Macro that takes a file system type and returns 1 if the type is for an APFS "file system".

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for an APFS "file system".

Macro that takes a file system type and returns 1 if the type is for a Btrfs file system.

Referenced by btrfs_open(), and tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a logical directory "file system".

Macro that takes a file system type and returns 1 if the type is for a ExtX file system.

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a FAT file system.

Referenced by TskAutoDb::filterFs(), TskAuto::isFATSystemFiles(), and tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a FFS file system.

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a HFS file system.

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a ISO9660 file system.

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for an NTFS file system.

Referenced by TskAuto::isNtfsSystemFiles(), tsk_fs_open_img_decrypt(), and tsk_fs_path2inum().

Macro that takes a file system type and returns 1 if the type is for a raw "file system".

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a swap "file system".

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.

Referenced by tsk_fs_open_img_decrypt().

Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.

Referenced by tsk_fs_open_img_decrypt().

Flags for the FS_INFO structure.

Values for the file system type.

Each bit corresponds to a file system. The "[fs]_DETECT" value (such as TSK_FS_TYPE_NTSF_DETECT) is the OR of all of the subtypes that it could detect. If there is only one type of that file system, the [fs]_DETECT value will be the same as the type.

The _DETECT values should not be stored in TSK_FS_INFO. Once tsk_fs_open() has detected the type, it should assign the specific version in TSK_FS_INFO.

Read the contents of a given attribute using a typical read() type interface.

0s are returned for missing runs.

Parameters

a_fs_attr The attribute to read.

a_offset The byte offset to start reading from.

a_buf The buffer to read the data into.

a_len The number of bytes to read from the file.

a_flags Flags to use while reading

Returns

The number of bytes read or -1 on error (incl if offset is past end of file).

References TSK_FS_ATTR_RUN::addr, TSK_FS_ATTR::allocsize, TSK_FS_INFO::block_size, TSK_FS_ATTR::buf, TSK_FS_ATTR_RUN::crypto_id, TSK_FS_ATTR_RUN::flags, TSK_FS_ATTR::flags, TSK_FS_ATTR::fs_file, TSK_FS_FILE::fs_info, TSK_FS_INFO::ftype, TSK_FS_ATTR::initsize, TSK_FS_ATTR_RUN::len, TSK_FS_FILE::meta, TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, TSK_FS_ATTR_RUN::offset, PRIuSIZE, TSK_FS_ATTR::rd, TSK_FS_ATTR::run, TSK_FS_ATTR::size, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_FS_ATTR_COMP, TSK_FS_ATTR_NONRES, TSK_FS_ATTR_RES, TSK_FS_ATTR_RUN_FLAG_FILLER, TSK_FS_ATTR_RUN_FLAG_SPARSE, TSK_FS_FILE_READ_FLAG_SLACK, tsk_fs_read_decrypt(), TSK_FS_TYPE_LOGICAL, and tsk_verbose.

Referenced by TskFsAttribute::read(), tsk_fs_file_read(), and tsk_fs_file_read_type().

Process an attribute and call a callback function with its contents.

The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse attributes, the address may be zero.

Parameters

a_fs_attr Attribute to process

a_flags Flags to use while processing attribute

a_action Callback action to call with content

a_ptr Pointer that will passed to callback

Returns

1 on error and 0 on success.

References TSK_FS_ATTR::flags, TSK_FS_ATTR::fs_file, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_ATTR_COMP, TSK_FS_ATTR_NONRES, and TSK_FS_ATTR_RES.

Referenced by tsk_fs_file_walk(), tsk_fs_file_walk_type(), and TskFsAttribute::walk().

Free the memory associated with the TSK_FS_BLOCK structure.

Parameters

a_fs_block Block to free

References TSK_FS_BLOCK::buf.

Referenced by TskFsBlock::~TskFsBlock().

Get the contents and flags of a specific file system block.

Note that if the block contains compressed data, then this function will return the compressed data with the RAW flag set. The uncompressed data can be obtained only from the file-level functions.

Parameters

a_fs The file system to read the block from.

a_fs_block The structure to write the block data into or NULL to have one created.

a_addr The file system address to read.

a_flags Flag to assign to the returned TSK_FS_BLOCK (use if you already have it as part of a block_walk-type scenario)

Returns

The TSK_FS_BLOCK with the data or NULL on error. (If a_fs_block was not NULL, this will be the same structure).

References TSK_FS_BLOCK::addr, TSK_FS_INFO::block_size, TSK_FS_BLOCK::buf, TSK_FS_BLOCK::fs_info, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_BLOCK_FLAG_RAW, and tsk_img_read().

Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each.

Parameters

a_fs File system to analyze

a_start_blk Block address to start walking from

a_end_blk Block address to walk to

a_flags Flags used during walk to determine which blocks to call callback with

a_action Callback function

a_ptr Pointer that will be passed to callback

Returns

1 on error and 0 on success

References TSK_FS_INFO::block_walk, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by TskFsInfo::blockWalk(), and btrfs_open().

Close an open file system.

Parameters

a_fs File system to close.

References TSK_FS_INFO::close.

Referenced by btrfs_open(), TskFsInfo::close(), TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), and TskAuto::findFilesInPool().

Close the directory that was opened with tsk_fs_dir_open()

Parameters

a_fs_dir Directory to close

References TSK_FS_DIR::fs_file, TSK_FS_DIR::names, TSK_FS_DIR::names_used, and tsk_fs_file_close().

Referenced by tsk_fs_path2inum().

Return a specific file or subdirectory from an open directory.

Parameters

a_fs_dir Directory to analyze

a_idx Index of file in directory to open (0-based)

Returns

NULL on error

References TSK_FS_NAME::flags, TSK_FS_DIR::fs_info, TSK_FS_FILE::meta, TSK_FS_NAME::meta_addr, TSK_FS_NAME::meta_seq, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_DIR::names, TSK_FS_DIR::names_used, PRIuSIZE, TSK_FS_META::seq, TSK_FS_NAME::shrt_name, tsk_error_print(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_NAME_FLAG_ALLOC, and tsk_verbose.

Referenced by tsk_fs_path2inum().

Return only the name for a file or subdirectory from an open directory.

Useful when wanting to find files of a given name and you don't need the additional metadata.

Parameters

a_fs_dir Directory to analyze

a_idx Index of file in directory to open (0-based)

Returns

NULL on error

References TSK_FS_DIR::fs_info, TSK_FS_DIR::names, TSK_FS_DIR::names_used, PRIuSIZE, tsk_error_set_errno(), and tsk_error_set_errstr().

Returns the number of files and subdirectories in a directory.

Parameters

a_fs_dir Directory to get information about

Returns

Number of files and subdirectories (or 0 on error)

References TSK_FS_DIR::names_used, tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by tsk_fs_path2inum().

Open a directory (using its path) so that each of the files in it can be accessed.

Parameters

a_fs File system to analyze

a_dir Path of the directory to open

Returns

NULL on error

References TSK_FS_DIR::fs_file, TSK_FS_FILE::name, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_dir_open_meta(), and tsk_fs_path2inum().

Open a directory (using its metadata addr) so that each of the files in it can be accessed.

Parameters

a_fs File system to analyze

a_addr Metadata address of the directory to open

Returns

NULL on error

Referenced by tsk_fs_dir_open(), and tsk_fs_path2inum().

Walk the file names in a directory and obtain the details of the files via a callback.

Parameters

a_fs File system to analyze

a_addr Metadata address of the directory to analyze

a_flags Flags used during analysis

a_action Callback function that is called for each file name

a_ptr Pointer to data that is passed to the callback function each time

Returns

1 on error and 0 on success

Referenced by fatfs_inode_walk().

Return the default attribute for the file.

Parameters

a_fs_file File to get data from

Returns

NULL on error

References TSK_FS_META::attr, TSK_FS_FILE::fs_info, and TSK_FS_FILE::meta.

