The Sleuth Kit: tsk/hashdb/tsk_hashdb

The Sleuth Kit 4.13.0

tsk_hashdb_i.h File Reference

Contains the internal library definitions for the hash database functions. More...

#include "tsk/base/tsk_base_i.h"
#include "tsk_hashdb.h"
#include <string.h>
#include <ctype.h>
#include <wchar.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <locale.h>

Macros

#define TSK_HDB_IDX_HEAD_NAME_STR "00000000000000000000000000000000000000001"

#define TSK_HDB_IDX_HEAD_TYPE_STR "00000000000000000000000000000000000000000"

Strings used in index header. More...

#define TSK_HDB_IDX_LEN(x) ( TSK_HDB_HTYPE_LEN(x) + TSK_HDB_OFF_LEN + 2)

Get the length of an index file line - 2 for comma and newline.

#define TSK_HDB_MAXLEN 512

Default buffer size used in many places.

#define TSK_HDB_OFF_LEN 16

Number of digits used in offset field in index.

Functions

uint8_t encase_get_entry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

uint8_t encase_make_index (TSK_HDB_INFO *, TSK_TCHAR *htype)

Process the database to create a sorted index of it. More...

TSK_HDB_INFO * encase_open (FILE *, const TSK_TCHAR *)

uint8_t encase_test (FILE *)

Test the file to see if it is an Encase database. More...

uint8_t hdb_base_accepts_updates ()

uint8_t hdb_base_add_entry (TSK_HDB_INFO *, const char *, const char *, const char *, const char *, const char *)

uint8_t hdb_base_begin_transaction (TSK_HDB_INFO *)

uint8_t hdb_base_commit_transaction (TSK_HDB_INFO *)

void hdb_base_db_name_from_path (TSK_HDB_INFO *)

Sets hash database name in hdb_info based on database file path. More...

const TSK_TCHAR * hdb_base_get_db_path (TSK_HDB_INFO *)

const char * hdb_base_get_display_name (TSK_HDB_INFO *)

const TSK_TCHAR * hdb_base_get_index_path (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM)

uint8_t hdb_base_has_index (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM)

int8_t hdb_base_lookup_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

int8_t hdb_base_lookup_str (TSK_HDB_INFO *, const char *, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

int8_t hdb_base_lookup_verbose_str (TSK_HDB_INFO *, const char *, void *)

uint8_t hdb_base_make_index (TSK_HDB_INFO *, TSK_TCHAR *)

uint8_t hdb_base_open_index (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM)

uint8_t hdb_base_rollback_transaction (TSK_HDB_INFO *)

uint8_t hdb_base_uses_external_indexes ()

uint8_t hdb_binsrch_accepts_updates ()

void hdb_binsrch_close (TSK_HDB_INFO *)

const TSK_TCHAR * hdb_binsrch_get_index_path (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM)

uint8_t hdb_binsrch_has_index (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM)

uint8_t hdb_binsrch_idx_add_entry_bin (TSK_HDB_BINSRCH_INFO *, unsigned char *, int, TSK_OFF_T)

Add a binary entry to the intermediate index file. More...

uint8_t hdb_binsrch_idx_add_entry_str (TSK_HDB_BINSRCH_INFO *, char *, TSK_OFF_T)

Add a string entry to the intermediate index file. More...

uint8_t hdb_binsrch_idx_finalize (TSK_HDB_BINSRCH_INFO *)

Finalize index creation process by sorting the index and removing the intermediate temp file. More...

uint8_t hdb_binsrch_idx_init_hash_type_info (TSK_HDB_BINSRCH_INFO *, TSK_HDB_HTYPE_ENUM)

uint8_t hdb_binsrch_idx_initialize (TSK_HDB_BINSRCH_INFO *, TSK_TCHAR *)

Initialize the TSK hash DB index file. More...

int8_t hdb_binsrch_lookup_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

Search the index for the given hash value given (in binary form). More...

int8_t hdb_binsrch_lookup_str (TSK_HDB_INFO *, const char *, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

Search the index for a text/ASCII hash value. More...

int8_t hdb_binsrch_lookup_verbose_str (TSK_HDB_INFO *, const char *, void *)

TSK_HDB_BINSRCH_INFO * hdb_binsrch_open (FILE *, const TSK_TCHAR *)

