/* main - open file system, list inode info */ int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; TSK_TCHAR *cp, *dash; TSK_INUM_T istart = 0, ilast = 0; int ch; int flags = TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED; int ils_flags = 0; int set_range = 1; TSK_TCHAR *image = NULL; int32_t sec_skew = 0; TSK_TCHAR **argv; unsigned int ssize = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); /* * Provide convenience options for the most commonly selected feature * combinations. */ while ((ch = GETOPT(argc, argv, _TSK_T("aAb:ef:i:lLmo:Oprs:vVzZ"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('e'): flags |= (TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC); flags &= ~TSK_FS_META_FLAG_USED; break; case _TSK_T('m'): ils_flags |= TSK_FS_ILS_MAC; break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('O'): flags |= TSK_FS_META_FLAG_UNALLOC; flags &= ~TSK_FS_META_FLAG_ALLOC; ils_flags |= TSK_FS_ILS_OPEN; break; case _TSK_T('p'): flags |= (TSK_FS_META_FLAG_ORPHAN | TSK_FS_META_FLAG_UNALLOC); flags &= ~TSK_FS_META_FLAG_ALLOC; break; case _TSK_T('r'): flags |= (TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED); flags &= ~TSK_FS_META_FLAG_ALLOC; break; case _TSK_T('s'): sec_skew = TATOI(OPTARG); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); /* * Provide fine controls to tweak one feature at a time. */ case _TSK_T('a'): flags |= TSK_FS_META_FLAG_ALLOC; flags &= ~TSK_FS_META_FLAG_UNALLOC; break; case _TSK_T('A'): flags |= TSK_FS_META_FLAG_UNALLOC; break; case _TSK_T('l'): ils_flags |= TSK_FS_ILS_LINK; break; case _TSK_T('L'): ils_flags |= TSK_FS_ILS_UNLINK; break; case _TSK_T('z'): flags |= TSK_FS_META_FLAG_UNUSED; break; case _TSK_T('Z'): flags |= TSK_FS_META_FLAG_USED; break; } } if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((ils_flags & TSK_FS_ILS_LINK) && (ils_flags & TSK_FS_ILS_UNLINK)) { tsk_fprintf(stderr, "ERROR: Only linked or unlinked should be used\n"); usage(); } /* We need to determine if an inode or inode range was given */ if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) { /* Check if is a single number */ istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { /* Single address set end addr to start */ ilast = istart; set_range = 0; image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } } else { /* We have a dash, but it could be part of the file name */ *dash = '\0'; istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ *dash = _TSK_T('-'); image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { dash++; ilast = TSTRTOULL(dash, &cp, 0); if (*cp || *cp == *dash) { /* Not a number - consider it a file name */ dash--; *dash = '-'; image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { set_range = 0; /* It was a block range, so do not include it in the open */ image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } } } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } /* do we need to set the range or just check them? */ if (set_range) { istart = fs->first_inum; ilast = fs->last_inum; } else { if (istart < fs->first_inum) istart = fs->first_inum; if (ilast > fs->last_inum) ilast = fs->last_inum; } /* NTFS uses alloc and link different than UNIX so change * the default behavior * * The link value can be > 0 on deleted files (even when closed) */ /* NTFS and FAT have no notion of deleted but still open */ if ((ils_flags & TSK_FS_ILS_OPEN) && (TSK_FS_TYPE_ISNTFS(fs->ftype) || TSK_FS_TYPE_ISFAT(fs->ftype))) { fprintf(stderr, "Error: '-O' argument does not work with NTFS and FAT images\n"); exit(1); } if (tsk_fs_ils(fs, (TSK_FS_ILS_FLAG_ENUM) ils_flags, istart, ilast, (TSK_FS_META_FLAG_ENUM) flags, sec_skew, image)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char * const *argv1) { int ch; const char *arff_fn = 0; const char *text_fn = 0; string *xml_fn = 0; const char *audit_file = 0; bool opt_x = false; string command_line = xml::make_command_line(argc,argv1); bool opt_zap = false; u_int sector_size=512; // defaults to 512; may be changed by AFF struct timeval tv0; struct timeval tv1; gettimeofday(&tv0,0); TSK_TCHAR * const *argv; #ifdef TSK_WIN32 char *opt_arg = NULL; char *argv_0 = NULL; argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr,"Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR * const*) argv1; #endif while ((ch = GETOPT(argc, argv, _TSK_T("A:a:C:dfG:gmv1IMX:S:T:VZn:c:b:xOzh?"))) > 0 ) { // s: removed switch (ch) { case _TSK_T('1'): opt_sha1 = true;break; case _TSK_T('m'): opt_body_file = 1; opt_sha1 = 0; opt_md5 = 1; t = stdout; break; case _TSK_T('A'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); arff_fn = opt_arg; #else arff_fn = OPTARG; #endif break; case _TSK_T('C'): file_count_max = TATOI(OPTARG);break; case _TSK_T('d'): opt_debug++; break; case _TSK_T('f'): opt_magic = true;break; case _TSK_T('g'): opt_no_data = true; break; case _TSK_T('b'): opt_get_fragments = false; break; case _TSK_T('G'): opt_maxgig = TATOI(OPTARG);break; case _TSK_T('h'): usage(); break; case _TSK_T('I'): opt_ignore_ntfs_system_files=true;break; case _TSK_T('M'): opt_md5 = true; case _TSK_T('O'): opt_allocated_only=true; break; case _TSK_T('S'): opt_sector_hash = true; sectorhash_size = TATOI(OPTARG); break; case _TSK_T('T'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); text_fn = opt_arg; #else text_fn = OPTARG; #endif break; case _TSK_T('V'): print_version();exit(0); case _TSK_T('X'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); xml_fn = new string(opt_arg); #else xml_fn = new string(OPTARG); #endif break; case _TSK_T('x'): opt_x = true;break; case _TSK_T('Z'): opt_zap = true;break; case _TSK_T('a'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); audit_file = opt_arg; #else audit_file = OPTARG; #endif break; case _TSK_T('c'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); config_file = opt_arg; #else config_file = OPTARG; #endif break; case _TSK_T('n'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); namelist.push_back(opt_arg); #else namelist.push_back(OPTARG); #endif break; //case 's': save_outdir = optarg; opt_save = true; break; case _TSK_T('v'): tsk_verbose++; break; // sleuthkit option case _TSK_T('z'): opt_sha1=false;opt_md5=false;break; case _TSK_T('?'): usage();break; default: fprintf(stderr, "Invalid argument: %s\n", argv[OPTIND]); usage(); } } if (OPTIND >= argc) usage(); argc -= OPTIND; argv += OPTIND; argv1 += OPTIND; #ifdef TSK_WIN32 convert(argv[0],&argv_0); const char *filename = argv_0; #else const char *filename = argv[0]; #endif opt_parent_tracking = true; if(!filename){ errx(1,"must provide filename"); } if(opt_no_data && (opt_md5 || opt_sha1 || opt_save || opt_magic)) { errx(1, "-g conflicts with options requiring data access (-z may be needed)"); } if(opt_save){ if(access(save_outdir.c_str(),F_OK)){ #ifdef WIN32 if(mkdir(save_outdir.c_str())) { #else if(mkdir(save_outdir.c_str(),0777)){ #endif err(1,"Cannot make directory: %s",save_outdir.c_str()); } } if(access(save_outdir.c_str(),R_OK)){ err(1,"Cannot access directory: %s",save_outdir.c_str()); } } if(text_fn){ if(access(text_fn,F_OK)==0) errx(1,"%s: file exists",text_fn); t = fopen(text_fn,"w"); if(!t) err(1,"%s",text_fn); } if(arff_fn){ if(access(arff_fn,F_OK)==0) errx(1,"%s: file exists",arff_fn); a = new arff("fiwalk"); // the ARFF output object a->set_outfile(arff_fn); } /* XML initialization */ if(opt_x){ x = new xml(); // default to stdout } if(xml_fn){ if(*xml_fn == "0"){ string newfn = filename; *xml_fn = newfn.substr(0,newfn.rfind(".")) + ".xml"; } if(x) errx(1,"Cannot write XML to stdout and file at same time\n"); if(access(xml_fn->c_str(),F_OK)==0){ if(opt_zap){ if(unlink(xml_fn->c_str())){ err(1,"%s: file exists and cannot unlink",xml_fn->c_str()); } } else{ errx(1,"%s: file exists",xml_fn->c_str()); } } x = new xml(*xml_fn,true); // we will make DTD going to a file } /* If no output file has been specified, output text to stdout */ if(a==0 && x==0 && t==0){ t = stdout; } if(strstr(filename,".aff") || strstr(filename,".afd") || strstr(filename,".afm")){ #ifndef HAVE_LIBAFFLIB fprintf(stderr,"ERROR: fiwalk was compiled without AFF support.