The Sleuth Kit: TskFsInfo Class Reference

The Sleuth Kit 4.13.0

Public Member Functions | Static Public Member Functions | Friends | List of all members

TskFsInfo Class Reference

Stores information about an open file system. More...

#include <tsk_fs.h>

Public Member Functions

uint8_t blockWalk (TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CPP_CB a_action, void *a_ptr)

Walk a range of file system blocks and call the callback function with the contents and allocation status of each. More...

void close ()

Close an open file system. More...

uint8_t dirWalk (TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CPP_CB a_action, void *a_ptr)

TSK_DADDR_T getBlockCount () const

return number of blocks in fs More...

unsigned int getBlockSize () const

return size of each file system block (in bytes) More...

const char * getDataUnitName () const

return the "name" of data unit type as a string ("Cluster", for example) More...

unsigned int getDeviceSize () const

return size of device block (typically always 512) More...

TSK_DADDR_T getFirstBlock () const

return address of first block More...

TSK_INUM_T getFirstINum () const

return first valid metadata address More...

TSK_FS_INFO_FLAG_ENUM getFlags () const

return flags for file system More...

const uint8_t * getFsId () const

return file system id (as reported in boot sector). More...

size_t getFsIdLen () const

return the number of bytes used in the buffer returned by getFsId(). More...

TSK_FS_TYPE_ENUM getFsType () const

return type of file system More...

TSK_INUM_T getINumCount () const

return number of metadata addresses in FS More...

TSK_INUM_T getJournalINum () const

return address of journal inode More...

TSK_DADDR_T getLastBlock () const

return address of last block that is adjusted so that

(could be larger than last_block in image if end of image does not exist) More...

TSK_DADDR_T getLastBlockAct () const

return address of last block as reported by file system

(it is equal to the last block in the image or volume (if image is not complete) More...

TSK_INUM_T getLastINum () const

return last valid metadata address More...

TSK_OFF_T getOffset () const

return byte offset in image that fs starts More...

TSK_INUM_T getRootINum () const

return metadata address of root directory More...

uint8_t jblkWalk (TSK_DADDR_T a_addr1, TSK_DADDR_T a_addr2, int a_num, TSK_FS_JBLK_WALK_CPP_CB a_action, void *a_ptr)

uint8_t jentryWalk (int a_num, TSK_FS_JENTRY_WALK_CPP_CB a_action, void *a_ptr)

uint8_t jopen (TSK_INUM_T a_inum)

uint8_t metaWalk (TSK_INUM_T a_start, TSK_INUM_T a_end, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CPP_CB a_cb, void *a_ptr)

Walk a range of metadata structures and call a callback for each structure that matches the flags supplied. More...

uint8_t open (const TskVsPartInfo *a_part_info, TSK_FS_TYPE_ENUM a_ftype)

Opens a file system that is inside of a Volume. More...

uint8_t open (TskImgInfo *a_img_info, TSK_OFF_T a_offset, TSK_FS_TYPE_ENUM a_ftype)

Opens a file system at a given offset in a disk image. More...

int8_t path2INum (const char *a_path, TSK_INUM_T *a_result, TskFsName *a_fs_name)

Find the meta data address for a given file name (UTF-8). More...

ssize_t read (TSK_OFF_T a_off, char *a_buf, size_t a_len)

Read arbitrary data from inside of the file system. More...

ssize_t readBlock (TSK_DADDR_T a_addr, char *a_buf, size_t a_len)

Read a file system block. More...

TskFsInfo (TSK_FS_INFO *a_fsInfo)

Static Public Member Functions

static int parseINum (const TSK_TCHAR *a_str, TSK_INUM_T *a_inum, TSK_FS_ATTR_TYPE_ENUM *a_type, uint8_t *a_type_used, uint16_t *a_id, uint8_t *a_id_used)

Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts

need to be there). More...

static void typePrint (FILE *a_hFile)

Print the supported file system types to a file handle

See tsk_fs_type_print() for details More...

static TSK_FS_TYPE_ENUM typeSupported ()

Return the supported file system types. More...

static TSK_FS_TYPE_ENUM typeToId (const TSK_TCHAR *a_str)

Parse a string with the file system type and return its internal ID. More...

static const char * typeToName (TSK_FS_TYPE_ENUM a_ftype)

Return the string name of a file system type id. More...

Friends

class TskFsBlock

class TskFsDir

class TskFsFile

Detailed Description

Stores information about an open file system.

One of the open() commands needs to be used before any of the getX() or read() methods will return valid data. See TSK_FS_INFO for more details.

Member Function Documentation

uint8_t TskFsInfo::blockWalk ( TSK_DADDR_T a_start_blk,

TSK_DADDR_T a_end_blk,

TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags,

TSK_FS_BLOCK_WALK_CPP_CB a_action,

void * a_ptr

)

inline

Walk a range of file system blocks and call the callback function with the contents and allocation status of each.

See tsk_fs_block_walk() for details.

Parameters: a_start_blk Block address to start walking from

a_end_blk Block address to walk to

a_flags Flags used during walk to determine which blocks to call callback with

a_action Callback function

a_ptr Pointer that will be passed to callback

Returns: 1 on error and 0 on success

References tsk_fs_block_walk().

void TskFsInfo::close ( )

inline

Close an open file system.

See tsk_fs_close() for details.

References tsk_fs_close().

TSK_DADDR_T TskFsInfo::getBlockCount ( ) const

inline

return number of blocks in fs

Returns: number of blocks in fs

References TSK_FS_INFO::block_count.

unsigned int TskFsInfo::getBlockSize ( ) const

inline

return size of each file system block (in bytes)

Returns: size of each block

References TSK_FS_INFO::block_size.

const char* TskFsInfo::getDataUnitName ( ) const

inline

return the "name" of data unit type as a string ("Cluster", for example)

Returns: string "name" of data unit type

References TSK_FS_INFO::duname.

unsigned int TskFsInfo::getDeviceSize ( ) const

inline

return size of device block (typically always 512)

Returns: size of device block

References TSK_FS_INFO::dev_bsize.

TSK_DADDR_T TskFsInfo::getFirstBlock ( ) const

inline

return address of first block

Returns: address of first block

References TSK_FS_INFO::first_block.

TSK_INUM_T TskFsInfo::getFirstINum ( ) const

inline

return first valid metadata address

Returns: first valid metadata address

References TSK_FS_INFO::first_inum.

TSK_FS_INFO_FLAG_ENUM TskFsInfo::getFlags ( ) const

inline

return flags for file system

Returns: flags for file system

References TSK_FS_INFO::flags.

const uint8_t* TskFsInfo::getFsId ( ) const

inline

return file system id (as reported in boot sector).

Use getFsIdLen() to determine how many byts in buffer are used.

Returns: Buffer with file system id

References TSK_FS_INFO::fs_id.

size_t TskFsInfo::getFsIdLen ( ) const

inline

return the number of bytes used in the buffer returned by getFsId().

Returns: number of bytes used.

References TSK_FS_INFO::fs_id_used.

TSK_FS_TYPE_ENUM TskFsInfo::getFsType ( ) const

inline

return type of file system

Returns: type of file system

References TSK_FS_INFO::ftype.

TSK_INUM_T TskFsInfo::getINumCount ( ) const

inline

return number of metadata addresses in FS

Returns: number of metatdata addresses

References TSK_FS_INFO::inum_count.

TSK_INUM_T TskFsInfo::getJournalINum ( ) const

inline

return address of journal inode

Returns: address of journal inode

References TSK_FS_INFO::journ_inum.

TSK_DADDR_T TskFsInfo::getLastBlock ( ) const

inline

return address of last block that is adjusted so that

(could be larger than last_block in image if end of image does not exist)

Returns: address of last block

References TSK_FS_INFO::last_block.

TSK_DADDR_T TskFsInfo::getLastBlockAct ( ) const

inline

return address of last block as reported by file system

(it is equal to the last block in the image or volume (if image is not complete)

Returns: address of last block

References TSK_FS_INFO::last_block_act.

TSK_INUM_T TskFsInfo::getLastINum ( ) const

inline

return last valid metadata address

Returns: last valid metadata address

References TSK_FS_INFO::last_inum.

TSK_OFF_T TskFsInfo::getOffset ( ) const

inline

return byte offset in image that fs starts

Returns: offset in bytes.

References TSK_FS_INFO::offset.

TSK_INUM_T TskFsInfo::getRootINum ( ) const

inline

return metadata address of root directory

Returns: metadata address of root directory

References TSK_FS_INFO::root_inum.

uint8_t TskFsInfo::metaWalk ( TSK_INUM_T a_start,

TSK_INUM_T a_end,

TSK_FS_META_FLAG_ENUM a_flags,

TSK_FS_META_WALK_CPP_CB a_cb,

void * a_ptr

)

inline

Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.

For example, it can call the callback on only allocated or unallocated entries. See tsk_fs_meta_walk() for details

Parameters: a_start Metadata address to start walking from

a_end Metadata address to walk to

a_flags Flags that specify the desired metadata features

a_cb Callback function to call

a_ptr Pointer to pass to the callback

Returns: 1 on error and 0 on success

References tsk_fs_meta_walk().

uint8_t TskFsInfo::open ( const TskVsPartInfo * a_part_info,

TSK_FS_TYPE_ENUM a_ftype

)

inline

Opens a file system that is inside of a Volume.

Returns a structure that can be used for analysis and reporting. See tsk_fs_open_vol() for details

Parameters: a_part_info Open volume to read from and analyze

a_ftype Type of file system (or autodetect)

Returns: 1 on error 0 on success.

References tsk_fs_open_vol().

uint8_t TskFsInfo::open ( TskImgInfo * a_img_info,

TSK_OFF_T a_offset,

TSK_FS_TYPE_ENUM a_ftype

)

inline

Opens a file system at a given offset in a disk image.

Returns a structure that can be used for analysis and reporting. See tsk_fs_open_img() for details

Parameters: a_img_info Disk image to analyze

a_offset Byte offset to start analyzing from

a_ftype Type of file system (or autodetect)

Returns: 1 on error 0 on success.

References tsk_fs_open_img().

static int TskFsInfo::parseINum ( const TSK_TCHAR * a_str,

TSK_INUM_T * a_inum,

TSK_FS_ATTR_TYPE_ENUM * a_type,

uint8_t * a_type_used,

uint16_t * a_id,

uint8_t * a_id_used

)

inlinestatic

Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts

need to be there).

This assumes the string is either: INUM, INUM-TYPE, or INUM-TYPE-ID. Return the values in integer form. See tsk_fs_parse_inum() for details

Parameters: [in] a_str Input string to parse

[out] a_inum Pointer to location where inode can be stored.

[out] a_type Pointer to location where type can be stored (or NULL)

[out] a_type_used Pointer to location where the value can be set to 1 if the type was set (to differentiate between meanings of 0) (or NULL).

[out] a_id Pointer to location where id can be stored (or NULL)

[out] a_id_used Pointer to location where the value can be set to 1 if the id was set (to differentiate between meanings of 0) (or NULL).

Returns: 1 on error or if not an inode and 0 on success

References tsk_fs_parse_inum().

int8_t TskFsInfo::path2INum ( const char * a_path,

TSK_INUM_T * a_result,

TskFsName * a_fs_name

)

inline

Find the meta data address for a given file name (UTF-8).

See tsk_fs_path2inum() for details

Parameters: a_path UTF-8 path of file to search for

[out] a_result Meta data address of file

[out] a_fs_name Copy of name details (or NULL if details not wanted)

Returns: -1 on (system) error, 0 if found, and 1 if not found

References tsk_fs_path2inum().

ssize_t TskFsInfo::read ( TSK_OFF_T a_off,

char * a_buf,

size_t a_len

)

inline

Read arbitrary data from inside of the file system.

See tsk_fs_block_free() for details

Parameters: a_off The byte offset to start reading from (relative to start of file system)

a_buf The buffer to store the block in.

a_len The number of bytes to read

Returns: The number of bytes read or -1 on error.

References tsk_fs_read().

ssize_t TskFsInfo::readBlock ( TSK_DADDR_T a_addr,

char * a_buf,

size_t a_len

)

inline

Read a file system block.

See tsk_fs_read_block() for details

Parameters: a_addr The starting block file system address.

a_buf The char * buffer to store the block data in.

a_len The number of bytes to read (must be a multiple of the block size)

Returns: The number of bytes read or -1 on error.

References tsk_fs_read_block().

static void TskFsInfo::typePrint ( FILE * a_hFile )

inlinestatic

Print the supported file system types to a file handle

See tsk_fs_type_print() for details

Parameters: a_hFile File handle to print to

References tsk_fs_type_print().

static TSK_FS_TYPE_ENUM TskFsInfo::typeSupported ( )

inlinestatic

Return the supported file system types.

See tsk_fs_type_supported() for details

Returns: The bit in the return value is 1 if the type is supported.

References tsk_fs_type_supported().

static TSK_FS_TYPE_ENUM TskFsInfo::typeToId ( const TSK_TCHAR * a_str )

inlinestatic

Parse a string with the file system type and return its internal ID.

See tsk_fs_type_toid() for details

Parameters: a_str String to parse.

Returns: ID of string (or unsupported if the name is unknown)

References tsk_fs_type_toid().

static const char* TskFsInfo::typeToName ( TSK_FS_TYPE_ENUM a_ftype )

inlinestatic

Return the string name of a file system type id.

See tsk_fs_type_toname() for details

Parameters: a_ftype File system type id

Returns: Name or NULL on error

References tsk_fs_type_toname().

The documentation for this class was generated from the following file:

tsk/fs/tsk_fs.h