Called by the various text-based databases to setup the TSK_HDB_BINSRCH_INFO struct. More...

uint8_t hdb_binsrch_open_idx (TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM)

uint8_t hdb_binsrch_uses_external_indexes ()

void hdb_info_base_close (TSK_HDB_INFO *)

De-initializes struct representation of a hash database. More...

uint8_t hdb_info_base_open (TSK_HDB_INFO *, const TSK_TCHAR *)

uint8_t hk_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

Find the corresponding name at the given offset. More...

uint8_t hk_makeindex (TSK_HDB_INFO *, TSK_TCHAR *htype)

Process the database to create a sorted index of it. More...

TSK_HDB_INFO * hk_open (FILE *, const TSK_TCHAR *)

uint8_t hk_test (FILE *)

Test the file to see if it is a hashkeeper database. More...

const TSK_TCHAR * idxonly_get_db_path (TSK_HDB_INFO *)

uint8_t idxonly_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

uint8_t idxonly_makeindex (TSK_HDB_INFO *, TSK_TCHAR *)

TSK_HDB_INFO * idxonly_open (const TSK_TCHAR *, const TSK_TCHAR *)

uint8_t md5sum_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

uint8_t md5sum_makeindex (TSK_HDB_INFO *, TSK_TCHAR *htype)

Process the database to create a sorted index of it. More...

TSK_HDB_INFO * md5sum_open (FILE *, const TSK_TCHAR *)

uint8_t md5sum_test (FILE *)

Test the file to see if it is a md5sum database. More...

uint8_t nsrl_getentry (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

uint8_t nsrl_makeindex (TSK_HDB_INFO *, TSK_TCHAR *htype)

Process the database to create a sorted index of it. More...

TSK_HDB_INFO * nsrl_open (FILE *, const TSK_TCHAR *)

uint8_t nsrl_test (FILE *)

Test the file to see if it is an NSRL database. More...

uint8_t sqlite_hdb_add_entry (TSK_HDB_INFO *, const char *, const char *, const char *, const char *, const char *)

uint8_t sqlite_hdb_begin_transaction (TSK_HDB_INFO *)

void sqlite_hdb_close (TSK_HDB_INFO *)

uint8_t sqlite_hdb_commit_transaction (TSK_HDB_INFO *)

uint8_t sqlite_hdb_create_db (TSK_TCHAR *)

uint8_t sqlite_hdb_is_sqlite_file (FILE *)

int8_t sqlite_hdb_lookup_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

int8_t sqlite_hdb_lookup_str (TSK_HDB_INFO *, const char *, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *)

int8_t sqlite_hdb_lookup_verbose_bin (TSK_HDB_INFO *, uint8_t *, uint8_t, void *)

int8_t sqlite_hdb_lookup_verbose_str (TSK_HDB_INFO *, const char *, void *)

TSK_HDB_INFO * sqlite_hdb_open (TSK_TCHAR *)

uint8_t sqlite_hdb_rollback_transaction (TSK_HDB_INFO *)

Detailed Description

Contains the internal library definitions for the hash database functions.

This should be included by the code in the hash database library.

Macro Definition Documentation

#define TSK_HDB_IDX_HEAD_TYPE_STR "00000000000000000000000000000000000000000"

Strings used in index header.

It is one longer than a sha-1 hash - so that it always sorts to the top

Referenced by hdb_binsrch_idx_initialize().

Function Documentation

uint8_t encase_make_index ( TSK_HDB_INFO * hdb_info_base,

TSK_TCHAR * dbtype

)

Process the database to create a sorted index of it.

Consecutive entries with the same hash value are not added to the index, but will be found during lookup.

Parameters: hdb_info_base Hash database to make index of.

dbtype Type of hash database (should always be TSK_HDB_DBTYPE_ENCASE_STR)

Returns: 1 on error and 0 on success.

References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_bin(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), and tsk_verbose.

uint8_t encase_test ( FILE * hFile )

Test the file to see if it is an Encase database.

Parameters: hFile File handle to hash database

Returns: 1 if encase and 0 if not

uint8_t hdb_binsrch_idx_add_entry_bin ( TSK_HDB_BINSRCH_INFO * hdb_binsrch_info,

unsigned char * hvalue,

int hlen,

TSK_OFF_T offset

)

Add a binary entry to the intermediate index file.

