Sleuth Kit Java Bindings (JNI)  4.12.1
Java bindings for using The Sleuth Kit
SleuthkitJNI.java
Go to the documentation of this file.
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2011-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import java.io.BufferedReader;
22 import java.io.FileReader;
23 import java.io.IOException;
24 import java.text.DateFormat;
25 import java.text.SimpleDateFormat;
26 import java.util.ArrayList;
27 import java.util.Arrays;
28 import java.util.GregorianCalendar;
29 import java.util.HashMap;
30 import java.util.HashSet;
31 import java.util.List;
32 import java.util.Map;
33 import java.util.Set;
34 import java.util.TimeZone;
35 import java.util.UUID;
36 import java.util.concurrent.locks.ReadWriteLock;
37 import java.util.concurrent.locks.ReentrantReadWriteLock;
38 import java.util.logging.Level;
39 import java.util.logging.Logger;
40 import org.apache.commons.lang3.StringUtils;
41 import org.sleuthkit.datamodel.TskData.TSK_FS_ATTR_TYPE_ENUM;
42 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
43 
52 public class SleuthkitJNI {
53 
54  private static final Logger logger = Logger.getLogger(SleuthkitJNI.class.getName());
55 
62  private static final ReadWriteLock tskLock = new ReentrantReadWriteLock();
63 
64  /*
65  * Loads the SleuthKit libraries.
66  */
67  static {
68  LibraryUtils.loadSleuthkitJNI();
69  }
70 
75  private SleuthkitJNI() {
76  }
77 
81  private static class CaseHandles {
82  /*
83  * A SleuthKit image handle cache implemented as a mappng of
84  * concatenated image file paths to image handles.
85  */
86  private final Map<String, Long> imageHandleCache = new HashMap<>();
87 
88  /*
89  * A SleuthKit file system handles cache implemented as a mapping of
90  * image handles to image offset and file system handle pairs.
91  */
92  private final Map<Long, Map<Long, Long>> fsHandleCache = new HashMap<>();
93 
94  /*
95  * The collection of open file handles. We will only allow requests
96  * through to the C code if the file handle exists in this collection.
97  */
98  private final Set<Long> fileHandleCache = new HashSet<>();
99 
100  private final Map<Long, List<Long>> fileSystemToFileHandles = new HashMap<>();
101 
102  private final Map<Long, Map<Long, Long>> poolHandleCache = new HashMap<>();
103 
104  // The poolImgCache is only used to close the images later.
105  private final List<Long> poolImgCache = new ArrayList<>();
106 
107  /*
108  * Currently, our APFS code is not thread-safe and it is the only code
109  * that uses pools. To prevent crashes, we make any reads to a file system
110  * contained in a pool single-threaded. This cache keeps track of which
111  * open file system handles are contained in a pool so we can set the locks
112  * appropriately.
113  */
114  private final List<Long> poolFsList = new ArrayList<>();
115 
116  private CaseHandles() {
117  // Nothing to do here
118  }
119  }
120 
127  private static class HandleCache {
128 
129  /*
130  * A monitor used to guard access to cached Sleuthkit JNI handles.
131  */
132  private static final Object cacheLock = new Object();
133 
134  private static final Map<String, CaseHandles> caseHandlesCache = new HashMap<>();
135 
136  private static final String INVALID_FILE_HANDLE = "Invalid file handle."; //NON-NLS
137 
138  /*
139  * Currently, our APFS code is not thread-safe and it is the only code
140  * that uses pools. To prevent crashes, we make any reads to a file system
141  * contained in a pool single-threaded. This cache keeps track of which
142  * open file handles are contained in a pool so we can set the locks
143  * appropriately.
144  *
145  * Access to this list should be guarded by cacheLock.
146  */
147  private static final List<Long> poolFileHandles = new ArrayList<>();
148 
154  private static void createCaseHandleCache(String caseIdentifier) {
155  caseHandlesCache.put(caseIdentifier, new CaseHandles());
156  }
157 
166  private static String getDefaultCaseIdentifier() throws TskCoreException {
167  synchronized (cacheLock) {
168  if (caseHandlesCache.keySet().size() > 1) {
169  throw new TskCoreException("Can not get default case identifier with multiple open cases");
170  } else if (caseHandlesCache.keySet().isEmpty()) {
171  throw new TskCoreException("Can not get default case identifier with no open case");
172  }
173 
174  return (caseHandlesCache.keySet().iterator().next());
175  }
176  }
177 
187  private static CaseHandles getCaseHandles(String caseIdentifier) throws TskCoreException {
188  synchronized (cacheLock) {
189  if (caseHandlesCache.containsKey(caseIdentifier)) {
190  return caseHandlesCache.get(caseIdentifier);
191  }
192  // If the CaseHandles object isn't in there, it should mean the case has been closed.
193  throw new TskCoreException("No entry for case " + caseIdentifier + " in cache. Case may have been closed");
194  }
195  }
196 
202  private static void removeCaseHandlesCache(String caseIdentifier) {
203  synchronized (cacheLock) {
204  if (caseHandlesCache.containsKey(caseIdentifier)) {
205  caseHandlesCache.get(caseIdentifier).fsHandleCache.clear();
206  caseHandlesCache.get(caseIdentifier).imageHandleCache.clear();
207  caseHandlesCache.get(caseIdentifier).fileHandleCache.clear();
208  caseHandlesCache.get(caseIdentifier).fileSystemToFileHandles.clear();
209  caseHandlesCache.get(caseIdentifier).poolHandleCache.clear();
210  caseHandlesCache.remove(caseIdentifier);
211  }
212  }
213  }
214 
222  private static boolean isImageInAnyCache(long imgHandle) {
223  synchronized (cacheLock) {
224  for (String caseIdentifier:caseHandlesCache.keySet()) {
225  if (caseHandlesCache.get(caseIdentifier).fsHandleCache.keySet().contains(imgHandle)) {
226  return true;
227  }
228  }
229  return false;
230  }
231  }
232 
240  private static void addFileHandle(String caseIdentifier, long fileHandle, long fsHandle) {
241  try {
242  synchronized (cacheLock) {
243  // Add to collection of open file handles.
244  getCaseHandles(caseIdentifier).fileHandleCache.add(fileHandle);
245 
246  // Add to map of file system to file handles.
247  if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
248  getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle).add(fileHandle);
249  } else {
250  getCaseHandles(caseIdentifier).fileSystemToFileHandles.put(fsHandle, new ArrayList<>(Arrays.asList(fileHandle)));
251  }
252  }
253  } catch (TskCoreException ex) {
254  logger.log(Level.WARNING, "Error caching file handle for case {0}", caseIdentifier);
255  }
256  }
257 
264  private static void removeFileHandle(long fileHandle, SleuthkitCase skCase) {
265  synchronized (cacheLock) {
266  // Remove from collection of open file handles.
267  if (skCase != null) {
268  try {
269  getCaseHandles(skCase.getCaseHandleIdentifier()).fileHandleCache.remove(fileHandle);
270  } catch (TskCoreException ex) {
271  // If the call to getCaseHandles() failed, we've already cleared the cache.