Referenced by tsk_fs_file_read(), and tsk_fs_file_walk().

Return a specific attribute by its ID for the file.

Parameters

a_fs_file File to get data from

a_id Id of attribute to load

Returns

NULL on error

References TSK_FS_ATTR::id, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_attr_get_idx(), and tsk_fs_file_attr_getsize().

Get a file's attribute based on the 0-based index in the list (and not type, id pair).

Parameters

a_fs_file File to get attributes from.

a_idx 0-based index of attribute to return.

Returns

Pointer to attribute or NULL on error

References TSK_FS_META::attr, and TSK_FS_FILE::meta.

Referenced by TskAuto::processAttributes(), tsk_fs_file_attr_get_id(), and tsk_fs_path2inum().

Return a specific type and id attribute for the file.

Parameters

a_fs_file File to get data from

a_type Type of attribute to load

a_id Id of attribute to load

a_id_used Set to 1 if ID is actually set or 0 to use default

Returns

NULL on error

References TSK_FS_META::attr, and TSK_FS_FILE::meta.

Referenced by fatfs_istat(), tsk_fs_file_read_type(), and tsk_fs_file_walk_type().

Return the number of attributes in the file.

Parameters

a_fs_file File to return attribute count for

Returns

number of attributes in file

References TSK_FS_META::attr, TSK_FS_FILE::meta, and tsk_error_reset().

Referenced by TskAuto::processAttributes(), TskAutoDb::processFile(), tsk_fs_file_attr_get_id(), and tsk_fs_path2inum().

Close an open file.

Parameters

a_fs_file Pointer to open file

References TSK_FS_FILE::meta, and TSK_FS_FILE::name.

Referenced by TskFsFile::close(), fatfs_inode_walk(), fatfs_istat(), TskAutoDb::filterFs(), tsk_fs_dir_close(), tsk_fs_file_open_meta(), tsk_fs_path2inum(), and tsk_ntfs_usnjentry_walk().

Return the handle structure for a specific file, given its full path.

Note that if you have the metadata address fo the file, then tsk_fs_file_open_meta() is a more efficient approach.

Parameters

a_fs File system to analyze

a_fs_file Structure to store file data in or NULL to have one allocated.

a_path Path of file to open

Returns

NULL on error

References TSK_FS_FILE::meta, TSK_FS_NAME::meta_seq, TSK_FS_FILE::name, TSK_FS_META::seq, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_open_meta(), and tsk_fs_path2inum().

Referenced by TskAutoDb::filterFs(), and TskFsFile::open().

Open a file given its metadata address.

This function loads the metadata and returns a handle that can be used to read and process the file. Note that the returned TSK_FS_FILE structure will not have the file name set because it was not used to load the file and this function does not search the directory structure to find the name that points to the address. In general, if you know the metadata address of a file, this function is more efficient then tsk_fs_file_open, which first maps a file name to the metadata address and then opens the file using this function.

Parameters

a_fs File system to analyze

a_fs_file Structure to store file data in or NULL to have one allocated.

a_addr Metadata address of file to lookup

Returns

NULL on error

References TSK_FS_FILE::name, tsk_error_set_errno(), tsk_error_set_errstr(), and tsk_fs_file_close().

Referenced by fatfs_istat(), TskFsFile::open(), tsk_fs_file_open(), and tsk_ntfs_usnjopen().

Read the contents of a specific attribute of a file using a typical read() type interface.

0s are returned for missing runs of files.

Parameters

a_fs_file The inode structure of the file to read.

a_offset The byte offset to start reading from.

a_buf The buffer to read the data into.

a_len The number of bytes to read from the file.

a_flags Flags to use while reading

Returns

The number of bytes read or -1 on error (incl if offset is past EOF).

References TSK_FS_FILE::fs_info, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_attr_read(), and tsk_fs_file_attr_get().

Referenced by TskFsFile::read().

Read the contents of a specific attribute of a file using a typical read() type interface and be able specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS).

0s are returned for missing runs of files.