Parameters: hdb_binsrch_info Hash database state info

hvalue Array of integers of hash value to add

hlen Number of bytes in hvalue

offset Byte offset of hash entry in original database.

Returns: 1 on error and 0 on success

References TSK_HDB_BINSRCH_INFO::hIdxTmp.

Referenced by encase_make_index().

uint8_t hdb_binsrch_idx_add_entry_str ( TSK_HDB_BINSRCH_INFO * hdb_binsrch_info,

char * hvalue,

TSK_OFF_T offset

)

Add a string entry to the intermediate index file.

Will not add an all-zero hash since this creates errors in the final index file, but does not return an error in this case.

Parameters: hdb_binsrch_info Hash database state info

hvalue String of hash value to add

offset Byte offset of hash entry in original database.

Returns: 1 on error and 0 on success

References TSK_HDB_BINSRCH_INFO::hIdxTmp.

Referenced by hk_makeindex(), md5sum_makeindex(), and nsrl_makeindex().

uint8_t hdb_binsrch_idx_finalize ( TSK_HDB_BINSRCH_INFO * hdb_binsrch_info )

Finalize index creation process by sorting the index and removing the intermediate temp file.

Parameters: hdb_binsrch_info Hash database state info structure.

Returns: 1 on error and 0 on success

References TSK_HDB_BINSRCH_INFO::hIdx, TSK_HDB_BINSRCH_INFO::hIdxTmp, TSK_HDB_BINSRCH_INFO::idx_fname, TSK_HDB_BINSRCH_INFO::idx_lbuf, TSK_HDB_BINSRCH_INFO::idx_llen, TSK_HDB_BINSRCH_INFO::idx_off, TSK_HDB_BINSRCH_INFO::idx_size, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), tsk_fprintf(), TSK_HDB_MAXLEN, tsk_verbose, and TSK_HDB_BINSRCH_INFO::uns_fname.

Referenced by encase_make_index(), hk_makeindex(), md5sum_makeindex(), and nsrl_makeindex().

uint8_t hdb_binsrch_idx_initialize ( TSK_HDB_BINSRCH_INFO * hdb_binsrch_info,

TSK_TCHAR * htype

)

Initialize the TSK hash DB index file.

This creates the intermediate file, which will have entries added to it. This file must be sorted before the process is finished.

Parameters: hdb_binsrch_info Hash database state structure

htype String of index type to create

Returns: 1 on error and 0 on success

References TSK_HDB_INFO::db_fname, TSK_HDB_INFO::db_name, TSK_HDB_INFO::db_type, TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hIdxTmp, PRIcTSK, PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_DBTYPE_ENCASE_ID, TSK_HDB_DBTYPE_ENCASE_STR, TSK_HDB_DBTYPE_HK_ID, TSK_HDB_DBTYPE_HK_STR, TSK_HDB_DBTYPE_IDXONLY_ID, TSK_HDB_DBTYPE_MD5SUM_ID, TSK_HDB_DBTYPE_MD5SUM_STR, TSK_HDB_DBTYPE_NSRL_ID, TSK_HDB_DBTYPE_NSRL_MD5_STR, TSK_HDB_DBTYPE_NSRL_SHA1_STR, TSK_HDB_DBTYPE_NSRL_STR, TSK_HDB_HTYPE_INVALID_ID, TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_SHA1_ID, TSK_HDB_HTYPE_STR, TSK_HDB_IDX_HEAD_TYPE_STR, and TSK_HDB_BINSRCH_INFO::uns_fname.

Referenced by encase_make_index(), hk_makeindex(), md5sum_makeindex(), and nsrl_makeindex().

TSK_HDB_BINSRCH_INFO* hdb_binsrch_open ( FILE * hDb,

const TSK_TCHAR * db_path

)

Called by the various text-based databases to setup the TSK_HDB_BINSRCH_INFO struct.

This will setup the basic function pointers, that will be overwritten by the more specific methods.

References TSK_HDB_INFO::db_type, TSK_HDB_BINSRCH_INFO::hash_len, TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_lookup_bin(), hdb_binsrch_lookup_str(), TSK_HDB_DBTYPE_INVALID_ID, and TSK_HDB_HTYPE_INVALID_ID.

Referenced by idxonly_open().

uint8_t hk_getentry ( TSK_HDB_INFO * hdb_info,

const char * hash,

TSK_OFF_T offset,

TSK_HDB_FLAG_ENUM flags,

TSK_HDB_LOOKUP_FN action,

void * cb_ptr

)

Find the corresponding name at the given offset.

The offset was likely determined from the index. The entries in the DB following the one specified are also processed if they have the same hash value and their name is different. The callback is called for each entry.

Note: This routine assumes that &hdb_info->lock is locked by the caller.

Parameters: hdb_info Data base to get data from.

hash MD5 hash value that was searched for

offset Byte offset where hash value should be located in db_file

flags

action Callback used for each entry found in lookup

cb_ptr Pointer to data passed to callback

Returns: 1 on error and 0 on success

References TSK_HDB_BINSRCH_INFO::hDb, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_FLAG_EXT, TSK_HDB_HTYPE_MD5_LEN, TSK_HDB_MAXLEN, tsk_verbose, TSK_WALK_ERROR, and TSK_WALK_STOP.

uint8_t hk_makeindex ( TSK_HDB_INFO * hdb_info_base,

TSK_TCHAR * dbtype

)

Process the database to create a sorted index of it.

Consecutive entries with the same hash value are not added to the index, but will be found during lookup.

Parameters: hdb_info_base Hash database to make index of

dbtype Text of database type (should always be TSK_HDB_DBTYPE_HK_STR)

Returns: 1 on error and 0 on success.

References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_str(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_HTYPE_MD5_LEN, TSK_HDB_MAXLEN, and tsk_verbose.

uint8_t hk_test ( FILE * hFile )

Test the file to see if it is a hashkeeper database.

Parameters: hFile File handle to hash database

Returns: 1 if hk and 0 if not

References TSK_HDB_MAXLEN.

TSK_HDB_INFO* idxonly_open ( const TSK_TCHAR * db_path,

const TSK_TCHAR * idx_path

)

Parameters: db_path Path to DB, which probably does not exist. But it gets passed in because we need it in a bunch of places.

idx_path Path to index file (should be superset of db_path)

References TSK_HDB_INFO::db_type, TSK_HDB_BINSRCH_INFO::hash_type, hdb_binsrch_open(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_DBTYPE_IDXONLY_ID, TSK_HDB_HTYPE_MD5_ID, and TSK_HDB_HTYPE_SHA1_ID.

Referenced by tsk_hdb_open().

uint8_t md5sum_makeindex ( TSK_HDB_INFO * hdb_info_base,

TSK_TCHAR * dbtype

)

Process the database to create a sorted index of it.

Consecutive entries with the same hash value are not added to the index, but will be found during lookup.

Parameters: hdb_info_base Hash database to make index of.

dbtype Type of hash database (should always be TSK_HDB_DBTYPE_MD5SUM_STR)

Returns: 1 on error and 0 on success.

uint8_t md5sum_test ( FILE * hFile )

Test the file to see if it is a md5sum database.

Parameters: hFile File handle to hash database

Returns: 1 if md5sum and 0 if not

References TSK_HDB_HTYPE_MD5_LEN, and TSK_HDB_MAXLEN.

uint8_t nsrl_makeindex ( TSK_HDB_INFO * hdb_info_base,

TSK_TCHAR * dbtype

)

Process the database to create a sorted index of it.

Consecutive entries with the same hash value are not added to the index, but will be found during lookup.

Parameters: hdb_info_base Hash database to make index of.

dbtype Type of database

Returns: 1 on error and 0 on success.

References TSK_HDB_INFO::db_fname, TSK_HDB_BINSRCH_INFO::hash_len, TSK_HDB_BINSRCH_INFO::hash_type, TSK_HDB_BINSRCH_INFO::hDb, hdb_binsrch_idx_add_entry_str(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_SHA1_ID, TSK_HDB_HTYPE_SHA1_LEN, TSK_HDB_MAXLEN, and tsk_verbose.

uint8_t nsrl_test ( FILE * hFile )

Test the file to see if it is an NSRL database.

Parameters: hFile File handle to hash database

Returns: 1 if NSRL and 0 if not

References TSK_HDB_MAXLEN.