272  }
273  } else {
274  // If we don't know what case the handle is from, delete the first one we find
275  for (String caseIdentifier:caseHandlesCache.keySet()) {
276  if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
277  caseHandlesCache.get(caseIdentifier).fileHandleCache.remove(fileHandle);
278  return;
279  }
280  }
281  }
282  }
283  }
284 
292  private static boolean isValidFileHandle(long fileHandle) {
293  synchronized (cacheLock) {
294  for (String caseIdentifier:caseHandlesCache.keySet()) {
295  if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
296  return true;
297  }
298  }
299  return false;
300  }
301  }
302 
303  private static void closeHandlesAndClearCache(String caseIdentifier) throws TskCoreException {
304  synchronized (cacheLock) {
305  /*
306  * Close any cached file system handles.
307  */
308  for (Map<Long, Long> imageToFsMap : getCaseHandles(caseIdentifier).fsHandleCache.values()) {
309  for (Long fsHandle : imageToFsMap.values()) {
310  // First close all open file handles for the file system.
311  if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
312  for (Long fileHandle : getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle)) {
313  // Update the cache of file handles contained in pools
314  if (poolFileHandles.contains(fileHandle)) {
315  poolFileHandles.remove(fileHandle);
316  }
317  closeFile(fileHandle);
318  }
319  }
320  // Then close the file system handle.
321  closeFsNat(fsHandle);
322  }
323  }
324 
325  /*
326  * Clear out the list of pool file systems.
327  */
328  getCaseHandles(caseIdentifier).poolFsList.clear();
329 
330  /*
331  * Close any cached pools
332  */
333  for (Long imgHandle : getCaseHandles(caseIdentifier).poolHandleCache.keySet()) {
334  for (Long poolHandle : getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle).values()) {
335  closePoolNat(poolHandle);
336  }
337  }
338 
339  /*
340  * Close any open pool images
341  */
342  for (Long imageHandle : getCaseHandles(caseIdentifier).poolImgCache) {
343  closeImgNat(imageHandle);
344  }
345 
346  /*
347  * Close any cached image handles.
348  */
349  for (Long imageHandle : getCaseHandles(caseIdentifier).imageHandleCache.values()) {
350  closeImgNat(imageHandle);
351  }
352 
353  removeCaseHandlesCache(caseIdentifier);
354  }
355 
356  }
357  }
358 
363  public static class CaseDbHandle {
364 
365  /*
366  * A unique indentifier for a case
367  */
368  private final String caseDbIdentifier;
369 
376  private CaseDbHandle(String databaseName) {
377  this.caseDbIdentifier = "SingleUser:" + databaseName; // NON-NLS
378  HandleCache.createCaseHandleCache(caseDbIdentifier);
379  }
380 
388  private CaseDbHandle(String databaseName, CaseDbConnectionInfo info) {
389  this.caseDbIdentifier = "MultiUser:" + info.getHost() + ":" + databaseName;
390  HandleCache.createCaseHandleCache(caseDbIdentifier);
391  }
392 
398  String getCaseDbIdentifier() {
399  return caseDbIdentifier;
400  }
401 
408  void free() throws TskCoreException {
409  tskLock.writeLock().lock();
410  try {
411  HandleCache.closeHandlesAndClearCache(caseDbIdentifier);
412  //SleuthkitJNI.closeCaseDbNat(caseDbIdentifier);
413  } finally {
414  tskLock.writeLock().unlock();
415  }
416  }
417 
441  long addImageInfo(long deviceObjId, List<String> imageFilePaths, String timeZone, Host host, SleuthkitCase skCase) throws TskCoreException {
442 
443  try {
444  if (host == null) {
445  String hostName;
446  if (imageFilePaths.size() > 0) {
447  String path = imageFilePaths.get(0);
448  hostName = (new java.io.File(path)).getName() + " Host";
449  } else {
450  hostName = "Image_" + deviceObjId + " Host";
451  }
452  host = skCase.getHostManager().newHost(hostName);
453  }
454  TskCaseDbBridge dbHelper = new TskCaseDbBridge(skCase, new DefaultAddDataSourceCallbacks(), host);
455  long tskAutoDbPointer = initializeAddImgNat(dbHelper, timezoneLongToShort(timeZone), false, false, false);
456  runOpenAndAddImgNat(tskAutoDbPointer, UUID.randomUUID().toString(), imageFilePaths.toArray(new String[0]), imageFilePaths.size(), timeZone);
457  long id = finishAddImgNat(tskAutoDbPointer);
458  dbHelper.finish();
459  skCase.addDataSourceToHasChildrenMap();
460  return id;
461  } catch (TskDataException ex) {
462  throw new TskCoreException("Error adding image to case database", ex);
463  }
464  }
465 
482  AddImageProcess initAddImageProcess(String timeZone, boolean addUnallocSpace, boolean skipFatFsOrphans, String imageCopyPath, SleuthkitCase skCase) {
483  return new AddImageProcess(timeZone, addUnallocSpace, skipFatFsOrphans, imageCopyPath, skCase);
484  }
485 
490  public class AddImageProcess {
491 
492  private final String timeZone;
493  private final boolean addUnallocSpace;
494  private final boolean skipFatFsOrphans;
495  private final String imageWriterPath;
496  private volatile long tskAutoDbPointer;
497  private long imageId = 0;
498  private boolean isCanceled;
499  private final SleuthkitCase skCase;
500  private TskCaseDbBridge dbHelper;
501 
515  private AddImageProcess(String timeZone, boolean addUnallocSpace, boolean skipFatFsOrphans, String imageWriterPath, SleuthkitCase skCase) {
516  this.timeZone = timeZone;
517  this.addUnallocSpace = addUnallocSpace;
518  this.skipFatFsOrphans = skipFatFsOrphans;
519  this.imageWriterPath = imageWriterPath;
520  tskAutoDbPointer = 0;
521  this.isCanceled = false;
522  this.skCase = skCase;
523 
524  }
525 
542  public void run(String deviceId, String[] imageFilePaths, int sectorSize) throws TskCoreException, TskDataException {
543  Image img = addImageToDatabase(skCase, imageFilePaths, sectorSize, "", "", "", "", deviceId);
544  run(deviceId, img, sectorSize, new DefaultAddDataSourceCallbacks());
545  }
546 
564  public void run(String deviceId, Image image, int sectorSize,
565  AddDataSourceCallbacks addDataSourceCallbacks) throws TskCoreException, TskDataException {
566 
567  dbHelper = new TskCaseDbBridge(skCase, addDataSourceCallbacks, image.getHost());
568  getTSKReadLock();
569  try {
570  long imageHandle = 0;
571  synchronized (this) {
572  if (0 != tskAutoDbPointer) {
573  throw new TskCoreException("Add image process already started");
574  }
575  if (!isCanceled) { //with isCanceled being guarded by this it will have the same value everywhere in this synchronized block
576  imageHandle = image.getImageHandle();
577  tskAutoDbPointer = initAddImgNat(dbHelper, timezoneLongToShort(timeZone), addUnallocSpace, skipFatFsOrphans);
578  }
579  if (0 == tskAutoDbPointer) {
580  throw new TskCoreException("initAddImgNat returned a NULL TskAutoDb pointer");
581  }
582  }
583  if (imageHandle != 0) {
584  runAddImgNat(tskAutoDbPointer, deviceId, imageHandle, image.getId(), timeZone, imageWriterPath);
585  }
586  } finally {
587  finishAddImageProcess();
588  releaseTSKReadLock();
589  }
590  }
591 
601  public synchronized void stop() throws TskCoreException {
602  getTSKReadLock();
603  try {
604  isCanceled = true;
605  if (tskAutoDbPointer != 0) {
606  stopAddImgNat(tskAutoDbPointer);
607  }
608  } finally {
609  releaseTSKReadLock();
610  }
611  }
612 
623  private synchronized void finishAddImageProcess() throws TskCoreException {
624  if (tskAutoDbPointer == 0) {
625  return;
626  }
627 
628  // If the process wasn't cancelled, finish up processing the
629  // remaining files.
