Inheritance diagram for TskDbSqlite:
Public Member Functions
Adds information about a carved file with layout ranges into the database.
More...
Add file layout info to the database.
More...
int
addFileLayoutRange (int64_t a_fileObjId, uint64_t a_byteStart, uint64_t a_byteLen, int a_sequence)
Add file layout info to the database.
More...
Add a file system file to the database.
More...
int
addImageInfo (int type, int size, int64_t &objId, const string &timezone)
deprecated
int
addImageInfo (int type, int size, int64_t &objId, const string &timezone,
TSK_OFF_T, const string &md5, const string &sha1, const string &sha256)
int
addImageInfo (int type,
TSK_OFF_T ssize, int64_t &objId, const string &timezone,
TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256, const string &deviceId, const string &collectionDetails)
Adds image details to the existing database tables.
More...
int
addImageName (int64_t objId, char const *imgName, int sequence)
int
addPoolInfoAndVS (const TSK_POOL_INFO *pool_info, int64_t parObjId, int64_t &vsObjId)
Creates a new tsk_pool_info database entry and a new tsk_vs_info entry with the tsk_pool_info as its parent.
More...
int
addPoolVolumeInfo (const TSK_POOL_VOLUME_INFO *pool_vol, int64_t parObjId, int64_t &objId)
Adds the sector addresses of the pool volumes into the db.
More...
Adds a fake volume that will hold the unallocated blocks for the pool.
More...
Adds information about a unallocated file with layout ranges into the database.
More...
Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs.
More...
Adds information about a unused file with layout ranges into the database.
More...
TSK_RETVAL_ENUM addVirtualDir (const int64_t fsObjId, const int64_t parentDirId, const char *const name, int64_t &objId, int64_t dataSourceObjId)
Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them.
More...
Adds the sector addresses of the volumes into the db.
More...
int close ()
bool dbExists ()
Query tsk_file_layout and return rows for every entry in tsk_file_layout table.
More...
Query tsk_fs_info and return rows for every entry in tsk_fs_info table.
More...
Query tsk_objects and tsk_files given file system id and return the root directory object.
More...
Query tsk_objects with given id and returns object info entry.
More...
Query tsk_objects to find the root image id for the object.
More...
Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry.
More...
Query tsk_vs_info and return rows for every entry in tsk_vs_info table.
More...
Query tsk_vs_part and return rows for every entry in tsk_vs_part table.
More...
bool inTransaction ()
Returns true if database is opened.
int open (bool)
Rollback to specified savepoint and release.
More...
TskDbSqlite (const char *a_dbFilePathUtf8, bool a_blkMapFlag)
Set the locations and logging object.
More...
- Public Member Functions inherited from
TskDb
virtual bool getParentPathAndName (const char *path, const char **ret_parent_path, const char **ret_name)
TskDb (const char *a_dbFilePathUtf8, bool a_blkMapFlag)
Set the locations and logging object.
More...
Additional Inherited Members
- Protected Member Functions inherited from
TskDb Extract the extension from the given file name and store it in the supplied string.
More...
Constructor & Destructor Documentation
TskDbSqlite::TskDbSqlite
(
const char *
a_dbFilePathUtf8,
bool
a_blkMapFlag
)
Set the locations and logging object.
Must call open() before the object can be used.
Member Function Documentation
const int64_t
fsObjId,
const uint64_t
size,
int64_t &
objId,
int64_t
dataSourceObjId
)
virtual
Adds information about a carved file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table
- Parameters
-
parentObjId Id of the parent object in the database (fs, volume, or image)
fsObjId fs id associated with the file, or NULL
size Number of bytes in file
ranges vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in)
objId object id of the file object created (output)
dataSourceObjId The object ID for the data source
- Returns
- TSK_OK on success or TSK_ERR on error.
Implements TskDb.
References TSK_DB_FILES_TYPE_CARVED.
Add file layout info to the database.
This table stores the run information for each file so that we can map which parts of an image are used by what files.
- Parameters
-
fileLayoutRange TSK_DB_FILE_LAYOUT_RANGE object storing a single file layout range entry
- Returns
- 1 on error
Implements TskDb.
References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId.
int TskDbSqlite::addFileLayoutRange
(
int64_t
a_fileObjId,
uint64_t
a_byteStart,
uint64_t
a_byteLen,
int
a_sequence
)
virtual
Add file layout info to the database.
This table stores the run information for each file so that we can map which parts of an image are used by what files.
