/* usage - explain and terminate */
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-vV] image inum\n"),
progname);
tsk_fprintf(stderr,
"\t-B num: force the display of NUM address of block pointers\n");
tsk_fprintf(stderr,
"\t-z zone: time zone of original machine (i.e. EST5EDT or GMT)\n");
tsk_fprintf(stderr,
"\t-s seconds: Time skew of original machine (in seconds)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: print version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-dsu unit_addr] [-vV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images]\n"),
progname);
tsk_fprintf(stderr, "Slowly calculates the opposite block number\n");
tsk_fprintf(stderr, "\tOne of the following must be given:\n");
tsk_fprintf(stderr,
"\t -d: The given address is from a 'dd' image \n");
tsk_fprintf(stderr,
"\t -s: The given address is from a 'blkls -s' (slack) image\n");
tsk_fprintf(stderr,
"\t -u: The given address is from a 'blkls' (unallocated) image\n");
tsk_fprintf(stderr,
"\t-f fstype: The file system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-ahsvVw] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-u usize] image [images] unit_addr [num]\n"),
progname);
tsk_fprintf(stderr, "\t-a: displays in all ASCII \n");
tsk_fprintf(stderr, "\t-h: displays in hexdump-like fashion\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-s: display basic block stats such as unit size, fragments, etc.\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: display version\n");
tsk_fprintf(stderr, "\t-w: displays in web-like (html) fashion\n");
tsk_fprintf(stderr,
"\t-u usize: size of each data unit in image (for raw, blkls, swap)\n");
tsk_fprintf(stderr,
"\t[num] is the number of data units to display (default is 1)\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-eqV] [-f lookup_file] [-i db_type] db_file [hashes]\n"),
progname);
tsk_fprintf(stderr,
"\t-e: Extended mode - where values other than just the name are printed\n");
tsk_fprintf(stderr,
"\t-q: Quick mode - where a 1 is printed if it is found, else 0\n");
tsk_fprintf(stderr, "\t-V: Print version to STDOUT\n");
tsk_fprintf(stderr,
"\t-f lookup_file: File with one hash per line to lookup\n");
tsk_fprintf(stderr,
"\t-i db_type: Create index file for a given hash database type\n");
tsk_fprintf(stderr,
"\tdb_file: The location of the original hash database\n");
tsk_fprintf(stderr,
"\t[hashes]: hashes to lookup (STDIN is used otherwise)\n");
tsk_fprintf(stderr, "\n\tSupported types: %s\n",
TSK_HDB_DBTYPE_SUPPORT_STR);
exit(1);
}
static void
usage()
{
TFPRINTF(stderr, _TSK_T("Usage: %s [-f fstype ] [-o imgoffset ] [-v] image nthreads niters\n"), progname);
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-alvV] [-f fstype] [-i imgtype] [-o imgoffset] [-d unit_addr] [-n file] [-p par_addr] [-z ZONE] image [images]\n"),
progname);
tsk_fprintf(stderr, "\t-a: find all inodes\n");
tsk_fprintf(stderr,
"\t-d unit_addr: Find the meta data given the data unit\n");
tsk_fprintf(stderr, "\t-l: long format when -p is given\n");
tsk_fprintf(stderr,
"\t-n file: Find the meta data given the file name\n");
tsk_fprintf(stderr,
"\t-p par_addr: Find UNALLOCATED MFT entries given the parent's meta address (NTFS only)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: Verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
tsk_fprintf(stderr,
"\t-z ZONE: Time zone setting when -l -p is given\n");
exit(1);
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("%s [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM] [-t vstype] image [images]\n"),
progname);
tsk_fprintf(stderr,
"\t-t vstype: The type of volume system (use '-t list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n");
tsk_fprintf(stderr, "\t-B: print the rounded length in bytes\n");
tsk_fprintf(stderr,
"\t-r: recurse and look for other partition tables in partitions (DOS Only)\n");
tsk_fprintf(stderr, "\t-v: verbose output\n");
tsk_fprintf(stderr, "\t-V: print the version\n");
tsk_fprintf(stderr,
"Unless any of these are specified, all volume types are shown\n");
tsk_fprintf(stderr, "\t-a: Show allocated volumes\n");
tsk_fprintf(stderr, "\t-A: Show unallocated volumes\n");
tsk_fprintf(stderr, "\t-m: Show metadata volumes\n");
tsk_fprintf(stderr, "\t-M: Hide metadata volumes\n");
exit(1);
}
/* usage - explain and terminate */
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-emOpvV] [-aAlLzZ] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-s seconds] image [images] [inum[-end]]\n"),
progname);
tsk_fprintf(stderr, "\t-e: Display all inodes\n");
tsk_fprintf(stderr, "\t-m: Display output in the mactime format\n");
tsk_fprintf(stderr,
"\t-O: Display inodes that are unallocated, but were sill open (UFS/ExtX only)\n");
tsk_fprintf(stderr,
"\t-p: Display orphan inodes (unallocated with no file name)\n");
tsk_fprintf(stderr,
"\t-s seconds: Time skew of original machine (in seconds)\n");
tsk_fprintf(stderr, "\t-a: Allocated inodes\n");
tsk_fprintf(stderr, "\t-A: Unallocated inodes\n");
tsk_fprintf(stderr, "\t-l: Linked inodes\n");
tsk_fprintf(stderr, "\t-L: Unlinked inodes\n");
tsk_fprintf(stderr, "\t-z: Unused inodes\n");
tsk_fprintf(stderr, "\t-Z: Used inodes\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Display version number\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-tvV] [-i imgtype] [-b dev_sector_size] image\n"),
progname);
tsk_fprintf(stderr, "\t-t: display type only\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-tvV] [-f fstype] [-i imgtype] [-o imgoffset] image\n"),
progname);
tsk_fprintf(stderr, "\t-t: display type only\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
/* usage - explain and terminate */
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] image [inode]\n"),
progname);
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: print version\n");
exit(1);
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("%s [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images]\n"),
progname);
tsk_fprintf(stderr,
"\t-t vstype: The volume system type (use '-t list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output\n");
tsk_fprintf(stderr, "\t-V: print the version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-vV] [-i imgtype] [-b dev_sector_size] [-s start_sector] [-e stop_sector] image\n"),
progname);
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use 'i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-s start_sector: The sector number to start at\n");
tsk_fprintf(stderr,
"\t-e stop_sector: The sector number to stop at\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("%s [-i imgtype] [-o imgoffset] [-brvV] [-t mmtype] image [images]\n"),
progname);
tsk_fprintf(stderr,
"\t-t mmtype: The type of partition system (use '-t list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n");
tsk_fprintf(stderr, "\t-b: print the rounded length in bytes\n");
tsk_fprintf(stderr,
"\t-r: recurse and look for other partition tables in partitions (DOS Only)\n");
tsk_fprintf(stderr, "\t-v: verbose output\n");
tsk_fprintf(stderr, "\t-V: print the version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-vV] [-i imgtype] [-b dev_sector_size] [-z zone] [-s seconds] image [image]\n"),
progname);
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
tsk_fprintf(stderr,
"\t-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)\n");
tsk_fprintf(stderr,
"\t-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)\n");
exit(1);
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_DADDR_T addr = 0;
TSK_TCHAR *cp;
TSK_DADDR_T read_num_units; /* Number of data units */
int usize = 0; /* Length of each data unit */
int ch;
char format = 0;
extern int OPTIND;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("ab:f:hi:o:su:vVw"))) > 0) {
switch (ch) {
case _TSK_T('a'):
format |= TSK_FS_BLKCAT_ASCII;
break;
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, BLKLS_TYPE) == 0) {
fstype = TSK_FS_TYPE_RAW;
}
else if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fprintf(stderr,
"\t%" PRIttocTSK " (Unallocated Space)\n", BLKLS_TYPE);
tsk_fs_type_print(stderr);
exit(1);
}
else {
fstype = tsk_fs_type_toid(OPTARG);
}
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('h'):
format |= TSK_FS_BLKCAT_HEX;
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('s'):
format |= TSK_FS_BLKCAT_STAT;
break;
case _TSK_T('u'):
usize = TSTRTOUL(OPTARG, &cp, 0);
if (*cp || cp == OPTARG) {
TFPRINTF(stderr, _TSK_T("Invalid block size: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
break;
case _TSK_T('w'):
format |= TSK_FS_BLKCAT_HTML;
break;
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
}
}
if (format & TSK_FS_BLKCAT_STAT) {
if (OPTIND == argc)
usage();
if (format & (TSK_FS_BLKCAT_HTML | TSK_FS_BLKCAT_ASCII |
TSK_FS_BLKCAT_HEX)) {
tsk_fprintf(stderr,
"NOTE: Additional flags will be ignored\n");
}
}
/* We need at least two more arguments */
else if (OPTIND + 1 >= argc) {
tsk_fprintf(stderr, "Missing image name and/or address\n");
usage();
}
if ((format & TSK_FS_BLKCAT_ASCII) && (format & TSK_FS_BLKCAT_HEX)) {
tsk_fprintf(stderr,
"Ascii and Hex flags can not be used together\n");
usage();
}
/* We need to figure out if there is a length argument... */
/* Check out the second argument from the end */
/* default number of units is 1 */
read_num_units = 1;
/* Get the block address */
if (format & TSK_FS_BLKCAT_STAT) {
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
addr = TSTRTOULL(argv[argc - 2], &cp, 0);
if (*cp || *cp == *argv[argc - 2]) {
/* Not a number, so it is the image name and we do not have a length */
addr = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"),
argv[argc - 1]);
usage();
}
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
/* We got a number, so take the length as well while we are at it */
read_num_units = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
TFPRINTF(stderr, _TSK_T("Invalid size: %s\n"),
argv[argc - 1]);
usage();
}
else if (read_num_units <= 0) {
tsk_fprintf(stderr, "Invalid size: %" PRIuDADDR "\n",
read_num_units);
usage();
}
if ((img =
tsk_img_open(argc - OPTIND - 2, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
}
/* open the file */
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
/* Set the default size if given */
if ((usize != 0) &&
(TSK_FS_TYPE_ISRAW(fs->ftype) || TSK_FS_TYPE_ISSWAP(fs->ftype))) {
TSK_DADDR_T sectors;
int orig_dsize, new_dsize;
if (usize % 512) {
tsk_fprintf(stderr,
"New data unit size not a multiple of 512 (%d)\n", usize);
usage();
}
/* We need to do some math to update the block_count value */
/* Get the original number of sectors */
orig_dsize = fs->block_size / 512;
sectors = fs->block_count * orig_dsize;
/* Convert that to the new size */
new_dsize = usize / 512;
fs->block_count = sectors / new_dsize;
if (sectors % new_dsize)
fs->block_count++;
fs->last_block = fs->block_count - 1;
fs->block_size = usize;
}
if (addr > fs->last_block) {
tsk_fprintf(stderr,
"Data unit address too large for image (%" PRIuDADDR ")\n",
fs->last_block);
fs->close(fs);
img->close(img);
exit(1);
}
if (addr < fs->first_block) {
tsk_fprintf(stderr,
"Data unit address too small for image (%" PRIuDADDR ")\n",
fs->first_block);
fs->close(fs);
img->close(img);
exit(1);
}
if (tsk_fs_blkcat(fs, (TSK_FS_BLKCAT_FLAG_ENUM) format, addr,
read_num_units)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
int
main(int argc, char** argv1)
{
TSK_TCHAR **argv;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_OFF_T imgaddr = 0;
int ch;
while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) {
switch (ch) {
case _TSK_T('f'):
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('v'):
tsk_verbose = 1;
break;
default:
usage();
break;
}
}
if (argc - OPTIND != 3) {
usage();
}
const TSK_TCHAR* image = argv[OPTIND];
size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0);
if (nthreads == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0);
if (niters == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0);
if (img == 0) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype);
if (fs == 0) {
tsk_img_close(img);
tsk_error_print(stderr);
exit(1);
}
TskThread** threads = new TskThread*[nthreads];
for (size_t i = 0; i < nthreads; ++i) {
threads[i] = new MyThread(i, fs, niters);
}
TskThread::run(threads, nthreads);
for (size_t i = 0; i < nthreads; ++i) {
delete threads[i];
}
delete[] threads;
tsk_fs_close(fs);
tsk_img_close(img);
exit(0);
}
int
main(int argc, char ** argv1)
{
int ch;
TSK_TCHAR *idx_type = NULL;
TSK_TCHAR *db_file = NULL, *lookup_file = NULL;
unsigned int flags = 0;
TSK_HDB_INFO *hdb_info;
TSK_TCHAR **argv;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if( argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **)argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("ef:i:qV"))) > 0) {
switch (ch) {
case _TSK_T('e'):
flags |= TSK_HDB_FLAG_EXT;
break;
case _TSK_T('f'):
lookup_file = OPTARG;
break;
case _TSK_T('i'):
idx_type = OPTARG;
break;
case _TSK_T('q'):
flags |= TSK_HDB_FLAG_QUICK;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
default:
usage();
}
}
if (OPTIND + 1 > argc) {
tsk_fprintf(stderr,
"Error: You must provide the source hash database location\n");
usage();
}
db_file = argv[OPTIND++];
if ((hdb_info = tsk_hdb_open(db_file, TSK_HDB_OPEN_NONE)) == NULL) {
tsk_error_print(stderr);
return 1;
}
/* What mode are we going to run in
*
* Are we going to make an index? */
if (idx_type != NULL) {
/* Get the flags right */
if (lookup_file != NULL) {
fprintf(stderr, "'-f' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_QUICK) {
fprintf(stderr, "'-q' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_EXT) {
fprintf(stderr, "'-e' flag can't be used with '-i'\n");
usage();
}
if (tsk_hdb_makeindex(hdb_info, idx_type)) {
tsk_error_print(stderr);
tsk_hdb_close(hdb_info);
return 1;
}
printf("Index Created\n");
tsk_hdb_close(hdb_info);
return 0;
}
/* Do some hash lookups
*
* Check if the values were passed on the command line or via a file */
if (OPTIND < argc) {
if ((OPTIND + 1 < argc) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr,
"Error: Only one hash can be given with quick option\n");
usage();
}
if ((flags & TSK_HDB_FLAG_EXT) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr, "'-e' flag can't be used with '-q'\n");
usage();
}
if (lookup_file != NULL) {
fprintf(stderr,
"Error: -f can't be used when hashes are also given\n");
usage();
}
/* Loop through all provided hash values
*/
while (OPTIND < argc) {
char htmp[128];
int i;
int retval;
// convert to char -- lazy way to deal with WCHARs..
