The Sleuth Kit: tsk/fs/tsk_fs

The Sleuth Kit 4.13.0

tsk_fs_i.h File Reference

Contains the internal library definitions for the file system functions. More...

#include "tsk/base/tsk_base_i.h"
#include "tsk/img/tsk_img_i.h"
#include "tsk/vs/tsk_vs_i.h"
#include "tsk_fs.h"
#include <time.h>
#include <locale.h>
#include <sys/fcntl.h>
#include <sys/time.h>

Classes

struct TSK_FS_LOAD_FILE

struct TSK_USN_RECORD_HEADER

Macros

#define isset(a, i) (((uint8_t *)(a))[(i)/NBBY] & (1<<((i)%NBBY)))

#define MAX_DIR_SIZE_TO_PROCESS 1000000

#define NBBY 8

#define setbit(a, i) (((uint8_t *)(a))[(i)/NBBY] |= (1<<((i)%NBBY)))

#define TSK_USE_HFS 1

Functions

TSK_FS_INFO * apfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *)

TSK_FS_INFO * apfs_open_auto_detect (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * btrfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * ext2fs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * fatfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * ffs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * hfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * iso9660_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * logical_fs_open (TSK_IMG_INFO *)

TSK_FS_INFO * ntfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * rawfs_open (TSK_IMG_INFO *, TSK_OFF_T)

TSK_FS_INFO * swapfs_open (TSK_IMG_INFO *, TSK_OFF_T)

uint8_t tsk_fs_attr_add_run (TSK_FS_INFO *fs, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *data_run_new)

TSK_FS_ATTR * tsk_fs_attr_alloc (TSK_FS_ATTR_FLAG_ENUM)

void tsk_fs_attr_append_run (TSK_FS_INFO *fs, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *a_data_run)

void tsk_fs_attr_clear (TSK_FS_ATTR *)

void tsk_fs_attr_free (TSK_FS_ATTR *)

uint8_t tsk_fs_attr_print (const TSK_FS_ATTR *a_fs_attr, FILE *hFile)

TSK_FS_ATTR_RUN * tsk_fs_attr_run_alloc ()

uint8_t tsk_fs_attr_set_run (TSK_FS_FILE *, TSK_FS_ATTR *a_fs_attr, TSK_FS_ATTR_RUN *data_run_new, const char *name, TSK_FS_ATTR_TYPE_ENUM type, uint16_t id, TSK_OFF_T size, TSK_OFF_T initsize, TSK_OFF_T allocsize, TSK_FS_ATTR_FLAG_ENUM flags, uint32_t compsize)

uint8_t tsk_fs_attr_set_str (TSK_FS_FILE *, TSK_FS_ATTR *, const char *, TSK_FS_ATTR_TYPE_ENUM, uint16_t, void *, size_t)

uint8_t tsk_fs_attrlist_add (TSK_FS_ATTRLIST *, TSK_FS_ATTR *)

TSK_FS_ATTRLIST * tsk_fs_attrlist_alloc ()

void tsk_fs_attrlist_free (TSK_FS_ATTRLIST *)

const TSK_FS_ATTR * tsk_fs_attrlist_get (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM)

const TSK_FS_ATTR * tsk_fs_attrlist_get_id (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM, uint16_t)

const TSK_FS_ATTR * tsk_fs_attrlist_get_idx (const TSK_FS_ATTRLIST *, int)

int tsk_fs_attrlist_get_len (const TSK_FS_ATTRLIST *a_fs_attrlist)

const TSK_FS_ATTR * tsk_fs_attrlist_get_name_type (const TSK_FS_ATTRLIST *, TSK_FS_ATTR_TYPE_ENUM, const char *)

TSK_FS_ATTR * tsk_fs_attrlist_getnew (TSK_FS_ATTRLIST *, TSK_FS_ATTR_FLAG_ENUM a_atype)

void tsk_fs_attrlist_markunused (TSK_FS_ATTRLIST *)

TSK_FS_BLOCK * tsk_fs_block_alloc (TSK_FS_INFO *fs)

int tsk_fs_block_set (TSK_FS_INFO *fs, TSK_FS_BLOCK *fs_block, TSK_DADDR_T a_addr, TSK_FS_BLOCK_FLAG_ENUM a_flags, char *a_buf)

uint8_t tsk_fs_dir_add (TSK_FS_DIR *a_fs_dir, const TSK_FS_NAME *a_fs_dent)

TSK_FS_DIR * tsk_fs_dir_alloc (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr, size_t a_cnt)

uint8_t tsk_fs_dir_contains (TSK_FS_DIR *a_fs_dir, TSK_INUM_T meta_addr, uint32_t hash)

Test if a_fs_dir already contains an entry for the given meta data address. More...

uint8_t tsk_fs_dir_find_inum_named (TSK_FS_INFO *a_fs, TSK_INUM_T a_inum)

TSK_RETVAL_ENUM tsk_fs_dir_find_orphans (TSK_FS_INFO *a_fs, TSK_FS_DIR *a_fs_dir)

uint32_t tsk_fs_dir_hash (const char *str)

TSK_RETVAL_ENUM tsk_fs_dir_load_inum_named (TSK_FS_INFO *a_fs)

uint8_t tsk_fs_dir_make_orphan_dir_meta (TSK_FS_INFO *a_fs, TSK_FS_META *a_fs_meta)

uint8_t tsk_fs_dir_make_orphan_dir_name (TSK_FS_INFO *a_fs, TSK_FS_NAME *a_fs_name)

uint8_t tsk_fs_dir_realloc (TSK_FS_DIR *a_fs_dir, size_t a_cnt)

void tsk_fs_dir_reset (TSK_FS_DIR *a_fs_dir)

uint8_t tsk_fs_dir_walk_internal (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CB a_action, void *a_ptr, int macro_recursion_depth)

TSK_FS_FILE * tsk_fs_file_alloc (TSK_FS_INFO *)

void tsk_fs_free (TSK_FS_INFO *)

TSK_WALK_RET_ENUM tsk_fs_load_file_action (TSK_FS_FILE *fs_file, TSK_OFF_T, TSK_DADDR_T, char *, size_t, TSK_FS_BLOCK_FLAG_ENUM, void *)

TSK_FS_INFO * tsk_fs_malloc (size_t)

TSK_FS_META * tsk_fs_meta_alloc (size_t)

void tsk_fs_meta_close (TSK_FS_META *fs_meta)

TSK_FS_META * tsk_fs_meta_realloc (TSK_FS_META *, size_t)

void tsk_fs_meta_reset (TSK_FS_META *)

TSK_FS_NAME * tsk_fs_name_alloc (size_t, size_t)

uint8_t tsk_fs_name_copy (TSK_FS_NAME *a_fs_name_to, const TSK_FS_NAME *a_fs_name_from)

void tsk_fs_name_free (TSK_FS_NAME *)

void tsk_fs_name_print (FILE *, const TSK_FS_FILE *, const char *, TSK_FS_INFO *, const TSK_FS_ATTR *, uint8_t)

void tsk_fs_name_print_long (FILE *, const TSK_FS_FILE *, const char *, TSK_FS_INFO *, const TSK_FS_ATTR *, uint8_t, int32_t)

void tsk_fs_name_print_mac (FILE *, const TSK_FS_FILE *, const char *, const TSK_FS_ATTR *fs_attr, const char *, int32_t)

void tsk_fs_name_print_mac_md5 (FILE *, const TSK_FS_FILE *, const char *, const TSK_FS_ATTR *fs_attr, const char *, int32_t, const unsigned char *)

uint8_t tsk_fs_name_realloc (TSK_FS_NAME *, size_t)

void tsk_fs_name_reset (TSK_FS_NAME *a_fs_name)

TSK_FS_BLOCK_FLAG_ENUM tsk_fs_nofs_block_getflags (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr)

uint8_t tsk_fs_nofs_block_walk (TSK_FS_INFO *fs, TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr)

void tsk_fs_nofs_close (TSK_FS_INFO *fs)

TSK_RETVAL_ENUM tsk_fs_nofs_dir_open_meta (TSK_FS_INFO *a_fs, TSK_FS_DIR **a_fs_dir, TSK_INUM_T a_addr, int recursion_depth)

uint8_t tsk_fs_nofs_file_add_meta (TSK_FS_INFO *fs, TSK_FS_FILE *a_fs_file, TSK_INUM_T inum)

uint8_t tsk_fs_nofs_fsstat (TSK_FS_INFO *fs, FILE *hFile)

TSK_FS_ATTR_TYPE_ENUM tsk_fs_nofs_get_default_attr_type (const TSK_FS_FILE *a_file)

uint8_t tsk_fs_nofs_inode_walk (TSK_FS_INFO *fs, TSK_INUM_T a_start_inum, TSK_INUM_T a_end_inum, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_action, void *a_ptr)

uint8_t tsk_fs_nofs_istat (TSK_FS_INFO *a_fs, TSK_FS_ISTAT_FLAG_ENUM istat_flags, FILE *hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew)

uint8_t tsk_fs_nofs_jblk_walk (TSK_FS_INFO *a_fs, TSK_INUM_T start, TSK_INUM_T end, int a_flags, TSK_FS_JBLK_WALK_CB a_action, void *a_ptr)

uint8_t tsk_fs_nofs_jentry_walk (TSK_FS_INFO *a_fs, int a_flags, TSK_FS_JENTRY_WALK_CB a_action, void *a_ptr)

uint8_t tsk_fs_nofs_jopen (TSK_FS_INFO *a_fs, TSK_INUM_T inum)

uint8_t tsk_fs_nofs_make_data_run (TSK_FS_FILE *)

int tsk_fs_nofs_name_cmp (TSK_FS_INFO *, const char *, const char *)

char * tsk_fs_time_to_str (time_t, char buf[128])

Converts a time value to a string representation. More...

char * tsk_fs_time_to_str_subsecs (time_t, unsigned int subsecs, char buf[128])

Converts a time value to a string representation. More...