- Parameters
-
a_fileObjId ID of the file
a_byteStart Byte address relative to the start of the image file
a_byteLen Length of the run in bytes
a_sequence Sequence of this run in the file
- Returns
- 1 on error
Implements TskDb.
const char *
path,
const unsigned char *const
md5,
int64_t
fsObjId,
int64_t &
objId,
int64_t
dataSourceObjId
)
virtual
Add a file system file to the database.
- Parameters
-
fs_file File structure to add
fs_attr Specific attribute to add
path Path of parent folder
md5 Binary value of MD5 (i.e. 16 bytes) or NULL
known Status regarding if it was found in hash database or not
fsObjId File system object of its file system
objId ID that was assigned to it from the objects table
dataSourceObjId The object ID for the data source
- Returns
- 1 on error and 0 on success
Implements TskDb.
References TSK_FS_FILE::fs_info, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, and TSK_FS_INFO::root_inum.
int TskDbSqlite::addFsInfo
(
const
TSK_FS_INFO *
fs_info,
int64_t
parObjId,
int64_t &
objId
)
virtual
int TskDbSqlite::addImageInfo
(
int
type,
int
ssize,
int64_t &
objId,
const string &
timezone,
const string &
md5,
const string &
sha1,
const string &
sha256
)
virtual
int TskDbSqlite::addImageInfo
(
int
type,
int64_t &
objId,
const string &
timezone,
const string &
md5,
const string &
sha1,
const string &
sha256,
const string &
deviceId,
const string &
collectionDetails
)
virtual
Adds image details to the existing database tables.
- Parameters
-
type Image type
ssize Size of device sector in bytes (or 0 for default)
objId The object id assigned to the image (out param)
timezone The timezone the image is from
size The size of the image in bytes.
md5 MD5 hash of the image
deviceId An ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
- Returns
- 1 on error, 0 on success
Implements TskDb.
References TSK_DB_OBJECT_TYPE_IMG.
int TskDbSqlite::addImageName
(
int64_t
objId,
char const *
imgName,
int
sequence
)
virtual
- Returns
- 1 on error, 0 on success
Implements TskDb.
int TskDbSqlite::addPoolInfoAndVS
(
const TSK_POOL_INFO *
pool_info,
int64_t
parObjId,
int64_t &
vsObjId
)
virtual
Creates a new tsk_pool_info database entry and a new tsk_vs_info entry with the tsk_pool_info as its parent.
@ param pool_info The pool to save to the database @ param parObjId The ID of the parent of the pool object @ param vsObjId Will be set to the object ID of the new volume system created as a child of the new pool.
- Returns
- 1 on error, 0 on success
Implements TskDb.
References TSK_DB_OBJECT_TYPE_POOL, TSK_DB_OBJECT_TYPE_VS, TSK_VS_TYPE_APFS, and TSK_VS_TYPE_LVM.
int TskDbSqlite::addPoolVolumeInfo
(
const TSK_POOL_VOLUME_INFO *
pool_vol,
int64_t
parObjId,
int64_t &
objId
)
virtual
Adds the sector addresses of the pool volumes into the db.
- Parameters
-
pool_vol The pool volume to save to the DB
parObjId The ID of the parent of the pool volume (should be a volume system)
objId Will be set to the object ID of the new volume
- Returns
- 1 on error, 0 on success
Implements TskDb.
References TSK_DB_OBJECT_TYPE_VOL.
int TskDbSqlite::addUnallocatedPoolVolume
(
int
vol_index,
int64_t
parObjId,
int64_t &
objId
)
virtual
Adds a fake volume that will hold the unallocated blocks for the pool.
- Parameters
-
vol_index The index for the new volume (should be one higher than the number of pool volumes)
parObjId The object ID of the parent volume system
objId Will be set to the object ID of the new volume
- Returns
- 1 on error, 0 on success
Implements TskDb.
References TSK_DB_OBJECT_TYPE_VOL.
TSK_RETVAL_ENUM TskDbSqlite::addUnallocBlockFile
(
const int64_t
parentObjId,
const int64_t
fsObjId,
const uint64_t
size,
int64_t &
objId,
int64_t
dataSourceObjId
)
virtual
Adds information about a unallocated file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table
- Parameters
-
parentObjId Id of the parent object in the database (fs, volume, or image)
fsObjId parent fs, or NULL if the file is not associated with fs
size Number of bytes in file
ranges vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in)
objId object id of the file object created (output)
dataSourceObjId The object ID for the data source
- Returns
- TSK_OK on success or TSK_ERR on error.
Implements TskDb.
References TSK_DB_FILES_TYPE_UNALLOC_BLOCKS.
TSK_RETVAL_ENUM TskDbSqlite::addUnallocFsBlockFilesParent
(
const int64_t
fsObjId,
int64_t &
objId,
int64_t
dataSourceObjId
)
virtual
Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs.
