19 package org.sleuthkit.datamodel;
21 import java.text.MessageFormat;
22 import java.util.ResourceBundle;
23 import java.util.EnumSet;
32 private final static ResourceBundle bundle = ResourceBundle.getBundle(
"org.sleuthkit.datamodel.Bundle");
53 private short dirType;
57 this.dirType = (short) type;
88 if (v.dirType == dir_type) {
92 throw new IllegalArgumentException(
93 MessageFormat.format(bundle.getString(
"TskData.tskFsNameTypeEnum.exception.msg1.text"), dir_type));
116 private short metaType;
117 private String metaTypeStr;
120 this.metaType = (short) type;
121 this.metaTypeStr = metaTypeStr;
140 if (type.getValue() == metaType) {
144 throw new IllegalArgumentException(
145 MessageFormat.format(bundle.getString(
"TskData.tskFsMetaTypeEnum.exception.msg1.text"), metaType));
156 UNKNOWN(0, bundle.getString(
"TskData.tskFsNameFlagEnum.unknown")),
157 ALLOC(1, bundle.getString(
"TskData.tskFsNameFlagEnum.allocated")),
158 UNALLOC(2, bundle.getString(
"TskData.tskFsNameFlagEnum.unallocated"));
160 private short dirFlag;
161 private String dirFlagStr;
164 this.dirFlag = (short) flag;
165 this.dirFlagStr = dirFlagStr;
191 if (flag.dirFlag == dirFlag) {
// Metadata-structure state flags. Each constant pairs a numeric value (0, then the single
// bits 1, 2, 4, 8, 16, 32) with a string looked up in the resource bundle.
// UNKNOWN has value 0, i.e. no bit set.
207 UNKNOWN(0, bundle.getString(
"TskData.tskFsMetaFlagEnum.unknown")),
// Metadata structure is currently in an allocated state.
208 ALLOC(1, bundle.getString(
"TskData.tskFsMetaFlagEnum.allocated")),
// Metadata structure is currently in an unallocated state.
209 UNALLOC(2, bundle.getString(
"TskData.tskFsMetaFlagEnum.unallocated")),
// Metadata structure has been allocated at least once.
210 USED(4, bundle.getString(
"TskData.tskFsMetaFlagEnum.used")),
// Metadata structure has never been allocated.
211 UNUSED(8, bundle.getString(
"TskData.tskFsMetaFlagEnum.unused")),
// The file contents are compressed.
212 COMP(16, bundle.getString(
"TskData.tskFsMetaFlagEnum.compressed")),
// Metadata structures that have no file name pointing to them (described on this page as an
// inode_walk-only flag).
213 ORPHAN(32, bundle.getString(
"TskData.tskFsMetaFlagEnum.orphan"));
// Numeric flag value, held as a short.
215 private short meta_flag;
216 private String label;
// The constructor value is narrowed to short; every value listed above fits without wrapping.
219 this.meta_flag = (short) flag;
// Decodes a bit mask into the set of flags whose value bits are all present in metaFlags.
// Only part of the body is shown on this page.
249 public static Set<TSK_FS_META_FLAG_ENUM>
valuesOf(
short metaFlags) {
258 long flag = v.getValue();
// NOTE(review): presumably getValue() returns meta_flag. If so, flag is 0 for UNKNOWN and
// (metaFlags & 0) == 0 holds for every input, so this test passes for UNKNOWN whatever
// metaFlags is. A caller should not read UNKNOWN in the result as "no state bits were
// set"; confirm against the full loop.
260 if ((metaFlags & flag) == flag) {
// Encodes a set of flags as a short by OR-ing each flag's getValue() into val. The
// declaration and return of val are not shown on this page.
268 public static short toInt(Set<TSK_FS_META_FLAG_ENUM> metaFlags) {
271 val |= flag.getValue();
325 if (type.val == val) {
329 throw new IllegalArgumentException(
330 MessageFormat.format(bundle.getString(
"TskData.tskFsAttrTypeEnum.exception.msg1.text"), val));
345 private long vs_flag;
// The constructor value is narrowed to short before it is stored.