\n"); exit(0); #else #endif } /* If we are outputing ARFF, create the ARFF object and set the file types for the file system metadata */ if(a){ a->add_attribute("id",arff::NUMERIC); a->add_attribute("partition",arff::NUMERIC); a->add_attribute("filesize",arff::NUMERIC); a->add_attribute("mtime",arff::DATE); a->add_attribute("ctime",arff::DATE); a->add_attribute("atime",arff::DATE); a->add_attribute("fragments",arff::NUMERIC); a->add_attribute("frag1startsector",arff::NUMERIC); a->add_attribute("frag2startsector",arff::NUMERIC); a->add_attribute("filename",arff::STRING); if(opt_md5) a->add_attribute("md5",arff::STRING); if(opt_sha1) a->add_attribute("sha1",arff::STRING); } /* output per-run metadata for XML output */ if(x){ /* Output Dublin Core information */ x->push("dfxml", "\n xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'" "\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'" "\n xmlns:dc='http://purl.org/dc/elements/1.1/'" "\n version='1.0'" ); x->push("metadata", ""); x->xmlout("dc:type","Disk Image",fw_empty,false); x->pop(); /* Output carver information per photorec standard */ x->add_DFXML_creator("fiwalk",tsk_version_get_str(),command_line); } /* Can't use comment until after here... */ if(config_file){ comment("Reading configuration file %s",config_file); config_read(config_file); /* Read the configuration file */ } /* Check that we have a valid file format */ if(x) x->push("source"); partition_info("image_filename",filename); if(!x){ partition_info("fiwalk_version",tsk_version_get_str()); partition_info("start_time",mytime()); partition_info("tsk_version",tsk_version_get_str()); } if(x) x->pop(); if (opt_debug) printf("calling tsk_img_open(%s)\n",filename); #ifdef SIGINFO signal(SIGINFO,sig_info); #endif #ifdef TSK_WIN32 int count = process_image_file(argc,argv1,audit_file,sector_size); if(count<=0 || sector_size!=512){ comment("Retrying with 512 byte sector size."); count = process_image_file(argc,argv1,audit_file,512); } #else int count = process_image_file(argc,argv,audit_file,sector_size); if(count<=0 || sector_size!=512){ comment("Retrying with 512 byte sector size."); count = process_image_file(argc,argv,audit_file,512); } #endif /* Calculate time elapsed (reported as a comment and with rusage) */ struct timeval tv; char tvbuf[64]; gettimeofday(&tv1,0); tv.tv_sec = tv1.tv_sec - tv0.tv_sec; if(tv1.tv_usec > tv0.tv_usec){ tv.tv_usec = tv1.tv_usec - tv0.tv_usec; } else { tv.tv_sec--; tv.tv_usec = (tv1.tv_usec+1000000) - tv0.tv_usec; } sprintf(tvbuf, "%d.%06d",(int)tv.tv_sec, (int)tv.tv_usec); comment("clock: %s",tvbuf); #ifdef HAVE_SYS_RESOURCE_H #ifdef HAVE_GETRUSAGE /* Print usage information */ struct rusage ru; memset(&ru,0,sizeof(ru)); if(getrusage(RUSAGE_SELF,&ru)==0){ if(x) x->push("rusage"); partition_info("utime",ru.ru_utime); partition_info("stime",ru.ru_stime); partition_info("maxrss",ru.ru_maxrss); partition_info("minflt",ru.ru_minflt); partition_info("majflt",ru.ru_majflt); partition_info("nswap",ru.ru_nswap); partition_info("inblock",ru.ru_inblock); partition_info("oublock",ru.ru_oublock); partition_info("clocktime",tv); comment("stop_time: %s",cstr(mytime())); if(x) x->pop(); } #endif #endif // *** Added <finished time="(time_t)" duration="<seconds>" /> if(a){ a->write(); delete a; } if(t) comment("=EOF="); if(x) { x->pop(); // <dfxml> x->close(); delete(x); } exit(0); }
/* main - open file system, list inode info */ int MAIN(int argc, TSK_TCHAR ** argv) { TSK_TCHAR *fstype = NULL; TSK_TCHAR *imgtype = NULL, *cp, *dash; TSK_IMG_INFO *img; TSK_FS_INFO *fs; INUM_T istart = 0, ilast = 0; int ch; int flags = TSK_FS_INODE_FLAG_UNALLOC | TSK_FS_INODE_FLAG_USED; int argflags = 0; SSIZE_T imgoff = 0; int set_range = 1; TSK_TCHAR *image = NULL; int32_t sec_skew = 0; progname = argv[0]; setlocale(LC_ALL, ""); /* * Provide convenience options for the most commonly selected feature * combinations. */ while ((ch = getopt(argc, argv, _TSK_T("aAef:i:lLmo:Oprs:vVzZ"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[optind]); usage(); case _TSK_T('f'): fstype = optarg; if (TSTRCMP(fstype, _TSK_T("list")) == 0) { tsk_fs_print_types(stderr); exit(1); } break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('e'): flags |= (TSK_FS_INODE_FLAG_ALLOC | TSK_FS_INODE_FLAG_UNALLOC); flags &= ~TSK_FS_INODE_FLAG_USED; break; case _TSK_T('m'): argflags |= TSK_FS_ILS_MAC; break; case _TSK_T('o'): if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('O'): flags |= TSK_FS_INODE_FLAG_UNALLOC; flags &= ~TSK_FS_INODE_FLAG_ALLOC; argflags |= TSK_FS_ILS_OPEN; break; case _TSK_T('p'): flags |= (TSK_FS_INODE_FLAG_ORPHAN | TSK_FS_INODE_FLAG_UNALLOC); flags &= ~TSK_FS_INODE_FLAG_ALLOC; break; case _TSK_T('r'): flags |= (TSK_FS_INODE_FLAG_UNALLOC | TSK_FS_INODE_FLAG_USED); flags &= ~TSK_FS_INODE_FLAG_ALLOC; break; case _TSK_T('s'): sec_skew = TATOI(optarg); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_print_version(stdout); exit(0); /* * Provide fine controls to tweak one feature at a time. */ case _TSK_T('a'): flags |= TSK_FS_INODE_FLAG_ALLOC; break; case _TSK_T('A'): flags |= TSK_FS_INODE_FLAG_UNALLOC; break; case _TSK_T('l'): argflags |= TSK_FS_ILS_LINK; break; case _TSK_T('L'): argflags |= TSK_FS_ILS_UNLINK; break; case _TSK_T('z'): flags |= TSK_FS_INODE_FLAG_UNUSED; break; case _TSK_T('Z'): flags |= TSK_FS_INODE_FLAG_USED; break; } } if (optind >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((argflags & TSK_FS_ILS_LINK) && (argflags & TSK_FS_ILS_UNLINK)) { tsk_fprintf(stderr, "ERROR: Only linked or unlinked should be used\n"); usage(); } /* We need to determine if an inode or inode range was given */ if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) { /* Check if is a single number */ istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { /* Single address set end addr to start */ ilast = istart; set_range = 0; image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind - 1, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } } else { /* We have a dash, but it could be part of the file name */ *dash = '\0'; istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ *dash = _TSK_T('-'); image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { dash++; ilast = TSTRTOULL(dash, &cp, 0); if (*cp || *cp == *dash) { /* Not a number - consider it a file name */ dash--; *dash = '-'; image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { set_range = 0; /* It was a block range, so do not include it in the open */ image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind - 1, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } } } if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_print_types(stderr); img->close(img); exit(1); } /* do we need to set the range or just check them? */ if (set_range) { istart = fs->first_inum; ilast = fs->last_inum; } else { if (istart < fs->first_inum) istart = fs->first_inum; if (ilast > fs->last_inum) ilast = fs->last_inum; } /* NTFS uses alloc and link different than UNIX so change * the default behavior * * The link value can be > 0 on deleted files (even when closed) */ /* NTFS and FAT have no notion of deleted but still open */ if ((argflags & TSK_FS_ILS_OPEN) && (((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) == TSK_FS_INFO_TYPE_NTFS_TYPE) || ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) == TSK_FS_INFO_TYPE_FAT_TYPE))) { fprintf(stderr, "Error: '-O' argument does not work with NTFS and FAT images\n"); exit(1); } if (tsk_fs_ils(fs, argflags, istart, ilast, flags, sec_skew, image)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; int ch; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; int32_t sec_skew = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = GETOPT(argc, argv, _TSK_T("b:i:s:vVz:"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('s'): sec_skew = TATOI(OPTARG); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); case 'z': { TSK_TCHAR envstr[32]; TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG); if (0 != TPUTENV(envstr)) { tsk_fprintf(stderr, "error setting environment"); exit(1); } /* we should be checking this somehow */ TZSET(); } break; } } /* We need at least one more argument */ if (OPTIND > argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } TskGetTimes tskGetTimes(sec_skew); if (tskGetTimes.openImage(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) { tsk_error_print(stderr); exit(1); } if (tskGetTimes.findFilesInImg()) { tsk_error_print(stderr); exit(1); } exit(0); }
