The Sleuth Kit: tsk/vs/tsk_vs.h File Reference

The Sleuth Kit 4.13.0

Classes | Macros | Typedefs | Enumerations | Functions

tsk_vs.h File Reference

External header file for media management (volume system) support. More...

Classes

struct TSK_VS_INFO

Data structure used to store state and basic information for open volume systems. More...

struct TSK_VS_PART_INFO

Linked list entry that describes a volume in a generic way. More...

struct TSK_VS_PART_WALK_CPP_DATA

class TskVsInfo

Stores information about an open volume system. More...

class TskVsPartInfo

Stores information about a volume / partition inside of an open volume system. More...

Macros

#define TSK_VS_INFO_TAG 0x52301642

#define TSK_VS_PART_INFO_TAG 0x40121253

Typedefs

typedef struct TSK_VS_INFO TSK_VS_INFO

typedef struct TSK_VS_PART_INFO TSK_VS_PART_INFO

typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CB) (TSK_VS_INFO *a_vs, const TSK_VS_PART_INFO *a_vs_part, void *a_ptr)

Definition for callback function that vs_part_walk() calls for each partition that it walks. More...

typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CPP_CB) (TskVsInfo *a_vs, const TskVsPartInfo *a_vs_part, void *a_ptr)

Definition for callback function that vs_part_walk() calls for each partition that it walks. More...

Enumerations

enum TSK_VS_PART_FLAG_ENUM { TSK_VS_PART_FLAG_ALLOC = 0x01, TSK_VS_PART_FLAG_UNALLOC = 0x02, TSK_VS_PART_FLAG_META = 0x04, TSK_VS_PART_FLAG_ALL = 0x07 }

Flag values that describe the partitions in the VS. More...

enum TSK_VS_TYPE_ENUM {
  TSK_VS_TYPE_DETECT = 0x0000, TSK_VS_TYPE_DOS = 0x0001, TSK_VS_TYPE_BSD = 0x0002, TSK_VS_TYPE_SUN = 0x0004,
  TSK_VS_TYPE_MAC = 0x0008, TSK_VS_TYPE_GPT = 0x0010, TSK_VS_TYPE_APFS = 0x0020, TSK_VS_TYPE_LVM = 0x0030,
  TSK_VS_TYPE_DBFILLER = 0x00F0, TSK_VS_TYPE_UNSUPP = 0xffff
}

Flags for the partition type. More...

Functions

void tsk_vs_close (TSK_VS_INFO *)

Closes an open volume system. More...

TSK_VS_INFO * tsk_vs_open (TSK_IMG_INFO *, TSK_DADDR_T, TSK_VS_TYPE_ENUM)

Open a disk image and process the media management system data. More...

const TSK_VS_PART_INFO * tsk_vs_part_get (const TSK_VS_INFO *, TSK_PNUM_T idx)

Return handle to a volume in the volume system. More...

ssize_t tsk_vs_part_read (const TSK_VS_PART_INFO *a_vs_part, TSK_OFF_T a_off, char *buf, size_t len)

Reads data starting at a byte address relative to the start of a VOLUME in a volume system. More...

ssize_t tsk_vs_part_read_block (const TSK_VS_PART_INFO *a_vs_part, TSK_DADDR_T a_addr, char *buf, size_t len)

Reads one or more blocks of data with an address relative to the start of a VOLUME in a volume system. More...

uint8_t tsk_vs_part_walk (TSK_VS_INFO *vs, TSK_PNUM_T start, TSK_PNUM_T last, TSK_VS_PART_FLAG_ENUM flags, TSK_VS_PART_WALK_CB action, void *ptr)

Walk a range of partitions and pass the data to a callback function. More...

TSK_WALK_RET_ENUM tsk_vs_part_walk_cpp_c_cb (TSK_VS_INFO *a_vs, const TSK_VS_PART_INFO *a_vs_part, void *a_ptr)

ssize_t tsk_vs_read_block (TSK_VS_INFO *a_vs, TSK_DADDR_T a_addr, char *buf, size_t len)

Reads one or more blocks of data with an address relative to the start of the volume system. More...

void tsk_vs_type_print (FILE *)

Print the supported volume system type names to an open handle. More...

TSK_VS_TYPE_ENUM tsk_vs_type_supported ()

Return the supported volume system types. More...

const char * tsk_vs_type_todesc (TSK_VS_TYPE_ENUM)

Return the string description of a partition type ID. More...

TSK_VS_TYPE_ENUM tsk_vs_type_toid (const TSK_TCHAR *)

Parse a string with the volume system type and return its internal ID. More...

TSK_VS_TYPE_ENUM tsk_vs_type_toid_utf8 (const char *)

Parse a string with the volume system type and return its internal ID. More...

const char * tsk_vs_type_toname (TSK_VS_TYPE_ENUM)

Return the string name of a partition type ID. More...

Detailed Description

External header file for media management (volume system) support.

Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_vs_i.h.

Typedef Documentation

typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CB) (TSK_VS_INFO *a_vs, const TSK_VS_PART_INFO *a_vs_part, void *a_ptr)

Definition for callback function that vs_part_walk() calls for each partition that it walks.

Parameters: a_vs Pointer to volume system being analyzed

a_vs_part Pointer to current partition in the walk

a_ptr Pointer that was passed to vs_part_walk by caller

Returns: Status on whether the vs_part_walk() function should continue, stop, or error.

typedef TSK_WALK_RET_ENUM(* TSK_VS_PART_WALK_CPP_CB) (TskVsInfo *a_vs, const TskVsPartInfo *a_vs_part, void *a_ptr)

Definition for callback function that vs_part_walk() calls for each partition that it walks.

Parameters: a_vs Pointer to volume system being analyzed

a_vs_part Pointer to current partition in the walk

a_ptr Pointer that was passed to vs_part_walk by caller

Returns: Status on whether the vs_part_walk() function should continue, stop, or error.

Enumeration Type Documentation

enum TSK_VS_PART_FLAG_ENUM

Flag values that describe the partitions in the VS.

Refer to Accessing Individual Volumes for more details.

Enumerator
TSK_VS_PART_FLAG_ALLOC	Sectors are allocated to a volume in the volume system.
TSK_VS_PART_FLAG_UNALLOC	Sectors are not allocated to a volume.
TSK_VS_PART_FLAG_META	Sectors contain volume system metadata and could also be ALLOC or UNALLOC.
TSK_VS_PART_FLAG_ALL	Show all sectors in the walk.

enum TSK_VS_TYPE_ENUM

Flags for the partition type.

Enumerator
TSK_VS_TYPE_DETECT	Use autodetection methods.
TSK_VS_TYPE_DOS	DOS Partition table.
TSK_VS_TYPE_BSD	BSD Partition table.
TSK_VS_TYPE_SUN	Sun VTOC.
TSK_VS_TYPE_MAC	Mac partition table.
TSK_VS_TYPE_GPT	GPT partition table.
TSK_VS_TYPE_APFS	APFS.
TSK_VS_TYPE_LVM	LVM.
TSK_VS_TYPE_DBFILLER	fake partition table type for loaddb (for images that do not have a volume system)
TSK_VS_TYPE_UNSUPP	Unsupported.