for (i = 0; i < 127 && argv[OPTIND][i] != '\0'; i++) {
htmp[i] = (char) argv[OPTIND][i];
}
htmp[i] = '\0';
/* Perform lookup */
retval =
tsk_hdb_lookup_str(hdb_info, (const char *)htmp,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
}
else if (retval == 0) {
print_notfound(htmp);
}
OPTIND++;
}
}
/* Hash were given from stdin or a file */
else {
char buf[100];
/* If the file was specified, use that - otherwise stdin */
#ifdef TSK_WIN32
HANDLE handle = NULL;
if (lookup_file != NULL) {
if ((handle = CreateFile(lookup_file, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
0)) == INVALID_HANDLE_VALUE) {
TFPRINTF(stderr, _TSK_T("Error opening hash file: %s\n"),
lookup_file);
exit(1);
}
}
else {
handle = GetStdHandle(STD_INPUT_HANDLE);
}
#else
FILE *handle = NULL;
if (lookup_file != NULL) {
handle = fopen(lookup_file, "r");
if (!handle) {
fprintf(stderr, "Error opening hash file: %s\n",
lookup_file);
exit(1);
}
}
else {
handle = stdin;
}
#endif
while (1) {
int retval;
memset(buf, 0, 100);
#ifdef TSK_WIN32
int done = 0;
// win32 doesn't have a fgets equivalent, so we make an equivalent one
for (int i = 0; i < 100; i++) {
DWORD nread;
if (FALSE == ReadFile(handle, &buf[i], (DWORD) 1, &nread, NULL)) {
done = 1;
break;
}
// skip the windows CR
else if (buf[i] == '\r') {
buf[i] = '\0';
i--;
continue;
}
else if (buf[i] == '\n') {
break;
}
}
if (done)
break;
#else
if (NULL == fgets(buf, 100, handle)) {
break;
}
#endif
/* Remove the newline */
buf[strlen(buf) - 1] = '\0';
retval =
tsk_hdb_lookup_str(hdb_info, (const char *)buf,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
break;
}
else if (retval == 0) {
print_notfound(buf);
}
}
#ifdef TSK_WIN32
if (lookup_file != NULL)
CloseHandle(handle);
#else
if (lookup_file != NULL)
fclose(handle);
#endif
}
tsk_hdb_close(hdb_info);
return 0;
}
/**
* Open one or more files as a disk image. This serves as a
* wrapper around the specific types of disk image formats. You
* can specify the type or autodetection can be used.
*
* @param type The text a user supplied for the type of format.
* Examples include "raw", "split", "aff", etc.
* @param num_img The number of images that are being considered.
* @param images The path to the files (the number of files must
* be equal to num_img)
*
* @return Pointer to the Image state structure or NULL on error
*/
TSK_IMG_INFO *
tsk_img_open(const TSK_TCHAR * type, const int num_img,
const TSK_TCHAR ** images)
{
TSK_IMG_INFO *img_info = NULL;
TSK_TCHAR *tp, *next;
TSK_TCHAR type_lcl[128], *type_lcl_p;
const TSK_TCHAR **img_tmp;
int num_img_tmp = num_img;
// Get rid of any old error messages laying around
tsk_error_reset();
if ((num_img == 0) || (images[0] == NULL)) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_NOFILE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_img_open");
tsk_errstr2[0] = '\0';
return NULL;
}
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T("tsk_img_open: Type: %s NumImg: %d Img1: %s\n"),
(type ? type : _TSK_T("n/a")), num_img, images[0]);
// only the first in list (lowest) layer gets the files
img_tmp = images;
/* If no type is given, then we use the autodetection methods
* In case the image file matches the signatures of multiple formats,
* we try all of the embedded formats
*/
if (type == NULL) {
TSK_IMG_INFO *img_set = NULL;
#if HAVE_LIBAFFLIB || HAVE_LIBEWF
char *set = NULL;
#endif
struct STAT_STR stat_buf;
/* First verify that the image file exists */
if (TSTAT(images[0], &stat_buf) < 0) {
// special case to handle windows objects
#if defined(TSK_WIN32)
if ((images[0][0] == _TSK_T('\\'))
&& (images[0][1] == _TSK_T('\\'))
&& (images[0][2] == _TSK_T('.'))
&& (images[0][3] == _TSK_T('\\'))) {
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T
("tsk_img_open: Ignoring stat error because of windows object: %s\n"),
images[0]);
}
#endif
/* AFFLIB supports s3 storage on Amazon, so skip those 'file' paths */
#if HAVE_LIBAFFLIB
#if defined(TSK_WIN32)
else
#endif
if (((images[0][0] == _TSK_T('s'))
&& (images[0][1] == _TSK_T('3'))
&& (images[0][2] == _TSK_T(':'))
&& (images[0][3] == _TSK_T('/'))
&& (images[0][4] == _TSK_T('/'))) ||
((images[0][0] == _TSK_T('h'))
&& (images[0][1] == _TSK_T('t'))
&& (images[0][2] == _TSK_T('t'))
&& (images[0][3] == _TSK_T('p'))
&& (images[0][4] == _TSK_T(':'))
&& (images[0][5] == _TSK_T('/'))
&& (images[0][6] == _TSK_T('/')))) {
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T
("tsk_img_open: Ignoring stat error because of s3/http object: %s\n"),
images[0]);
}
#endif
#if HAVE_LIBAFFLIB || defined(TSK_WIN32)
else {
#endif
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_STAT;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK " : %s",
images[0], strerror(errno));
return NULL;
#if HAVE_LIBAFFLIB || defined(TSK_WIN32)
}
#endif
}
// we rely on tsk_errno, so make sure it is 0
tsk_error_reset();
/* Try the non-raw formats first */
#if HAVE_LIBAFFLIB
if ((img_info = aff_open(images, NULL)) != NULL) {
set = "AFF";
img_set = img_info;
}
else {
tsk_error_reset();
}
#endif
#if HAVE_LIBEWF
if ((img_info = ewf_open(num_img, images, NULL)) != NULL) {
if (set == NULL) {
set = "EWF";
img_set = img_info;
}
else {
img_set->close(img_set);
img_info->close(img_info);
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNKTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "EWF or %s", set);
return NULL;
}
}
else {
tsk_error_reset();
}
#endif
if (img_set != NULL)
return img_set;
/* We'll use the raw format */
if (num_img == 1) {
if ((img_info = raw_open(images, NULL)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
else {
if ((img_info = split_open(num_img, images, NULL)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
tsk_errno = TSK_ERR_IMG_UNKTYPE;
tsk_errstr[0] = '\0';
tsk_errstr2[0] = '\0';
return NULL;
}
/*
* Type values
* Make a local copy that we can modify the string as we parse it
*/
TSTRNCPY(type_lcl, type, 128);
type_lcl_p = type_lcl;
/* We parse this and go up in the layers */
tp = TSTRTOK(type_lcl, _TSK_T(","));
while (tp != NULL) {
uint8_t imgtype;
next = TSTRTOK(NULL, _TSK_T(","));
imgtype = tsk_img_parse_type(type);
switch (imgtype) {
case TSK_IMG_INFO_TYPE_RAW_SING:
/* If we have more than one image name, and raw was the only
* type given, then use split */
if ((num_img > 1) && (next == NULL) && (img_tmp != NULL)) {
img_info = split_open(num_img_tmp, img_tmp, img_info);
num_img_tmp = 0;
}
else {
img_info = raw_open(img_tmp, img_info);
}
img_tmp = NULL;
break;
case TSK_IMG_INFO_TYPE_RAW_SPLIT:
/* If only one image file is given, and only one type was
* given then use raw */
if ((num_img == 1) && (next == NULL) && (img_tmp != NULL)) {
img_info = raw_open(img_tmp, img_info);
}
else {
img_info = split_open(num_img_tmp, img_tmp, img_info);
num_img_tmp = 0;
}
img_tmp = NULL;
break;
#if HAVE_LIBAFFLIB
case TSK_IMG_INFO_TYPE_AFF_AFF:
case TSK_IMG_INFO_TYPE_AFF_AFD:
case TSK_IMG_INFO_TYPE_AFF_AFM:
img_info = aff_open(img_tmp, img_info);
break;
#endif
#if HAVE_LIBEWF
case TSK_IMG_INFO_TYPE_EWF_EWF:
img_info = ewf_open(num_img_tmp, img_tmp, img_info);
break;
#endif
default:
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNSUPTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK, tp);
return NULL;
}
/* Advance the pointer */
tp = next;
}
/* Return the highest layer */
return img_info;
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
int ch;
TSK_TCHAR *cp;
uint8_t type = 0;
int set = 0;
TSK_DADDR_T count = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:d:f:i:o:s:u:vV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('d'):
type |= TSK_FS_BLKCALC_DD;
count = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG) {
TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
usage();
}
set = 1;
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('s'):
type |= TSK_FS_BLKCALC_SLACK;
count = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG) {
TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
usage();
}
set = 1;
break;
case _TSK_T('u'):
type |= TSK_FS_BLKCALC_BLKLS;
count = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG) {
TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
usage();
}
set = 1;
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND == argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((!type) || (set == 0)) {
tsk_fprintf(stderr, "Calculation type not given (-u, -d, -s)\n");
usage();
}
if ((type & TSK_FS_BLKCALC_DD) && (type & TSK_FS_BLKCALC_BLKLS)
&& (type & TSK_FS_BLKCALC_SLACK)) {
tsk_fprintf(stderr, "Only one block type can be given\n");
usage();
}
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
if (-1 == tsk_fs_blkcalc(fs, (TSK_FS_BLKCALC_FLAG_ENUM) type, count)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_INUM_T inum;
int ch;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:f:i:o:vV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name and/or address\n");
usage();
}
/* open image - there is an optional inode address at the end of args
*
* Check the final argument and see if it is a number
*/
if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) {
/* Not an inode at the end */
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
inum = fs->journ_inum;
}
else {
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
}
if (fs->jopen == NULL) {
tsk_fprintf(stderr,
"Journal support does not exist for this file system\n");
fs->close(fs);
img->close(img);
exit(1);
}
if (inum > fs->last_inum) {
tsk_fprintf(stderr,
"Inode value is too large for image (%" PRIuINUM ")\n",
fs->last_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (inum < fs->first_inum) {
tsk_fprintf(stderr,
"Inode value is too small for image (%" PRIuINUM ")\n",
fs->first_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (fs->jopen(fs, inum)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
if (fs->jentry_walk(fs, 0, 0, NULL)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
/**
* \internal
* Open the file as a raw image.
* @param image Path to disk image to open.
* @param a_ssize Size of device sector in bytes (or 0 for default)
* @returns NULL on error.
*/
TSK_IMG_INFO *
raw_open(const TSK_TCHAR * image, unsigned int a_ssize)
{
IMG_RAW_INFO *raw_info;
TSK_IMG_INFO *img_info;
struct STAT_STR stat_buf;
int is_winobj = 0;
if ((raw_info =
(IMG_RAW_INFO *) tsk_img_malloc(sizeof(IMG_RAW_INFO))) == NULL)
return NULL;
img_info = (TSK_IMG_INFO *) raw_info;
img_info->itype = TSK_IMG_TYPE_RAW_SING;
img_info->read = raw_read;
img_info->close = raw_close;
img_info->imgstat = raw_imgstat;
img_info->sector_size = 512;
if (a_ssize)
img_info->sector_size = a_ssize;
#if defined(TSK_WIN32) || defined(__CYGWIN__)
if ((image[0] == _TSK_T('\\'))
&& (image[1] == _TSK_T('\\'))
&& (image[2] == _TSK_T('.'))
&& (image[3] == _TSK_T('\\'))) {
is_winobj = 1;
}
#endif
if (is_winobj == 0) {
/* Exit if we are given a directory */
if (TSTAT(image, &stat_buf) < 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_STAT);
tsk_error_set_errstr("raw_open: %s", strerror(errno));
return NULL;
}
else if ((stat_buf.st_mode & S_IFMT) == S_IFDIR) {
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T("raw_open: image %s is a directory\n"), image);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_MAGIC);
tsk_error_set_errstr("raw_open: path is for a directory");
return NULL;
}
}
#ifdef TSK_WIN32
{
DWORD dwHi, dwLo;
if ((raw_info->fd = CreateFile(image, FILE_READ_DATA,
FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL)) ==
INVALID_HANDLE_VALUE) {
// if it is a device, try with SHARE_WRITE
if ((image[0] == _TSK_T('\\')) && (image[1] == _TSK_T('\\')) &&
(image[2] == _TSK_T('.')) && (image[3] == _TSK_T('\\'))) {
if (tsk_verbose)
tsk_fprintf(stderr,
"raw_open: Trying Windows device with share_write mode\n");
raw_info->fd = CreateFile(image, FILE_READ_DATA,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
}
if (raw_info->fd == INVALID_HANDLE_VALUE) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
// print string of commonly found errors
if (GetLastError() == ERROR_ACCESS_DENIED) {
tsk_error_set_errstr("raw_open file: %" PRIttocTSK
" (Access Denied)", image);
}
else if (GetLastError() == ERROR_SHARING_VIOLATION) {
tsk_error_set_errstr("raw_open file: %" PRIttocTSK
" (Sharing Violation)", image);
}
else if (GetLastError() == ERROR_FILE_NOT_FOUND) {
tsk_error_set_errstr("raw_open file: %" PRIttocTSK
" (File not found)", image);
}
else {
tsk_error_set_errstr("raw_open file: %" PRIttocTSK
" (%d)", image, (int) GetLastError());
}
return NULL;
}
}
/* We need different techniques to determine the size of physical
* devices versus normal files
*/
if (is_winobj == 0) {
dwLo = GetFileSize(raw_info->fd, &dwHi);
if (dwLo == 0xffffffff) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("raw_open file: %" PRIttocTSK
" GetFileSize: %d", image, (int) GetLastError());
return NULL;
}
img_info->size = dwLo | ((TSK_OFF_T) dwHi << 32);
}
else {
DISK_GEOMETRY pdg;
DWORD junk;
if (FALSE == DeviceIoControl(raw_info->fd, // device to be queried
IOCTL_DISK_GET_DRIVE_GEOMETRY, // operation to perform
NULL, 0, &pdg, sizeof(pdg), &junk,
(LPOVERLAPPED) NULL)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("raw_open file: %" PRIttocTSK
" DeviceIoControl: %d", image, (int) GetLastError());
return NULL;
}
img_info->size =
pdg.Cylinders.QuadPart *
(TSK_OFF_T) pdg.TracksPerCylinder *
(TSK_OFF_T) pdg.SectorsPerTrack *
(TSK_OFF_T) pdg.BytesPerSector;
}
}
#else
if ((raw_info->fd = open(image, O_RDONLY | O_BINARY)) < 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_OPEN);
tsk_error_set_errstr("raw_open file: %" PRIttocTSK " msg: %s",
image, strerror(errno));
return NULL;
}
#if defined(__APPLE__)
/* OS X doesn't support SEEK_END on char devices */
if ((stat_buf.st_mode & S_IFMT) != S_IFCHR) {
img_info->size = lseek(raw_info->fd, 0, SEEK_END);
lseek(raw_info->fd, 0, SEEK_SET);
}
if (img_info->size == 0) {
int blkSize;
long long blkCnt;
if (ioctl(raw_info->fd, DKIOCGETBLOCKSIZE, &blkSize) >= 0) {
if (ioctl(raw_info->fd, DKIOCGETBLOCKCOUNT, &blkCnt) >= 0) {
img_info->size = blkCnt * (long long) blkSize;
}
}
}
#else
/* We don't use the stat output because it doesn't work on raw
* devices and such */
img_info->size = lseek(raw_info->fd, 0, SEEK_END);
lseek(raw_info->fd, 0, SEEK_SET);
#endif
#endif
raw_info->seek_pos = 0;
return img_info;
}
/**
* Process the database to create a sorted index of it. Consecutive
* entries with the same hash value are not added to the index, but
* will be found during lookup.
*
* @param hdb_info Hash database to make index of.
* @param dbtype Type of database
*
* @return 1 on error and 0 on success.
*/
uint8_t
nsrl_makeindex(TSK_HDB_INFO * hdb_info, TSK_TCHAR * dbtype)
{
size_t i, len;
char buf[TSK_HDB_MAXLEN];
char *hash = NULL, phash[TSK_HDB_HTYPE_SHA1_LEN + 1];
TSK_OFF_T offset = 0;
int ver = 0;
int db_cnt = 0, idx_cnt = 0, ig_cnt = 0;
if (tsk_hdb_idxinitialize(hdb_info, dbtype)) {
tsk_error_set_errstr2( "nsrl_makeindex");
return 1;
}
/* Status */
if (tsk_verbose)
TFPRINTF(stderr, _TSK_T("Extracting Data from Database (%s)\n"),
hdb_info->db_fname);
/* Allocate a buffer for the previous hash value */
memset(phash, '0', TSK_HDB_HTYPE_SHA1_LEN + 1);
/* read the file */
fseek(hdb_info->hDb, 0, SEEK_SET);
for (i = 0; NULL != fgets(buf, TSK_HDB_MAXLEN, hdb_info->hDb);
offset += len, i++) {
len = strlen(buf);
/* Get the version of the database on the first time around */
if (i == 0) {
if ((ver = get_format_ver(buf)) == -1) {
return 1;
}
ig_cnt++;
continue;
}
/* Parse the line */
if (hdb_info->hash_type & TSK_HDB_HTYPE_SHA1_ID) {
if (nsrl_parse_sha1(buf, &hash, NULL, ver)) {
ig_cnt++;
continue;
}
}
else if (hdb_info->hash_type & TSK_HDB_HTYPE_MD5_ID) {
if (nsrl_parse_md5(buf, &hash, NULL, ver)) {
ig_cnt++;
continue;
}
}
db_cnt++;
/* We only want to add one of each hash to the index */
if (memcmp(hash, phash, hdb_info->hash_len) == 0) {
continue;
}
/* Add the entry to the index */
if (tsk_hdb_idxaddentry(hdb_info, hash, offset)) {
tsk_error_set_errstr2( "nsrl_makeindex");
return 1;
}
idx_cnt++;
/* Set the previous has value */
strncpy(phash, hash, hdb_info->hash_len + 1);
}
if (idx_cnt > 0) {
if (tsk_verbose) {
fprintf(stderr, " Valid Database Entries: %d\n", db_cnt);
fprintf(stderr,
" Invalid Database Entries (headers or errors): %d\n",
ig_cnt);
fprintf(stderr, " Index File Entries %s: %d\n",
(idx_cnt == db_cnt) ? "" : "(optimized)", idx_cnt);
}
/* Close and sort the index */
if (tsk_hdb_idxfinalize(hdb_info)) {
tsk_error_set_errstr2( "nsrl_makeindex");
return 1;
}
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_CORRUPT);
tsk_error_set_errstr(
"nsrl_makeindex: No valid entries found in database");
return 1;
}
return 0;
}
int
MAIN(int argc, TSK_TCHAR ** argv)
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
TSK_TCHAR *fstype = NULL;
TSK_TCHAR *imgtype = NULL;
int ch;
uint8_t type = 0;
SSIZE_T imgoff = 0;
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = getopt(argc, argv, _TSK_T("f:i:o:tvV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[optind]);
usage();
case _TSK_T('f'):
fstype = optarg;
if (TSTRCMP(fstype, _TSK_T("list")) == 0) {
tsk_fs_print_types(stderr);
exit(1);
}
break;
case _TSK_T('i'):
imgtype = optarg;
if (TSTRCMP(imgtype, _TSK_T("list")) == 0) {
tsk_img_print_types(stderr);
exit(1);
}
break;
case _TSK_T('o'):
if ((imgoff = tsk_parse_offset(optarg)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('t'):
type = 1;
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_print_version(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (optind >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((img =
tsk_img_open(imgtype, argc - optind,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_print_types(stderr);
img->close(img);
exit(1);
}
if (type) {
char *str = tsk_fs_get_type(fs->ftype);
tsk_printf("%s\n", str);
}
else {
if (fs->fsstat(fs, stdout)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
}
fs->close(fs);
img->close(img);
exit(0);
}
/**
* \ingroup imglib
* Opens one or more disk image files so that they can be read. If a file format
* type is specified, this function will call the specific routine to open the file.
* Otherwise, it will detect the type (it will default to raw if no specific type can
* be detected). This function must be called before a disk image can be read from.
* Note that the data type used to store the image paths is a TSK_TCHAR, which changes
* depending on a Unix or Windows build. If you will always have UTF8, then consider
* using tsk_img_open_utf8().
*
* @param num_img The number of images to open (will be > 1 for split images).
* @param images The path to the image files (the number of files must
* be equal to num_img and they must be in a sorted order)
* @param type The disk image type (can be autodetection)
* @param a_ssize Size of device sector in bytes (or 0 for default)
*
* @return Pointer to TSK_IMG_INFO or NULL on error
*/
TSK_IMG_INFO *
tsk_img_open(int num_img,
const TSK_TCHAR * const images[], TSK_IMG_TYPE_ENUM type,
unsigned int a_ssize)
{
TSK_IMG_INFO *img_info = NULL;
// Get rid of any old error messages laying around
tsk_error_reset();
if ((num_img == 0) || (images[0] == NULL)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_NOFILE);
tsk_error_set_errstr("tsk_img_open");
return NULL;
}
if ((a_ssize > 0) && (a_ssize < 512)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_ARG);
tsk_error_set_errstr("sector size is less than 512 bytes (%d)",
a_ssize);
return NULL;
}
if ((a_ssize % 512) != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_ARG);
tsk_error_set_errstr("sector size is not a multiple of 512 (%d)",
a_ssize);
return NULL;
}
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T("tsk_img_open: Type: %d NumImg: %d Img1: %s\n"),
type, num_img, images[0]);
/* If no type is given, then we use the autodetection methods
* In case the image file matches the signatures of multiple formats,
* we try all of the embedded formats
*/
if (type == TSK_IMG_TYPE_DETECT) {
TSK_IMG_INFO *img_set = NULL;
#if HAVE_LIBAFFLIB || HAVE_LIBEWF
char *set = NULL;
#endif
// we rely on tsk_errno, so make sure it is 0
tsk_error_reset();
/* Try the non-raw formats first */
#if HAVE_LIBAFFLIB
if ((img_info = aff_open(images, a_ssize)) != NULL) {
/* we don't allow the "ANY" when autodetect is used because
* we only want to detect the tested formats. */
if (img_info->itype == TSK_IMG_TYPE_AFF_ANY) {
img_info->close(img_info);
}
else {
set = "AFF";
img_set = img_info;
}
}
else {
// If AFF is otherwise happy except for a password, stop trying to guess
if (tsk_error_get_errno() == TSK_ERR_IMG_PASSWD) {
return NULL;
}
tsk_error_reset();
}
#endif
#if HAVE_LIBEWF
if ((img_info = ewf_open(num_img, images, a_ssize)) != NULL) {
if (set == NULL) {
set = "EWF";
img_set = img_info;
}
else {
img_set->close(img_set);
img_info->close(img_info);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_UNKTYPE);
tsk_error_set_errstr("EWF or %s", set);
return NULL;
}
}
else {
tsk_error_reset();
}
#endif
// if any of the non-raw formats were detected, then use it.
if (img_set != NULL)
return img_set;
// otherwise, try raw
if ((img_info = raw_open(num_img, images, a_ssize)) != NULL) {
return img_info;
}
else if (tsk_error_get_errno() != 0) {
return NULL;
}
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_UNKTYPE);
return NULL;
}
/*
* Type values
*/
switch (type) {
case TSK_IMG_TYPE_RAW:
img_info = raw_open(num_img, images, a_ssize);
break;
#if HAVE_LIBAFFLIB
case TSK_IMG_TYPE_AFF_AFF:
case TSK_IMG_TYPE_AFF_AFD:
case TSK_IMG_TYPE_AFF_AFM:
case TSK_IMG_TYPE_AFF_ANY:
img_info = aff_open(images, a_ssize);
break;
#endif
#if HAVE_LIBEWF
case TSK_IMG_TYPE_EWF_EWF:
img_info = ewf_open(num_img, images, a_ssize);
break;
#endif
default:
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_UNSUPTYPE);
tsk_error_set_errstr("%d", type);
return NULL;
}
return img_info;
}
/**
* \ingroup imglib
* Opens one or more disk image files so that they can be read. If a file format
* type is specified, this function will call the specific routine to open the file.
* Otherwise, it will detect the type (it will default to raw if no specific type can
* be detected). This function must be called before a disk image can be read from.
* Note that the data type used to store the image paths is a TSK_TCHAR, which changes
* depending on a Unix or Windows build. If you will always have UTF8, then consider
* using tsk_img_open_utf8().
*
* @param num_img The number of images to open (will be > 1 for split images).
* @param images The path to the image files (the number of files must
* be equal to num_img and they must be in a sorted order)
* @param type The disk image type (can be autodetection)
* @param a_ssize Size of device sector in bytes (or 0 for default)
*
* @return Pointer to TSK_IMG_INFO or NULL on error
*/
TSK_IMG_INFO *
tsk_img_open(int num_img,
const TSK_TCHAR * const images[], TSK_IMG_TYPE_ENUM type,
unsigned int a_ssize)
{
TSK_IMG_INFO *img_info = NULL;
// Get rid of any old error messages laying around
tsk_error_reset();
if ((num_img == 0) || (images[0] == NULL)) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_NOFILE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_img_open");
return NULL;
}
if ((a_ssize > 0) && (a_ssize < 512)) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L, "sector size is less than 512 bytes (%d)", a_ssize);
return NULL;
}
if ((a_ssize % 512) != 0) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L, "sector size is not a multiple of 512 (%d)", a_ssize);
return NULL;
}
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T("tsk_img_open: Type: %d NumImg: %d Img1: %s\n"),
type, num_img, images[0]);
/* If no type is given, then we use the autodetection methods
* In case the image file matches the signatures of multiple formats,
* we try all of the embedded formats
*/
if (type == TSK_IMG_TYPE_DETECT) {
TSK_IMG_INFO *img_set = NULL;
#if HAVE_LIBAFFLIB || HAVE_LIBEWF
char *set = NULL;
#endif
struct STAT_STR stat_buf;
// we rely on tsk_errno, so make sure it is 0
tsk_error_reset();
/* Try the non-raw formats first */
#if HAVE_LIBAFFLIB
if ((img_info = aff_open(images, a_ssize)) != NULL) {
/* we don't allow the "ANY" when autodetect is used because
* we only want to detect the tested formats. */
if (img_info->itype == TSK_IMG_TYPE_AFF_ANY) {
img_info->close(img_info);
}
else {
set = "AFF";
img_set = img_info;
}
}
else {
// If AFF is otherwise happy except for a password, stop trying to guess
if (tsk_errno == TSK_ERR_IMG_PASSWD) {
return NULL;
}
tsk_error_reset();
}
#endif
#if HAVE_LIBEWF
if ((img_info = ewf_open(num_img, images, a_ssize)) != NULL) {
if (set == NULL) {
set = "EWF";
img_set = img_info;
}
else {
img_set->close(img_set);
img_info->close(img_info);
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNKTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "EWF or %s", set);
return NULL;
}
}
else {
tsk_error_reset();
}
#endif
// if any of the non-raw formats were detected, then use it.
if (img_set != NULL)
return img_set;
/* We'll use the raw format */
if (num_img == 1) {
if ((img_info = raw_open(images[0], a_ssize)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
else {
if ((img_info = split_open(num_img, images, a_ssize)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
/* To improve the error message, verify the file can be read. */
if (TSTAT(images[0], &stat_buf) < 0) {
// special case to handle windows objects
#if defined(TSK_WIN32) || defined(__CYGWIN__)
if (TSTRNCMP(_TSK_T("\\\\.\\"), images[0], 4) == 0) {
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T
("tsk_img_open: Ignoring stat error because of windows object: %s\n"),
images[0]);
}
else {
#endif
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_STAT;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK " : %s",
images[0], strerror(errno));
return NULL;
#if defined(TSK_WIN32) || defined(__CYGWIN__)
}
#endif
}
tsk_errno = TSK_ERR_IMG_UNKTYPE;
tsk_errstr[0] = '\0';
tsk_errstr2[0] = '\0';
return NULL;
}
/*
* Type values
* Make a local copy that we can modify the string as we parse it
*/
switch (type) {
case TSK_IMG_TYPE_RAW_SING:
/* If we have more than one image name, and raw was the only
* type given, then use split */
if (num_img > 1)
img_info = split_open(num_img, images, a_ssize);
else
img_info = raw_open(images[0], a_ssize);
break;
case TSK_IMG_TYPE_RAW_SPLIT:
/* If only one image file is given, and only one type was
* given then use raw */
if (num_img == 1)
img_info = raw_open(images[0], a_ssize);
else
img_info = split_open(num_img, images, a_ssize);
break;
#if HAVE_LIBAFFLIB
case TSK_IMG_TYPE_AFF_AFF:
case TSK_IMG_TYPE_AFF_AFD:
case TSK_IMG_TYPE_AFF_AFM:
case TSK_IMG_TYPE_AFF_ANY:
img_info = aff_open(images, a_ssize);
break;
#endif
#if HAVE_LIBEWF
case TSK_IMG_TYPE_EWF_EWF:
img_info = ewf_open(num_img, images, a_ssize);
break;
#endif
case TSK_IMG_TYPE_QEMU:
img_info = qemu_open(images[0], a_ssize);
break;
default:
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNSUPTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%d", type);
return NULL;
}
return img_info;
}
/**
* Process the database to create a sorted index of it. Consecutive
* entries with the same hash value are not added to the index, but
* will be found during lookup.
*
* @param hdb_info Hash database to make index of
* @param dbtype Text of database type (should always be TSK_HDB_DBTYPE_HK_STR)
*
* @return 1 on error and 0 on success.
*/
uint8_t
hk_makeindex(TSK_HDB_INFO * hdb_info, TSK_TCHAR * dbtype)
{
int i;
size_t len = 0;
char buf[TSK_HDB_MAXLEN];
char *hash = NULL, phash[TSK_HDB_HTYPE_MD5_LEN + 1];
TSK_OFF_T offset = 0;
int db_cnt = 0, idx_cnt = 0, ig_cnt = 0;
if (tsk_hdb_idxinitialize(hdb_info, dbtype)) {
tsk_error_set_errstr2( "hk_makeindex");
return 1;
}
fseek(hdb_info->hDb, 0, SEEK_SET);
/* Status */
if (tsk_verbose)
TFPRINTF(stderr, _TSK_T("Extracting Data from Database (%s)\n"),
hdb_info->db_fname);
/* Allocate a buffer to hold the previous hash values */
memset(phash, '0', TSK_HDB_HTYPE_MD5_LEN + 1);
/* read each line of the file */
fseek(hdb_info->hDb, 0, SEEK_SET);
for (i = 0; NULL != fgets(buf, TSK_HDB_MAXLEN, hdb_info->hDb);
offset += (TSK_OFF_T) len, i++) {
len = strlen(buf);
/* Parse each line to get the MD5 value */
if (hk_parse_md5(buf, &hash, NULL, 0, NULL, 0)) {
ig_cnt++;
continue;
}
db_cnt++;
/* If this entry is for the same hash value as the last entry,
* the skip it -- we'll look for it during lookup */
if (memcmp(hash, phash, TSK_HDB_HTYPE_MD5_LEN) == 0) {
continue;
}
/* Add the entry to the index */
if (tsk_hdb_idxaddentry(hdb_info, hash, offset)) {
tsk_error_set_errstr2( "hk_makeindex");
return 1;
}
idx_cnt++;
/* Set the previous hash value */
strncpy(phash, hash, TSK_HDB_HTYPE_MD5_LEN + 1);
}
if (idx_cnt > 0) {
if (tsk_verbose) {
fprintf(stderr, " Valid Database Entries: %d\n", db_cnt);
fprintf(stderr,
" Invalid Database Entries (headers or errors): %d\n",
ig_cnt);
fprintf(stderr, " Index File Entries %s: %d\n",
(idx_cnt == db_cnt) ? "" : "(optimized)", idx_cnt);
}
/* Finish the index making process */
if (tsk_hdb_idxfinalize(hdb_info)) {
tsk_error_set_errstr2( "hk_makeindex");
return 1;
}
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_CORRUPT);
tsk_error_set_errstr(
"hk_makeindex: No valid entries found in database");
return 1;
}
return 0;
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
int ch;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
int32_t sec_skew = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:s:vVz:"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('s'):
sec_skew = TATOI(OPTARG);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
case 'z':
{
TSK_TCHAR envstr[32];
TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG);
if (0 != TPUTENV(envstr)) {
tsk_fprintf(stderr, "error setting environment");
exit(1);
}
/* we should be checking this somehow */
TZSET();
}
break;
}
}
/* We need at least one more argument */
if (OPTIND > argc) {
tsk_fprintf(stderr,
"Missing image name\n");
usage();
}
TskGetTimes tskGetTimes(sec_skew);
if (tskGetTimes.openImage(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) {
tsk_error_print(stderr);
exit(1);
}
if (tskGetTimes.findFilesInImg()) {
tsk_error_print(stderr);
exit(1);
}
exit(0);
}
/* main - open file system, list inode info */
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_TCHAR *cp, *dash;
TSK_INUM_T istart = 0, ilast = 0;
int ch;
int flags = TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED;
int ils_flags = 0;
int set_range = 1;
TSK_TCHAR *image = NULL;
int32_t sec_skew = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
/*
* Provide convenience options for the most commonly selected feature
* combinations.
*/
while ((ch =
GETOPT(argc, argv, _TSK_T("aAb:ef:i:lLmo:Oprs:vVzZ"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('e'):
flags |= (TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC);
flags &= ~TSK_FS_META_FLAG_USED;
break;
case _TSK_T('m'):
ils_flags |= TSK_FS_ILS_MAC;
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('O'):
flags |= TSK_FS_META_FLAG_UNALLOC;
flags &= ~TSK_FS_META_FLAG_ALLOC;
ils_flags |= TSK_FS_ILS_OPEN;
break;
case _TSK_T('p'):
flags |= (TSK_FS_META_FLAG_ORPHAN | TSK_FS_META_FLAG_UNALLOC);
flags &= ~TSK_FS_META_FLAG_ALLOC;
break;
case _TSK_T('r'):
flags |= (TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED);
flags &= ~TSK_FS_META_FLAG_ALLOC;
break;
case _TSK_T('s'):
sec_skew = TATOI(OPTARG);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
/*
* Provide fine controls to tweak one feature at a time.
*/
case _TSK_T('a'):
flags |= TSK_FS_META_FLAG_ALLOC;
flags &= ~TSK_FS_META_FLAG_UNALLOC;
break;
case _TSK_T('A'):
flags |= TSK_FS_META_FLAG_UNALLOC;
break;
case _TSK_T('l'):
ils_flags |= TSK_FS_ILS_LINK;
break;
case _TSK_T('L'):
ils_flags |= TSK_FS_ILS_UNLINK;
break;
case _TSK_T('z'):
flags |= TSK_FS_META_FLAG_UNUSED;
break;
case _TSK_T('Z'):
flags |= TSK_FS_META_FLAG_USED;
break;
}
}
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((ils_flags & TSK_FS_ILS_LINK) && (ils_flags & TSK_FS_ILS_UNLINK)) {
tsk_fprintf(stderr,
"ERROR: Only linked or unlinked should be used\n");
usage();
}
/* We need to determine if an inode or inode range was given */
if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) {
/* Check if is a single number */
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
/* Single address set end addr to start */
ilast = istart;
set_range = 0;
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
}
else {
/* We have a dash, but it could be part of the file name */
*dash = '\0';
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
*dash = _TSK_T('-');
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
dash++;
ilast = TSTRTOULL(dash, &cp, 0);
if (*cp || *cp == *dash) {
/* Not a number - consider it a file name */
dash--;
*dash = '-';
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
set_range = 0;
/* It was a block range, so do not include it in the open */
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
}
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
/* do we need to set the range or just check them? */
if (set_range) {
istart = fs->first_inum;
ilast = fs->last_inum;
}
else {
if (istart < fs->first_inum)
istart = fs->first_inum;
if (ilast > fs->last_inum)
ilast = fs->last_inum;
}
/* NTFS uses alloc and link different than UNIX so change
* the default behavior
*
* The link value can be > 0 on deleted files (even when closed)
*/
/* NTFS and FAT have no notion of deleted but still open */
if ((ils_flags & TSK_FS_ILS_OPEN) && (TSK_FS_TYPE_ISNTFS(fs->ftype)
|| TSK_FS_TYPE_ISFAT(fs->ftype))) {
fprintf(stderr,
"Error: '-O' argument does not work with NTFS and FAT images\n");
exit(1);
}
if (tsk_fs_ils(fs, (TSK_FS_ILS_FLAG_ENUM) ils_flags, istart, ilast,
(TSK_FS_META_FLAG_ENUM) flags, sec_skew, image)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
/* main - open file system, list inode info */
int
MAIN(int argc, TSK_TCHAR ** argv)
{
TSK_TCHAR *fstype = NULL;
TSK_TCHAR *imgtype = NULL, *cp, *dash;
TSK_IMG_INFO *img;
TSK_FS_INFO *fs;
INUM_T istart = 0, ilast = 0;
int ch;
int flags = TSK_FS_INODE_FLAG_UNALLOC | TSK_FS_INODE_FLAG_USED;
int argflags = 0;
SSIZE_T imgoff = 0;
int set_range = 1;
TSK_TCHAR *image = NULL;
int32_t sec_skew = 0;
progname = argv[0];
setlocale(LC_ALL, "");
/*
* Provide convenience options for the most commonly selected feature
* combinations.
*/
while ((ch = getopt(argc, argv, _TSK_T("aAef:i:lLmo:Oprs:vVzZ"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[optind]);
usage();
case _TSK_T('f'):
fstype = optarg;
if (TSTRCMP(fstype, _TSK_T("list")) == 0) {
tsk_fs_print_types(stderr);
exit(1);
}
break;
case _TSK_T('i'):
imgtype = optarg;
if (TSTRCMP(imgtype, _TSK_T("list")) == 0) {
tsk_img_print_types(stderr);
exit(1);
}
break;
case _TSK_T('e'):
flags |= (TSK_FS_INODE_FLAG_ALLOC | TSK_FS_INODE_FLAG_UNALLOC);
flags &= ~TSK_FS_INODE_FLAG_USED;
break;
case _TSK_T('m'):
argflags |= TSK_FS_ILS_MAC;
break;
case _TSK_T('o'):
if ((imgoff = tsk_parse_offset(optarg)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('O'):
flags |= TSK_FS_INODE_FLAG_UNALLOC;
flags &= ~TSK_FS_INODE_FLAG_ALLOC;
argflags |= TSK_FS_ILS_OPEN;
break;
case _TSK_T('p'):
flags |=
(TSK_FS_INODE_FLAG_ORPHAN | TSK_FS_INODE_FLAG_UNALLOC);
flags &= ~TSK_FS_INODE_FLAG_ALLOC;
break;
case _TSK_T('r'):
flags |= (TSK_FS_INODE_FLAG_UNALLOC | TSK_FS_INODE_FLAG_USED);
flags &= ~TSK_FS_INODE_FLAG_ALLOC;
break;
case _TSK_T('s'):
sec_skew = TATOI(optarg);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_print_version(stdout);
exit(0);
/*
* Provide fine controls to tweak one feature at a time.
*/
case _TSK_T('a'):
flags |= TSK_FS_INODE_FLAG_ALLOC;
break;
case _TSK_T('A'):
flags |= TSK_FS_INODE_FLAG_UNALLOC;
break;
case _TSK_T('l'):
argflags |= TSK_FS_ILS_LINK;
break;
case _TSK_T('L'):
argflags |= TSK_FS_ILS_UNLINK;
break;
case _TSK_T('z'):
flags |= TSK_FS_INODE_FLAG_UNUSED;
break;
case _TSK_T('Z'):
flags |= TSK_FS_INODE_FLAG_USED;
break;
}
}
if (optind >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((argflags & TSK_FS_ILS_LINK) && (argflags & TSK_FS_ILS_UNLINK)) {
tsk_fprintf(stderr,
"ERROR: Only linked or unlinked should be used\n");
usage();
}
/* We need to determine if an inode or inode range was given */
if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) {
/* Check if is a single number */
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
image = argv[optind];
if ((img =
tsk_img_open(imgtype, argc - optind,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
exit(1);
}
}
else {
/* Single address set end addr to start */
ilast = istart;
set_range = 0;
image = argv[optind];
if ((img =
tsk_img_open(imgtype, argc - optind - 1,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
exit(1);
}
}
}
else {
/* We have a dash, but it could be part of the file name */
*dash = '\0';
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
*dash = _TSK_T('-');
image = argv[optind];
if ((img =
tsk_img_open(imgtype, argc - optind,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
exit(1);
}
}
else {
dash++;
ilast = TSTRTOULL(dash, &cp, 0);
if (*cp || *cp == *dash) {
/* Not a number - consider it a file name */
dash--;
*dash = '-';
image = argv[optind];
if ((img =
tsk_img_open(imgtype, argc - optind,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
exit(1);
}
}
else {
set_range = 0;
/* It was a block range, so do not include it in the open */
image = argv[optind];
if ((img =
tsk_img_open(imgtype, argc - optind - 1,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
exit(1);
}
}
}
}
if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_print_types(stderr);
img->close(img);
exit(1);
}
/* do we need to set the range or just check them? */
if (set_range) {
istart = fs->first_inum;
ilast = fs->last_inum;
}
else {
if (istart < fs->first_inum)
istart = fs->first_inum;
if (ilast > fs->last_inum)
ilast = fs->last_inum;
}
/* NTFS uses alloc and link different than UNIX so change
* the default behavior
*
* The link value can be > 0 on deleted files (even when closed)
*/
/* NTFS and FAT have no notion of deleted but still open */
if ((argflags & TSK_FS_ILS_OPEN) &&
(((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) ==
TSK_FS_INFO_TYPE_NTFS_TYPE)
|| ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) ==
TSK_FS_INFO_TYPE_FAT_TYPE))) {
fprintf(stderr,
"Error: '-O' argument does not work with NTFS and FAT images\n");
exit(1);
}
if (tsk_fs_ils(fs, argflags, istart, ilast, flags, sec_skew, image)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}