Sleuth Kit Java Bindings (JNI)  4.8.0
Java bindings for using The Sleuth Kit
Volume.java
Go to the documentation of this file.
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2011-2020 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel;
20 
21 import java.util.ResourceBundle;
22 import java.util.ArrayList;
23 import java.util.List;
24 
29 public class Volume extends AbstractContent {
30 
31  private long addr;
32  private long startSector; //in sectors, relative to volume system start
33  private long lengthInSectors; //in sectors
34  private long flags;
35  private String desc;
36  private volatile long volumeHandle = 0;
37  private String uniquePath;
38  private static ResourceBundle bundle = ResourceBundle.getBundle("org.sleuthkit.datamodel.Bundle");
39 
51  protected Volume(SleuthkitCase db, long obj_id, long addr, long startSector, long lengthInSectors, long flags, String desc) {
52  super(db, obj_id, "vol" + Long.toString(addr)); //NON-NLS
53  this.addr = addr;
54  this.startSector = startSector;
55  this.lengthInSectors = lengthInSectors;
56  this.uniquePath = null;
57  this.flags = flags;
58  if (!desc.equals("")) {
59  this.desc = desc;
60  } else {
61  this.desc = bundle.getString("Volume.desc.text");
62  }
63  }
64 
65  @Override
66  public int read(byte[] buf, long offset, long len) throws TskCoreException {
67  synchronized (this) {
68  Content myParent = getParent();
69  if (!(myParent instanceof VolumeSystem)) {
70  throw new TskCoreException(bundle.getString("Volume.read.exception.msg1.text"));
71  }
72  VolumeSystem parentVs = (VolumeSystem) myParent;
73 
74  // Reading from APFS volumes/volume systems is not yet supported
75  if (parentVs.getType().equals(TskData.TSK_VS_TYPE_ENUM.TSK_VS_TYPE_APFS)) {
76  throw new TskCoreException("Reading APFS pool volumes not yet supported");
77  }
78 
79  // read from the volume
80  if (volumeHandle == 0) {
81  volumeHandle = SleuthkitJNI.openVsPart(parentVs.getVolumeSystemHandle(), addr);
82  }
83 
84  }
85  return SleuthkitJNI.readVsPart(volumeHandle, buf, offset, len);
86  }
87 
88  @Override
89  public void close() {
90  // there is nothing to free. The VolumeSystem structure
91  // in C++ contains this structure and will free it.
92  volumeHandle = 0;
93  }
94 
95  @Override
96  public void finalize() throws Throwable {
97  try {
98  close();
99  } finally {
100  super.finalize();
101  }
102  }
103 
104  @Override
105  public long getSize() {
106  return lengthInSectors * 512;
107  }
108 
109  @Override
110  public synchronized String getUniquePath() throws TskCoreException {
111  if(uniquePath == null) {
112  uniquePath = "";
113  String name = getName();
114  if (!name.isEmpty()) {
115  uniquePath = "/vol_" + name; //NON-NLS
116  }
117 
118  Content myParent = getParent();
119  if (myParent != null) {
120  uniquePath = myParent.getUniquePath() + uniquePath;
121  }
122  }
123  return uniquePath;
124  }
125 
126  //methods get exact data from database. could be manipulated to get more
127  //meaningful data.
134  public long getAddr() {
135  return addr;
136  }
137 
144  public long getStart() {
145  return startSector;
146  }
147 
153  public long getLength() {
154  return lengthInSectors;
155  }
156 
162  public long getFlags() {
163  return flags;
164  }
165 
171  public String getFlagsAsString() {
172  return Volume.vsFlagToString(flags);
173  }
174 
181  public String getDescription() {
182  return desc;
183  }
184 
185  // ----- Here all the methods for vs flags conversion / mapping -----
193  public static String vsFlagToValue(long vsFlag) {
194 
195  String result = "";
196 
198  if (flag.getVsFlag() == vsFlag) {
199  result = flag.toString();
200  }
201  }
202  return result;
203  }
204 
212  public static long valueToVsFlag(String vsFlag) {
213 
214  long result = 0;
215 
217  if (flag.toString().equals(vsFlag)) {
218  result = flag.getVsFlag();
219  }
220  }
221  return result;
222  }
223 
231  public static String vsFlagToString(long vsFlag) {
232 
233  String result = "";
234 
235  long allocFlag = TskData.TSK_VS_PART_FLAG_ENUM.TSK_VS_PART_FLAG_ALLOC.getVsFlag();
236  long unallocFlag = TskData.TSK_VS_PART_FLAG_ENUM.TSK_VS_PART_FLAG_UNALLOC.getVsFlag();
237 
238  // some variables that might be needed in the future
239  long metaFlag = TskData.TSK_VS_PART_FLAG_ENUM.TSK_VS_PART_FLAG_META.getVsFlag();
240  long allFlag = TskData.TSK_VS_PART_FLAG_ENUM.TSK_VS_PART_FLAG_ALL.getVsFlag();
241 
242  if ((vsFlag & allocFlag) == allocFlag) {
243  result = bundle.getString("Volume.vsFlagToString.allocated");
244  }
245  if ((vsFlag & unallocFlag) == unallocFlag) {
246  result = bundle.getString("Volume.vsFlagToString.unallocated");
247  }
248  // ... add more code here if needed
249 
250  return result;
251  }
252 
253  @Override
254  public <T> T accept(SleuthkitItemVisitor<T> v) {
255  return v.visit(this);
256  }
257 
258  @Override
259  public <T> T accept(ContentVisitor<T> v) {
260  return v.visit(this);
261  }
262 
263  @Override
264  public List<Content> getChildren() throws TskCoreException {
265  return getSleuthkitCase().getVolumeChildren(this);
266  }
267 
268  @Override
269  public List<Long> getChildrenIds() throws TskCoreException {
270  return getSleuthkitCase().getVolumeChildrenIds(this);
271  }
272 
278  public List<FileSystem> getFileSystems() throws TskCoreException {
279 
280  List<Content> children = getChildren();
281  List<FileSystem> fileSystems = new ArrayList<FileSystem>();
282  for (Content child : children) {
283  if (child instanceof FileSystem) {
284  fileSystems.add((FileSystem) child);
285  }
286  }
287 
288  return fileSystems;
289  }
290 
291  @Override
292  public String toString(boolean preserveState) {
293  return super.toString(preserveState) + "Volume [\t" + "addr " + addr + "\t" + "desc " + desc + "\t" + "flags " + flags + "\t" + "length " + lengthInSectors + "\t" + "start " + startSector + "]\t"; //NON-NLS
294  }
295 }
TSK_VS_PART_FLAG_ALL
Show all sectors in the walk.
Definition: TskData.java:336
static long valueToVsFlag(String vsFlag)
Definition: Volume.java:212
TSK_VS_PART_FLAG_ALLOC
Sectors are allocated to a volume in the volume system.
Definition: TskData.java:333
int read(byte[] buf, long offset, long len)
Definition: Volume.java:66
List< FileSystem > getFileSystems()
Definition: Volume.java:278
synchronized long getVolumeSystemHandle()
String toString(boolean preserveState)
Definition: Volume.java:292
TSK_VS_PART_FLAG_META
Sectors contain volume system metadata and could also be ALLOC or UNALLOC.
Definition: TskData.java:335
Volume(SleuthkitCase db, long obj_id, long addr, long startSector, long lengthInSectors, long flags, String desc)
Definition: Volume.java:51
static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len)
List< Long > getChildrenIds()
Definition: Volume.java:269
static String vsFlagToValue(long vsFlag)
Definition: Volume.java:193
List< Content > getChildren()
Definition: Volume.java:264
static long openVsPart(long vsHandle, long volId)
TSK_VS_PART_FLAG_UNALLOC
Sectors are not allocated to a volume.
Definition: TskData.java:334
synchronized String getUniquePath()
Definition: Volume.java:110
static String vsFlagToString(long vsFlag)
Definition: Volume.java:231

Copyright © 2011-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.