Parameters

a_fs_file The file to read from

a_type The type of attribute to load

a_id The id of attribute to load (use 0 and set a_flags if you do not care)

a_offset The byte offset to start reading from.

a_buf The buffer to read the data into.

a_len The number of bytes to read from the file.

a_flags Flags to use while reading

Returns

The number of bytes read or -1 on error (incl if offset is past EOF).

References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_attr_read(), tsk_fs_file_attr_get_type(), and TSK_FS_FILE_READ_FLAG_NOID.

Referenced by TskFsFile::read().

Process a file and call a callback function with the file contents.

The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse files, the address may be zero. If a file has multiple attributes, such as NTFS files, this function uses the default one ($DATA for files, $IDX_ROOT for directories). Use tsk_fs_file_walk_type to specify an attribute.

Parameters

a_fs_file File to process

a_flags Flags to use while processing file

a_action Callback action to call with content

a_ptr Pointer that will passed to callback

Returns

1 on error and 0 on success.

References TSK_FS_META::addr, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_attr_walk(), tsk_fs_file_attr_get(), and tsk_verbose.

Referenced by fatfs_inode_walk(), fatfs_istat(), tsk_fs_file_hash_calc(), and TskFsFile::walk().

Process a specific attribute in a file and call a callback function with the file contents.

The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse files, the address may be zero. If the file system you are analyzing does not have multiple attributes per file, then you can use tsk_fs_file_walk(). For incomplete or corrupt files, some missing runs will be identified as SPARSE and zeros will be returned in the content.

Parameters

a_fs_file File to process

a_type Attribute type to process

a_id Id if attribute to process

a_flags Flags to use while processing file

a_action Callback action to call with content

a_ptr Pointer that will passed to callback

Returns

1 on error and 0 on success.

References TSK_FS_META::addr, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_attr_walk(), tsk_fs_file_attr_get_type(), TSK_FS_FILE_WALK_FLAG_NOID, and tsk_verbose.

Referenced by TskFsFile::walk().

Copys a summary of the encryption algoritm to a_desc.

Expected size of description is under 100 characters.

Parameters

a_fs_info TSK_FS_INFO object

a_desc Output buffer for description

a_descLen Size of output buffer (recommended - 256 bytes)

Makes the "ls -l" permissions string for a file.

Parameters

a_fs_meta File to be processed

a_buf [out] Buffer to write results to (must be 12 bytes or longer)

a_len Length of buffer

References TSK_FS_META::mode, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_ISGID, TSK_FS_META_MODE_ISUID, TSK_FS_META_MODE_ISVTX, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IXOTH, TSK_FS_META_MODE_IXUSR, tsk_fs_meta_type_str, TSK_FS_META_TYPE_STR_MAX, and TSK_FS_META::type.

Referenced by TskFsMeta::getLs().

Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.

For example, it can call the callback on only allocated or unallocated entries.

Parameters

a_fs File system to process

a_start Metadata address to start walking from

a_end Metadata address to walk to

a_flags Flags that specify the desired metadata features

a_cb Callback function to call

a_ptr Pointer to pass to the callback

Returns

1 on error and 0 on success

References TSK_FS_INFO::inode_walk.

Referenced by btrfs_open(), and TskFsInfo::metaWalk().

Tries to process data in a disk image at a given offset as a file system.

Returns a structure that can be used for analysis and reporting.

Parameters

a_img_info Disk image to analyze

a_offset Byte offset to start analyzing from

a_ftype Type of file system (or autodetect)

Returns

NULL on error

References tsk_fs_open_img_decrypt().

Referenced by TskAuto::findFilesInPool(), and TskFsInfo::open().

Tries to process data in a disk image at a given offset as a file system.

Allows for providing an optional password for decryption. Returns a structure that can be used for analysis and reporting.

Parameters

a_img_info Disk image to analyze

a_offset Byte offset to start analyzing from

a_ftype Type of file system (or autodetect)

a_pass Password to decrypt filesystem. Currently only used if type is specified.