int MAIN(int argc, TSK_TCHAR ** argv) { TSK_TCHAR *imgtype = NULL; TSK_TCHAR *fstype = NULL; TSK_IMG_INFO *img; TSK_FS_INFO *fs; INUM_T inum; int ch; TSK_TCHAR *cp; int32_t sec_skew = 0; SSIZE_T imgoff = 0; /* When > 0 this is the number of blocks to print, used for -b arg */ DADDR_T numblock = 0; progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = getopt(argc, argv, _TSK_T("b:f:i:o:s:vVz:"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[optind]); usage(); case _TSK_T('b'): numblock = TSTRTOULL(optarg, &cp, 0); if (*cp || *cp == *optarg || numblock < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: block count must be positive: %s\n"), optarg); usage(); } break; case _TSK_T('f'): fstype = optarg; if (TSTRCMP(fstype, _TSK_T("list")) == 0) { tsk_fs_print_types(stderr); exit(1); } break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('o'): if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('s'): sec_skew = TATOI(optarg); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_print_version(stdout); exit(0); case _TSK_T('z'): { TSK_TCHAR envstr[32]; TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), optarg); if (0 != PUTENV(envstr)) { tsk_fprintf(stderr, "error setting environment"); exit(1); } TZSET(); } break; } } /* We need at least two more argument */ if (optind + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or address\n"); usage(); } /* if we are given the inode in the inode-type-id form, then ignore * the other stuff w/out giving an error * * This will make scripting easier */ if (tsk_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL)) { TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"), argv[argc - 1]); usage(); } /* * Open the file system. */ if ((img = tsk_img_open(imgtype, argc - optind - 1, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_print_types(stderr); img->close(img); exit(1); } if (inum > fs->last_inum) { tsk_fprintf(stderr, "Metadata address is too large for image (%" PRIuINUM ")\n", fs->last_inum); fs->close(fs); img->close(img); exit(1); } if (inum < fs->first_inum) { tsk_fprintf(stderr, "Metadata address is too small for image (%" PRIuINUM ")\n", fs->first_inum); fs->close(fs); img->close(img); exit(1); } if (fs->istat(fs, stdout, inum, numblock, sec_skew)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; TSK_INUM_T inum; int ch; TSK_TCHAR *cp; int32_t sec_skew = 0; /* When > 0 this is the number of blocks to print, used for -B arg */ TSK_DADDR_T numblock = 0; TSK_TCHAR **argv; unsigned int ssize = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = GETOPT(argc, argv, _TSK_T("b:B:f:i:o:s:vVz:"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('B'): numblock = TSTRTOULL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || numblock < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: block count must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('s'): sec_skew = TATOI(OPTARG); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); case _TSK_T('z'): { TSK_TCHAR envstr[32]; TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG); if (0 != TPUTENV(envstr)) { tsk_fprintf(stderr, "error setting environment"); exit(1); } TZSET(); } break; } } /* We need at least two more argument */ if (OPTIND + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or address\n"); usage(); } /* if we are given the inode in the inode-type-id form, then ignore * the other stuff w/out giving an error * * This will make scripting easier */ if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) { TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"), argv[argc - 1]); usage(); } /* * Open the file system. */ if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } if (inum > fs->last_inum) { tsk_fprintf(stderr, "Metadata address is too large for image (%" PRIuINUM ")\n", fs->last_inum); fs->close(fs); img->close(img); exit(1); } if (inum < fs->first_inum) { tsk_fprintf(stderr, "Metadata address is too small for image (%" PRIuINUM ")\n", fs->first_inum); fs->close(fs); img->close(img); exit(1); } if (fs->istat(fs, stdout, inum, numblock, sec_skew)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }