External header file for file system support.
More...
#include <sys/types.h>
Classes
Holds information about the location of file content (or a file attribute).
More...
Holds information about a single data run, which has a starting address and length.
More...
Structure used as the head of an attribute list.
More...
Generic data structure to hold block data with metadata.
More...
A handle to a directory so that its files can be individually accessed.
More...
Generic structure used to refer to files in the file system.
More...
Stores state information for an open file system.
More...
TSK data structure to store general file and directory metadata.
More...
Relatively generic structure to hold file names that are stored with the file metadata.
More...
Generic structure to store the file name information that is stored in a directory.
More...
Stores information about a file attribute.
More...
Contains information about a single data run, which has a starting address and length.
More...
Stores information about a file system block.
More...
Stores information about a directory in the file system.
More...
Class that represents an allocated or deleted file.
More...
Stores information about an open file system.
More...
Stores metadata about a file.
More...
Stores information about names that are located in metadata structures.
More...
Stores the file name information that is stored in a directory.
More...
Macros
#define TSK_FS_ISDOT(str)
Typedefs
typedef enum TSK_FS_BLKCALC_FLAG_ENUM TSK_FS_BLKCALC_FLAG_ENUM
typedef enum TSK_FS_BLKCAT_FLAG_ENUM TSK_FS_BLKCAT_FLAG_ENUM
typedef enum TSK_FS_BLKLS_FLAG_ENUM TSK_FS_BLKLS_FLAG_ENUM
Function definition used for callback to blockWalk().
More...
typedef enum TSK_FS_FFIND_FLAG_ENUM TSK_FS_FFIND_FLAG_ENUM
File walk callback function definition.
More...
typedef enum TSK_FS_FLS_FLAG_ENUM TSK_FS_FLS_FLAG_ENUM
typedef enum TSK_FS_IFIND_FLAG_ENUM TSK_FS_IFIND_FLAG_ENUM
typedef enum TSK_FS_ILS_FLAG_ENUM TSK_FS_ILS_FLAG_ENUM
Function definition for callback in TskFsInfo.jblkWalk().
More...
Function definition for callback in TskFsInfo.jentryWalk().
More...
inode walk callback function definition.
More...
typedef struct _TSK_POOL_INFO TSK_POOL_INFO
Generic File System Journal Data Structures
Enumerations
/* Option flags; each value is a distinct bit.
 * NOTE(review): by name these select the input form for a blkcalc-style
 * address calculation (dd image, blkls output, slack) — confirm. */
enum TSK_FS_BLKCALC_FLAG_ENUM { TSK_FS_BLKCALC_DD = 0x01,
TSK_FS_BLKCALC_BLKLS = 0x02,
TSK_FS_BLKCALC_SLACK = 0x04
}
/* Option flags; NONE is zero and every other value is a distinct bit.
 * NOTE(review): by name these select the output form (hex, ASCII, HTML,
 * statistics) of the block-printing call — confirm. */
enum TSK_FS_BLKCAT_FLAG_ENUM {
TSK_FS_BLKCAT_NONE = 0x00,
TSK_FS_BLKCAT_HEX = 0x01,
TSK_FS_BLKCAT_ASCII = 0x02,
TSK_FS_BLKCAT_HTML = 0x04,
TSK_FS_BLKCAT_STAT = 0x08
}
/* Option flags; NONE is zero and every other value is a distinct bit.
 * NOTE(review): by name these belong to a blkls-style block listing
 * (cat, list, slack) — confirm. */
enum TSK_FS_BLKLS_FLAG_ENUM { TSK_FS_BLKLS_NONE = 0x00,
TSK_FS_BLKLS_CAT = 0x01,
TSK_FS_BLKLS_LIST = 0x02,
TSK_FS_BLKLS_SLACK = 0x04
}
/* Option flags with a single listed value.
 * NOTE(review): by name, ALL asks an ffind-style lookup for every match
 * rather than the first — confirm. */
enum TSK_FS_FFIND_FLAG_ENUM { TSK_FS_FFIND_ALL = 0x01
}
/* Option flags; NONE is zero and every other value is a distinct bit, so
 * they can be OR-ed together.
 * NOTE(review): by name these are fls-style listing options — confirm the
 * meaning of each against the header. */
enum TSK_FS_FLS_FLAG_ENUM {
TSK_FS_FLS_NONE = 0x00,
TSK_FS_FLS_DOT = 0x01,
TSK_FS_FLS_LONG = 0x02,
TSK_FS_FLS_FILE = 0x04,
TSK_FS_FLS_DIR = 0x08,
TSK_FS_FLS_FULL = 0x10,
TSK_FS_FLS_MAC = 0x20,
TSK_FS_FLS_HASH = 0x40
}
/* Option flags; NONE is zero and the other values are distinct bits.
 * NOTE(review): by name these are ifind-style lookup options — confirm. */
enum TSK_FS_IFIND_FLAG_ENUM { TSK_FS_IFIND_NONE = 0x00,
TSK_FS_IFIND_ALL = 0x01,
TSK_FS_IFIND_PAR_LONG = 0x02
}
/* Option flags; NONE is zero and every other value is a distinct bit.
 * NOTE(review): by name these are ils-style inode listing options
 * (open, MAC times, linked, unlinked) — confirm. */
enum TSK_FS_ILS_FLAG_ENUM {
TSK_FS_ILS_NONE = 0x00,
TSK_FS_ILS_OPEN = 0x01,
TSK_FS_ILS_MAC = 0x02,
TSK_FS_ILS_LINK = 0x04,
TSK_FS_ILS_UNLINK = 0x08
}
Functions
Read a specific number of blocks and print the contents to STDOUT.
More...
Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME).
More...
Find the meta data address for a given file TCHAR name.
More...
Library API for inode walking.
More...
Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there).
More...
Generic File System Block Data Structure
#define TSK_FS_BLOCK_TAG 0x1b7c3f4a
/* Flags used in TSK_FS_BLOCK and in the file_walk callback.
 * Every non-zero value is a single bit. Per the enumerator notes on this
 * page, ALLOC and UNALLOC exclude each other, CONT and META exclude each
 * other, and RAW, SPARSE and COMP exclude one another. Some flags are set
 * only by file_walk because they describe file-level details. */
enum
TSK_FS_BLOCK_FLAG_ENUM {
TSK_FS_BLOCK_FLAG_UNUSED = 0x0000, /* TSK_FS_BLOCK structure has no data in it */
TSK_FS_BLOCK_FLAG_ALLOC = 0x0001, /* block is allocated */
TSK_FS_BLOCK_FLAG_UNALLOC = 0x0002, /* block is unallocated */
TSK_FS_BLOCK_FLAG_CONT = 0x0004, /* block could contain file content */
TSK_FS_BLOCK_FLAG_META = 0x0008, /* block could contain file system metadata */
TSK_FS_BLOCK_FLAG_BAD = 0x0010, /* block has been marked as bad by the file system */
TSK_FS_BLOCK_FLAG_RAW = 0x0020, /* data was read raw from the disk */
TSK_FS_BLOCK_FLAG_SPARSE = 0x0040, /* file_walk data was stored as sparse (all zeros) */
TSK_FS_BLOCK_FLAG_COMP = 0x0080, /* file_walk data was stored in a compressed form */
TSK_FS_BLOCK_FLAG_RES = 0x0100, /* file_walk data is from an NTFS resident file */
TSK_FS_BLOCK_FLAG_AONLY = 0x0200 /* not described in the enumerator table on this page; presumably "address only, no content", by analogy with TSK_FS_BLOCK_WALK_FLAG_AONLY — confirm */
}
Get the contents and flags of a specific file system block.
More...
Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each.
More...
Generic File System File Content Data Structures
Default Data ID used if file system does not assign one.
Flags used for the
TSK_FS_ATTR structure, which is used to store file content metadata.
More...
Flags used by tsk_fs_file_walk to determine when the callback function should be used.
More...
/* Attribute type values. Per this page they are based on the NTFS type
 * values, with types added for HFS+; any change must be mirrored in
 * bindings/java/src/org/sleuthkit/datamodel/TskData.java.
 * Several names share one number (noted inline), so a numeric value cannot
 * be mapped back to a single name without knowing which file system it
 * came from, and a switch cannot carry both names as separate cases. */
enum
TSK_FS_ATTR_TYPE_ENUM {
TSK_FS_ATTR_TYPE_NOT_FOUND = 0x00,
TSK_FS_ATTR_TYPE_DEFAULT = 0x01,
TSK_FS_ATTR_TYPE_NTFS_SI = 0x10,
TSK_FS_ATTR_TYPE_NTFS_ATTRLIST = 0x20,
TSK_FS_ATTR_TYPE_NTFS_FNAME = 0x30,
TSK_FS_ATTR_TYPE_NTFS_VVER = 0x40, /* same value as TSK_FS_ATTR_TYPE_NTFS_OBJID */
TSK_FS_ATTR_TYPE_NTFS_OBJID = 0x40, /* same value as TSK_FS_ATTR_TYPE_NTFS_VVER */
TSK_FS_ATTR_TYPE_NTFS_SEC = 0x50,
TSK_FS_ATTR_TYPE_NTFS_VNAME = 0x60,
TSK_FS_ATTR_TYPE_NTFS_VINFO = 0x70,
TSK_FS_ATTR_TYPE_NTFS_DATA = 0x80,
TSK_FS_ATTR_TYPE_NTFS_IDXROOT = 0x90,
TSK_FS_ATTR_TYPE_NTFS_IDXALLOC = 0xA0,
TSK_FS_ATTR_TYPE_NTFS_BITMAP = 0xB0,
TSK_FS_ATTR_TYPE_NTFS_SYMLNK = 0xC0, /* same value as TSK_FS_ATTR_TYPE_NTFS_REPARSE */
TSK_FS_ATTR_TYPE_NTFS_REPARSE = 0xC0, /* same value as TSK_FS_ATTR_TYPE_NTFS_SYMLNK */
TSK_FS_ATTR_TYPE_NTFS_EAINFO = 0xD0,
TSK_FS_ATTR_TYPE_NTFS_EA = 0xE0,
TSK_FS_ATTR_TYPE_NTFS_PROP = 0xF0,
TSK_FS_ATTR_TYPE_NTFS_LOG = 0x100,
TSK_FS_ATTR_TYPE_UNIX_INDIR = 0x1001,
TSK_FS_ATTR_TYPE_UNIX_EXTENT = 0x1002,
TSK_FS_ATTR_TYPE_UNIX_XATTR = 0x1003,
TSK_FS_ATTR_TYPE_HFS_DEFAULT = 0x01, /* same value as TSK_FS_ATTR_TYPE_DEFAULT */
TSK_FS_ATTR_TYPE_HFS_DATA = 0x1100,
TSK_FS_ATTR_TYPE_HFS_RSRC = 0x1101,
TSK_FS_ATTR_TYPE_HFS_EXT_ATTR = 0x1102,
TSK_FS_ATTR_TYPE_HFS_COMP_REC = 0x1103,
/* The APFS names below are aliases of the HFS values above. */
TSK_FS_ATTR_TYPE_APFS_DATA = TSK_FS_ATTR_TYPE_HFS_DATA,
TSK_FS_ATTR_TYPE_APFS_RSRC = TSK_FS_ATTR_TYPE_HFS_RSRC,
TSK_FS_ATTR_TYPE_APFS_EXT_ATTR = TSK_FS_ATTR_TYPE_HFS_EXT_ATTR,
TSK_FS_ATTR_TYPE_APFS_COMP_REC = TSK_FS_ATTR_TYPE_HFS_COMP_REC
}
These are based on the NTFS type values.
More...
File walk callback function definition.
More...
Process an attribute and call a callback function with its contents.
More...
Generic File System File Metadata Data Structures
Number of file types in shortname array.
#define TSK_FS_META_TAG 0x13524635
String that is prepended to orphan FAT & NTFS files when the file name is known, but the parent is not.
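/* Expands to the last_inum member of the structure fs_info points to.
 * NOTE(review): by its name this is the metadata address given to the
 * orphan-files directory — confirm against the header.
 * The argument is parenthesized so that an expression argument (pointer
 * arithmetic, a conditional, a cast) binds before the -> operator. */
#define TSK_FS_ORPHANDIR_INUM(fs_info) ((fs_info)->last_inum)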
/* File type values as recorded in file metadata. The values are sequential
 * identifiers, not bit flags. The numbering differs from
 * TSK_FS_NAME_TYPE_ENUM on this page (for example REG is 0x01 here and 5
 * there), so the two must not be compared or cast to each other. */
enum
TSK_FS_META_TYPE_ENUM {
TSK_FS_META_TYPE_UNDEF = 0x00,
TSK_FS_META_TYPE_REG = 0x01, /* regular file */
TSK_FS_META_TYPE_DIR = 0x02, /* directory file */
TSK_FS_META_TYPE_FIFO = 0x03, /* named pipe (fifo) */
TSK_FS_META_TYPE_CHR = 0x04, /* character device */
TSK_FS_META_TYPE_BLK = 0x05, /* block device */
TSK_FS_META_TYPE_LNK = 0x06, /* symbolic link */
TSK_FS_META_TYPE_SHAD = 0x07, /* Solaris only */
TSK_FS_META_TYPE_SOCK = 0x08, /* UNIX domain socket */
TSK_FS_META_TYPE_WHT = 0x09, /* whiteout */
TSK_FS_META_TYPE_VIRT = 0x0a, /* "virtual file" created by TSK for file system areas */
TSK_FS_META_TYPE_VIRT_DIR = 0x0b /* "virtual directory" created by TSK to hold data like orphan files */
}
Values for the mode field – which identifies the file type and permissions.
More...
/* Permission bits of the mode field. The literals are octal (leading 0)
 * and each non-zero value is a single bit, so they are tested with a
 * bitwise AND. ISUID and ISGID are the bits to surface when triaging
 * executables recovered from an image, since they change the identity a
 * program runs with. */
enum
TSK_FS_META_MODE_ENUM {
TSK_FS_META_MODE_UNSPECIFIED = 0000000, /* unspecified */
TSK_FS_META_MODE_ISUID = 0004000, /* set user id on execution */
TSK_FS_META_MODE_ISGID = 0002000, /* set group id on execution */
TSK_FS_META_MODE_ISVTX = 0001000, /* sticky bit */
TSK_FS_META_MODE_IRUSR = 0000400, /* R for owner */
TSK_FS_META_MODE_IWUSR = 0000200, /* W for owner */
TSK_FS_META_MODE_IXUSR = 0000100, /* X for owner */
TSK_FS_META_MODE_IRGRP = 0000040, /* R for group */
TSK_FS_META_MODE_IWGRP = 0000020, /* W for group */
TSK_FS_META_MODE_IXGRP = 0000010, /* X for group */
TSK_FS_META_MODE_IROTH = 0000004, /* R for other */
TSK_FS_META_MODE_IWOTH = 0000002, /* W for other */
TSK_FS_META_MODE_IXOTH = 0000001 /* X for other */
}
inode walk callback function definition.
More...
Contains the short (1 character) name of the file type.
Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.
More...
Makes the "ls -l" permissions string for a file.
More...
Generic File System File Name Data Structures
Number of types that have a short string name.
#define TSK_FS_NAME_TAG 0x23147869
#define TSK_FS_DIR_TAG 0x57531246
File name flags that are used when specifying the status of a name in the
TSK_FS_NAME structure.
More...
/* File type values as specified in the directory entry structure. The
 * values are sequential identifiers, not bit flags. The numbering differs
 * from TSK_FS_META_TYPE_ENUM on this page (for example REG is 5 here and
 * 0x01 there), so the two must not be compared or cast to each other. */
enum
TSK_FS_NAME_TYPE_ENUM {
TSK_FS_NAME_TYPE_UNDEF = 0, /* unknown type */
TSK_FS_NAME_TYPE_FIFO = 1, /* named pipe */
TSK_FS_NAME_TYPE_CHR = 2, /* character device */
TSK_FS_NAME_TYPE_DIR = 3, /* directory */
TSK_FS_NAME_TYPE_BLK = 4, /* block device */
TSK_FS_NAME_TYPE_REG = 5, /* regular file */
TSK_FS_NAME_TYPE_LNK = 6, /* symbolic link */
TSK_FS_NAME_TYPE_SOCK = 7, /* socket */
TSK_FS_NAME_TYPE_SHAD = 8, /* shadow inode (Solaris) */
TSK_FS_NAME_TYPE_WHT = 9, /* whiteout (OpenBSD) */
TSK_FS_NAME_TYPE_VIRT = 10, /* special (TSK added "virtual" files) */
TSK_FS_NAME_TYPE_VIRT_DIR = 11 /* special (TSK added "virtual" directories) */
}
File type values – as specified in the directory entry structure.
More...
Flags that are used when walking names in directories.
More...
Open a directory (using its metadata addr) so that each of the files in it can be accessed.
More...
Open a directory (using its path) so that each of the files in it can be accessed.
More...
Walk the file names in a directory and obtain the details of the files via a callback.
More...
Returns the number of files and subdirectories in a directory.
More...
Return a specific file or subdirectory from an open directory.
More...
Return only the name for a file or subdirectory from an open directory.
More...
Find the meta data address for a given file name (UTF-8).
More...
Generic File System File Data Structures
#define TSK_FS_FILE_TAG 0x11212212
Flags used by tsk_fs_file_read.
More...
Return the handle structure for a specific file, given its full path.
More...
Open a file given its metadata address.
More...
Read the contents of a specific attribute of a file using a typical read() type interface.
More...
Read the contents of a specific attribute of a file using a typical read() type interface and be able to specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS).
More...
Return the default attribute for the file.
More...
Return the number of attributes in the file.
More...
Get a file's attribute based on the 0-based index in the list (and not type, id pair).
More...
Return a specific type and id attribute for the file.
More...
Return a specific attribute by its ID for the file.
More...
Process a file and call a callback function with the file contents.
More...
Process a specific attribute in a file and call a callback function with the file contents.
More...
Read the contents of a given attribute using a typical read() type interface.
More...
Returns a string representation of the security attributes of a file.
More...
Returns a string containing the md5 hash of the given file.
More...
Generic File System Handle Data Structure
Macro that takes a file system type and returns 1 if the type is for an NTFS file system.
More...
Macro that takes a file system type and returns 1 if the type is for a FAT file system.
More...
Macro that takes a file system type and returns 1 if the type is for an FFS file system.
More...
Macro that takes a file system type and returns 1 if the type is for an ExtX file system.
More...
Macro that takes a file system type and returns 1 if the type is for an ISO9660 file system.
More...
Macro that takes a file system type and returns 1 if the type is for an HFS file system.
More...
Macro that takes a file system type and returns 1 if the type is for a swap "file system".
More...
Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.
More...
Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.
More...
Macro that takes a file system type and returns 1 if the type is for an APFS "file system".
More...
Macro that takes a file system type and returns 1 if the type is for a Btrfs file system.
More...
Macro that takes a file system type and returns 1 if the type is for a raw "file system".
More...
Macro that takes a file system type and returns 1 if the type is for an APFS "file system".
More...
Macro that takes a file system type and returns 1 if the type is for a logical directory "file system".
More...
#define TSK_FS_INFO_TAG 0x10101010
#define TSK_FS_INFO_FS_ID_LEN 32
/* Values for the file system type. Most types are a single bit and each
 * *_DETECT value is the OR of the types in its family, as the numbers show.
 * Two values break the one-bit pattern and need care in mask tests:
 *   - EXFAT (0x0a) is the FAT12 and FAT32 bits together, so it cannot be
 *     told apart from FAT12|FAT32 by a bitwise AND; compare for equality.
 *   - UNSUPP (0xffffffff) has every bit set, so a bitwise AND against any
 *     *_DETECT mask is non-zero. NOTE(review): if the type-test macros
 *     documented on this page are mask tests, check for UNSUPP first —
 *     confirm against the header. */
enum
TSK_FS_TYPE_ENUM {
TSK_FS_TYPE_DETECT = 0x00000000, /* zero: no type selected; by name, asks for auto-detection — confirm */
TSK_FS_TYPE_NTFS = 0x00000001,
TSK_FS_TYPE_NTFS_DETECT = 0x00000001, /* same value as NTFS */
TSK_FS_TYPE_FAT12 = 0x00000002,
TSK_FS_TYPE_FAT16 = 0x00000004,
TSK_FS_TYPE_FAT32 = 0x00000008,
TSK_FS_TYPE_EXFAT = 0x0000000a, /* not a single bit: 0x02 | 0x08 */
TSK_FS_TYPE_FAT_DETECT = 0x0000000e, /* FAT12 | FAT16 | FAT32; also covers EXFAT's bits */
TSK_FS_TYPE_FFS1 = 0x00000010,
TSK_FS_TYPE_FFS1B = 0x00000020,
TSK_FS_TYPE_FFS2 = 0x00000040,
TSK_FS_TYPE_FFS_DETECT = 0x00000070, /* FFS1 | FFS1B | FFS2 */
TSK_FS_TYPE_EXT2 = 0x00000080,
TSK_FS_TYPE_EXT3 = 0x00000100,
TSK_FS_TYPE_EXT_DETECT = 0x00002180, /* EXT2 | EXT3 | EXT4 */
TSK_FS_TYPE_SWAP = 0x00000200,
TSK_FS_TYPE_SWAP_DETECT = 0x00000200, /* same value as SWAP */
TSK_FS_TYPE_RAW = 0x00000400,
TSK_FS_TYPE_RAW_DETECT = 0x00000400, /* same value as RAW */
TSK_FS_TYPE_ISO9660 = 0x00000800,
TSK_FS_TYPE_ISO9660_DETECT = 0x00000800, /* same value as ISO9660 */
TSK_FS_TYPE_HFS = 0x00001000,
TSK_FS_TYPE_HFS_DETECT = 0x00009000, /* HFS | HFS_LEGACY */
TSK_FS_TYPE_EXT4 = 0x00002000,
TSK_FS_TYPE_YAFFS2 = 0x00004000,
TSK_FS_TYPE_YAFFS2_DETECT = 0x00004000, /* same value as YAFFS2 */
TSK_FS_TYPE_HFS_LEGACY = 0x00008000,
TSK_FS_TYPE_APFS = 0x00010000,
TSK_FS_TYPE_APFS_DETECT = 0x00010000, /* same value as APFS */
TSK_FS_TYPE_LOGICAL = 0x00020000, /* no *_DETECT value is listed for this type */
TSK_FS_TYPE_BTRFS = 0x00040000,
TSK_FS_TYPE_BTRFS_DETECT = TSK_FS_TYPE_BTRFS,
TSK_FS_TYPE_XFS = 0x00080000,
TSK_FS_TYPE_XFS_DETECT = 0x00080000, /* same value as XFS */
TSK_FS_TYPE_UNSUPP = 0xffffffff /* all bits set; see the note above the enum */
}
Values for the file system type.
More...
Flags for the FS_INFO structure.
More...
/* Option flags; NONE is zero and RUNLIST is a single bit.
 * NOTE(review): by name, RUNLIST asks an istat-style report to include
 * the run list — confirm. */
enum TSK_FS_ISTAT_FLAG_ENUM { TSK_FS_ISTAT_NONE = 0x00,
TSK_FS_ISTAT_RUNLIST = 0x01
}
/* File system encryption type. Only two values are listed on this page:
 * none and BitLocker. Code that branches on this value should treat any
 * other number as unknown rather than as "not encrypted". */
enum TSK_FS_ENCRYPTION_TYPE_ENUM { TSK_FS_ENCRYPTION_TYPE_NONE = 0x00,
TSK_FS_ENCRYPTION_TYPE_BITLOCKER = 0x01
}
typedef enum TSK_FS_ISTAT_FLAG_ENUM TSK_FS_ISTAT_FLAG_ENUM
typedef enum TSK_FS_ENCRYPTION_TYPE_ENUM TSK_FS_ENCRYPTION_TYPE_ENUM
Tries to process data in a disk image at a given offset as a file system.
More...
Tries to process data in a volume as a file system.
More...
Tries to process data in a disk image at a given offset as a file system.
More...
Tries to process data in a volume as a file system.
More...
Parse a string with the file system type and return its internal ID.
More...
Parse a string with the file system type and return its internal ID.
More...
Print the supported file system types to a file handle.
More...
Return the string name of a file system type id.
More...
Return the supported file system types.
More...
Copies a summary of the encryption algorithm to a_desc.
More...
Read arbitrary data from inside of the file system.
More...
Read arbitrary data from inside of the file system.
More...
Read a file system block into a char* buffer.
More...
Read a file system block into a char* buffer.
More...
Detailed Description
External header file for file system support.
Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_fs_i.h.
Macro Definition Documentation
#define TSK_FS_ISDOT
(
str )
Value:( ((str[0] == '.') && \
( ((str[1] == '.') && (str[2] == '\0')) || (str[1] == '\0') ) ) ? 1 : 0 )
Typedef Documentation
Function definition used for callback to tsk_fs_block_walk().
- Parameters
-
a_block Pointer to block structure that holds block content and flags
a_ptr Pointer that was supplied by the caller who called tsk_fs_block_walk
- Returns
- Value to identify if walk should continue, stop, or stop because of error
Function definition used for callback to blockWalk().
- Parameters
-
a_block Pointer to
TskFsBlock object that holds block content and flags
a_ptr Pointer that was supplied by the caller who called tsk_fs_block_walk
- Returns
- Value to identify if walk should continue, stop, or stop because of error
Definition of callback function that is used by tsk_fs_dir_walk().
This is called for each file in a directory.
- Parameters
-
a_fs_file Pointer to the current file in the directory
a_path Path of the file
a_ptr Pointer that was originally passed by caller to tsk_fs_dir_walk.
- Returns
- Value to signal if tsk_fs_dir_walk should stop or continue.
Definition of callback function that is used by tsk_fs_dir_walk().
This is called for each file in a directory.
- Parameters
-
a_fs_file Pointer to the current file in the directory
a_path Path of the file
a_ptr Pointer that was originally passed by caller to tsk_fs_dir_walk.
- Returns
- Value to signal if tsk_fs_dir_walk should stop or continue.
File walk callback function definition.
This is called for chunks of content in the file being processed.
- Parameters
-
a_fs_file Pointer to file being processed
a_off Byte offset in file that this data is for
a_addr Address of data being passed (valid only if a_flags have RAW set)
a_buf Pointer to buffer with file content
a_len Size of data in buffer (in bytes)
a_flags Flags about the file content
a_ptr Pointer that was specified by caller to inode_walk
- Returns
- Value that tells file walk to continue or stop
File walk callback function definition.
This is called for chunks of content in the file being processed.
- Parameters
-
a_fs_file Pointer to file being processed
a_off Byte offset in file that this data is for
a_addr Address of data being passed (valid only if a_flags have RAW set)
a_buf Pointer to buffer with file content
a_len Size of data in buffer (in bytes)
a_flags Flags about the file content
a_ptr Pointer that was specified by caller to inode_walk
- Returns
- Value that tells file walk to continue or stop
Function definition for callback in TskFsInfo.jblkWalk().
- Parameters
-
a_fsInfo File system being analyzed
a_string
a_num
a_ptr Pointer that was supplied by the caller
- Returns
- Value to identify if walk should continue, stop, or stop because of error
Function definition for callback in TskFsInfo.jentryWalk().
- Parameters
-
a_fsInfo File system being analyzed
a_jentry journal entry
a_num
a_ptr Pointer that was supplied by the caller.
- Returns
- Value to identify if walk should continue, stop, or stop because of error
inode walk callback function definition.
This is called for every file that meets the criteria specified when inode_walk was called.
- Parameters
-
a_fs_file Pointer to the current file
a_ptr Pointer that was specified by caller to inode_walk
- Returns
- Value that tells inode walk to continue or stop
inode walk callback function definition.
This is called for every file that meets the criteria specified when inode_walk was called.
- Parameters
-
a_fs_file Pointer to the current file
a_ptr Pointer that was specified by caller to inode_walk
- Returns
- Value that tells inode walk to continue or stop
Enumeration Type Documentation
Flags used for the TSK_FS_ATTR structure, which is used to store file content metadata.
Enumerator |
---|
TSK_FS_ATTR_FLAG_NONE |
No Flag.
|
TSK_FS_ATTR_INUSE |
data structure is in use
|
TSK_FS_ATTR_NONRES |
Contains non-resident data (i.e. located in blocks)
|
TSK_FS_ATTR_RES |
Contains resident data (i.e. in a small buffer)
|
TSK_FS_ATTR_ENC |
Contains encrypted data.
|
TSK_FS_ATTR_COMP |
Contains compressed data.
|
TSK_FS_ATTR_SPARSE |
Contains sparse data.
|
TSK_FS_ATTR_RECOVERY |
Data was determined in file recovery mode.
|
Flags used for a TSK_FS_ATTR_RUN entry.
Enumerator |
---|
TSK_FS_ATTR_RUN_FLAG_NONE |
No Flag.
|
TSK_FS_ATTR_RUN_FLAG_FILLER |
Entry is a filler for a run that has not been seen yet in the processing (or has been lost)
|
TSK_FS_ATTR_RUN_FLAG_SPARSE |
Entry is a sparse run where all data in the run is zeros.
|
TSK_FS_ATTR_RUN_FLAG_ENCRYPTED |
Entry is a run where the data is encrypted.
|
These are based on the NTFS type values.
Added types for HFS+. NOTE: Update bindings/java/src/org/sleuthkit/datamodel/TskData.java with any changes.
Flags that are used in TSK_FS_BLOCK and in callback of file_walk.
Note that some of these are dependent. A block can be either TSK_FS_BLOCK_FLAG_ALLOC or TSK_FS_BLOCK_FLAG_UNALLOC. It can be one of TSK_FS_BLOCK_FLAG_RAW, TSK_FS_BLOCK_FLAG_BAD, TSK_FS_BLOCK_FLAG_RES, TSK_FS_BLOCK_FLAG_SPARSE, or TSK_FS_BLOCK_FLAG_COMP. Note that some of these are set only by file_walk because they are file-level details, such as compression and sparse.
Enumerator |
---|
TSK_FS_BLOCK_FLAG_UNUSED |
Used to show that TSK_FS_BLOCK structure has no data in it.
|
TSK_FS_BLOCK_FLAG_ALLOC |
Block is allocated (and not TSK_FS_BLOCK_FLAG_UNALLOC)
|
TSK_FS_BLOCK_FLAG_UNALLOC |
Block is unallocated (and not TSK_FS_BLOCK_FLAG_ALLOC)
|
TSK_FS_BLOCK_FLAG_CONT |
Block (could) contain file content (and not TSK_FS_BLOCK_FLAG_META)
|
TSK_FS_BLOCK_FLAG_META |
Block (could) contain file system metadata (and not TSK_FS_BLOCK_FLAG_CONT)
|
TSK_FS_BLOCK_FLAG_BAD |
Block has been marked as bad by the file system.
|
TSK_FS_BLOCK_FLAG_RAW |
The data has been read raw from the disk (and not COMP or SPARSE)
|
TSK_FS_BLOCK_FLAG_SPARSE |
The data passed in the file_walk callback was stored as sparse (all zeros) (and not RAW or COMP)
|
TSK_FS_BLOCK_FLAG_COMP |
The data passed in the file_walk callback was stored in a compressed form (and not RAW or SPARSE)
|
TSK_FS_BLOCK_FLAG_RES |
The data passed in the file_walk callback is from an NTFS resident file.
|
Flags that are used to specify which blocks to call the tsk_fs_block_walk() callback function with.
Enumerator |
---|
TSK_FS_BLOCK_WALK_FLAG_NONE |
No Flags.
|
TSK_FS_BLOCK_WALK_FLAG_ALLOC |
Allocated blocks.
|
TSK_FS_BLOCK_WALK_FLAG_UNALLOC |
Unallocated blocks.
|
TSK_FS_BLOCK_WALK_FLAG_CONT |
Blocks that could store file content.
|
TSK_FS_BLOCK_WALK_FLAG_META |
Blocks that could store file system metadata.
|
TSK_FS_BLOCK_WALK_FLAG_AONLY |
Do not include content in callback, only address and allocation status.
|
Flags that are used when walking names in directories.
These are used to identify which files to call the callback function on.
Enumerator |
---|
TSK_FS_DIR_WALK_FLAG_NONE |
No Flags.
|
TSK_FS_DIR_WALK_FLAG_ALLOC |
Return allocated names in callback.
|
TSK_FS_DIR_WALK_FLAG_UNALLOC |
Return unallocated names in callback.
|
TSK_FS_DIR_WALK_FLAG_RECURSE |
Recurse into sub-directories.
|
TSK_FS_DIR_WALK_FLAG_NOORPHAN |
Do not return (or recurse into) the special Orphan directory.
|
Flags used by tsk_fs_file_read.
Enumerator |
---|
TSK_FS_FILE_READ_FLAG_NONE |
No Flags.
|
TSK_FS_FILE_READ_FLAG_SLACK |
Allow read access into slack space.
|
TSK_FS_FILE_READ_FLAG_NOID |
Ignore the Id argument given in the API (use only the type)
|
Flags used by tsk_fs_file_walk to determine when the callback function should be used.
Enumerator |
---|
TSK_FS_FILE_WALK_FLAG_NONE |
No Flag.
|
TSK_FS_FILE_WALK_FLAG_SLACK |
Include the file's slack space in the callback.
|
TSK_FS_FILE_WALK_FLAG_NOID |
Ignore the Id argument given in the API (use only the type)
|
TSK_FS_FILE_WALK_FLAG_AONLY |
Provide callback with only addresses and no file content.
|
TSK_FS_FILE_WALK_FLAG_NOSPARSE |
Do not include sparse blocks in the callback.
|
Enumerator |
---|
TSK_FS_META_ATTR_EMPTY |
The data in the attributes (if any) is not for this file.
|
TSK_FS_META_ATTR_STUDIED |
The data in the attributes are for this file.
|
TSK_FS_META_ATTR_ERROR |
The attributes for this file could not be loaded.
|
Enumerator |
---|
TSK_FS_META_CONTENT_TYPE_EXT4_EXTENTS |
Ext4 with extents instead of individual pointers.
|
TSK_FS_META_CONTENT_TYPE_EXT4_INLINE |
Ext4 with inline data.
|
Metadata flags used in TSK_FS_META.flags and in request to inode_walk.
Enumerator |
---|
TSK_FS_META_FLAG_ALLOC |
Metadata structure is currently in an allocated state.
|
TSK_FS_META_FLAG_UNALLOC |
Metadata structure is currently in an unallocated state.
|
TSK_FS_META_FLAG_USED |
Metadata structure has been allocated at least once.
|
TSK_FS_META_FLAG_UNUSED |
Metadata structure has never been allocated.
|
TSK_FS_META_FLAG_COMP |
The file contents are compressed.
|
TSK_FS_META_FLAG_ORPHAN |
Return only metadata structures that have no file name pointing to them (inode_walk flag only)
|
Enumerator |
---|
TSK_FS_META_MODE_UNSPECIFIED |
unspecified
|
TSK_FS_META_MODE_ISUID |
set user id on execution
|
TSK_FS_META_MODE_ISGID |
set group id on execution
|
TSK_FS_META_MODE_ISVTX |
sticky bit
|
TSK_FS_META_MODE_IRUSR |
R for owner.
|
TSK_FS_META_MODE_IWUSR |
W for owner.
|
TSK_FS_META_MODE_IXUSR |
X for owner.
|
TSK_FS_META_MODE_IRGRP |
R for group.
|
TSK_FS_META_MODE_IWGRP |
W for group.
|
TSK_FS_META_MODE_IXGRP |
X for group.
|
TSK_FS_META_MODE_IROTH |
R for other.
|
TSK_FS_META_MODE_IWOTH |
W for other.
|
TSK_FS_META_MODE_IXOTH |
X for other.
|
Values for the mode field – which identifies the file type and permissions.
Enumerator |
---|
TSK_FS_META_TYPE_REG |
Regular file.
|
TSK_FS_META_TYPE_DIR |
Directory file.
|
TSK_FS_META_TYPE_FIFO |
Named pipe (fifo)
|
TSK_FS_META_TYPE_CHR |
Character device.
|
TSK_FS_META_TYPE_BLK |
Block device.
|
TSK_FS_META_TYPE_LNK |
Symbolic link.
|
TSK_FS_META_TYPE_SHAD |
SOLARIS ONLY.
|
TSK_FS_META_TYPE_SOCK |
UNIX domain socket.
|
TSK_FS_META_TYPE_WHT |
Whiteout.
|
TSK_FS_META_TYPE_VIRT |
"Virtual File" created by TSK for file system areas
|
TSK_FS_META_TYPE_VIRT_DIR |
"Virtual Directory" created by TSK to hold data like orphan files
|
File name flags that are used when specifying the status of a name in the TSK_FS_NAME structure.
Enumerator |
---|
TSK_FS_NAME_FLAG_ALLOC |
Name is in an allocated state.
|
TSK_FS_NAME_FLAG_UNALLOC |
Name is in an unallocated state.
|
File type values – as specified in the directory entry structure.
Enumerator |
---|
TSK_FS_NAME_TYPE_UNDEF |
Unknown type.
|
TSK_FS_NAME_TYPE_FIFO |
Named pipe.
|
TSK_FS_NAME_TYPE_CHR |
Character device.
|
TSK_FS_NAME_TYPE_DIR |
Directory.
|
TSK_FS_NAME_TYPE_BLK |
Block device.
|
TSK_FS_NAME_TYPE_REG |
Regular file.
|
TSK_FS_NAME_TYPE_LNK |
Symbolic link.
|
TSK_FS_NAME_TYPE_SOCK |
Socket.
|
TSK_FS_NAME_TYPE_SHAD |
Shadow inode (solaris)
|
TSK_FS_NAME_TYPE_WHT |
Whiteout (openbsd)
|
TSK_FS_NAME_TYPE_VIRT |
Special (TSK added "Virtual" files)
|
TSK_FS_NAME_TYPE_VIRT_DIR |
Special (TSK added "Virtual" directories)
|
Function Documentation
TSK_FS_BLKCAT_FLAG_ENUM
lclflags,
)
uint8_t tsk_fs_file_get_owner_sid
(
TSK_FS_FILE *
a_fs_file,
char **
sid_str
)
uint8_t tsk_fs_file_hash_calc
(
TSK_FS_FILE *
a_fs_file,
TSK_BASE_HASH_ENUM
a_flags
)
TSK_FS_IFIND_FLAG_ENUM
lclflags,
)
TSK_FS_ILS_FLAG_ENUM
lclflags,
int32_t
skew,
)