construct a TskFsAttribute object

Parameters

a_fsAttr a pointer of TSK_FS_ATTR. If NULL, the getX() return values are undefi ned.

get number of bytes that are allocated in all clusters of non-resident run

(will be larger than size - does not include skiplen).

This is defined when the attribute is created and used to determine slack space.

Returns

number of bytes that are allocated in all clusters of non-resident run

References TSK_FS_ATTR::allocsize, and TSK_FS_ATTR::nrd.

Pointer to buffer with resident data.

Only getSize() bytes will be valid.

Returns

pointer to buffer with resident data.

References TSK_FS_ATTR::buf, and TSK_FS_ATTR::rd.

get size of compression units (needed only if NTFS file is compressed)

Returns

size of compression units (needed only if NTFS file is compressed)

References TSK_FS_ATTR::compsize, and TSK_FS_ATTR::nrd.

get the attribute's flags

Returns

flags for attribute

References TSK_FS_ATTR::flags.

get id of attribute

Returns

id of attribute

References TSK_FS_ATTR::id.

get number of bytes (starting from offset 0) that have data

(including FILLER) saved for them (smaller then or equal to size).

This is defined when the attribute is created.

Returns

number of bytes (starting from offset 0) that have data

References TSK_FS_ATTR::initsize, and TSK_FS_ATTR::nrd.

get the attributes's name (in UTF-8).

Returns

name of attribute (or NULL if attribute doesn't have one)

References TSK_FS_ATTR::name.

get a run for a non-resident attribute.

It's caller's responsibility to free memory of TskFsAttrRun

Parameters

a_idx The index of the run to return.

Returns

A run in the attribute.

References TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, and TSK_FS_ATTR::run.

gets the number of runs in a non-resident attribute.

Returns

number of runs.

References TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, and TSK_FS_ATTR::run.

get size in bytes of attribute (does not include skiplen for non-resident)

Returns

size in bytes of attribute

References TSK_FS_ATTR::size.

get number of initial bytes in run to skip before content begins.

The size field does not include this length.

Returns

number of initial bytes in run to skip before content begins

References TSK_FS_ATTR::nrd, and TSK_FS_ATTR::skiplen.

get type of attribute

Returns

type of attribute

References TSK_FS_ATTR::type.

Read the contents of this attribute using a typical read() type interface.

0s are returned for missing runs.

See tsk_fs_attr_read() for details

Parameters

a_offset The byte offset to start reading from.

a_buf The buffer to read the data into.

a_len The number of bytes to read from the file.

a_flags Flags to use while reading

Returns

The number of bytes read or -1 on error (incl if offset is past end of file).

References tsk_fs_attr_read().

Process an attribute and call a callback function with its contents.

The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse attributes, the address may be zero.

See tsk_fs_attr_walk() for details

Parameters

a_flags Flags to use while processing attribute

a_action Callback action to call with content

a_ptr Pointer that will passed to callback

Returns

1 on error and 0 on success.

References tsk_fs_attr_walk().