19 package org.sleuthkit.datamodel;
21 import java.io.BufferedReader;
22 import java.io.FileReader;
23 import java.io.IOException;
24 import java.text.DateFormat;
25 import java.text.SimpleDateFormat;
26 import java.util.ArrayList;
27 import java.util.Arrays;
28 import java.util.GregorianCalendar;
29 import java.util.HashMap;
30 import java.util.HashSet;
31 import java.util.List;
34 import java.util.TimeZone;
35 import java.util.UUID;
36 import java.util.concurrent.locks.ReadWriteLock;
37 import java.util.concurrent.locks.ReentrantReadWriteLock;
38 import java.util.logging.Level;
39 import java.util.logging.Logger;
40 import org.apache.commons.lang3.StringUtils;
54 private static final Logger logger = Logger.getLogger(
SleuthkitJNI.class.getName());
62 private static final ReadWriteLock tskLock =
new ReentrantReadWriteLock();
81 private static class CaseHandles {
86 private final Map<String, Long> imageHandleCache =
new HashMap<>();
92 private final Map<Long, Map<Long, Long>> fsHandleCache =
new HashMap<>();
98 private final Set<Long> fileHandleCache =
new HashSet<>();
100 private final Map<Long, List<Long>> fileSystemToFileHandles =
new HashMap<>();
102 private final Map<Long, Map<Long, Long>> poolHandleCache =
new HashMap<>();
105 private final List<Long> poolImgCache =
new ArrayList<>();
114 private final List<Long> poolFsList =
new ArrayList<>();
116 private CaseHandles() {
127 private static class HandleCache {
132 private static final Object cacheLock =
new Object();
134 private static final Map<String, CaseHandles> caseHandlesCache =
new HashMap<>();
136 private static final String INVALID_FILE_HANDLE =
"Invalid file handle.";
147 private static final List<Long> poolFileHandles =
new ArrayList<>();
154 private static void createCaseHandleCache(String caseIdentifier) {
155 caseHandlesCache.put(caseIdentifier,
new CaseHandles());
167 synchronized (cacheLock) {
168 if (caseHandlesCache.keySet().size() > 1) {
169 throw new TskCoreException(
"Can not get default case identifier with multiple open cases");
170 }
else if (caseHandlesCache.keySet().isEmpty()) {
171 throw new TskCoreException(
"Can not get default case identifier with no open case");
174 return (caseHandlesCache.keySet().iterator().next());
187 private static CaseHandles getCaseHandles(String caseIdentifier)
throws TskCoreException {
188 synchronized (cacheLock) {
189 if (caseHandlesCache.containsKey(caseIdentifier)) {
190 return caseHandlesCache.get(caseIdentifier);
193 throw new TskCoreException(
"No entry for case " + caseIdentifier +
" in cache. Case may have been closed");
202 private static void removeCaseHandlesCache(String caseIdentifier) {
203 synchronized (cacheLock) {
204 if (caseHandlesCache.containsKey(caseIdentifier)) {
205 caseHandlesCache.get(caseIdentifier).fsHandleCache.clear();
206 caseHandlesCache.get(caseIdentifier).imageHandleCache.clear();
207 caseHandlesCache.get(caseIdentifier).fileHandleCache.clear();
208 caseHandlesCache.get(caseIdentifier).fileSystemToFileHandles.clear();
209 caseHandlesCache.get(caseIdentifier).poolHandleCache.clear();
210 caseHandlesCache.remove(caseIdentifier);
222 private static boolean isImageInAnyCache(
long imgHandle) {
223 synchronized (cacheLock) {
224 for (String caseIdentifier:caseHandlesCache.keySet()) {
225 if (caseHandlesCache.get(caseIdentifier).fsHandleCache.keySet().contains(imgHandle)) {
240 private static void addFileHandle(String caseIdentifier,
long fileHandle,
long fsHandle) {
242 synchronized (cacheLock) {
244 getCaseHandles(caseIdentifier).fileHandleCache.add(fileHandle);
247 if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
248 getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle).add(fileHandle);
250 getCaseHandles(caseIdentifier).fileSystemToFileHandles.put(fsHandle,
new ArrayList<>(Arrays.asList(fileHandle)));
254 logger.log(Level.WARNING,
"Error caching file handle for case {0}", caseIdentifier);
264 private static void removeFileHandle(
long fileHandle,
SleuthkitCase skCase) {
265 synchronized (cacheLock) {
267 if (skCase != null) {
269 getCaseHandles(skCase.getCaseHandleIdentifier()).fileHandleCache.remove(fileHandle);