390 this.mode = (short) mode;
// Decodes a mode bit mask into the set of constants whose bits are all present in modes.
// Only part of the body is shown on this page.
410 public static Set<TSK_FS_META_MODE_ENUM>
valuesOf(
short modes) {
414 long flag = v.getMode();
// modes (short) is widened to long for the AND. A constant matches only when every bit of
// its mode value is set in modes.
// NOTE(review): a constant whose mode value is 0, if one exists, would match every input;
// the constant values are not shown on this page.
416 if ((modes & flag) == flag) {
// Encodes a set of mode constants as a short by OR-ing each getMode() into modesInt. The
// declaration and return of modesInt are not shown on this page.
429 public static short toInt(Set<TSK_FS_META_MODE_ENUM> modes) {
432 modesInt |= mode.getMode();
476 private String displayName;
480 this.displayName = displayName;
511 if (type.value == fsTypeValue) {
515 throw new IllegalArgumentException(
516 MessageFormat.format(bundle.getString(
"TskData.tskFsTypeEnum.exception.msg1.text"), fsTypeValue));
541 private long imgType;
551 if (type.getValue() == imgType) {
555 throw new IllegalArgumentException(
556 MessageFormat.format(bundle.getString(
"TskData.tskImgTypeEnum.exception.msg1.text"), imgType));
604 if (type.getVsType() == vsType) {
608 throw new IllegalArgumentException(
609 MessageFormat.format(bundle.getString(
"TskData.tskVSTypeEnum.exception.msg1.text"), vsType));
637 IMG(0, bundle.getString(
"TskData.ObjectType.IMG.name")),
638 VS(1, bundle.getString(
"TskData.ObjectType.VS.name")),
639 VOL(2, bundle.getString(
"TskData.ObjectType.VOL.name")),
640 FS(3, bundle.getString(
"TskData.ObjectType.FS.name")),
641 ABSTRACTFILE(4, bundle.getString(
"TskData.ObjectType.AbstractFile.name")),
642 ARTIFACT(5, bundle.getString(
"TskData.ObjectType.Artifact.name")),
643 REPORT(6, bundle.getString(
"TskData.ObjectType.Report.name")),
644 POOL(7, bundle.getString(
"TskData.ObjectType.Pool.name")),
645 OS_ACCOUNT(8, bundle.getString(
"TskData.ObjectType.OsAccount.name")),
646 HOST_ADDRESS(9, bundle.getString(
"TskData.ObjectType.HostAddress.name")),
647 UNSUPPORTED(-1, bundle.getString(
"TskData.ObjectType.Unsupported.name"))
649 private final short objectType;
650 private final String displayName;
652 private ObjectType(
int objectType, String displayName) {
653 this.objectType = (short) objectType;
654 this.displayName = displayName;
680 if (v.objectType == objectType) {
694 FS(0,
"File System"),
706 private final short fileType;
707 private final String name;
710 this.fileType = (short) fileType;
723 if (type.fileType == fileType) {
727 throw new IllegalArgumentException(
728 MessageFormat.format(bundle.getString(
"TskData.tskDbFilesTypeEnum.exception.msg1.text"), fileType));
// NOTE(review): the constructor argument 0xffff (65535) does not fit in a short. The (short)
// cast on the poolType assignment below stores it as -1.
752 TSK_POOL_TYPE_UNSUPP(0xffff,
"Unsupported")
// Numeric pool-type code, held as a short.
755 private final short poolType;
756 private final String name;
// Narrowing cast: a constructor value above Short.MAX_VALUE wraps to a negative short.
759 this.poolType = (short) poolType;
// NOTE(review): this page lists the lookup as valueOf(long poolType). The stored short is
// widened to long for this comparison, so a caller passing 65535 would not match the -1 held
// by TSK_POOL_TYPE_UNSUPP and would presumably reach the throw below. The surrounding loop is
// not shown on this page; confirm against the full method.
772 if (type.poolType == poolType) {
// NOTE(review): the message key is the tskDbFilesTypeEnum one, used here for a pool type.
// It looks copy-pasted, so the error text may name the wrong kind of value; confirm against
// the resource bundle.
776 throw new IllegalArgumentException(
777 MessageFormat.format(bundle.getString(
"TskData.tskDbFilesTypeEnum.exception.msg1.text"), poolType));
// Hash-database status of a file. Each constant pairs a numeric value with a string looked up
// in the resource bundle.
// File marked as unknown by hash db.
800 UNKNOWN(0, bundle.getString(
"TskData.fileKnown.unknown")),
// File marked as known by hash db.
801 KNOWN(1, bundle.getString(
"TskData.fileKnown.known")),
// File marked as known and bad/notable/interesting by hash db.
802 BAD(2, bundle.getString(
"TskData.fileKnown.knownBad"));
// Private enum constructor. The numeric value is narrowed to a byte; 0, 1 and 2 all fit.
807 private FileKnown(
int known, String name) {
808 this.known = (byte) known;
// Lookup by numeric value; this page lists it as valueOf(byte known). The loop around this
// comparison is not shown on this page.
821 if (v.known == known) {
// NOTE(review): presumably reached when no constant matched. A caller that passes a value
// read from stored data then has to handle IllegalArgumentException, because there is no
// fallback constant visible on this page; confirm against the full method.
825 throw new IllegalArgumentException(
826 MessageFormat.format(bundle.getString(
"TskData.fileKnown.exception.msg1.text"), known));
879 private final int type;
891 if (v.type == type) {
895 throw new IllegalArgumentException(
896 MessageFormat.format(bundle.getString(
"TskData.encodingType.exception.msg1.text"), type));
921 private final int type;
933 if (v.type == type) {
937 throw new IllegalArgumentException(
938 MessageFormat.format(bundle.getString(
"TskData.collectedStatus.exception.msg1.text"), type));
950 private final int type;
962 if (v.type == type) {
966 throw new IllegalArgumentException(
967 MessageFormat.format(bundle.getString(
"TskData.keywordSearchQueryType.exception.msg1.text"), type));
VIRT
Special (TSK added "Virtual" files) NON-NLS.
TSK_FS_ATTR_TYPE_NTFS_OBJID
FS
File that can be found in file system tree.
static FileKnown valueOf(byte known)
TSK_POOL_TYPE_ENUM(int poolType, String name)
TSK_VS_PART_FLAG_ALL
Show all sectors in the walk.
TSK_FS_ATTR_TYPE_NTFS_EAINFO
TSK_VS_TYPE_BSD
BSD Partition table NON-NLS.
TSK_FS_META_TYPE_WHT
Whiteout NON-NLS.
TSK_FS_TYPE_EXT_DETECT
ExtX auto detection.
TSK_VS_TYPE_MAC
Mac partition table NON-NLS.
TSK_FS_ATTR_TYPE_NTFS_VNAME
static Set< TSK_FS_META_FLAG_ENUM > valuesOf(short metaFlags)
TSK_VS_TYPE_DBFILLER
fake partition table type for loaddb (for images that do not have a volume system) ...
UNUSED
Metadata structure has never been allocated.
TSK_FS_TYPE_EXT3
Ext3 file system.
ALLOC
Metadata structure is currently in an allocated state.
TSK_FS_ATTR_TYPE_NTFS_VINFO
TSK_VS_PART_FLAG_ALLOC
Sectors are allocated to a volume in the volume system.
TSK_FS_TYPE_NTFS_DETECT
NTFS auto detection.
static TSK_FS_TYPE_ENUM valueOf(int fsTypeValue)
TSK_FS_TYPE_NTFS
NTFS file system.
TSK_FS_META_TYPE_DIR
Directory file NON-NLS.
TSK_FS_META_TYPE_SHAD
SOLARIS ONLY NON-NLS.
TSK_FS_META_MODE_ISVTX
sticky bit
TSK_VS_TYPE_SUN
Sun VTOC NON-NLS.
UNALLOC
Metadata structure is currently in an unallocated state.