630  if (! this.isCanceled && dbHelper != null) {
631  dbHelper.finish();
632  }
633 
634  // Free the auto DB pointer and get the image ID
635  imageId = finishAddImgNat(tskAutoDbPointer);
636  tskAutoDbPointer = 0;
637 
638  skCase.addDataSourceToHasChildrenMap();
639  }
640 
649  @Deprecated
650  public synchronized void revert() throws TskCoreException {
651  // No-op
652  }
653 
665  @Deprecated
666  public synchronized long commit() throws TskCoreException {
667  return imageId;
668  }
669 
676  public synchronized String currentDirectory() {
677  return tskAutoDbPointer == 0 ? "" : getCurDirNat(tskAutoDbPointer); //NON-NLS
678  }
679 
695  @Deprecated
696  public void run(String[] imageFilePaths) throws TskCoreException, TskDataException {
697  run(null, imageFilePaths, 0);
698  }
699 
715  public void run(String deviceId, String[] imageFilePaths) throws TskCoreException, TskDataException {
716  run(deviceId, imageFilePaths, 0);
717  }
718  }
719 
720  }
721 
733  static CaseDbHandle newCaseDb(String path) throws TskCoreException {
734  return new CaseDbHandle(path);
735  }
736 
749  static CaseDbHandle newCaseDb(String databaseName, CaseDbConnectionInfo info) throws TskCoreException {
750  return new CaseDbHandle(databaseName, info);
751  }
752 
764  static CaseDbHandle openCaseDb(String path) throws TskCoreException {
765  return new CaseDbHandle(path);
766  }
767 
780  static CaseDbHandle openCaseDb(String databaseName, CaseDbConnectionInfo info) throws TskCoreException {
781  return new CaseDbHandle(databaseName, info);
782  }
783 
789  public static String getVersion() {
790  return getVersionNat();
791  }
792 
798  public static void startVerboseLogging(String logPath) {
799  startVerboseLoggingNat(logPath);
800  }
801 
813  public static long openImage(String[] imageFiles, SleuthkitCase skCase) throws TskCoreException {
814  if (skCase == null) {
815  throw new TskCoreException("SleuthkitCase can not be null");
816  }
817  return openImage(imageFiles, 0, true, skCase.getCaseHandleIdentifier());
818  }
819 
833  public static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase) throws TskCoreException {
834  if (skCase == null) {
835  throw new TskCoreException("SleuthkitCase can not be null");
836  }
837  return openImage(imageFiles, sSize, true, skCase.getCaseHandleIdentifier());
838  }
839 
857  private static long openImage(String[] imageFiles, int sSize, boolean useCache, String caseIdentifer) throws TskCoreException {
858  getTSKReadLock();
859  try {
860  long imageHandle;
861 
862  StringBuilder keyBuilder = new StringBuilder();
863  for (int i = 0; i < imageFiles.length; ++i) {
864  keyBuilder.append(imageFiles[i]);
865  }
866  final String imageKey = keyBuilder.toString();
867 
868  synchronized (HandleCache.cacheLock) {
869  String nonNullCaseIdentifer = caseIdentifer;
870  if (nonNullCaseIdentifer == null) {
871  nonNullCaseIdentifer = HandleCache.getDefaultCaseIdentifier();
872  }
873 
874  // If we're getting a fresh copy and an image with this path is already
875  // in the cache, move the existing cache reference so it won't be used by
876  // any subsequent calls to openImage but will still be valid if any objects
877  // have it cached. This happens in the case where the user adds the same data
878  // source twice (see JIRA-5868).
879  if (!useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) {
880  long tempImageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
881 
882  // Store the old image handle in a fake path. This way it will no longer be found but will
883  // still be valid and the image and its file systems will be closed with the case.
884  String newPath = "Image_" + UUID.randomUUID().toString();
885  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(newPath, tempImageHandle);
886  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.remove(imageKey);
887  }
888 
889  if (useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) //get from cache
890  {
891  imageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
892  } else {
893  //open new handle and cache it
894  imageHandle = openImgNat(imageFiles, imageFiles.length, sSize);
895  HandleCache.getCaseHandles(nonNullCaseIdentifer).fsHandleCache.put(imageHandle, new HashMap<>());
896  HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(imageKey, imageHandle);
897  }
898  }
899  return imageHandle;
900  } finally {
901  releaseTSKReadLock();
902  }
903  }
904 
918  private static void cacheImageHandle(SleuthkitCase skCase, List<String> imagePaths, long imageHandle) throws TskCoreException {
919 
920  // Construct the hash key from the image paths
921  StringBuilder keyBuilder = new StringBuilder();
922  for (int i = 0; i < imagePaths.size(); ++i) {
923  keyBuilder.append(imagePaths.get(i));
924  }
925  final String imageKey = keyBuilder.toString();
926 
927  // Get the case identifier
928  String caseIdentifier = skCase.getCaseHandleIdentifier();
929 
930  synchronized (HandleCache.cacheLock) {
931  HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.put(imageHandle, new HashMap<>());
932  HandleCache.getCaseHandles(caseIdentifier).imageHandleCache.put(imageKey, imageHandle);
933  }
934  }
935 
952  public static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize,
953  String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId) throws TskCoreException {
954 
955  return addImageToDatabase(skCase, imagePaths, sectorSize, timeZone, md5fromSettings, sha1fromSettings, sha256fromSettings, deviceId, null);
956  }
957 
975  public static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize,
976  String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId, Host host) throws TskCoreException {
977 
978  // Open the image
979  long imageHandle = openImgNat(imagePaths, 1, sectorSize);
980 
981  // Get the fields stored in the native code
982  List<String> computedPaths = Arrays.asList(getPathsForImageNat(imageHandle));
983  long size = getSizeForImageNat(imageHandle);
984  long type = getTypeForImageNat(imageHandle);
985  long computedSectorSize = getSectorSizeForImageNat(imageHandle);
986  String md5 = md5fromSettings;
987  if (StringUtils.isEmpty(md5)) {
988  md5 = getMD5HashForImageNat(imageHandle);
989  }
990  String sha1 = sha1fromSettings;
991  if (StringUtils.isEmpty(sha1)) {
992  sha1 = getSha1HashForImageNat(imageHandle);
993  }
994  // Sleuthkit does not currently generate any SHA256 hashes. Set to empty
995  // string for consistency.
996  String sha256 = sha256fromSettings;
997  if (sha256 == null) {
998  sha256 = "";
999  }
1000  String collectionDetails = getCollectionDetailsForImageNat(imageHandle);
1001 
1002  // Now save to database
1003  CaseDbTransaction transaction = skCase.beginTransaction();
1004  try {
1005  Image img = skCase.addImage(TskData.TSK_IMG_TYPE_ENUM.valueOf(type), computedSectorSize,
1006  size, null, computedPaths,
1007  timeZone, md5, sha1, sha256,
1008  deviceId, host, transaction);
1009  if (!StringUtils.isEmpty(collectionDetails)) {
1010  skCase.setAcquisitionDetails(img, collectionDetails);
1011  }
1012  transaction.commit();
1013 
1014  img.setImageHandle(imageHandle);
1015  cacheImageHandle(skCase, computedPaths, imageHandle);
1016  return img;
1017  } catch (TskCoreException ex) {
1018  transaction.rollback();
1019  throw(ex);
1020  }
1021  }
1022 
1023 
1024 
1037  public static long openVs(long imgHandle, long vsOffset) throws TskCoreException {
1038  getTSKReadLock();
1039  try {
1040  if(! imgHandleIsValid(imgHandle)) {
1041  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1042  }
1043  return openVsNat(imgHandle, vsOffset);
1044  } finally {
1045  releaseTSKReadLock();
1046  }
1047  }
1048 
1049  //get pointers
1061  public static long openVsPart(long vsHandle, long volId) throws TskCoreException {
1062  getTSKReadLock();
1063  try {
1064  //returned long is ptr to vs Handle object in tsk
1065  return openVolNat(vsHandle, volId);
1066  } finally {
1067  releaseTSKReadLock();
1068  }
1069  }
1070 
1082  static long openPool(long imgHandle, long offset, SleuthkitCase skCase) throws TskCoreException {
1083  getTSKReadLock();
1084  try {
1085  if(! imgHandleIsValid(imgHandle)) {
1086  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1087  }
1088 
1089  synchronized (HandleCache.cacheLock) {
1090  String caseIdentifier;
1091  if (skCase == null) {
1092  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1093  } else {
1094  caseIdentifier = skCase.getCaseHandleIdentifier();
1095  }
1096 
1097  // If a pool handle cache for this image does not exist, make one
1098  if (! HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.containsKey(imgHandle)) {
1099  HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.put(imgHandle, new HashMap<>());
1100  }
1101 
1102  // Get the pool handle cache for this image
1103  Map<Long, Long> poolCacheForImage = HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle);
1104 
1105  if (poolCacheForImage.containsKey(offset)) {
1106  return poolCacheForImage.get(offset);
1107  } else {
1108  //returned long is ptr to pool Handle object in tsk
1109  long poolHandle = openPoolNat(imgHandle, offset);
1110  poolCacheForImage.put(offset, poolHandle);
1111  return poolHandle;
1112  }
1113  }
1114  } finally {
1115  releaseTSKReadLock();
1116  }
1117  }
1118 
1132  public static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase) throws TskCoreException {
1133  getTSKReadLock();
1134  try {
1135  long fsHandle;
1136  synchronized (HandleCache.cacheLock) {
1137  String caseIdentifier;
1138  if (skCase == null) {
1139  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1140  } else {
1141  caseIdentifier = skCase.getCaseHandleIdentifier();
1142  }
1143  final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1144  if (imgOffSetToFsHandle == null) {
1145  throw new TskCoreException("Missing image offset to file system handle cache for image handle " + imgHandle);
1146  }
1147  if (imgOffSetToFsHandle.containsKey(fsOffset)) {
1148  //return cached
1149  fsHandle = imgOffSetToFsHandle.get(fsOffset);
1150  } else {
1151  fsHandle = openFsNat(imgHandle, fsOffset);
1152  //cache it
1153  imgOffSetToFsHandle.put(fsOffset, fsHandle);
1154  }
1155  }
1156  return fsHandle;
1157  } finally {
1158  releaseTSKReadLock();
1159  }
1160  }
1161 
1178  static long openFsPool(long imgHandle, long fsOffset, long poolHandle, long poolBlock, SleuthkitCase skCase) throws TskCoreException {
1179  /*
1180  * Currently, our APFS code is not thread-safe and it is the only code
1181  * that uses pools. To prevent crashes, we make any reads to a file system
1182  * contained in a pool single-threaded.
1183  */
1184  getTSKWriteLock();
1185  try {
1186  long fsHandle;
1187  synchronized (HandleCache.cacheLock) {
1188  String caseIdentifier;
1189  if (skCase == null) {
1190  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1191  } else {
1192  caseIdentifier = skCase.getCaseHandleIdentifier();
1193  }
1194  final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1195  if (imgOffSetToFsHandle == null) {
1196  throw new TskCoreException("Missing image offset to file system handle cache for image handle " + imgHandle);
1197  }
1198 
1199  if (imgOffSetToFsHandle.containsKey(poolBlock)) {
1200  //return cached
1201  fsHandle = imgOffSetToFsHandle.get(poolBlock);
1202  } else {
1203  long poolImgHandle = getImgInfoForPoolNat(poolHandle, poolBlock);
1204  HandleCache.getCaseHandles(caseIdentifier).poolImgCache.add(poolImgHandle);
1205  fsHandle = openFsNat(poolImgHandle, fsOffset);
1206  //cache it
1207  imgOffSetToFsHandle.put(poolBlock, fsHandle);
1208  HandleCache.getCaseHandles(caseIdentifier).poolFsList.add(fsHandle);
1209  }
1210  }
1211  return fsHandle;
1212  } finally {
1213  releaseTSKWriteLock();
1214  }
1215  }
1216 
1231  public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase) throws TskCoreException {
1232  /*
1233  * NOTE: previously attrId used to be stored in AbstractFile as (signed)
1234  * short even though it is stored as uint16 in TSK. In extremely rare
1235  * occurrences attrId can be larger than what a signed short can hold
1236  * (2^15). Changes were made to AbstractFile to store attrId as integer.
1237  * However, a depricated method still exists in AbstractFile to get
1238  * attrId as short. In that method we convert attribute ids that are
1239  * larger than 32K to a negative number. Therefore if encountered, we
1240  * need to convert negative attribute id to uint16 which is what TSK is
1241  * using to store attribute id.
1242  */
1243  boolean withinPool = false;
1244  synchronized (HandleCache.cacheLock) {
1245  String caseIdentifier;
1246  if (skCase == null) {
1247  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1248  } else {
1249  caseIdentifier = skCase.getCaseHandleIdentifier();
1250  }
1251  if (HandleCache.getCaseHandles(caseIdentifier).poolFsList.contains(fsHandle)) {
1252  withinPool = true;
1253  }
1254  }
1255 
1256  /*
1257  * The current APFS code is not thread-safe. To compensate, we make any
1258  * reads to the APFS pool single-threaded by obtaining a write
1259  * lock instead of a read lock.
