List< String > getFileMetaDataText(long fileHandle)
static void closeImg(long imgHandle)
static long openFs(long imgHandle, long fsOffset)
Image addImage(TskData.TSK_IMG_TYPE_ENUM type, long sectorSize, long size, String displayName, List< String > imagePaths, String timezone, String md5, String sha1, String sha256, String deviceId, CaseDbTransaction transaction)
static int getFinishImageProgress(long imgHandle)
static int openHashDatabase(String path)
static void closeFile(long fileHandle)
static boolean lookupInHashDatabase(String hash, int dbHandle)
static TSK_IMG_TYPE_ENUM valueOf(long imgType)
Definition: TskData.java:540
static boolean hashDatabaseHasLookupIndex(int dbHandle)
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId)
static long openVsPart(long vsHandle, long volId)
static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len)
static boolean isUpdateableHashDatabase(int dbHandle)
static void addToHashDatabase(List< HashEntry > hashes, int dbHandle)
static boolean hashDatabaseCanBeReindexed(int dbHandle)
static void startVerboseLogging(String logPath)
static int readFs(long fsHandle, byte[] readBuffer, long offset, long len)
static String getHashDatabasePath(int dbHandle)
static void closeHashDatabase(int dbHandle)

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.