TSK_FS_ATTR_TYPE_HFS_EXT_ATTR
TSK_FS_TYPE_FAT32
FAT32 file system.
NO_UNSUPPORTED_COMPRESSION
static TSK_FS_META_TYPE_ENUM valueOf(short metaType)
TSK_FS_META_MODE_IXOTH
X for other.
LNK
Symbolic link NON-NLS.
TSK_FS_META_TYPE_VIRT_DIR
"Virtual Directory" created by TSK for Orphan Files NON-NLS
TSK_FS_ATTR_TYPE_NTFS_ATTRLIST
COMP
The file contents are compressed.
TSK_FS_META_MODE_ISUID
set user id on execution
TSK_VS_TYPE_APFS
APFS pool NON-NLS.
TSK_FS_TYPE_HFS_DETECT
HFS auto detection.
TSK_FS_META_MODE_IXGRP
X for group.
TSK_FS_TYPE_FAT12
FAT12 file system.
HOST_ADDRESS
Host Address - see tsk_host_addresses for more details.
LAYOUT_FILE
Set of blocks from an image that have been designated as a file.
TSK_FS_TYPE_YAFFS2_DETECT
YAFFS2 auto detection.
TSK_FS_META_MODE_IWOTH
W for other.
WHT
Whiteout (openbsd) NON-NLS.
TSK_FS_META_MODE_IRGRP
R for group.
TSK_VS_PART_FLAG_META
Sectors contain volume system metadata and could also be ALLOC or UNALLOC.
TSK_FS_ATTR_TYPE_HFS_COMP_REC
TSK_FS_TYPE_FFS1B
UFS1b (Solaris - has no type)
SLACK
Slack space for a single file.
TSK_FS_ATTR_TYPE_NTFS_REPARSE
TSK_FS_TYPE_FFS1
UFS1 (FreeBSD, OpenBSD, BSDI ...)
TSK_FS_ATTR_TYPE_NTFS_IDXROOT
static TSK_FS_ATTR_TYPE_ENUM valueOf(int val)
LOCAL
Local file that was added (not from a disk image)
TSK_FS_META_MODE_IWUSR
W for owner.
TSK_VS_TYPE_UNSUPP
Unsupported.
TSK_FS_TYPE_SWAP_DETECT
SWAP auto detection.
TSK_FS_META_TYPE_CHR
Character device NON-NLS.
static TSK_POOL_TYPE_ENUM valueOf(long poolType)
TSK_POOL_TYPE_APFS
APFS Pooled Volumes.
TSK_FS_TYPE_APFS_DETECT
APFS auto detection.
CARVED
Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS ra...
static TSK_FS_NAME_FLAG_ENUM valueOf(int dirFlag)
TSK_FS_TYPE_ISO9660_DETECT
ISO9660 auto detection.
TSK_FS_ATTR_TYPE_HFS_DATA
FS
File System - see tsk_fs_info for more details.
TSK_FS_TYPE_SWAP
SWAP file system.
TSK_FS_META_MODE_IROTH
R for other.
TSK_FS_TYPE_UNSUPP
Unsupported file system.
TSK_FS_TYPE_RAW
RAW file system.
TSK_FS_TYPE_EXFAT
ExFAT file system.
USED
Metadata structure has been allocated at least once.
VIRT_DIR
Special (TSK added "Virtual" directories) NON-NLS.
TSK_IMG_TYPE_UNSUPP
Logical directory.
LOCAL_DIR
Local directory that was added (not from a disk image)
TSK_FS_TYPE_FAT_DETECT
FAT auto detection.
VOL
Volume - see tsk_vs_parts for more details.
TSK_FS_ATTR_TYPE_NTFS_IDXALLOC
static EncodingType valueOf(int type)
TSK_FS_ATTR_TYPE_NTFS_BITMAP
TSK_FS_TYPE_RAW_DETECT
RAW auto detection.
TSK_FS_META_TYPE_VIRT
"Virtual File" created by TSK for file system areas NON-NLS
TSK_VS_TYPE_GPT
GPT partition table NON-NLS.
TSK_FS_META_MODE_IRUSR
R for owner.