275 for (String caseIdentifier:caseHandlesCache.keySet()) {
276 if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
277 caseHandlesCache.get(caseIdentifier).fileHandleCache.remove(fileHandle);
292 private static boolean isValidFileHandle(
long fileHandle) {
293 synchronized (cacheLock) {
294 for (String caseIdentifier:caseHandlesCache.keySet()) {
295 if (caseHandlesCache.get(caseIdentifier).fileHandleCache.contains(fileHandle)) {
303 private static void closeHandlesAndClearCache(String caseIdentifier)
throws TskCoreException {
304 synchronized (cacheLock) {
308 for (Map<Long, Long> imageToFsMap : getCaseHandles(caseIdentifier).fsHandleCache.values()) {
309 for (Long fsHandle : imageToFsMap.values()) {
311 if (getCaseHandles(caseIdentifier).fileSystemToFileHandles.containsKey(fsHandle)) {
312 for (Long fileHandle : getCaseHandles(caseIdentifier).fileSystemToFileHandles.get(fsHandle)) {
314 if (poolFileHandles.contains(fileHandle)) {
315 poolFileHandles.remove(fileHandle);
321 closeFsNat(fsHandle);
328 getCaseHandles(caseIdentifier).poolFsList.clear();
333 for (Long imgHandle : getCaseHandles(caseIdentifier).poolHandleCache.keySet()) {
334 for (Long poolHandle : getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle).values()) {
335 closePoolNat(poolHandle);
342 for (Long imageHandle : getCaseHandles(caseIdentifier).poolImgCache) {
343 closeImgNat(imageHandle);
349 for (Long imageHandle : getCaseHandles(caseIdentifier).imageHandleCache.values()) {
350 closeImgNat(imageHandle);
353 removeCaseHandlesCache(caseIdentifier);
368 private final String caseDbIdentifier;
377 this.caseDbIdentifier =
"SingleUser:" + databaseName;
378 HandleCache.createCaseHandleCache(caseDbIdentifier);
389 this.caseDbIdentifier =
"MultiUser:" + info.
getHost() +
":" + databaseName;
390 HandleCache.createCaseHandleCache(caseDbIdentifier);
398 String getCaseDbIdentifier() {
399 return caseDbIdentifier;
409 tskLock.writeLock().lock();
411 HandleCache.closeHandlesAndClearCache(caseDbIdentifier);
414 tskLock.writeLock().unlock();
446 if (imageFilePaths.size() > 0) {
447 String path = imageFilePaths.get(0);
448 hostName = (
new java.io.File(path)).getName() +
" Host";
450 hostName =
"Image_" + deviceObjId +
" Host";
455 long tskAutoDbPointer = initializeAddImgNat(dbHelper, timezoneLongToShort(timeZone),
false,
false,
false);
456 runOpenAndAddImgNat(tskAutoDbPointer, UUID.randomUUID().toString(), imageFilePaths.toArray(
new String[0]), imageFilePaths.size(), timeZone);
457 long id = finishAddImgNat(tskAutoDbPointer);
459 skCase.addDataSourceToHasChildrenMap();
482 AddImageProcess initAddImageProcess(String timeZone,
boolean addUnallocSpace,
boolean skipFatFsOrphans, String imageCopyPath,
SleuthkitCase skCase) {
483 return new AddImageProcess(timeZone, addUnallocSpace, skipFatFsOrphans, imageCopyPath, skCase);
492 private final String timeZone;
493 private final boolean addUnallocSpace;
494 private final boolean skipFatFsOrphans;
495 private final String imageWriterPath;
496 private volatile long tskAutoDbPointer;
497 private long imageId = 0;
498 private boolean isCanceled;
500 private TskCaseDbBridge dbHelper;
515 private AddImageProcess(String timeZone,
boolean addUnallocSpace,
boolean skipFatFsOrphans, String imageWriterPath,
SleuthkitCase skCase) {
516 this.timeZone = timeZone;
517 this.addUnallocSpace = addUnallocSpace;
518 this.skipFatFsOrphans = skipFatFsOrphans;
519 this.imageWriterPath = imageWriterPath;
520 tskAutoDbPointer = 0;
521 this.isCanceled =
false;
522 this.skCase = skCase;
564 public void run(String deviceId,
Image image,
int sectorSize,
567 dbHelper =
new TskCaseDbBridge(skCase, addDataSourceCallbacks, image.getHost());
570 long imageHandle = 0;
571 synchronized (
this) {
572 if (0 != tskAutoDbPointer) {
573 throw new TskCoreException(
"Add image process already started");
576 imageHandle = image.getImageHandle();
577 tskAutoDbPointer = initAddImgNat(dbHelper, timezoneLongToShort(timeZone), addUnallocSpace, skipFatFsOrphans);
579 if (0 == tskAutoDbPointer) {
580 throw new TskCoreException(
"initAddImgNat returned a NULL TskAutoDb pointer");
583 if (imageHandle != 0) {
584 runAddImgNat(tskAutoDbPointer, deviceId, imageHandle, image.getId(), timeZone, imageWriterPath);
587 finishAddImageProcess();
588 releaseTSKReadLock();
601 public synchronized void stop() throws TskCoreException {
605 if (tskAutoDbPointer != 0) {
606 stopAddImgNat(tskAutoDbPointer);
609 releaseTSKReadLock();
623 private synchronized void finishAddImageProcess() throws TskCoreException {
624 if (tskAutoDbPointer == 0) {
630 if (! this.isCanceled && dbHelper != null) {
635 imageId = finishAddImgNat(tskAutoDbPointer);
636 tskAutoDbPointer = 0;
638 skCase.addDataSourceToHasChildrenMap();
650 public synchronized void revert() throws TskCoreException {
666 public synchronized long commit() throws TskCoreException {
677 return tskAutoDbPointer == 0 ?
"" : getCurDirNat(tskAutoDbPointer);
697 run(null, imageFilePaths, 0);
716 run(deviceId, imageFilePaths, 0);
733 static CaseDbHandle newCaseDb(String path)
throws TskCoreException {
734 return new CaseDbHandle(path);
749 static CaseDbHandle newCaseDb(String databaseName, CaseDbConnectionInfo info)
throws TskCoreException {
750 return new CaseDbHandle(databaseName, info);
764 static CaseDbHandle openCaseDb(String path)
throws TskCoreException {
765 return new CaseDbHandle(path);
780 static CaseDbHandle openCaseDb(String databaseName, CaseDbConnectionInfo info)
throws TskCoreException {
781 return new CaseDbHandle(databaseName, info);
790 return getVersionNat();
799 startVerboseLoggingNat(logPath);
814 if (skCase == null) {
815 throw new TskCoreException(
"SleuthkitCase can not be null");
817 return openImage(imageFiles, 0,
true, skCase.getCaseHandleIdentifier());
834 if (skCase == null) {
835 throw new TskCoreException(
"SleuthkitCase can not be null");
837 return openImage(imageFiles, sSize,
true, skCase.getCaseHandleIdentifier());
857 private static long openImage(String[] imageFiles,
int sSize,
boolean useCache, String caseIdentifer)
throws TskCoreException {
862 StringBuilder keyBuilder =
new StringBuilder();
863 for (
int i = 0; i < imageFiles.length; ++i) {
864 keyBuilder.append(imageFiles[i]);
866 final String imageKey = keyBuilder.toString();
868 synchronized (HandleCache.cacheLock) {
869 String nonNullCaseIdentifer = caseIdentifer;
870 if (nonNullCaseIdentifer == null) {
871 nonNullCaseIdentifer = HandleCache.getDefaultCaseIdentifier();
879 if (!useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey)) {
880 long tempImageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
884 String newPath =
"Image_" + UUID.randomUUID().toString();
885 HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(newPath, tempImageHandle);
886 HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.remove(imageKey);
889 if (useCache && HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.containsKey(imageKey))
891 imageHandle = HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.get(imageKey);
894 imageHandle = openImgNat(imageFiles, imageFiles.length, sSize);
895 HandleCache.getCaseHandles(nonNullCaseIdentifer).fsHandleCache.put(imageHandle,
new HashMap<>());
896 HandleCache.getCaseHandles(nonNullCaseIdentifer).imageHandleCache.put(imageKey, imageHandle);
901 releaseTSKReadLock();
918 private static void cacheImageHandle(SleuthkitCase skCase, List<String> imagePaths,
long imageHandle)
throws TskCoreException {
921 StringBuilder keyBuilder =
new StringBuilder();
922 for (
int i = 0; i < imagePaths.size(); ++i) {
923 keyBuilder.append(imagePaths.get(i));
925 final String imageKey = keyBuilder.toString();
928 String caseIdentifier = skCase.getCaseHandleIdentifier();
930 synchronized (HandleCache.cacheLock) {
931 HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.put(imageHandle,
new HashMap<>());
932 HandleCache.getCaseHandles(caseIdentifier).imageHandleCache.put(imageKey, imageHandle);
953 String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId)
throws TskCoreException {
955 return addImageToDatabase(skCase, imagePaths, sectorSize, timeZone, md5fromSettings, sha1fromSettings, sha256fromSettings, deviceId, null);
976 String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId,
Host host)
throws TskCoreException {
979 long imageHandle = openImgNat(imagePaths, 1, sectorSize);
982 List<String> computedPaths = Arrays.asList(getPathsForImageNat(imageHandle));
983 long size = getSizeForImageNat(imageHandle);
984 long type = getTypeForImageNat(imageHandle);
985 long computedSectorSize = getSectorSizeForImageNat(imageHandle);
986 String md5 = md5fromSettings;
987 if (StringUtils.isEmpty(md5)) {
988 md5 = getMD5HashForImageNat(imageHandle);
990 String sha1 = sha1fromSettings;
991 if (StringUtils.isEmpty(sha1)) {
992 sha1 = getSha1HashForImageNat(imageHandle);
996 String sha256 = sha256fromSettings;
997 if (sha256 == null) {
1000 String collectionDetails = getCollectionDetailsForImageNat(imageHandle);
1006 size, null, computedPaths,
1007 timeZone, md5, sha1, sha256,
1008 deviceId, host, transaction);
1009 if (!StringUtils.isEmpty(collectionDetails)) {
1010 skCase.setAcquisitionDetails(img, collectionDetails);
1014 img.setImageHandle(imageHandle);
1015 cacheImageHandle(skCase, computedPaths, imageHandle);
1017 }
catch (TskCoreException ex) {
1037 public static long openVs(
long imgHandle,
long vsOffset)
throws TskCoreException {
1040 if(! imgHandleIsValid(imgHandle)) {
1041 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1043 return openVsNat(imgHandle, vsOffset);
1045 releaseTSKReadLock();
1061 public static long openVsPart(
long vsHandle,
long volId)
throws TskCoreException {
1065 return openVolNat(vsHandle, volId);
1067 releaseTSKReadLock();
1082 static long openPool(
long imgHandle,
long offset,
SleuthkitCase skCase)
throws TskCoreException {
1085 if(! imgHandleIsValid(imgHandle)) {
1086 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1089 synchronized (HandleCache.cacheLock) {
1090 String caseIdentifier;
1091 if (skCase == null) {
1092 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1094 caseIdentifier = skCase.getCaseHandleIdentifier();
1098 if (! HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.containsKey(imgHandle)) {
1099 HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.put(imgHandle,
new HashMap<>());
1103 Map<Long, Long> poolCacheForImage = HandleCache.getCaseHandles(caseIdentifier).poolHandleCache.get(imgHandle);
1105 if (poolCacheForImage.containsKey(offset)) {
1106 return poolCacheForImage.get(offset);
1109 long poolHandle = openPoolNat(imgHandle, offset);
1110 poolCacheForImage.put(offset, poolHandle);
1115 releaseTSKReadLock();
1136 synchronized (HandleCache.cacheLock) {
1137 String caseIdentifier;
1138 if (skCase == null) {
1139 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1141 caseIdentifier = skCase.getCaseHandleIdentifier();
1143 final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1144 if (imgOffSetToFsHandle == null) {
1145 throw new TskCoreException(
"Missing image offset to file system handle cache for image handle " + imgHandle);
1147 if (imgOffSetToFsHandle.containsKey(fsOffset)) {
1149 fsHandle = imgOffSetToFsHandle.get(fsOffset);
1151 fsHandle = openFsNat(imgHandle, fsOffset);
1153 imgOffSetToFsHandle.put(fsOffset, fsHandle);
1158 releaseTSKReadLock();
1178 static long openFsPool(
long imgHandle,
long fsOffset,
long poolHandle,
long poolBlock,
SleuthkitCase skCase)
throws TskCoreException {
1187 synchronized (HandleCache.cacheLock) {
1188 String caseIdentifier;
1189 if (skCase == null) {
1190 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1192 caseIdentifier = skCase.getCaseHandleIdentifier();
1194 final Map<Long, Long> imgOffSetToFsHandle = HandleCache.getCaseHandles(caseIdentifier).fsHandleCache.get(imgHandle);
1195 if (imgOffSetToFsHandle == null) {
1196 throw new TskCoreException(
"Missing image offset to file system handle cache for image handle " + imgHandle);
1199 if (imgOffSetToFsHandle.containsKey(poolBlock)) {
1201 fsHandle = imgOffSetToFsHandle.get(poolBlock);
1203 long poolImgHandle = getImgInfoForPoolNat(poolHandle, poolBlock);
1204 HandleCache.getCaseHandles(caseIdentifier).poolImgCache.add(poolImgHandle);
1205 fsHandle = openFsNat(poolImgHandle, fsOffset);
1207 imgOffSetToFsHandle.put(poolBlock, fsHandle);
1208 HandleCache.getCaseHandles(caseIdentifier).poolFsList.add(fsHandle);
1213 releaseTSKWriteLock();
1243 boolean withinPool =
false;
1244 synchronized (HandleCache.cacheLock) {
1245 String caseIdentifier;
1246 if (skCase == null) {
1247 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1249 caseIdentifier = skCase.getCaseHandleIdentifier();
1251 if (HandleCache.getCaseHandles(caseIdentifier).poolFsList.contains(fsHandle)) {
1267 long fileHandle = openFileNat(fsHandle, fileId, attrType.getValue(), convertSignedToUnsigned(attrId));
1268 synchronized (HandleCache.cacheLock) {
1269 String caseIdentifier;
1270 if (skCase == null) {
1271 caseIdentifier = HandleCache.getDefaultCaseIdentifier();
1273 caseIdentifier = skCase.getCaseHandleIdentifier();
1275 HandleCache.addFileHandle(caseIdentifier, fileHandle, fsHandle);
1280 HandleCache.poolFileHandles.add(fileHandle);
1286 releaseTSKWriteLock();
1288 releaseTSKReadLock();
1300 private static int convertSignedToUnsigned(
int val) {
1305 return val & 0xffff;
1313 private static boolean imgHandleIsValid(
long imgHandle) {
1314 synchronized(HandleCache.cacheLock) {
1315 return HandleCache.isImageInAnyCache(imgHandle);
1334 public static int readImg(
long imgHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1337 if(! imgHandleIsValid(imgHandle)) {
1338 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1341 return readImgNat(imgHandle, readBuffer, offset, len);
1343 releaseTSKReadLock();
1361 public static int readVs(
long vsHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1364 return readVsNat(vsHandle, readBuffer, offset, len);
1366 releaseTSKReadLock();
1382 static int readPool(
long poolHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1385 return readPoolNat(poolHandle, readBuffer, offset, len);
1387 releaseTSKReadLock();
1405 public static int readVsPart(
long volHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1409 return readVolNat(volHandle, readBuffer, offset, len);
1411 releaseTSKReadLock();
1429 public static int readFs(
long fsHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1433 return readFsNat(fsHandle, readBuffer, offset, len);
1435 releaseTSKReadLock();
1443 private enum TSK_FS_FILE_READ_OFFSET_TYPE_ENUM {
1447 private final int val;
1449 TSK_FS_FILE_READ_OFFSET_TYPE_ENUM(
int val) {
1472 public static int readFile(
long fileHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1473 boolean withinPool =
false;
1474 synchronized (HandleCache.cacheLock) {
1475 if (HandleCache.poolFileHandles.contains(fileHandle)) {
1491 if (!HandleCache.isValidFileHandle(fileHandle)) {
1492 throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1495 return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_FILE.getValue(), len);
1498 releaseTSKWriteLock();
1500 releaseTSKReadLock();
1519 public static int readFileSlack(
long fileHandle, byte[] readBuffer,
long offset,
long len)
throws TskCoreException {
1522 if (!HandleCache.isValidFileHandle(fileHandle)) {
1523 throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1526 return readFileNat(fileHandle, readBuffer, offset, TSK_FS_FILE_READ_OFFSET_TYPE_ENUM.START_OF_SLACK.getValue(), len);
1528 releaseTSKReadLock();
1545 if (!HandleCache.isValidFileHandle(fileHandle)) {
1546 throw new TskCoreException(HandleCache.INVALID_FILE_HANDLE);
1550 java.io.File tmp = java.io.File.createTempFile(
"tsk",
".txt");
1552 saveFileMetaDataTextNat(fileHandle, tmp.getAbsolutePath());
1554 FileReader fr =
new FileReader(tmp.getAbsolutePath());
1555 BufferedReader textReader =
new BufferedReader(fr);
1557 List<String> lines =
new ArrayList<String>();
1559 String line = textReader.readLine();
1569 }
catch (IOException ex) {
1570 throw new TskCoreException(
"Error reading istat output: " + ex.getLocalizedMessage());
1573 releaseTSKReadLock();
1593 boolean withinPool =
false;
1594 synchronized (HandleCache.cacheLock) {
1595 if (HandleCache.poolFileHandles.contains(fileHandle)) {
1611 synchronized (HandleCache.cacheLock) {
1612 if (!HandleCache.isValidFileHandle(fileHandle)) {
1616 closeFileNat(fileHandle);
1617 HandleCache.removeFileHandle(fileHandle, skCase);
1618 if (HandleCache.poolFileHandles.contains(fileHandle)) {
1619 HandleCache.poolFileHandles.remove(fileHandle);
1624 releaseTSKWriteLock();
1626 releaseTSKReadLock();
1639 hashDbCreateIndexNat(dbHandle);
1652 return hashDbIndexExistsNat(dbHandle);
1666 return hashDbIsReindexableNat(dbHandle);
1679 return hashDbPathNat(dbHandle);
1692 return hashDbIndexPathNat(dbHandle);
1702 return hashDbOpenNat(path);
1715 return hashDbNewNat(path);
1738 hashDbClose(dbHandle);
1751 return hashDbGetDisplayName(dbHandle);
1765 return hashDbLookup(hash, dbHandle);
1780 return hashDbLookupVerbose(hash, dbHandle);
1795 public static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment,
int dbHandle)
throws TskCoreException {
1796 hashDbAddEntryNat(filename, md5, sha1, sha256, comment, dbHandle);
1799 public static void addToHashDatabase(List<HashEntry> hashes,
int dbHandle)
throws TskCoreException {
1800 hashDbBeginTransactionNat(dbHandle);
1803 hashDbAddEntryNat(entry.getFileName(), entry.getMd5Hash(), entry.getSha1Hash(), entry.getSha256Hash(), entry.getComment(), dbHandle);
1805 hashDbCommitTransactionNat(dbHandle);
1806 }
catch (TskCoreException ex) {
1808 hashDbRollbackTransactionNat(dbHandle);
1809 }
catch (TskCoreException ex2) {
1818 return hashDbIsUpdateableNat(dbHandle);
1822 return hashDbIsIdxOnlyNat(dbHandle);
1834 private static String timezoneLongToShort(String timezoneLongForm) {
1835 if (timezoneLongForm == null || timezoneLongForm.isEmpty()) {
1839 String timezoneShortForm;
1840 TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
1841 int offset = zone.getRawOffset() / 1000;
1842 int hour = offset / 3600;
1843 int min = (offset % 3600) / 60;
1844 DateFormat dfm =
new SimpleDateFormat(
"z");
1845 dfm.setTimeZone(zone);
1846 boolean hasDaylight = zone.useDaylightTime();
1847 String first = dfm.format(
new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3);
1848 String second = dfm.format(
new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3);
1849 int mid = hour * -1;
1850 timezoneShortForm = first + Integer.toString(mid);
1852 timezoneShortForm = timezoneShortForm +
":" + (min < 10 ?
"0" :
"") + Integer.toString(min);
1855 timezoneShortForm += second;
1857 return timezoneShortForm;
1873 if(! imgHandleIsValid(imgHandle)) {
1874 throw new TskCoreException(
"Image handle " + imgHandle +
" is closed");
1876 return finishImageWriterNat(imgHandle);
1878 releaseTSKReadLock();
1892 if (imgHandleIsValid(imgHandle)) {
1893 return getFinishImageProgressNat(imgHandle);
1898 releaseTSKReadLock();
1910 if (imgHandleIsValid(imgHandle)) {
1911 cancelFinishImageNat(imgHandle);
1914 releaseTSKReadLock();
1930 return findDeviceSizeNat(devPath);
1934 return isImageSupportedNat(imagePath);
1950 static long getSleuthkitVersion() {
1951 return getSleuthkitVersionNat();
1958 private static void getTSKReadLock() {
1959 tskLock.readLock().lock();
1965 private static void releaseTSKReadLock() {
1966 tskLock.readLock().unlock();
1976 private static void getTSKWriteLock() {
1977 tskLock.writeLock().lock();
1983 private static void releaseTSKWriteLock() {
1984 tskLock.writeLock().unlock();
2032 public static long openImage(String[] imageFiles)
throws TskCoreException {
2034 return openImage(imageFiles, 0,
true, null);
2051 public static long openImage(String[] imageFiles,
int sSize)
throws TskCoreException {
2052 return openImage(imageFiles, sSize,
true, null);
2070 public static long openFs(
long imgHandle,
long fsOffset)
throws TskCoreException {
2071 return openFs(imgHandle, fsOffset, null);
2090 return openFile(fsHandle, fileId, attrType, attrId, null);
2094 private static native String getVersionNat();
2096 private static native
void startVerboseLoggingNat(String logPath);
2098 private static native
int hashDbOpenNat(String hashDbPath)
throws TskCoreException;
2100 private static native
int hashDbNewNat(String hashDbPath)
throws TskCoreException;
2102 private static native
int hashDbBeginTransactionNat(
int dbHandle)
throws TskCoreException;
2104 private static native
int hashDbCommitTransactionNat(
int dbHandle)
throws TskCoreException;
2106 private static native
int hashDbRollbackTransactionNat(
int dbHandle)
throws TskCoreException;
2108 private static native
int hashDbAddEntryNat(String filename, String hashMd5, String hashSha1, String hashSha256, String comment,
int dbHandle)
throws TskCoreException;
2110 private static native
boolean hashDbIsUpdateableNat(
int dbHandle);
2112 private static native
boolean hashDbIsReindexableNat(
int dbHandle);
2114 private static native String hashDbPathNat(
int dbHandle);
2116 private static native String hashDbIndexPathNat(
int dbHandle);
2118 private static native String hashDbGetDisplayName(
int dbHandle)
throws TskCoreException;
2120 private static native
void hashDbCloseAll() throws TskCoreException;
2122 private static native
void hashDbClose(
int dbHandle) throws TskCoreException;
2124 private static native
void hashDbCreateIndexNat(
int dbHandle) throws TskCoreException;
2126 private static native
boolean hashDbIndexExistsNat(
int dbHandle) throws TskCoreException;
2128 private static native
boolean hashDbIsIdxOnlyNat(
int dbHandle) throws TskCoreException;
2130 private static native
boolean hashDbLookup(String hash,
int dbHandle) throws TskCoreException;
2132 private static native
HashHitInfo hashDbLookupVerbose(String hash,
int dbHandle) throws TskCoreException;
2134 private static native
long initAddImgNat(TskCaseDbBridge dbHelperObj, String timezone,
boolean addUnallocSpace,
boolean skipFatFsOrphans) throws TskCoreException;
2136 private static native
long initializeAddImgNat(TskCaseDbBridge dbHelperObj, String timezone,
boolean addFileSystems,
boolean addUnallocSpace,
boolean skipFatFsOrphans) throws TskCoreException;
2138 private static native
void runOpenAndAddImgNat(
long process, String deviceId, String[] imgPath,
int splits, String timezone) throws TskCoreException,
TskDataException;
2140 private static native
void runAddImgNat(
long process, String deviceId,
long a_img_info,
long image_id, String timeZone, String imageWriterPath) throws TskCoreException, TskDataException;
2142 private static native
void stopAddImgNat(
long process) throws TskCoreException;
2144 private static native
long finishAddImgNat(
long process) throws TskCoreException;
2146 private static native
long openImgNat(String[] imgPath,
int splits,
int sSize) throws TskCoreException;
2148 private static native
long openVsNat(
long imgHandle,
long vsOffset) throws TskCoreException;
2150 private static native
long openVolNat(
long vsHandle,
long volId) throws TskCoreException;
2152 private static native
long openPoolNat(
long imgHandle,
long offset) throws TskCoreException;
2154 private static native
long getImgInfoForPoolNat(
long poolHandle,
long poolOffset) throws TskCoreException;
2156 private static native
long openFsNat(
long imgHandle,
long fsId) throws TskCoreException;
2158 private static native
long openFileNat(
long fsHandle,
long fileId,
int attrType,
int attrId) throws TskCoreException;
2160 private static native
int readImgNat(
long imgHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2162 private static native
int readVsNat(
long vsHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2164 private static native
int readPoolNat(
long poolHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2166 private static native
int readVolNat(
long volHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2168 private static native
int readFsNat(
long fsHandle, byte[] readBuffer,
long offset,
long len) throws TskCoreException;
2170 private static native
int readFileNat(
long fileHandle, byte[] readBuffer,
long offset,
int offset_type,
long len) throws TskCoreException;
2172 private static native
int saveFileMetaDataTextNat(
long fileHandle, String fileName) throws TskCoreException;
2174 private static native String[] getPathsForImageNat(
long imgHandle);
2176 private static native
long getSizeForImageNat(
long imgHandle);
2178 private static native
long getTypeForImageNat(
long imgHandle);
2180 private static native
long getSectorSizeForImageNat(
long imgHandle);
2182 private static native String getMD5HashForImageNat(
long imgHandle);
2184 private static native String getSha1HashForImageNat(
long imgHandle);
2186 private static native String getCollectionDetailsForImageNat(
long imgHandle);
2188 private static native
void closeImgNat(
long imgHandle);
2190 private static native
void closePoolNat(
long poolHandle);
2192 private static native