The dir has is associated with its root dir parent for the fs.
- Parameters
-
fsObjId (in) fs id to find root dir for and create $Unalloc dir for
objId (out) object id of the $Unalloc dir created
dataSourceObjId The object ID for the data source
- Returns
- TSK_ERR on error or TSK_OK on success
Implements TskDb.
References addVirtualDir(), getFsRootDirObjectInfo(), _TSK_DB_OBJECT::objId, and TSK_ERR.
TSK_RETVAL_ENUM TskDbSqlite::addUnusedBlockFile
(
const int64_t
parentObjId,
const int64_t
fsObjId,
const uint64_t
size,
int64_t &
objId,
int64_t
dataSourceObjId
)
virtual
Adds information about a unused file with layout ranges into the database.
Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table
- Parameters
-
parentObjId Id of the parent object in the database (fs, volume, or image)
fsObjId parent fs, or NULL if the file is not associated with fs
size Number of bytes in file
ranges vector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in)
objId object id of the file object created (output)
dataSourceObjId The object ID for the data source
- Returns
- TSK_OK on success or TSK_ERR on error.
Implements TskDb.
References TSK_DB_FILES_TYPE_UNUSED_BLOCKS.
const int64_t
parentDirId,
const char *const
name,
int64_t &
objId,
int64_t
dataSourceObjId
)
virtual
Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them.
- Parameters
-
fsObjId (in) file system object id to associate with the virtual directory.
parentDirId (in) parent dir object id of the new directory: either another virtual directory or root fs directory
name name (int) of the new virtual directory
objId (out) object id of the created virtual directory object
dataSourceObjId The object Id of the data source
- Returns
- TSK_ERR on error or TSK_OK on success
Implements TskDb.
References TSK_DB_FILES_KNOWN_UNKNOWN, TSK_DB_FILES_TYPE_VIRTUAL_DIR, TSK_DB_OBJECT_TYPE_FILE, TSK_ERR, TSK_FS_META_FLAG_ALLOC, TSK_FS_META_FLAG_USED, TSK_FS_META_TYPE_DIR, TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_TYPE_DIR, and TSK_OK.
Referenced by addUnallocFsBlockFilesParent().
int64_t
parObjId,
int64_t &
objId
)
virtual
int TskDbSqlite::addVsInfo
(
const
TSK_VS_INFO *
vs_info,
int64_t
parObjId,
int64_t &
objId
)
virtual
int TskDbSqlite::createSavepoint
(
const char *
name )
virtual
Query tsk_file_layout and return rows for every entry in tsk_file_layout table.
- Parameters
-
fileLayouts (out) TSK_DB_FILE_LAYOUT_RANGE row representations to return
- Returns
- TSK_ERR on error, TSK_OK on success
Implements TskDb.
References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId, TSK_ERR, and TSK_OK.
TSK_RETVAL_ENUM TskDbSqlite::getFsRootDirObjectInfo
(
const int64_t
fsObjId,
)
virtual
Query tsk_objects and tsk_files given file system id and return the root directory object.
- Parameters
-
fsObjId (int) file system id to query root dir object for
rootDirObjInfo (out) TSK_DB_OBJECT root dir entry representation to return
- Returns
- TSK_ERR on error (or if not found), TSK_OK on success
Implements TskDb.
References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by addUnallocFsBlockFilesParent().
Query tsk_objects with given id and returns object info entry.
- Parameters
-
objId object id to query
objectInfo (out) TSK_DB_OBJECT entry representation to return
- Returns
- TSK_ERR on error (or if not found), TSK_OK on success
Implements TskDb.
References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.
Referenced by getParentImageId().
int64_t &
imageId
)
virtual
Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry.
- Parameters
-
objId vs id to query
vsInfo (out) TSK_DB_VS_INFO entry representation to return
- Returns
- TSK_ERR on error (or if not found), TSK_OK on success
Implements TskDb.
References _TSK_DB_VS_INFO::objId, TSK_ERR, and TSK_OK.
int TskDbSqlite::releaseSavepoint
(
const char *
name )
virtual
Release a savepoint.
Commits if savepoint was not rollbacked.
- Parameters
-
name Name of savepoint
- Returns
- 1 on error, 0 on success
Implements TskDb.
Referenced by revertSavepoint().
int TskDbSqlite::revertSavepoint
(
const char *
name )
virtual
Rollback to specified savepoint and release.
- Parameters
-
name Name of savepoint
- Returns
- 1 on error, 0 on success
Implements TskDb.
References releaseSavepoint().
The documentation for this class was generated from the following files: