Inheritance diagram for TskAutoDb:
Public Member Functions
Analyzes the open image and adds image info to a database.
Closes the handles to the open disk image.
Finish the transaction after the startAddImage is finished.
virtual void createBlockMap (bool flag)
TskAuto calls this method before it processes each file system that is found in a volume.
TskAuto calls this method before it processes each pool that is found.
TskAuto calls this method before it processes each pool volume that is found in a pool.
TskAuto calls this method before it processes each volume that is found in a volume system.
TskAuto calls this method before it processes the volume system that is found in an image.
Calculate hash values of files and add them to database.
Check if we can talk to the database.
Opens the disk image to be analyzed.
Adds an image to the database.
virtual uint8_t openImage (const char *a_deviceId=NULL)
Adds an image to the database.
Opens the disk image to be analyzed.
Adds an image to the database.
TskAuto calls this method for each file and directory that it finds in an image.
Sets whether or not the file systems for an image should be added when the image is added to the case database.
When enabled, records for unallocated file system space will be added to the database.
When enabled, records for unallocated file system space will be added to the database.
When enabled, records for unallocated file system space will be added to the database with the given parameters.
Skip processing of orphans on FAT filesystems.
virtual void setTz (std::string tzone)
Set the current image's timezone.
Start the process to add image/file metadata to database inside of a transaction.
Start the process to add image/file metadata to database inside of a transaction.
Cancel the running process.
- Public Member Functions inherited from TskAuto
Disables image writer.
Enables image writer, which creates a copy of the image as it is being processed.
Starts in a specified byte offset of the opened disk images and looks for a file system.
Starts in a specified byte offset of the opened disk images and looks for a file system.
Starts in a specified byte offset of the opened disk images and looks for a file system.
Starts in a specified byte offset of the opened disk images and looks for a file system.
Starts in a specified byte offset of the opened disk images and looks for a file system.
Starts in sector 0 of the opened disk images and looks for a volume or file system.
Starts in a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.
Starts in a specified byte offset of the opened disk images and opens a pool to search through any file systems in the pool.
Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.
Starts in a specified byte offset of the opened disk images and looks for a volume system or file system.
Get the volume description of the last processed volume.
Get the volume flags of the last processed volume.
Get the list of errors that were added to the internal list.
Returns true if all processing and recursion should stop.
Override this method to get called for each error that is registered.
Checks whether a volume contains a pool.
Determine if we are inside of a volume system and therefore we can trust the results of getCurVsPartFlag/Desc.
Uses the already opened image for future analysis.
Internal method that TskAuto calls when it encounters issues while processing an image.
Remove the errors on the internal list.
Store a list of pointers to open file systems to use when calling findFilesInImg instead of opening a new copy.
Set the attributes for the files that should be processed.
Set a password that will be used when trying to open each file system.
Set the attributes for the volumes that should be processed.
Additional Inherited Members
- Static Public Member Functions inherited from TskAuto
static std::string errorRecordToString (const error_record &rec)
- Public Attributes inherited from TskAuto
unsigned int m_tag
- Protected Member Functions inherited from TskAuto
Utility method to help determine if an attribute is the default type for the file/dir.
Utility method to help determine if a file is a directory.
Utility method to help determine if a file is a .
Utility method to help determine if a file is a FAT file system file (such as $MBR).
Utility method to help determine if a file is a file (and not a directory).
Utility method to help determine if an attribute is non-resident (meaning it uses blocks to store data)
Utility method to help determine if a file is an NTFS file system file (such as $MFT).
Method that can be used from within processFile() to look at each attribute that a file may have.
When called, will cause TskAuto to not continue to recurse into directories and volumes.
- Protected Attributes inherited from TskAuto
bool m_imageWriterEnabled
True if m_img_info was opened in TskAuto and false if passed in.
std::vector< const TSK_POOL_INFO * > m_poolInfos
True if no further processing should occur.
Constructor & Destructor Documentation
TskAutoDb::TskAutoDb ( TskDb * a_db, )
- Parameters
-
a_db Database to add an image to
a_NSRLDb Database of "known" files (can be NULL)
a_knownBadDb Database of "known bad" files (can be NULL)
Member Function Documentation
uint8_t TskAutoDb::addFilesInImgToDb ( )
Analyzes the open image and adds image info to a database.
Does not deal with transactions and such. Refer to startAddImage() for more control.
- Returns
- 1 if a critical error occurred (DB doesn't exist, no file system, etc.), 2 if errors occurred at some point adding files to the DB (corrupt file, etc.), and 0 otherwise. Errors will have been registered.
References TskAuto::findFilesInImg(), TskAuto::registerError(), TskAuto::setVolFilterFlags(), TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_OK, TSK_VS_PART_FLAG_ALLOC, and TSK_VS_PART_FLAG_UNALLOC.
Referenced by startAddImage().
void TskAutoDb::closeImage ( )
override virtual
Closes the handles to the open disk image.
Should be called after you have completed analysis of the image.
Reimplemented from TskAuto.
References TskAuto::closeImage().
int64_t TskAutoDb::commitAddImage ( )
TskAuto calls this method before it processes each file system that is found in a volume.
You can use this to learn about each file system before it is processed and you can force TskAuto to skip this file system.
- Parameters
-
fs_info file system details
- Returns
- Value to show if FS should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TSK_FS_INFO::block_count, TSK_FS_INFO::block_size, TSK_FS_INFO::first_inum, TSK_FS_INFO::ftype, TSK_FS_INFO::last_inum, _TSK_DB_FS_INFO::objId, TSK_FS_INFO::offset, processFile(), TskAuto::registerError(), TSK_FS_INFO::root_inum, TskAuto::setFileFilterFlags(), TSK_FILTER_CONT, TSK_FILTER_STOP, TSK_FS_DIR_WALK_FLAG_ALLOC, TSK_FS_DIR_WALK_FLAG_NOORPHAN, TSK_FS_DIR_WALK_FLAG_UNALLOC, tsk_fs_file_close(), tsk_fs_file_open(), and TSK_FS_TYPE_ISFAT.
TSK_FILTER_ENUM TskAutoDb::filterPoolVol ( const TSK_POOL_VOLUME_INFO * pool_vol )
override virtual
TskAuto calls this method before it processes each volume that is found in a volume system.
You can use this to learn about each volume before it is processed and you can force TskAuto to skip this volume. The setVolFilterFlags() method can be used to configure whether TskAuto should process unallocated space.
- Parameters
-
vs_part Partition details
- Returns
- Value to show if volume should be processed, skipped, or process should stop.
Reimplemented from TskAuto.
References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::desc, TSK_VS_PART_INFO::flags, TSK_VS_PART_INFO::len, _TSK_DB_VS_PART_INFO::objId, TskAuto::registerError(), TSK_VS_PART_INFO::start, TSK_FILTER_CONT, TSK_FILTER_STOP, and TSK_MAX_DB_VS_PART_INFO_DESC_LEN.
const std::string TskAutoDb::getCurDir ( )
Returns the directory currently being analyzed by processFile().
Safe to call from a thread other than the one running processFile().
- Returns
- curDirPath string representing currently analyzed directory
void TskAutoDb::hashFiles ( bool flag )
virtual
Calculate hash values of files and add them to database.
Default is false. Will be set to true if a Hash DB is configured.
- Parameters
-
flag True to calculate hash values and look them up.
bool TskAutoDb::isDbOpen ( )
Check if we can talk to the database.
Returns true if the database is reachable with current credentials, false otherwise.
uint8_t TskAutoDb::openImage ( int a_numImg, unsigned int a_sSize )
override virtual
Opens the disk image to be analyzed.
This must be called before any of the findFilesInXXX() methods.
- Parameters
-
a_numImg The number of images to open (will be > 1 for split images).
a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order)
a_imgType The disk image type (can be autodetection)
a_sSize Size of device sector in bytes (or 0 for default)
- Returns
- 1 on error (messages were NOT registered), 0 on success
Reimplemented from TskAuto.
Referenced by startAddImage().
uint8_t TskAutoDb::openImage ( int a_num, unsigned int a_ssize, const char * a_deviceId )
virtual
Adds an image to the database.
- Parameters
-
a_num Number of image parts
a_images Array of paths to the image parts
a_type Image type
a_ssize Size of device sector in bytes (or 0 for default)
a_deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
- Returns
- 0 for success, 1 for failure
References TskAuto::openImage(), and openImageUtf8().
uint8_t TskAutoDb::openImage ( const char * a_deviceId = NULL )
virtual
Adds an image to the database.
Requires that m_img_info is already initialized
- Parameters
-
a_deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
- Returns
- 0 for success, 1 for failure
uint8_t TskAutoDb::openImageUtf8 ( int a_numImg, const char *const a_images[], unsigned int a_sSize )
override virtual
Opens the disk image to be analyzed.
This must be called before any of the findFilesInXXX() methods. Always uses the UTF-8 tsk_img_open, even on Windows.