1260  */
1261  if (withinPool) {
1262  getTSKWriteLock();
1263  } else {
1264  getTSKReadLock();
1265  }
1266  try {
1267  long fileHandle = openFileNat(fsHandle, fileId, attrType.getValue(), convertSignedToUnsigned(attrId));
1268  synchronized (HandleCache.cacheLock) {
1269  String caseIdentifier;
1270  if (skCase == null) {
1271  caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1272  } else {
1273  caseIdentifier = skCase.getCaseHandleIdentifier();
1274  }
1275  HandleCache.addFileHandle(caseIdentifier, fileHandle, fsHandle);
1276 
1277  // If this file is in a pool file system, record it so the locks
1278  // can be set appropriately when reading it.
1279  if (withinPool) {
1280  HandleCache.poolFileHandles.add(fileHandle);
1281  }
1282  }
1283  return fileHandle;
1284  } finally {
1285  if (withinPool) {
1286  releaseTSKWriteLock();
1287  } else {
1288  releaseTSKReadLock();
1289  }
1290  }
1291  }
1292 
1300  private static int convertSignedToUnsigned(int val) {
1301  if (val >= 0) {
1302  return val;
1303  }
1304 
1305  return val & 0xffff; // convert negative value to positive value
1306  }
1307 
1313  private static boolean imgHandleIsValid(long imgHandle) {
1314  synchronized(HandleCache.cacheLock) {
1315  return HandleCache.isImageInAnyCache(imgHandle);
1316  }
1317  }
1318 
1319  //do reads
1334  public static int readImg(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1335  getTSKReadLock();
1336  try {
1337  if(! imgHandleIsValid(imgHandle)) {
1338  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1339  }
1340  //returned byte[] is the data buffer
1341  return readImgNat(imgHandle, readBuffer, offset, len);
1342  } finally {
1343  releaseTSKReadLock();
1344  }
1345  }
1346 
1361  public static int readVs(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1362  getTSKReadLock();
1363  try {
1364  return readVsNat(vsHandle, readBuffer, offset, len);
1365  } finally {
1366  releaseTSKReadLock();
1367  }
1368  }
1369 
1382  static int readPool(long poolHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1383  getTSKReadLock();
1384  try {
1385  return readPoolNat(poolHandle, readBuffer, offset, len);
1386  } finally {
1387  releaseTSKReadLock();
1388  }
1389  }
1390 
1405  public static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1406  getTSKReadLock();
1407  try {
1408  //returned byte[] is the data buffer
1409  return readVolNat(volHandle, readBuffer, offset, len);
1410  } finally {
1411  releaseTSKReadLock();
1412  }
1413  }
1414 
1429  public static int readFs(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1430  getTSKReadLock();
1431  try {
1432  //returned byte[] is the data buffer
1433  return readFsNat(fsHandle, readBuffer, offset, len);
1434  } finally {
1435  releaseTSKReadLock();
1436  }
1437  }
1438 
1443  private enum TSK_FS_FILE_READ_OFFSET_TYPE_ENUM {
1444  START_OF_FILE(0),
1445  START_OF_SLACK(1);
1446 
1447  private final int val;
1448 
1449  TSK_FS_FILE_READ_OFFSET_TYPE_ENUM(int val) {
1450  this.val = val;
1451  }
1452 
1453  int getValue() {
1454  return val;
1455  }
1456  }
1457 
1472  public static int readFile(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1473  boolean withinPool = false;
1474  synchronized (HandleCache.cacheLock) {
1475  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1476  withinPool = true;
1477  }
1478  }
1479 
1480  /*
1481  * The current APFS code is not thread-safe. To compensate, we make any
1482  * reads to the APFS pool single-threaded by obtaining a write
1483  * lock instead of a read lock.
1484  */
1485  if (withinPool) {
1486  getTSKWriteLock();
1487  } else {
1488  getTSKReadLock();
1489  }
1490  try {
1491  if (!HandleCache.isValidFileHandle(fileHandle)) {
1492  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1493  }
1494 
1495  return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_FILE.getValue(), len);
1496  } finally {
1497  if (withinPool) {
1498  releaseTSKWriteLock();
1499  } else {
1500  releaseTSKReadLock();
1501  }
1502  }
1503  }
1504 
1519  public static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
1520  getTSKReadLock();
1521  try {
1522  if (!HandleCache.isValidFileHandle(fileHandle)) {
1523  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1524  }
1525 
1526  return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_SLACK.getValue(), len);
1527  } finally {
1528  releaseTSKReadLock();
1529  }
1530  }
1531 
1542  public static List<String> getFileMetaDataText(long fileHandle) throws TskCoreException {
1543  getTSKReadLock();
1544  try {
1545  if (!HandleCache.isValidFileHandle(fileHandle)) {
1546  throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1547  }
1548 
1549  try {
1550  java.io.File tmp = java.io.File.createTempFile("tsk", ".txt");
1551 
1552  saveFileMetaDataTextNat(fileHandle, tmp.getAbsolutePath());
1553 
1554  FileReader fr = new FileReader(tmp.getAbsolutePath());
1555  BufferedReader textReader = new BufferedReader(fr);
1556 
1557  List<String> lines = new ArrayList<String>();
1558  while (true) {
1559  String line = textReader.readLine();
1560  if (line == null) {
1561  break;
1562  }
1563  lines.add(line);
1564  }
1565  textReader.close();
1566  fr.close();
1567  tmp.delete();
1568  return lines;
1569  } catch (IOException ex) {
1570  throw new TskCoreException("Error reading istat output: " + ex.getLocalizedMessage());
1571  }
1572  } finally {
1573  releaseTSKReadLock();
1574  }
1575  }
1576 
1582  public static void closeFile(long fileHandle) {
1583  closeFile(fileHandle, null);
1584  }
1585 
1592  public static void closeFile(long fileHandle, SleuthkitCase skCase) {
1593  boolean withinPool = false;
1594  synchronized (HandleCache.cacheLock) {
1595  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1596  withinPool = true;
1597  }
1598  }
1599 
1600  /*
1601  * The current APFS code is not thread-safe. To compensate, we make any
1602  * reads to the APFS pool single-threaded by obtaining a write
1603  * lock instead of a read lock.
1604  */
1605  if (withinPool) {
1606  getTSKWriteLock();
1607  } else {
1608  getTSKReadLock();
1609  }
1610  try {
1611  synchronized (HandleCache.cacheLock) {
1612  if (!HandleCache.isValidFileHandle(fileHandle)) {
1613  // File handle is not open so this is a no-op.