TSK_FS_ATTR_TYPE_ENUM tsk_fs_unix_get_default_attr_type (const TSK_FS_FILE *a_file)

uint8_t tsk_fs_unix_make_data_run (TSK_FS_FILE *fs_file)

int tsk_fs_unix_name_cmp (TSK_FS_INFO *a_fs_info, const char *s1, const char *s2)

TSK_FS_INFO * xfs_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

TSK_FS_INFO * yaffs2_open (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *, uint8_t)

NTFS Update Sequence Number Journal Data Structures

#define tsk_fs_guessu16(fs, x, mag) tsk_guess_end_u16(&(fs->endian), (x), (mag))

#define tsk_fs_guessu32(fs, x, mag) tsk_guess_end_u32(&(fs->endian), (x), (mag))

enum TSK_FS_USNJLS_FLAG_ENUM { TSK_FS_USNJLS_NONE = 0x00, TSK_FS_USNJLS_LONG = 0x01, TSK_FS_USNJLS_MAC = 0x02 }

typedef TSK_WALK_RET_ENUM(* TSK_FS_USNJENTRY_WALK_CB) (TSK_USN_RECORD_HEADER *a_header, void *a_record, void *a_ptr)

Function definition used for callback to ntfs_usnjentry_walk(). More...

typedef enum TSK_FS_USNJLS_FLAG_ENUM TSK_FS_USNJLS_FLAG_ENUM

uint8_t tsk_ntfs_usnjopen (TSK_FS_INFO *fs, TSK_INUM_T inum)

Open the Update Sequence Number Journal stored at the inode inum. More...

uint8_t tsk_ntfs_usnjentry_walk (TSK_FS_INFO *fs, TSK_FS_USNJENTRY_WALK_CB action, void *ptr)

Walk through the Update Sequence Number journal file opened with ntfs_usnjopen. More...

uint8_t tsk_fs_usnjls (TSK_FS_INFO *fs, TSK_INUM_T inode, TSK_FS_USNJLS_FLAG_ENUM flags)

Detailed Description

Contains the internal library definitions for the file system functions.

This should be included by the code in the file system library.

Typedef Documentation

typedef TSK_WALK_RET_ENUM(* TSK_FS_USNJENTRY_WALK_CB) (TSK_USN_RECORD_HEADER *a_header, void *a_record, void *a_ptr)

Function definition used for callback to ntfs_usnjentry_walk().

Parameters: a_header Pointer to USN header structure.

a_record Pointer USN record structure, its type can be deduced from the major version number in the header.

a_ptr Pointer that was supplied by the caller who called ntfs_usnjentry_walk.

Returns: Value to identify if walk should continue, stop, or stop because of error

Function Documentation

uint8_t tsk_fs_dir_contains ( TSK_FS_DIR * a_fs_dir,

TSK_INUM_T meta_addr,

uint32_t hash

)

Test if a_fs_dir already contains an entry for the given meta data address.

If so, return the allocation state.

Returns: TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_FLAG_UNALLOC, or 0 if not found.

References TSK_FS_NAME::flags, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_DIR::names, TSK_FS_DIR::names_used, and TSK_FS_NAME_FLAG_ALLOC.

uint8_t tsk_ntfs_usnjentry_walk ( TSK_FS_INFO * fs,

TSK_FS_USNJENTRY_WALK_CB action,

void * ptr

)

Walk through the Update Sequence Number journal file opened with ntfs_usnjopen.

For each USN record, calls the callback action passing the USN record header, the USN record and the pointer ptr.

Parameters: ntfs File system where the journal is stored

action action to be called per each USN entry

ptr pointer to data passed to the action callback

Returns: 0 on success, 1 otherwise

References TSK_FS_INFO::ftype, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_close(), and TSK_FS_TYPE_NTFS.

uint8_t tsk_ntfs_usnjopen ( TSK_FS_INFO * fs,

TSK_INUM_T inum

)

Open the Update Sequence Number Journal stored at the inode inum.

Parameters: ntfs File system where the journal is stored

inum file reference number where the USN journal is located

Returns: 0 on success, 1 otherwise

References TSK_FS_INFO::block_size, TSK_FS_INFO::ftype, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_file_open_meta(), TSK_FS_TYPE_NTFS, and tsk_verbose.