Returns

NULL on error

References btrfs_open(), TSK_FS_INFO::close, TSK_IMG_INFO::itype, tsk_error_get_errno(), tsk_error_get_errstr(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), TSK_FS_TYPE_APFS_DETECT, TSK_FS_TYPE_BTRFS_DETECT, TSK_FS_TYPE_DETECT, TSK_FS_TYPE_EXT_DETECT, TSK_FS_TYPE_FAT_DETECT, TSK_FS_TYPE_FFS_DETECT, TSK_FS_TYPE_HFS_DETECT, TSK_FS_TYPE_ISAPFS, TSK_FS_TYPE_ISBTRFS, TSK_FS_TYPE_ISEXT, TSK_FS_TYPE_ISFAT, TSK_FS_TYPE_ISFFS, TSK_FS_TYPE_ISHFS, TSK_FS_TYPE_ISISO9660, TSK_FS_TYPE_ISNTFS, TSK_FS_TYPE_ISO9660_DETECT, TSK_FS_TYPE_ISRAW, TSK_FS_TYPE_ISSWAP, TSK_FS_TYPE_ISXFS, TSK_FS_TYPE_ISYAFFS2, TSK_FS_TYPE_LOGICAL, TSK_FS_TYPE_NTFS_DETECT, TSK_FS_TYPE_XFS_DETECT, TSK_FS_TYPE_YAFFS2_DETECT, TSK_IMG_TYPE_LOGICAL, and tsk_verbose.

Referenced by TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), tsk_fs_open_img(), and tsk_fs_open_vol_decrypt().

Tries to process data in a volume as a file system.

Returns a structure that can be used for analysis and reporting.

Parameters

a_part_info Open volume to read from and analyze

a_ftype Type of file system (or autodetect)

Returns

NULL on error

References tsk_fs_open_vol_decrypt().

Referenced by TskFsInfo::open().

Tries to process data in a volume as a file system.

Allows for providing an optional password for decryption. Returns a structure that can be used for analysis and reporting.

Parameters

a_part_info Open volume to read from and analyze

a_ftype Type of file system (or autodetect)

a_pass Password to decrypt filesystem

Returns

NULL on error

References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, TSK_VS_PART_INFO::start, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_open_img_decrypt(), and TSK_VS_PART_INFO::vs.

Referenced by tsk_fs_open_vol().

Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there).

This assumes the string is either: INUM, INUM-TYPE, or INUM-TYPE-ID. Return the values in integer form.

Parameters

[in] str Input string to parse

[out] inum Pointer to location where inode can be stored.

[out] type Pointer to location where type can be stored (or NULL)

[out] type_used Pointer to location where the value can be set to 1 if the type was set (to differentiate between meanings of 0) (or NULL).

[out] id Pointer to location where id can be stored (or NULL)

[out] id_used Pointer to location where the value can be set to 1 if the id was set (to differentiate between meanings of 0) (or NULL).

Returns

1 on error or if not an inode and 0 on success

References TSK_FS_ATTR_ID_DEFAULT.

Referenced by TskFsInfo::parseINum().

Find the meta data address for a given file name (UTF-8).

The basic idea of the function is to break the given name into its subdirectories and start looking for each (starting in the root directory).

Parameters

a_fs FS to analyze

a_path UTF-8 path of file to search for

[out] a_result Meta data address of file

[out] a_fs_name Copy of name details (or NULL if details not wanted)

Returns

-1 on (system) error, 0 if found, and 1 if not found

References TSK_FS_NAME::flags, TSK_FS_DIR::fs_file, TSK_FS_INFO::ftype, TSK_FS_FILE::meta, TSK_FS_NAME::meta_addr, TSK_FS_ATTR::name, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_INFO::root_inum, TSK_FS_NAME::shrt_name, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_dir_close(), tsk_fs_dir_get(), tsk_fs_dir_getsize(), tsk_fs_dir_open_meta(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_getsize(), tsk_fs_file_close(), TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_TYPE_DIR, TSK_FS_TYPE_ISNTFS, tsk_verbose, TSK_FS_META::type, and TSK_FS_NAME::type.