1614  return;
1615  }
1616  closeFileNat(fileHandle);
1617  HandleCache.removeFileHandle(fileHandle, skCase);
1618  if (HandleCache.poolFileHandles.contains(fileHandle)) {
1619  HandleCache.poolFileHandles.remove(fileHandle);
1620  }
1621  }
1622  } finally {
1623  if (withinPool) {
1624  releaseTSKWriteLock();
1625  } else {
1626  releaseTSKReadLock();
1627  }
1628  }
1629  }
1630 
1638  public static void createLookupIndexForHashDatabase(int dbHandle) throws TskCoreException {
1639  hashDbCreateIndexNat(dbHandle);
1640  }
1641 
1651  public static boolean hashDatabaseHasLookupIndex(int dbHandle) throws TskCoreException {
1652  return hashDbIndexExistsNat(dbHandle);
1653  }
1654 
1665  public static boolean hashDatabaseCanBeReindexed(int dbHandle) throws TskCoreException {
1666  return hashDbIsReindexableNat(dbHandle);
1667  }
1668 
1678  public static String getHashDatabasePath(int dbHandle) throws TskCoreException {
1679  return hashDbPathNat(dbHandle);
1680  }
1681 
1691  public static String getHashDatabaseIndexPath(int dbHandle) throws TskCoreException {
1692  return hashDbIndexPathNat(dbHandle);
1693  }
1694 
1701  public static int openHashDatabase(String path) throws TskCoreException {
1702  return hashDbOpenNat(path);
1703  }
1704 
1714  public static int createHashDatabase(String path) throws TskCoreException {
1715  return hashDbNewNat(path);
1716  }
1717 
1724  public static void closeAllHashDatabases() throws TskCoreException {
1725  hashDbCloseAll();
1726  }
1727 
1737  public static void closeHashDatabase(int dbHandle) throws TskCoreException {
1738  hashDbClose(dbHandle);
1739  }
1740 
1750  public static String getHashDatabaseDisplayName(int dbHandle) throws TskCoreException {
1751  return hashDbGetDisplayName(dbHandle);
1752  }
1753 
1764  public static boolean lookupInHashDatabase(String hash, int dbHandle) throws TskCoreException {
1765  return hashDbLookup(hash, dbHandle);
1766  }
1767 
1779  public static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle) throws TskCoreException {
1780  return hashDbLookupVerbose(hash, dbHandle);
1781  }
1782 
1795  public static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle) throws TskCoreException {
1796  hashDbAddEntryNat(filename, md5, sha1, sha256, comment, dbHandle);
1797  }
1798 
1799  public static void addToHashDatabase(List<HashEntry> hashes, int dbHandle) throws TskCoreException {
1800  hashDbBeginTransactionNat(dbHandle);
1801  try {
1802  for (HashEntry entry : hashes) {
1803  hashDbAddEntryNat(entry.getFileName(), entry.getMd5Hash(), entry.getSha1Hash(), entry.getSha256Hash(), entry.getComment(), dbHandle);
1804  }
1805  hashDbCommitTransactionNat(dbHandle);
1806  } catch (TskCoreException ex) {
1807  try {
1808  hashDbRollbackTransactionNat(dbHandle);
1809  } catch (TskCoreException ex2) {
1810  ex2.initCause(ex);
1811  throw ex2;
1812  }
1813  throw ex;
1814  }
1815  }
1816 
1817  public static boolean isUpdateableHashDatabase(int dbHandle) throws TskCoreException {
1818  return hashDbIsUpdateableNat(dbHandle);
1819  }
1820 
1821  public static boolean hashDatabaseIsIndexOnly(int dbHandle) throws TskCoreException {
1822  return hashDbIsIdxOnlyNat(dbHandle);
1823  }
1824 
1834  private static String timezoneLongToShort(String timezoneLongForm) {
1835  if (timezoneLongForm == null || timezoneLongForm.isEmpty()) {
1836  return "";
1837  }
1838 
1839  String timezoneShortForm;
1840  TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
1841  int offset = zone.getRawOffset() / 1000;
1842  int hour = offset / 3600;
1843  int min = (offset % 3600) / 60;
1844  DateFormat dfm = new SimpleDateFormat("z");
1845  dfm.setTimeZone(zone);
1846  boolean hasDaylight = zone.useDaylightTime();
1847  String first = dfm.format(new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3); // make it only 3 letters code
1848  String second = dfm.format(new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3); // make it only 3 letters code
1849  int mid = hour * -1;
1850  timezoneShortForm = first + Integer.toString(mid);
1851  if (min != 0) {
1852  timezoneShortForm = timezoneShortForm + ":" + (min < 10 ? "0" : "") + Integer.toString(min);
1853  }
1854  if (hasDaylight) {
1855  timezoneShortForm += second;
1856  }
1857  return timezoneShortForm;
1858  }
1859 
1870  public static int finishImageWriter(long imgHandle) throws TskCoreException {
1871  getTSKReadLock();
1872  try {
1873  if(! imgHandleIsValid(imgHandle)) {
1874  throw new TskCoreException("Image handle " + imgHandle + " is closed");
1875  }
1876  return finishImageWriterNat(imgHandle);
1877  } finally {
1878  releaseTSKReadLock();
1879  }
1880  }
1881 
1889  public static int getFinishImageProgress(long imgHandle) {
1890  getTSKReadLock();
1891  try {
1892  if (imgHandleIsValid(imgHandle)) {
1893  return getFinishImageProgressNat(imgHandle);
1894  } else {
1895  return 0;
1896  }
1897  } finally {
1898  releaseTSKReadLock();
1899  }
1900  }
1901 
1907  public static void cancelFinishImage(long imgHandle) {
1908  getTSKReadLock();
1909  try {
1910  if (imgHandleIsValid(imgHandle)) {
1911  cancelFinishImageNat(imgHandle);
1912  }
1913  } finally {
1914  releaseTSKReadLock();
1915  }
1916  }
1917 
1929  public static long findDeviceSize(String devPath) throws TskCoreException {
1930  return findDeviceSizeNat(devPath);
1931  }
1932 
1933  public static boolean isImageSupported(String imagePath) {
1934  return isImageSupportedNat(imagePath);
1935  }
1936 
1950  static long getSleuthkitVersion() {
1951  return getSleuthkitVersionNat();
1952  }
1953 
1958  private static void getTSKReadLock() {
1959  tskLock.readLock().lock();
1960  }
1961 
1965  private static void releaseTSKReadLock() {
1966  tskLock.readLock().unlock();
1967  }
1968 
1976  private static void getTSKWriteLock() {
1977  tskLock.writeLock().lock();
1978  }
1979 
1983  private static void releaseTSKWriteLock() {
1984  tskLock.writeLock().unlock();
1985  }
1986 
1987  //free pointers
1994  @Deprecated
1995  public static void closeImg(long imgHandle) {
1996  //closeImgNat(imgHandle);
1997  }
1998 
2004  @Deprecated
2005  public static void closeVs(long vsHandle) {
2006  // closeVsNat(vsHandle); TODO JIRA-3829
2007  }
2008 
2015  @Deprecated
2016  public static void closeFs(long fsHandle) {
2017  //closeFsNat(fsHandle);
2018  }
2019 
2031  @Deprecated
2032  public static long openImage(String[] imageFiles) throws TskCoreException {
2033 
2034  return openImage(imageFiles, 0, true, null);
2035  }
2036 
2050  @Deprecated
2051  public static long openImage(String[] imageFiles, int sSize) throws TskCoreException {
2052  return openImage(imageFiles, sSize, true, null);
2053  }
2054 
2055 
2069  @Deprecated
2070  public static long openFs(long imgHandle, long fsOffset) throws TskCoreException {
2071  return openFs(imgHandle, fsOffset, null);
2072  }
2073 
2088  @Deprecated
2089  public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId) throws TskCoreException {
2090  return openFile(fsHandle, fileId, attrType, attrId, null);
2091  }
2092 
2093 
2094  private static native String getVersionNat();
2095 
2096  private static native void startVerboseLoggingNat(String logPath);
2097 
2098  private static native int hashDbOpenNat(String hashDbPath) throws TskCoreException;
2099 
2100  private static native int hashDbNewNat(String hashDbPath) throws TskCoreException;
2101 
2102  private static native int hashDbBeginTransactionNat(int dbHandle) throws TskCoreException;
2103 
2104  private static native int hashDbCommitTransactionNat(int dbHandle) throws TskCoreException;
2105 
2106  private static native int hashDbRollbackTransactionNat(int dbHandle) throws TskCoreException;
2107 
2108  private static native int hashDbAddEntryNat(String filename, String hashMd5, String hashSha1, String hashSha256, String comment, int dbHandle) throws TskCoreException;
2109 
2110  private static native boolean hashDbIsUpdateableNat(int dbHandle);
2111 
2112  private static native boolean hashDbIsReindexableNat(int dbHandle);
2113 
2114  private static native String hashDbPathNat(int dbHandle);
2115 
2116  private static native String hashDbIndexPathNat(int dbHandle);
2117 
2118  private static native String hashDbGetDisplayName(int dbHandle) throws TskCoreException;
2119 
2120  private static native void hashDbCloseAll() throws TskCoreException;
2121 
2122  private static native void hashDbClose(int dbHandle) throws TskCoreException;
2123 
2124  private static native void hashDbCreateIndexNat(int dbHandle) throws TskCoreException;
2125 
2126  private static native boolean hashDbIndexExistsNat(int dbHandle) throws TskCoreException;
2127 
2128  private static native boolean hashDbIsIdxOnlyNat(int dbHandle) throws TskCoreException;
2129 
2130  private static native boolean hashDbLookup(String hash, int dbHandle) throws TskCoreException;
2131 
2132  private static native HashHitInfo hashDbLookupVerbose(String hash, int dbHandle) throws TskCoreException;
2133 
2134  private static native long initAddImgNat(TskCaseDbBridge dbHelperObj, String timezone, boolean addUnallocSpace, boolean skipFatFsOrphans) throws TskCoreException;
2135 
2136  private static native long initializeAddImgNat(TskCaseDbBridge dbHelperObj, String timezone, boolean addFileSystems, boolean addUnallocSpace, boolean skipFatFsOrphans) throws TskCoreException;
2137 
2138  private static native void runOpenAndAddImgNat(long process, String deviceId, String[] imgPath, int splits, String timezone) throws TskCoreException, TskDataException;
2139 
2140  private static native void runAddImgNat(long process, String deviceId, long a_img_info, long image_id, String timeZone, String imageWriterPath) throws TskCoreException, TskDataException;
2141 
2142  private static native void stopAddImgNat(long process) throws TskCoreException;
2143 
2144  private static native long finishAddImgNat(long process) throws TskCoreException;
2145 
2146  private static native long openImgNat(String[] imgPath, int splits, int sSize) throws TskCoreException;
2147 
2148  private static native long openVsNat(long imgHandle, long vsOffset) throws TskCoreException;
2149 
2150  private static native long openVolNat(long vsHandle, long volId) throws TskCoreException;
2151 
2152  private static native long openPoolNat(long imgHandle, long offset) throws TskCoreException;
2153 
2154  private static native long getImgInfoForPoolNat(long poolHandle, long poolOffset) throws TskCoreException;
2155 
2156  private static native long openFsNat(long imgHandle, long fsId) throws TskCoreException;
2157 
2158  private static native long openFileNat(long fsHandle, long fileId, int attrType, int attrId) throws TskCoreException;
2159 
2160  private static native int readImgNat(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2161 
2162  private static native int readVsNat(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2163 
2164  private static native int readPoolNat(long poolHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2165 
2166  private static native int readVolNat(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2167 
2168  private static native int readFsNat(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
2169 
2170  private static native int readFileNat(long fileHandle, byte[] readBuffer, long offset, int offset_type, long len) throws TskCoreException;
2171 
2172  private static native int saveFileMetaDataTextNat(long fileHandle, String fileName) throws TskCoreException;
2173 
2174  private static native String[] getPathsForImageNat(long imgHandle);
2175 
2176  private static native long getSizeForImageNat(long imgHandle);
2177 
2178  private static native long getTypeForImageNat(long imgHandle);
2179 
2180  private static native long getSectorSizeForImageNat(long imgHandle);
2181 
2182  private static native String getMD5HashForImageNat(long imgHandle);
2183 
2184  private static native String getSha1HashForImageNat(long imgHandle);
2185 
2186  private static native String getCollectionDetailsForImageNat(long imgHandle);
2187 
2188  private static native void closeImgNat(long imgHandle);
2189 
2190  private static native void closePoolNat(long poolHandle);
2191 
2192  private static native void closeVsNat(long vsHandle);
2193 
2194  private static native void closeFsNat(long fsHandle);
2195 
2196  private static native void closeFileNat(long fileHandle);
2197 
2198  private static native long findDeviceSizeNat(String devicePath) throws TskCoreException;
2199 
2200  private static native String getCurDirNat(long process);
2201 
2202  private static native boolean isImageSupportedNat(String imagePath);
2203 
2204  private static native long getSleuthkitVersionNat();
2205 
2206  private static native int finishImageWriterNat(long a_img_info);
2207 
2208  private static native int getFinishImageProgressNat(long a_img_info);
2209 
2210  private static native void cancelFinishImageNat(long a_img_info);
2211 
2212 }
org.sleuthkit.datamodel.SleuthkitJNI.readImg
static int readImg(long imgHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1334
org.sleuthkit.datamodel.SleuthkitJNI.getHashDatabaseIndexPath
static String getHashDatabaseIndexPath(int dbHandle)
Definition: SleuthkitJNI.java:1691
org.sleuthkit.datamodel.SleuthkitJNI.readVs
static int readVs(long vsHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1361
org.sleuthkit.datamodel.SleuthkitJNI.createLookupIndexForHashDatabase
static void createLookupIndexForHashDatabase(int dbHandle)
Definition: SleuthkitJNI.java:1638
org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess.run
void run(String deviceId, Image image, int sectorSize, AddDataSourceCallbacks addDataSourceCallbacks)
Definition: SleuthkitJNI.java:564
org.sleuthkit.datamodel.SleuthkitJNI.addToHashDatabase
static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle)
Definition: SleuthkitJNI.java:1795
org.sleuthkit.datamodel.SleuthkitJNI.openFile
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:1231
org.sleuthkit.datamodel.SleuthkitJNI.createHashDatabase
static int createHashDatabase(String path)
Definition: SleuthkitJNI.java:1714
org.sleuthkit.datamodel.SleuthkitJNI.closeFs
static void closeFs(long fsHandle)
Definition: SleuthkitJNI.java:2016
org.sleuthkit.datamodel.SleuthkitJNI.cancelFinishImage
static void cancelFinishImage(long imgHandle)
Definition: SleuthkitJNI.java:1907
org.sleuthkit.datamodel.SleuthkitJNI.openFile
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId)
Definition: SleuthkitJNI.java:2089
org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess.run
void run(String deviceId, String[] imageFilePaths)
Definition: SleuthkitJNI.java:715
org.sleuthkit.datamodel.SleuthkitJNI.readFile
static int readFile(long fileHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1472
org.sleuthkit.datamodel.SleuthkitJNI.finishImageWriter
static int finishImageWriter(long imgHandle)
Definition: SleuthkitJNI.java:1870
org.sleuthkit.datamodel.SleuthkitJNI.lookupInHashDatabaseVerbose
static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle)
Definition: SleuthkitJNI.java:1779
org.sleuthkit.datamodel.SleuthkitJNI.openVs
static long openVs(long imgHandle, long vsOffset)
Definition: SleuthkitJNI.java:1037
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:813
org.sleuthkit.datamodel.SleuthkitJNI.hashDatabaseIsIndexOnly
static boolean hashDatabaseIsIndexOnly(int dbHandle)
Definition: SleuthkitJNI.java:1821
org.sleuthkit.datamodel.TskData.TSK_FS_ATTR_TYPE_ENUM
Definition: TskData.java:282
org.sleuthkit.datamodel.SleuthkitJNI.isImageSupported
static boolean isImageSupported(String imagePath)
Definition: SleuthkitJNI.java:1933
org.sleuthkit.datamodel.SleuthkitJNI.readVsPart
static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1405
org.sleuthkit.datamodel.SleuthkitJNI.closeFile
static void closeFile(long fileHandle, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:1592
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles, int sSize)
Definition: SleuthkitJNI.java:2051
org.sleuthkit.datamodel.SleuthkitJNI.closeVs
static void closeVs(long vsHandle)
Definition: SleuthkitJNI.java:2005
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles)
Definition: SleuthkitJNI.java:2032
org.sleuthkit.datamodel.SleuthkitJNI.openFs
static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:1132
org.sleuthkit.datamodel.SleuthkitJNI.openImage
static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase)
Definition: SleuthkitJNI.java:833
org.sleuthkit.datamodel.SleuthkitJNI.CaseDbHandle.AddImageProcess.run
void run(String deviceId, String[] imageFilePaths, int sectorSize)
Definition: SleuthkitJNI.java:542
org.sleuthkit.datamodel.HashEntry
Definition: HashEntry.java:25
org.sleuthkit.datamodel.SleuthkitJNI.addImageToDatabase
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId, Host host)
Definition: SleuthkitJNI.java:975
org.sleuthkit.datamodel.SleuthkitJNI.findDeviceSize
static long findDeviceSize(String devPath)
Definition: SleuthkitJNI.java:1929
org.sleuthkit.datamodel.SleuthkitJNI.getHashDatabaseDisplayName
static String getHashDatabaseDisplayName(int dbHandle)
Definition: SleuthkitJNI.java:1750
org.sleuthkit.datamodel.SleuthkitJNI.getFileMetaDataText
static List< String > getFileMetaDataText(long fileHandle)
Definition: SleuthkitJNI.java:1542
org.sleuthkit.datamodel.SleuthkitJNI.closeImg
static void closeImg(long imgHandle)
Definition: SleuthkitJNI.java:1995
org.sleuthkit.datamodel.SleuthkitJNI.openFs
static long openFs(long imgHandle, long fsOffset)
Definition: SleuthkitJNI.java:2070
org.sleuthkit.datamodel.SleuthkitCase.addImage
Image addImage(TskData.TSK_IMG_TYPE_ENUM type, long sectorSize, long size, String displayName, List< String > imagePaths, String timezone, String md5, String sha1, String sha256, String deviceId, CaseDbTransaction transaction)
Definition: SleuthkitCase.java:6799
org.sleuthkit.datamodel.SleuthkitJNI.getFinishImageProgress
static int getFinishImageProgress(long imgHandle)
Definition: SleuthkitJNI.java:1889
org.sleuthkit.datamodel.SleuthkitJNI.openHashDatabase
static int openHashDatabase(String path)
Definition: SleuthkitJNI.java:1701
org.sleuthkit.datamodel.SleuthkitJNI.closeFile
static void closeFile(long fileHandle)
Definition: SleuthkitJNI.java:1582
org.sleuthkit.datamodel.SleuthkitJNI.lookupInHashDatabase
static boolean lookupInHashDatabase(String hash, int dbHandle)
Definition: SleuthkitJNI.java:1764
org.sleuthkit.datamodel.TskData.TSK_IMG_TYPE_ENUM.valueOf
static TSK_IMG_TYPE_ENUM valueOf(long imgType)
Definition: TskData.java:549
org.sleuthkit.datamodel.SleuthkitJNI.hashDatabaseHasLookupIndex
static boolean hashDatabaseHasLookupIndex(int dbHandle)
Definition: SleuthkitJNI.java:1651
org.sleuthkit.datamodel.SleuthkitJNI.addImageToDatabase
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId)
Definition: SleuthkitJNI.java:952
org.sleuthkit.datamodel.SleuthkitJNI.openVsPart
static long openVsPart(long vsHandle, long volId)
Definition: SleuthkitJNI.java:1061
org.sleuthkit.datamodel.SleuthkitJNI.readFileSlack
static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1519
org.sleuthkit.datamodel.SleuthkitJNI.isUpdateableHashDatabase
static boolean isUpdateableHashDatabase(int dbHandle)
Definition: SleuthkitJNI.java:1817
org.sleuthkit.datamodel.SleuthkitJNI.addToHashDatabase
static void addToHashDatabase(List< HashEntry > hashes, int dbHandle)
Definition: SleuthkitJNI.java:1799
org.sleuthkit.datamodel.SleuthkitJNI.hashDatabaseCanBeReindexed
static boolean hashDatabaseCanBeReindexed(int dbHandle)
Definition: SleuthkitJNI.java:1665
org.sleuthkit.datamodel.SleuthkitJNI.startVerboseLogging
static void startVerboseLogging(String logPath)
Definition: SleuthkitJNI.java:798
org.sleuthkit.datamodel.TskData.TSK_IMG_TYPE_ENUM
Definition: TskData.java:525
org.sleuthkit.datamodel.SleuthkitJNI.readFs
static int readFs(long fsHandle, byte[] readBuffer, long offset, long len)
Definition: SleuthkitJNI.java:1429
org.sleuthkit.datamodel.SleuthkitJNI.getHashDatabasePath
static String getHashDatabasePath(int dbHandle)
Definition: SleuthkitJNI.java:1678
org.sleuthkit.datamodel.SleuthkitJNI.closeHashDatabase
static void closeHashDatabase(int dbHandle)
Definition: SleuthkitJNI.java:1737

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.