TSK_FS_TYPE_DETECT
Use autodetection methods.
TSK_FS_ATTR_TYPE_HFS_DEFAULT
static TSK_FS_NAME_TYPE_ENUM valueOf(short dir_type)
CHR
Character device NON-NLS.
TSK_FS_TYPE_APFS
APFS file system.
REPORT
Artifact - see blackboard_artifacts for more details.
SHAD
Shadow inode (solaris) NON-NLS.
static short toInt(Set< TSK_FS_META_MODE_ENUM > modes)
BAD
File marked as known and bad/notable/interesting by hash db.
DERIVED
File derived from a parent file (e.g. from ZIP)
TSK_FS_TYPE_EXT2
Ext2 file system.
TSK_FS_ATTR_TYPE_NTFS_LOG
TSK_FS_ATTR_TYPE_UNIX_INDIR
TSK_FS_TYPE_HFS
HFS file system.
OS_ACCOUNT
OS Account - see tsk_os_accounts for more details.
static TSK_DB_FILES_TYPE_ENUM valueOf(short fileType)
TSK_FS_META_TYPE_BLK
Block device NON-NLS.
TSK_FS_TYPE_EXT4
Ext4 file system.
TSK_FS_ATTR_TYPE_NTFS_PROP
static short toInt(Set< TSK_FS_META_FLAG_ENUM > metaFlags)
TSK_FS_ATTR_TYPE_HFS_RSRC
static TSK_IMG_TYPE_ENUM valueOf(long imgType)
TSK_FS_TYPE_YAFFS2
YAFFS2 file system.
UNALLOC_BLOCKS
Set of blocks not allocated by file system. Parent should be image, volume, or file system...
TSK_FS_META_TYPE_SOCK
UNIX domain socket NON-NLS.
static ObjectType valueOf(short objectType)
TSK_POOL_TYPE_DETECT
Use autodetection methods.
TSK_FS_META_TYPE_FIFO
Named pipe (fifo) NON-NLS.
UNKNOWN
File marked as unknown by hash db.
static Set< TSK_FS_META_MODE_ENUM > valuesOf(short modes)
TSK_FS_META_TYPE_LNK
Symbolic link NON-NLS.
TSK_VS_TYPE_DETECT
Use autodetection methods.
TSK_FS_ATTR_TYPE_NTFS_SEC
TSK_FS_TYPE_FAT16
FAT16 file system.
TSK_FS_TYPE_FFS_DETECT
UFS auto detection.
static KeywordSearchQueryType valueOf(int type)
KNOWN
File marked as known by hash db.
TSK_FS_ATTR_TYPE_NTFS_DATA
TSK_FS_META_MODE_IWGRP
W for group.
ALLOC
Name is in an allocated state.
VIRTUAL_DIR
Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other ...
TSK_VS_PART_FLAG_UNALLOC
Sectors are not allocated to a volume.
TSK_FS_ATTR_TYPE_NTFS_FNAME
static TSK_VS_TYPE_ENUM valueOf(long vsType)
ABSTRACTFILE
File - see tsk_files for more details.
TSK_FS_ATTR_TYPE_NTFS_SYMLNK
TSK_FS_TYPE_ISO9660
ISO9660 file system.
TSK_VS_TYPE_DOS
DOS Partition table NON-NLS.
TSK_FS_META_TYPE_REG
Regular file NON-NLS.
TSK_FS_ATTR_TYPE_NOT_FOUND
TSK_FS_META_MODE_ISGID
set group id on execution
ORPHAN
Return only metadata structures that have no file name pointing to the (inode_walk flag only) ...
TSK_FS_TYPE_FFS2
UFS2 - FreeBSD, NetBSD.
TSK_FS_META_MODE_IXUSR
X for owner.
UNUSED_BLOCKS
Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNAL...
static CollectedStatus valueOf(int type)
VS
Volume System - see tsk_vs_info for more details.
IMG
Disk Image - see tsk_image_info for more details.
UNALLOC
Name is in an unallocated state.
TSK_FS_ATTR_TYPE_NTFS_VVER