The Sleuth Kit: tsk/auto/tsk_db.h File Reference

The Sleuth Kit 4.13.0

Classes | Macros | Typedefs | Enumerations | Functions

tsk_db.h File Reference

Contains TSK interface to abstract database handling class. More...

#include <vector>
#include <string>
#include <ostream>
#include "tsk_auto_i.h"

Classes

struct _TSK_DB_FILE_LAYOUT_RANGE

Structure wrapping a single file_layout db entry. More...

struct _TSK_DB_FS_INFO

Structure wrapping a single fs info db entry. More...

struct _TSK_DB_OBJECT

Structure wrapping a single tsk objects db entry. More...

struct _TSK_DB_VS_INFO

Structure wrapping a single vs info db entry. More...

struct _TSK_DB_VS_PART_INFO

class TskDb

Macros

#define MAX_PATH_LENGTH 2048

#define TSK_MAX_DB_VS_PART_INFO_DESC_LEN 512

Structure wrapping a single vs part db entry.

#define TSK_SCHEMA_MINOR_VER 4

#define TSK_SCHEMA_VER 8

Do not change these values - the schema is no longer being updated in this code and does not match the current version in SleuthkitCase.java.

Typedefs

typedef struct _TSK_DB_FILE_LAYOUT_RANGE TSK_DB_FILE_LAYOUT_RANGE

Structure wrapping a single file_layout db entry.

typedef struct _TSK_DB_FS_INFO TSK_DB_FS_INFO

Structure wrapping a single fs info db entry.

typedef struct _TSK_DB_OBJECT TSK_DB_OBJECT

Structure wrapping a single tsk objects db entry.

typedef struct _TSK_DB_VS_INFO TSK_DB_VS_INFO

Structure wrapping a single vs info db entry.

typedef struct _TSK_DB_VS_PART_INFO TSK_DB_VS_PART_INFO

Enumerations

enum TSK_DB_FILES_KNOWN_ENUM { TSK_DB_FILES_KNOWN_UNKNOWN = 0, TSK_DB_FILES_KNOWN_KNOWN = 1, TSK_DB_FILES_KNOWN_KNOWN_BAD = 2, TSK_DB_FILES_KNOWN_KNOWN_GOOD = 3 }

Values for the "known" column of the tsk_files table. More...

enum TSK_DB_FILES_TYPE_ENUM {
TSK_DB_FILES_TYPE_FS = 0, TSK_DB_FILES_TYPE_CARVED, TSK_DB_FILES_TYPE_DERIVED, TSK_DB_FILES_TYPE_LOCAL,
TSK_DB_FILES_TYPE_UNALLOC_BLOCKS, TSK_DB_FILES_TYPE_UNUSED_BLOCKS, TSK_DB_FILES_TYPE_VIRTUAL_DIR, TSK_DB_FILES_TYPE_SLACK
}

Values for the files type column in the tsk_files table. More...

enum TSK_DB_OBJECT_TYPE_ENUM {
TSK_DB_OBJECT_TYPE_IMG = 0, TSK_DB_OBJECT_TYPE_VS, TSK_DB_OBJECT_TYPE_VOL, TSK_DB_OBJECT_TYPE_FS,
TSK_DB_OBJECT_TYPE_FILE, TSK_DB_OBJECT_TYPE_ARTIFACT, TSK_DB_OBJECT_TYPE_REPORT, TSK_DB_OBJECT_TYPE_POOL
}

Values for the type column in the tsk_objects table. More...

Functions

ostream & operator<< (ostream &os, const TSK_DB_OBJECT &dbObject)

ostream & operator<< (ostream &os, const TSK_DB_FILE_LAYOUT_RANGE &layoutRange)

ostream & operator<< (ostream &os, const TSK_DB_FS_INFO &fsInfo)

ostream & operator<< (ostream &os, const TSK_DB_VS_INFO &vsInfo)

ostream & operator<< (ostream &os, const TSK_DB_VS_PART_INFO &vsPartInfos)

Detailed Description

Contains TSK interface to abstract database handling class.

The intent of this class is so that different databases can be seamlessly used by TSK.

Enumeration Type Documentation

enum TSK_DB_FILES_KNOWN_ENUM

Values for the "known" column of the tsk_files table.

Enumerator
TSK_DB_FILES_KNOWN_UNKNOWN	Not matched against an index.
TSK_DB_FILES_KNOWN_KNOWN	Match found in a "known" file index (such as NIST NSRL)and could be good or bad.
TSK_DB_FILES_KNOWN_KNOWN_BAD	Match found in a "known bad" index.
TSK_DB_FILES_KNOWN_KNOWN_GOOD	Match found in a "known good" index.

enum TSK_DB_FILES_TYPE_ENUM

Values for the files type column in the tsk_files table.

Enumerator
TSK_DB_FILES_TYPE_FS	File that can be found in file system tree.
TSK_DB_FILES_TYPE_CARVED	Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS range.
TSK_DB_FILES_TYPE_DERIVED	File derived from a parent file (i.e. from ZIP)
TSK_DB_FILES_TYPE_LOCAL	Local file that was added (not from a disk image)
TSK_DB_FILES_TYPE_UNALLOC_BLOCKS	Set of blocks not allocated by file system. Parent should be image, volume, or file system. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout.
TSK_DB_FILES_TYPE_UNUSED_BLOCKS	Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNALLOC_BLOCKS, many columns in tsk_files will be NULL, set layout in tsk_file_layout.
TSK_DB_FILES_TYPE_VIRTUAL_DIR	Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other than TSK_DB_FILES_TYPE_FS. Its parent is either another TSK_DB_FILES_TYPE_FS or a root directory or type TSK_DB_FILES_TYPE_FS.
TSK_DB_FILES_TYPE_SLACK	Slack space for a single file.

enum TSK_DB_OBJECT_TYPE_ENUM

Values for the type column in the tsk_objects table.

Enumerator
TSK_DB_OBJECT_TYPE_IMG	Object is a disk image.
TSK_DB_OBJECT_TYPE_VS	Object is a volume system.
TSK_DB_OBJECT_TYPE_VOL	Object is a volume.
TSK_DB_OBJECT_TYPE_FS	Object is a file system.
TSK_DB_OBJECT_TYPE_FILE	Object is a file (exact type can be determined in the tsk_files table via TSK_DB_FILES_TYPE_ENUM)
TSK_DB_OBJECT_TYPE_ARTIFACT	Autopsy placeholder.
TSK_DB_OBJECT_TYPE_REPORT	Autopsy placeholder.
TSK_DB_OBJECT_TYPE_POOL	Object is a pool.