Referenced by TskFsInfo::path2INum(), tsk_fs_dir_open(), tsk_fs_file_open(), and tsk_fs_ifind_path().

Read arbitrary data from inside of the file system.

Parameters

a_fs The file system handle.

a_off The byte offset to start reading from (relative to start of file system)

a_buf The buffer to store the block in.

a_len The number of bytes to read

Returns

The number of bytes read or -1 on error.

References tsk_fs_read_decrypt().

Referenced by TskFsInfo::read().

Read a file system block into a char* buffer.

This is actually a wrapper around the fs_read_random function, but it allows the starting location to be specified as a block address.

Parameters

a_fs The file system structure.

a_addr The starting block file system address.

a_buf The char * buffer to store the block data in.

a_len The number of bytes to read (must be a multiple of the block size)

Returns

The number of bytes read or -1 on error.

References tsk_fs_read_block_decrypt().

Referenced by fatfs_inode_walk(), TskFsInfo::readBlock(), and tsk_fs_blkcat().

Read a file system block into a char* buffer.

This is actually a wrapper around the fs_read_random function, but it allows the starting location to be specified as a block address.

Parameters

a_fs The file system structure.

a_addr The starting block file system address.

a_buf The char * buffer to store the block data in.

a_len The number of bytes to read (must be a multiple of the block size)

crypto_id Starting block number needed for the XTS IV

Returns

The number of bytes read or -1 on error.

References TSK_FS_INFO::block_post_size, TSK_FS_INFO::block_pre_size, TSK_FS_INFO::block_size, TSK_FS_INFO::flags, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, PRIuSIZE, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_INFO_FLAG_ENCRYPTED, and tsk_img_read().

Referenced by tsk_fs_read_block(), and tsk_fs_read_decrypt().

Read arbitrary data from inside of the file system.

Parameters

a_fs The file system handle.

a_off The byte offset to start reading from (relative to start of file system)

a_buf The buffer to store the block in.

a_len The number of bytes to read

crypto_id Starting block number needed for the XTS IV

Returns

The number of bytes read or -1 on error.

References TSK_FS_INFO::block_post_size, TSK_FS_INFO::block_pre_size, TSK_FS_INFO::block_size, TSK_FS_INFO::flags, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_INFO_FLAG_ENCRYPTED, tsk_fs_read_block_decrypt(), and tsk_img_read().

Referenced by tsk_fs_attr_read(), and tsk_fs_read().

Converts a time value to a string representation.

Prints all zero values instead of 1970 if time is 0.

Parameters

time Time to be displayed.

buf Buffer to print into (must be 128 byes or larger)

Returns

Pointer to buffer that was passed in.

Referenced by fatfs_istat().

Converts a time value to a string representation.

Prints all zero values instead of 1970 if time is 0.

Parameters

time Time to be displayed.

buf Buffer to print into (must b 64 bytes or larger)

subsecs Subseconds to be printed

Returns

Pointer to buffer that was passed in.

Print the supported file system types to a file handle.

Parameters

hFile File handle to print to

References tsk_fprintf().

Referenced by TskFsInfo::typePrint().

Return the supported file system types.

Returns

The bit in the return value is 1 if the type is supported.

Referenced by TskFsInfo::typeSupported().

Parse a string with the file system type and return its internal ID.

Parameters

str String to parse.

Returns

ID of string (or unsupported if the name is unknown)

References tsk_fs_type_toid_utf8().

Referenced by TskFsInfo::typeToId().

Parse a string with the file system type and return its internal ID.

Parameters

str String to parse, always UTF-8.

Returns

ID of string (or unsupported if the name is unknown)

References TSK_FS_TYPE_UNSUPP.

Referenced by tsk_fs_type_toid().

Return the string name of a file system type id.

Parameters

ftype File system type id

Returns

Name or NULL on error

Referenced by TskFsInfo::typeToName().