void closeVsNat(
long vsHandle);
2194 private static native
void closeFsNat(
long fsHandle);
2196 private static native
void closeFileNat(
long fileHandle);
2198 private static native
long findDeviceSizeNat(String devicePath) throws TskCoreException;
2200 private static native String getCurDirNat(
long process);
2202 private static native
boolean isImageSupportedNat(String imagePath);
2204 private static native
long getSleuthkitVersionNat();
2206 private static native
int finishImageWriterNat(
long a_img_info);
2208 private static native
int getFinishImageProgressNat(
long a_img_info);
2210 private static native
void cancelFinishImageNat(
long a_img_info);
static int readImg(long imgHandle, byte[] readBuffer, long offset, long len)
static String getHashDatabaseIndexPath(int dbHandle)
static int readVs(long vsHandle, byte[] readBuffer, long offset, long len)
static void createLookupIndexForHashDatabase(int dbHandle)
CaseDbTransaction beginTransaction()
void run(String deviceId, Image image, int sectorSize, AddDataSourceCallbacks addDataSourceCallbacks)
static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle)
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId, SleuthkitCase skCase)
static int createHashDatabase(String path)
static void closeFs(long fsHandle)
static void cancelFinishImage(long imgHandle)
static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId)
void run(String deviceId, String[] imageFilePaths)
static int readFile(long fileHandle, byte[] readBuffer, long offset, long len)
static int finishImageWriter(long imgHandle)
static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle)
static long openVs(long imgHandle, long vsOffset)
synchronized long commit()
static long openImage(String[] imageFiles, SleuthkitCase skCase)
static boolean hashDatabaseIsIndexOnly(int dbHandle)
synchronized void revert()
static boolean isImageSupported(String imagePath)
static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len)
static boolean loadSleuthkitJNI()
static void closeFile(long fileHandle, SleuthkitCase skCase)
static long openImage(String[] imageFiles, int sSize)
static void closeVs(long vsHandle)
static long openImage(String[] imageFiles)
static long openFs(long imgHandle, long fsOffset, SleuthkitCase skCase)
static long openImage(String[] imageFiles, int sSize, SleuthkitCase skCase)
void run(String deviceId, String[] imageFilePaths, int sectorSize)
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId, Host host)
static long findDeviceSize(String devPath)
static String getHashDatabaseDisplayName(int dbHandle)
static List< String > getFileMetaDataText(long fileHandle)
static void closeImg(long imgHandle)
HostManager getHostManager()
static long openFs(long imgHandle, long fsOffset)
Host newHost(String name)
void run(String[] imageFilePaths)
synchronized String currentDirectory()
Image addImage(TskData.TSK_IMG_TYPE_ENUM type, long sectorSize, long size, String displayName, List< String > imagePaths, String timezone, String md5, String sha1, String sha256, String deviceId, CaseDbTransaction transaction)
static int getFinishImageProgress(long imgHandle)
static int openHashDatabase(String path)
static void closeFile(long fileHandle)
static boolean lookupInHashDatabase(String hash, int dbHandle)
static TSK_IMG_TYPE_ENUM valueOf(long imgType)
static boolean hashDatabaseHasLookupIndex(int dbHandle)
static Image addImageToDatabase(SleuthkitCase skCase, String[] imagePaths, int sectorSize, String timeZone, String md5fromSettings, String sha1fromSettings, String sha256fromSettings, String deviceId)
static long openVsPart(long vsHandle, long volId)
static int readFileSlack(long fileHandle, byte[] readBuffer, long offset, long len)
static boolean isUpdateableHashDatabase(int dbHandle)
static void addToHashDatabase(List< HashEntry > hashes, int dbHandle)
static void closeAllHashDatabases()
static boolean hashDatabaseCanBeReindexed(int dbHandle)
static String getVersion()
static void startVerboseLogging(String logPath)
static int readFs(long fsHandle, byte[] readBuffer, long offset, long len)
static String getHashDatabasePath(int dbHandle)
static void closeHashDatabase(int dbHandle)