• TskAutoDb
• TskIsImageSupported

Closes the handles to the open disk image.

Should be called after you have completed analysis of the image.

Reimplemented in TskAutoDb.

References m_internalOpen, and tsk_img_close().

Referenced by TskAutoDb::closeImage(), openImage(), openImageHandle(), and openImageUtf8().

Enables image writer, which creates a copy of the image as it is being processed.

Parameters

imagePath UTF8 version of path to write the image to

References TSK_ERR, tsk_error_set_errno(), tsk_error_set_errstr(), TSK_OK, tsk_UTF8toUTF16(), TSKconversionOK, and TSKlenientConversion.

TskAuto calls this method before it processes each file system that is found in a volume.

You can use this to learn about each file system before it is processed and you can force TskAuto to skip this file system.

Parameters

fs_info file system details

Returns

Value to show if FS should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_CONT.

TskAuto calls this method before it processes each pool that is found.

You can use this to learn about each pool before it is processed and you can force TskAuto to skip this volume.

Parameters

pool_vol Pool details

Returns

Value to show if pool should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_SKIP, and tsk_verbose.

Referenced by findFilesInPool().

TskAuto calls this method before it processes each pool volume that is found in a pool.

You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume.

Parameters

pool_vol Pool volume details

Returns

Value to show if pool volume should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_SKIP, and tsk_verbose.

Referenced by findFilesInPool().

TskAuto calls this method before it processes each volume that is found in a volume system.

You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume. The setvolFilterFlags() method can be used to configure if TskAuto should process unallocated space.

Parameters

vs_part Parition details

Returns

Value to show if volume should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb, and TskIsImageSupported.

References TSK_FILTER_CONT.

TskAuto calls this method before it processes the volume system that is found in an image.

You can use this to learn about the volume system before it is processed and you can force TskAuto to skip this volume system.

Parameters

vs_info volume system details

Returns

Value to show if Vs should be processed, skipped, or process should stop.

Reimplemented in TskAutoDb.

References TSK_FILTER_CONT.

Referenced by findFilesInVs().

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will call processFile() on each file that is found.

Parameters

a_start Byte offset of file system starting location.

Returns

1 if an error occurred (messages will have been registered) and 0 on success

References TSK_FS_TYPE_DETECT.

Referenced by findFilesInFs(), findFilesInImg(), and findFilesInVs().

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will call processFile() on each file that is found.

Parameters

a_start Byte offset of file system starting location.

a_ftype Type of file system that is located at the offset.

Returns

1 if an error occurred (messages will have been registered) and 0 on success

References findFilesInFsRet().

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will start processing the file system at a specified file system. Will call processFile() on each file that is found in that directory.

Parameters

a_start Byte offset of file system starting location.

a_inum inum to start walking files system at.

Returns

1 if an error occurred (messages will have been registered) and 0 on success

References findFilesInFs(), and TSK_FS_TYPE_DETECT.

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will start processing the file system at a specified file system. Will call processFile() on each file that is found in that directory.

Parameters

a_start Byte offset of file system starting location.

a_ftype Type of file system that will be analyzed.

a_inum inum to start walking files system at.

Returns

1 if an error occurred (messages will have been registered) and 0 on success

References getCurVsPartDescr(), getCurVsPartFlag(), isCurVsValid(), registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fs_close(), tsk_fs_open_img_decrypt(), and TSK_VS_PART_FLAG_ALLOC.

Processes the file system represented by the given TSK_FS_INFO pointer.

Will Call processFile() on each file that is found.

Parameters

a_fs_info Pointer to a previously opened file system.

Returns

1 if an error occurred (messages will have been registered) and 0 on success

References registerError(), TSK_FS_INFO::root_inum, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Processes the file system represented by the given TSK_FS_INFO pointer.

Will Call processFile() on each file that is found.

Parameters

a_fs_info Pointer to a previously opened file system.

a_inum inum to start walking files system at.

Returns

1 if an error occurred (messages will have been registered) and 0 on success

References registerError(), tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Starts in a specified byte offset of the opened disk images and looks for a file system.

Will call processFile() on each file that is found. Same as findFilesInFs, but gives more detailed return values.

Parameters

a_start Byte offset to start analyzing from.

a_ftype File system type.

Returns

Error (messages will have been registered), OK, or STOP.

References getCurVsPartDescr(), getCurVsPartFlag(), isCurVsValid(), registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fs_close(), tsk_fs_open_img_decrypt(), TSK_OK, and TSK_VS_PART_FLAG_ALLOC.

Referenced by findFilesInFs().

Starts in sector 0 of the opened disk images and looks for a volume or file system.

Will call processFile() on each file that is found.

Returns

1 if an error occurred (message will have been registered) and 0 on success

References findFilesInFs(), findFilesInVs(), TSK_IMG_INFO::itype, registerError(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_TYPE_LOGICAL, and TSK_IMG_TYPE_LOGICAL.

Referenced by TskAutoDb::addFilesInImgToDb().

Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool.

Will call processFile() on each file that is found.

Parameters

start Byte offset to start analyzing from.

Returns

1 if an error occurred (message will have been registered), 0 on success

Referenced by findFilesInVs().

Starts in a specified byte offset of the opened disk images and opens a pool to search though any file systems in the pool.

Will call processFile() on each file that is found.

Parameters

start Byte offset to start analyzing from.

ptype The type of pool

Returns

1 if an error occurred (message will have been registered), 0 on success

References filterPool(), filterPoolVol(), m_stopAllProcessing, registerError(), TSK_FS_INFO::root_inum, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_FILTER_SKIP, TSK_FILTER_STOP, tsk_fs_close(), tsk_fs_open_img(), TSK_FS_TYPE_APFS, TSK_FS_TYPE_DETECT, tsk_img_close(), TSK_OK, and TSK_STOP.

Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.

Will call processFile() on each file that is found.

Parameters

a_start Byte offset to start analyzing from.

Returns

1 if an error occurred (message will have been registered), 0 on success

References TSK_VS_TYPE_DETECT.

Referenced by findFilesInImg().

Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.

Will call processFile() on each file that is found.

Parameters

a_start Byte offset to start analyzing from.

a_vtype Volume system type to analyze

Returns

1 if an error occurred (messages will have been registered) and 0 on success

References filterVs(), findFilesInFs(), findFilesInPool(), hasPool(), m_stopAllProcessing, registerError(), tsk_error_get_errno(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FILTER_SKIP, TSK_FILTER_STOP, tsk_verbose, tsk_vs_close(), tsk_vs_open(), and tsk_vs_part_walk().

get volume description of the lastly processed volume

Returns

volume description string of the lastly processed volume

Referenced by findFilesInFs(), and findFilesInFsRet().

get volume flags of the lastly processed volume.

Returns

flags for lastly processed volume.

Referenced by findFilesInFs(), and findFilesInFsRet().

Get the list of errors that were added to the internal list.

This list could be empty if the implementing class already acted on the errors or never called addToErrorList().

Returns

list of errors.

Returns

A password that will be used when trying to open each file system or empty.

Returns

The size of the image in bytes or -1 if the image is not open.

References TSK_IMG_INFO::size.

Override this method to get called for each error that is registered.

This method allows you to log the message or stop processing. Use setStopProcessing() to do that.

Returns

1 to stop the processing flow and 0 to continue.

Reimplemented in TskIsImageSupported.

Referenced by registerError().

Checks whether a volume contains a pool.

Parameters

a_start Byte offset to start analyzing from.

Returns

true if a pool is found, false if not or on error

References registerError(), tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by findFilesInVs().

Utility method to help determine if an attribute is the default type for the file/dir.

Returns

1 if the attribute is a default type, 0 if not.

References TSK_FS_FILE::fs_info, and TSK_FS_ATTR::type.

Utility method to help determine if a file is a directory.

Returns

1 if the file is a directory, 0 if not.

References TSK_FS_FILE::meta, TSK_FS_FILE::name, TSK_FS_NAME_TYPE_UNDEF, TSK_FS_META::type, and TSK_FS_NAME::type.

Referenced by TskAutoDb::processFile().

Utility method to help determine if a file is a .

or .. directory.

Parameters

a_fs_file File to evaluate

Returns

1 if the file is a dot directory, 0 if not.

References TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_NAME::name_size, TSK_FS_NAME_TYPE_DIR, and TSK_FS_NAME::type.

Utility method to help determine if a file is a FAT file system file (such as $MBR).

Returns

1 if the file is an FAT System file, 0 if not.

References TSK_FS_FILE::fs_info, TSK_FS_INFO::ftype, TSK_FS_NAME::meta_addr, TSK_FS_FILE::name, and TSK_FS_TYPE_ISFAT.

Utility method to help determine if a file is a file (and not a directory).

Returns

1 if the file is a file, 0 if not.

References TSK_FS_FILE::meta, TSK_FS_FILE::name, TSK_FS_META_TYPE_REG, TSK_FS_NAME_TYPE_REG, TSK_FS_NAME_TYPE_UNDEF, TSK_FS_META::type, and TSK_FS_NAME::type.

Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data)

Returns

1 if the attribute is non-resident, 0 if not.

References TSK_FS_ATTR::flags, and TSK_FS_ATTR_NONRES.

Utility method to help determine if a file is an NTFS file system file (such as $MFT).

Returns

1 if the file is an NTFS System file, 0 if not.

References TSK_FS_FILE::fs_info, TSK_FS_INFO::ftype, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, and TSK_FS_TYPE_ISNTFS.

Opens the disk image to be analyzed.

This must be called before any of the findFilesInXXX() methods.

Parameters

a_numImg The number of images to open (will be > 1 for split images).

a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order)

a_imgType The disk image type (can be autodetection)

a_sSize Size of device sector in bytes (or 0 for default)

Returns

1 on error (messages were NOT registered), 0 on success

Reimplemented in TskAutoDb.

References closeImage(), m_internalOpen, resetErrorList(), and tsk_img_open().

Referenced by TskAutoDb::openImage().

Uses the already opened image for future analysis.

This must be called before any of the findFilesInXXX() methods. Note that the TSK_IMG_INFO will not be freed when the TskAuto class is closed.

Parameters

a_img_info Handle to an already opened disk image.

Returns

1 on error (messages were NOT registered) and 0 on success

References closeImage(), m_internalOpen, and resetErrorList().

Referenced by TskAutoDb::startAddImage().

Opens the disk image to be analyzed.

This must be called before any of the findFilesInXXX() methods. Always uses the utf8 tsk_img_open even in windows.

Parameters

a_numImg The number of images to open (will be > 1 for split images).

a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order)

a_imgType The disk image type (can be autodetection)

a_sSize Size of device sector in bytes (or 0 for default)

Returns

1 on error (messages were NOT registered), 0 on success

Reimplemented in TskAutoDb.

References closeImage(), m_internalOpen, resetErrorList(), and tsk_img_open_utf8().

Referenced by TskAutoDb::openImageUtf8().

Method that is called from processAttributes() for each attribute that a file has.

processAttributes() is not called by default. It exists so that implementations of processFile() can choose to call it if they want to look at all of the attributes. You must implement this method to see each attribute and modify processFile() so that it calls processAttributes().

Parameters

fs_file File being analyzed.

fs_attr Attribute of the file.

path full path of parent directory

Returns

STOP or OK. All error must have been registered.

References TSK_OK.

Referenced by processAttributes().

Method that can be used from within processFile() to look at each attribute that a file may have.

This will call the processAttribute() method (which you must implement) on each of the attributes in the file.

Parameters

fs_file file details

path full path of parent directory

Returns

STOP if the file system processing should stop and not process more files or OK.

References m_stopAllProcessing, processAttribute(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_getsize(), TSK_OK, and TSK_STOP.

Referenced by TskAutoDb::processFile().

TskAuto calls this method for each file and directory that it finds in an image.

The setFileFilterFlags() method can be used to set the criteria for what types of files this should be called for. There are several methods, such as isDir() that can be used by this method to help focus in on the files that you care about. When errors are encountered, send them to registerError().

Parameters

fs_file file details

path full path of parent directory

Returns

STOP or OK. All error must have been registered.

Implemented in TskAutoDb, and TskIsImageSupported.

Internal method that TskAuto calls when it encounters issues while processing an image.

It will add the error to an internal list and then call handleError() to allow the sub-class to decide what to do with the error. The tsk global error values must be set before this is called (tsk_error_set_errno, etc.). This method will reset the error values before it returns.

Returns

1 if the caller should stop processing (registerError() implementation should also call setStopProcessing() to ensure all processes stop) or 0 if they should continue.

References handleError(), tsk_error_get_errno(), tsk_error_get_errstr(), tsk_error_get_errstr2(), and tsk_error_reset().

Referenced by TskAutoDb::addFilesInImgToDb(), TskAutoDb::filterFs(), TskAutoDb::filterPool(), TskAutoDb::filterPoolVol(), TskAutoDb::filterVol(), TskAutoDb::filterVs(), findFilesInFs(), findFilesInFsRet(), findFilesInImg(), findFilesInPool(), findFilesInVs(), hasPool(), and TskAutoDb::startAddImage().

Set the attributes for the files that should be processed.

The default settings are for all files (allocated and deleted). This must be called before the findFilesInXX() method.

Parameters

file_flags Flags to use for filtering

Referenced by TskAutoDb::filterFs().

Set the attributes for the volumes that should be processed.

The default settings are for Allocated Non-Meta volumes only. This must be called before the findFilesInXX() method.

Parameters

vs_flags Flags to use for filtering

Referenced by TskAutoDb::addFilesInImgToDb().