The Sleuth Kit  4.13.0
tsk_base.h File Reference

Contains the type and function definitions that are needed by external programs to use the TSK library. More...

#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include "tsk/tsk_incs.h"
#include "tsk_os.h"

Classes

struct   TSK_ERROR_INFO
 
struct   TSK_LIST
  Linked list structure that holds a 'key' and optional 'length'. More...
 
struct   tsk_lock_t
 
struct   TSK_MD5_CTX
 
struct   TSK_SHA_CTX
 
struct   TSK_STACK
  Basic stack structure to push and pop (used for finding loops in recursion). More...
 
class   TskError
  Allows access to most recent error message and code in the thread. More...
 

Macros

#define  TSK_ERR_AUTO   0x20000000
 
#define  TSK_ERR_AUTO_CORRUPT   (TSK_ERR_AUTO | 1)
 
#define  TSK_ERR_AUTO_DB   (TSK_ERR_AUTO | 0)
 
#define  TSK_ERR_AUTO_MAX   4
 
#define  TSK_ERR_AUTO_NOTOPEN   (TSK_ERR_AUTO | 3)
 
#define  TSK_ERR_AUTO_UNICODE   (TSK_ERR_AUTO | 2)
 
#define  TSK_ERR_AUX   0x01000000
 
#define  TSK_ERR_AUX_GENERIC   (TSK_ERR_AUX | 2)
 
#define  TSK_ERR_AUX_MALLOC   (TSK_ERR_AUX | 0)
 
#define  TSK_ERR_AUX_MAX   2
 
#define  TSK_ERR_FS   0x08000000
 
#define  TSK_ERR_FS_ARG   (TSK_ERR_FS | 6)
 
#define  TSK_ERR_FS_ATTR_NOTFOUND   (TSK_ERR_FS | 17)
 
#define  TSK_ERR_FS_BITLOCKER_ERROR   (TSK_ERR_FS | 21)
 
#define  TSK_ERR_FS_BLK_NUM   (TSK_ERR_FS | 7)
 
#define  TSK_ERR_FS_CORRUPT   (TSK_ERR_FS | 16)
 
#define  TSK_ERR_FS_ENCRYPTED   (TSK_ERR_FS | 18)
 
#define  TSK_ERR_FS_FWALK   (TSK_ERR_FS | 11)
 
#define  TSK_ERR_FS_GENFS   (TSK_ERR_FS | 15)
 
#define  TSK_ERR_FS_INODE_COR   (TSK_ERR_FS | 9)
 
#define  TSK_ERR_FS_INODE_NUM   (TSK_ERR_FS | 8)
 
#define  TSK_ERR_FS_MAGIC   (TSK_ERR_FS | 10)
 
#define  TSK_ERR_FS_MAX   22
 
#define  TSK_ERR_FS_MULTTYPE   (TSK_ERR_FS | 20)
 
#define  TSK_ERR_FS_POSSIBLY_ENCRYPTED   (TSK_ERR_FS | 19)
 
#define  TSK_ERR_FS_READ   (TSK_ERR_FS | 4)
 
#define  TSK_ERR_FS_READ_OFF   (TSK_ERR_FS | 5)
 
#define  TSK_ERR_FS_RECOVER   (TSK_ERR_FS | 14)
 
#define  TSK_ERR_FS_UNICODE   (TSK_ERR_FS | 13)
 
#define  TSK_ERR_FS_UNKTYPE   (TSK_ERR_FS | 0)
 
#define  TSK_ERR_FS_UNSUPFUNC   (TSK_ERR_FS | 2)
 
#define  TSK_ERR_FS_UNSUPTYPE   (TSK_ERR_FS | 1)
 
#define  TSK_ERR_FS_WALK_RNG   (TSK_ERR_FS | 3)
 
#define  TSK_ERR_FS_WRITE   (TSK_ERR_FS | 12)
 
#define  TSK_ERR_HDB   0x10000000
 
#define  TSK_ERR_HDB_ARG   (TSK_ERR_HDB | 4)
 
#define  TSK_ERR_HDB_CORRUPT   (TSK_ERR_HDB | 11)
 
#define  TSK_ERR_HDB_CREATE   (TSK_ERR_HDB | 6)
 
#define  TSK_ERR_HDB_DELETE   (TSK_ERR_HDB | 7)
 
#define  TSK_ERR_HDB_MAX   13
 
#define  TSK_ERR_HDB_MISSING   (TSK_ERR_HDB | 8)
 
#define  TSK_ERR_HDB_OPEN   (TSK_ERR_HDB | 10)
 
#define  TSK_ERR_HDB_PROC   (TSK_ERR_HDB | 9)
 
#define  TSK_ERR_HDB_READDB   (TSK_ERR_HDB | 2)
 
#define  TSK_ERR_HDB_READIDX   (TSK_ERR_HDB | 3)
 
#define  TSK_ERR_HDB_UNKTYPE   (TSK_ERR_HDB | 0)
 
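#define  TSK_ERR_HDB_UNSUPFUNC   (TSK_ERR_HDB | 11)
  Note: this is the same value as TSK_ERR_HDB_CORRUPT, so the numeric code alone cannot distinguish the two conditions.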
 
#define  TSK_ERR_HDB_UNSUPTYPE   (TSK_ERR_HDB | 1)
 
#define  TSK_ERR_HDB_WRITE   (TSK_ERR_HDB | 5)
 
#define  TSK_ERR_IMG   0x02000000
 
#define  TSK_ERR_IMG_ARG   (TSK_ERR_IMG | 9)
 
#define  TSK_ERR_IMG_CONVERT   (TSK_ERR_IMG | 12)
 
#define  TSK_ERR_IMG_MAGIC   (TSK_ERR_IMG | 10)
 
#define  TSK_ERR_IMG_MAX   14
 
#define  TSK_ERR_IMG_NOFILE   (TSK_ERR_IMG | 0)
 
#define  TSK_ERR_IMG_OFFSET   (TSK_ERR_IMG | 1)
 
#define  TSK_ERR_IMG_OPEN   (TSK_ERR_IMG | 4)
 
#define  TSK_ERR_IMG_PASSWD   (TSK_ERR_IMG | 13)
 
#define  TSK_ERR_IMG_READ   (TSK_ERR_IMG | 7)
 
#define  TSK_ERR_IMG_READ_OFF   (TSK_ERR_IMG | 8)
 
#define  TSK_ERR_IMG_SEEK   (TSK_ERR_IMG | 6)
 
#define  TSK_ERR_IMG_STAT   (TSK_ERR_IMG | 5)
 
#define  TSK_ERR_IMG_UNKTYPE   (TSK_ERR_IMG | 2)
 
#define  TSK_ERR_IMG_UNSUPTYPE   (TSK_ERR_IMG | 3)
 
#define  TSK_ERR_IMG_WRITE   (TSK_ERR_IMG | 11)
 
#define  TSK_ERR_MASK   0x00ffffff
 
#define  TSK_ERR_POOL   0x40000000
 
#define  TSK_ERR_POOL_ARG   (TSK_ERR_POOL | 2)
 
#define  TSK_ERR_POOL_GENPOOL   (TSK_ERR_POOL | 3)
 
#define  TSK_ERR_POOL_MAX   4
 
#define  TSK_ERR_POOL_UNKTYPE   (TSK_ERR_POOL | 0)
 
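#define  TSK_ERR_POOL_UNSUPTYPE   (TSK_ERR_IMG | 1)
  Note: this is built from TSK_ERR_IMG rather than TSK_ERR_POOL, so its value equals TSK_ERR_IMG_OFFSET; a caller that classifies errors by their high bits will treat it as an image error.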
 
#define  TSK_ERR_VS   0x04000000
 
#define  TSK_ERR_VS_ARG   (TSK_ERR_VS | 7)
 
#define  TSK_ERR_VS_BLK_NUM   (TSK_ERR_VS | 6)
 
#define  TSK_ERR_VS_BUF   (TSK_ERR_VS | 5)
 
#define  TSK_ERR_VS_ENCRYPTED   (TSK_ERR_VS | 8)
 
#define  TSK_ERR_VS_MAGIC   (TSK_ERR_VS | 3)
 
#define  TSK_ERR_VS_MAX   10
 
#define  TSK_ERR_VS_MULTTYPE   (TSK_ERR_VS | 9)
 
#define  TSK_ERR_VS_READ   (TSK_ERR_VS | 2)
 
#define  TSK_ERR_VS_UNKTYPE   (TSK_ERR_VS | 0)
 
#define  TSK_ERR_VS_UNSUPTYPE   (TSK_ERR_VS | 1)
 
#define  TSK_ERR_VS_WALK_RNG   (TSK_ERR_VS | 4)
 
#define  TSK_ERROR_FORMAT_ATTRIBUTE(n, m)
 
#define  TSK_ERROR_STRING_MAX_LENGTH   1024
 
#define  TSK_VERSION_NUM   0x041300ff
  Version of code in number form. More...
 
#define  TSK_VERSION_STR   "4.13.0"
  Version of code in string form. More...
 
printf macros if system does not define them
#define  PRIx64   "llx"
 
#define  PRIX64   "llX"
 
#define  PRIu64   "llu"
 
#define  PRId64   "lld"
 
#define  PRIo64   "llo"
 
#define  PRIx32   "x"
 
#define  PRIX32   "X"
 
#define  PRIu32   "u"
 
#define  PRId32   "d"
 
#define  PRIx16   "hx"
 
#define  PRIX16   "hX"
 
#define  PRIu16   "hu"
 
#define  PRIu8   "hhu"
 
#define  PRIx8   "hhx"
 

Typedefs

typedef struct TSK_LIST  TSK_LIST
 

Enumerations

enum   TSK_RETVAL_ENUM { TSK_OK, TSK_ERR, TSK_COR, TSK_STOP }
  Return values for some TSK functions that need to differentiate between errors and corrupt data. More...
 
enum   TSK_WALK_RET_ENUM { TSK_WALK_CONT, TSK_WALK_STOP, TSK_WALK_ERROR }
  Values that callback functions can return to calling walk function. More...
 
Endian Ordering Functions
enum   TSK_ENDIAN_ENUM { TSK_UNKNOWN_ENDIAN, TSK_LIT_ENDIAN, TSK_BIG_ENDIAN }
  Flag that identifies the endian ordering of the data being read. More...
 

Functions

void  tsk_error_errstr2_concat (const char *format,...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2)
 
const char *  tsk_error_get ()
  Return a human-readable form of tsk_error_get_errno. More...
 
uint32_t  tsk_error_get_errno ()
  Return the current error number. More...
 
char *  tsk_error_get_errstr ()
  Retrieve the current, basic error string. More...
 
char *  tsk_error_get_errstr2 ()
  Retrieve the current error string #2. More...
 
TSK_ERROR_INFO *  tsk_error_get_info ()
 
void  tsk_error_print (FILE *)
  Print the current fully formed error message to a file. More...
 
void  tsk_error_reset ()
  Clear the error number and error message.
 
void  tsk_error_set_errno (uint32_t t_errno)
  Set the current TSK error number. More...
 
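void  tsk_error_set_errstr (const char *format,...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2)
  format is a printf-style format string (the same applies to tsk_error_set_errstr2 and tsk_error_errstr2_concat); pass externally supplied text as a "%s" argument, not as format.
 
void  tsk_error_set_errstr2 (const char *format,...) TSK_ERROR_FORMAT_ATTRIBUTE(1, 2)
 
void  tsk_error_vset_errstr (const char *format, va_list args)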
  Set the error string. More...
 
void  tsk_error_vset_errstr2 (const char *format, va_list args)
  Set the error string. More...
 
void  tsk_fprintf (FILE *fd, const char *msg,...)
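  fprintf wrapper function that takes UTF-8 strings as input (on all platforms) and does what is necessary to output strings in the correct encoding (UTF-8 on Unix and UTF-16 on Windows). msg is a printf-style format string: pass text that comes from an image or from user input as an argument to "%s", not as msg. More...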
 
uint8_t  tsk_list_add (TSK_LIST **list, uint64_t key)
  Add an entry to a TSK_LIST (and create one if one does not exist) More...
 
uint8_t  tsk_list_find (TSK_LIST *list, uint64_t key)
  Search a TSK_LIST for the existence of a value. More...
 
void  tsk_list_free (TSK_LIST *list)
  Free a TSK_LIST. More...
 
TSK_OFF_T  tsk_parse_offset (const TSK_TCHAR *)
  Parse a TSK_TCHAR block address string. More...
 
int  tsk_parse_pnum (const TSK_TCHAR *a_pnum_str, TSK_PNUM_T *a_pnum)
  Parse a TSK_TCHAR string of a partition byte offset and the integer version of it. More...
 
int  tsk_print_sanitized (FILE *fd, const char *str)
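  Prints the string with control characters removed. Use it for strings read from an image (such as file names) before writing them to a terminal or log. More...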
 
void  tsk_printf (const char *msg,...)
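  printf wrapper function that takes UTF-8 strings as input (on all platforms) and does what is necessary to output strings in the correct encoding (UTF-8 on Unix and UTF-16 on Windows). msg is a printf-style format string: pass text that comes from an image or from user input as an argument to "%s", not as msg. More...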
 
TSK_STACK *  tsk_stack_create ()
  Create a TSK_STACK structure. More...
 
uint8_t  tsk_stack_find (TSK_STACK *stack, uint64_t key)
  Search a TSK_STACK for a given value. More...
 
void  tsk_stack_free (TSK_STACK *stack)
  Free an allocated TSK_STACK structure. More...
 
void  tsk_stack_pop (TSK_STACK *stack)
  Pop a value from the top of the stack. More...
 
uint8_t  tsk_stack_push (TSK_STACK *stack, uint64_t key)
  Push a value to the top of TSK_STACK. More...
 
const char *  tsk_version_get_str ()
  Return the library version as a string. More...
 
void  tsk_version_print (FILE *)
  Print the library name and version to a handle (such as "The Sleuth Kit ver 1.00"). More...
 

Variables

int  tsk_verbose
  Set to 1 to have verbose debug messages printed to stderr.
 

Internal integer types and printf macros

#define  PRIuINUM   PRIu64
 
#define  PRIxINUM   PRIx64
 
#define  PRIuUID   PRIu32
 
#define  PRIxUID   PRIx32
 
#define  PRIuGID   PRIu32
 
#define  PRIxGID   PRIx32
 
#define  PRIuDADDR   PRIu64
 
#define  PRIxDADDR   PRIx64
 
#define  PRIxOFF   PRIx64
 
#define  PRIdOFF   PRId64
 
#define  PRIuPNUM   PRIu32
 
#define  PRIxPNUM   PRIx32
 
typedef uint64_t  TSK_INUM_T
  Data type used to internally store metadata / inode addresses.
 
typedef uint32_t  TSK_UID_T
  Data type used to internally store User IDs.
 
typedef uint32_t  TSK_GID_T
  Data type used to internally store Group IDs.
 
typedef uint64_t  TSK_DADDR_T
  Data type used to internally store sector and block addresses.
 
typedef int64_t  TSK_OFF_T
  Data type used to internally store volume, file, etc. sizes and offsets.
 
typedef uint32_t  TSK_PNUM_T
  Data type used to internally store partition addresses.
 

MD5 and SHA-1 hashing

#define  FALSE   0
 
#define  TRUE   ( !FALSE )
 
#define  TSK_MD5_DIGEST_LENGTH   16
 
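#define  TSK_SHA_DIGEST_LENGTH   32
  Note: a SHA-1 digest is 20 bytes, so this constant is larger than the digest itself; check TSK_SHA_Final for how many bytes it writes before sizing or comparing output buffers.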
 
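enum   TSK_BASE_HASH_ENUM { TSK_BASE_HASH_INVALID_ID = 0, TSK_BASE_HASH_MD5 = 0x01, TSK_BASE_HASH_SHA1 = 0x02 }
  Note: MD5 and SHA-1 are not collision resistant; they are suited to known-file lookup and to detecting accidental corruption, and should be paired with a stronger hash where deliberate tampering is a concern.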
 
typedef unsigned char *  POINTER
 
typedef uint16_t  UINT2
 
typedef uint32_t  UINT4
 
typedef uint8_t  BYTE
 
void  TSK_MD5_Init (TSK_MD5_CTX *)
  Initialize an MD5 context structure so that data can be added to it. More...
 
void  TSK_MD5_Update (TSK_MD5_CTX *, const unsigned char *, unsigned int)
  Add data to an initialized MD5 operation. More...
 
void  TSK_MD5_Final (TSK_MD5_CTX *, unsigned char[16])
  Calculate the MD5 hash of the data added to this context. More...
 
void  TSK_SHA_Init (TSK_SHA_CTX *)
  Initialize a SHA-1 context so that data can be added to it. More...
 
void  TSK_SHA_Update (TSK_SHA_CTX *, const BYTE *buffer, unsigned int count)
  Add data to an initialized SHA-1 context. More...
 
void  TSK_SHA_Final (TSK_SHA_CTX *, BYTE *output)
  Calculate the hash of the data added to the context. More...
 

Detailed Description

Contains the type and function definitions that are needed by external programs to use the TSK library.

Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_base_i.h.

Macro Definition Documentation

#define TSK_VERSION_NUM   0x041300ff

Version of code in number form.

The upper byte is A, the next is B, and the next is C for version A.B.C. A component of 10 or more is written with its decimal digits as hex digits: 4.13.0 is 0x041300ff, so 13 appears as 0x13, not 0x0d. The lowest byte is 0xff, except in beta releases, in which case it increments from 1. Nightly snapshots have 0xff as the upper byte, and the next bytes hold the year, month, and date, respectively. Note that this method cannot differentiate between snapshots from the trunk and snapshots from branches. For example, 3.1.2 would be stored as 0x030102FF, 3.1.2b1 would be 0x03010201, and a snapshot from Jan 2, 2003 would be 0xFF030102. See TSK_VERSION_STR for string form.

#define TSK_VERSION_STR   "4.13.0"

Version of code in string form.

See TSK_VERSION_NUM for integer form.

Referenced by tsk_version_get_str() and tsk_version_print().

Enumeration Type Documentation

Flag that identifies the endian ordering of the data being read.

Enumerator
TSK_UNKNOWN_ENDIAN 

Endianness is unknown.

TSK_LIT_ENDIAN 

Data is in little endian.

TSK_BIG_ENDIAN 

Data is in big endian.

Return values for some TSK functions that need to differentiate between errors and corrupt data.

Enumerator
TSK_OK 

Ok – success.

TSK_ERR 

System error – should abort.

TSK_COR 

Data is corrupt, can still process another set of data.

TSK_STOP 

Stop further processing, not an error though.

Values that callback functions can return to calling walk function.

Enumerator
TSK_WALK_CONT 

Walk function should continue to next object.

TSK_WALK_STOP 

Walk function should stop processing units and return OK.

TSK_WALK_ERROR 

Walk function should stop processing units and return error.


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.