- Parameters
-
a_numImg The number of images to open (will be > 1 for split images).
a_images The path to the image files (the number of files must be equal to num_img and they must be in a sorted order)
a_imgType The disk image type (can be autodetection)
a_sSize Size of device sector in bytes (or 0 for default)
- Returns
- 1 on error (messages were NOT registered), 0 on success
Reimplemented from TskAuto.
Referenced by openImage().
uint8_t TskAutoDb::openImageUtf8 ( int a_num, const char *const a_images[], unsigned int a_ssize, const char * a_deviceId )
virtual
Adds an image to the database.
- Parameters
-
a_num Number of image parts
a_images Array of paths to the image parts
a_type Image type
a_ssize Size of device sector in bytes (or 0 for default)
a_deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
- Returns
- 0 for success, 1 for failure
References TskAuto::openImageUtf8().
const char * path )
override virtual
TskAuto calls this method for each file and directory that it finds in an image.
The setFileFilterFlags() method can be used to set the criteria for what types of files this should be called for. There are several methods, such as isDir() that can be used by this method to help focus in on the files that you care about. When errors are encountered, send them to registerError().
- Parameters
-
fs_file file details
path full path of parent directory
- Returns
- STOP or OK. All errors must have been registered.
Implements TskAuto.
References TskAuto::isDir(), TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_NAME::par_addr, TskAuto::processAttributes(), TSK_DB_FILES_KNOWN_UNKNOWN, tsk_fprintf(), tsk_fs_file_attr_getsize(), TSK_OK, TSK_STOP, and tsk_verbose.
Referenced by filterFs().
int TskAutoDb::revertAddImage ( )
void TskAutoDb::setAddFileSystems ( bool addFileSystems )
Sets whether or not the file systems for an image should be added when the image is added to the case database.
The default value is true.
void TskAutoDb::setAddUnallocSpace ( bool addUnallocSpace )
virtual
When enabled, records for unallocated file system space will be added to the database.
Default value is false.
- Parameters
-
addUnallocSpace If true, create records for contiguous unallocated file system sectors.
void TskAutoDb::setAddUnallocSpace ( bool addUnallocSpace, int64_t minChunkSize )
virtual
When enabled, records for unallocated file system space will be added to the database.
Default value is false.
- Parameters
-
addUnallocSpace If true, create records for contiguous unallocated file system sectors.
minChunkSize the number of bytes to group unallocated data into. A value of 0 will create one large chunk and group only on volume boundaries. A value of -1 will group each consecutive chunk.
void TskAutoDb::setAddUnallocSpace ( int64_t minChunkSize, int64_t maxChunkSize )
virtual
When enabled, records for unallocated file system space will be added to the database with the given parameters.
Automatically sets the flag to create records for contiguous unallocated file system sectors.
- Parameters
-
minChunkSize the number of bytes to group unallocated data into. A value of 0 will create one large chunk and group only on volume boundaries. A value of -1 will group each consecutive chunk.
maxChunkSize the maximum number of bytes in one record of unallocated data. A value of -1 will not split the records based on size
void TskAutoDb::setNoFatFsOrphans ( bool noFatFsOrphans )
virtual
Skip processing of orphans on FAT filesystems.
This will make the loading of the database much faster but you will not have all deleted files. Default value is false.
- Parameters
-
noFatFsOrphans Set to true to skip processing orphans on FAT file systems
uint8_t TskAutoDb::startAddImage ( int numImg, unsigned int sSize, const char * deviceId = NULL )
Start the process to add image/file metadata to database inside of a transaction.
User must call either commitAddImage() to commit the changes, or revertAddImage() to revert them.
- Parameters
-
numImg Number of image parts
imagePaths Array of paths to the image parts
imgType Image type
sSize Size of device sector in bytes (or 0 for default)
deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID)
- Returns
- 0 for success, 1 for failure
References addFilesInImgToDb(), openImage(), TskAuto::registerError(), revertAddImage(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), and tsk_verbose.
Referenced by TskCaseDb::addImage().
const char * deviceId = NULL )
Start the process to add image/file metadata to database inside of a transaction.
User must call either commitAddImage() to commit the changes, or revertAddImage() to revert them.
- Parameters
-
deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID)
- Returns
- 0 for success, 1 for failure
References addFilesInImgToDb(), openImage(), TskAuto::openImageHandle(), TskAuto::registerError(), revertAddImage(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), and tsk_verbose.
void TskAutoDb::stopAddImage ( )