/* this is a wrapper type function that takes care of the runtime
* flags
*
* fs_attr should be set to NULL for all non-NTFS file systems
*/
static void
printit(TSK_FS_FILE * fs_file, const char *a_path,
const TSK_FS_ATTR * fs_attr, const FLS_DATA * fls_data)
{
unsigned int i;
if ((!(fls_data->flags & TSK_FS_FLS_FULL)) && (a_path)) {
uint8_t printed = 0;
// lazy way to find out how many dirs there could be
for (i = 0; a_path[i] != '\0'; i++) {
if ((a_path[i] == '/') && (i != 0)) {
tsk_fprintf(stdout, "+");
printed = 1;
}
}
if (printed)
tsk_fprintf(stdout, " ");
}
if (fls_data->flags & TSK_FS_FLS_MAC) {
tsk_fs_name_print_mac(stdout, fs_file, a_path,
fs_attr, fls_data->macpre, fls_data->sec_skew);
}
else if (fls_data->flags & TSK_FS_FLS_LONG) {
tsk_fs_name_print_long(stdout, fs_file, a_path, fs_file->fs_info,
fs_attr, TSK_FS_FLS_FULL & fls_data->flags ? 1 : 0,
fls_data->sec_skew);
}
else {
tsk_fs_name_print(stdout, fs_file, a_path, fs_file->fs_info,
fs_attr, TSK_FS_FLS_FULL & fls_data->flags ? 1 : 0);
tsk_printf("\n");
}
}
/* this is a wrapper type function that takes care of the runtime
* flags
*
* fs_attr should be set to NULL for all non-NTFS file systems
*/
static void
printit(TSK_FS_FILE * fs_file, const char *a_path,
const TSK_FS_ATTR * fs_attr, const FLS_DATA * fls_data)
{
TSK_FS_HASH_RESULTS hash_results;
unsigned char null_buf[16];
unsigned int i;
if ((!(fls_data->flags & TSK_FS_FLS_FULL)) && (a_path)) {
uint8_t printed = 0;
// lazy way to find out how many dirs there could be
for (i = 0; a_path[i] != '\0'; i++) {
if ((a_path[i] == '/') && (i != 0)) {
tsk_fprintf(stdout, "+");
printed = 1;
}
}
if (printed)
tsk_fprintf(stdout, " ");
}
if (fls_data->flags & TSK_FS_FLS_MAC) {
if (fls_data->flags & TSK_FS_FLS_HASH) {
if(0 == tsk_fs_file_hash_calc(fs_file, &hash_results,
TSK_BASE_HASH_MD5)){
tsk_fs_name_print_mac_md5(stdout, fs_file, a_path, fs_attr,
fls_data->macpre, fls_data->sec_skew,
hash_results.md5_digest);
tsk_printf("\n");
}
else{
// If the hash calculation had errors, pass in a buffer of nulls
memset(null_buf, 0, 16);
tsk_fs_name_print_mac_md5(stdout, fs_file, a_path, fs_attr,
fls_data->macpre, fls_data->sec_skew,
null_buf);
tsk_printf("\n");
}
}
else {
tsk_fs_name_print_mac(stdout, fs_file, a_path,
fs_attr, fls_data->macpre, fls_data->sec_skew);
tsk_printf("\n");
}
}
else if (fls_data->flags & TSK_FS_FLS_LONG) {
tsk_fs_name_print_long(stdout, fs_file, a_path, fs_file->fs_info,
fs_attr, TSK_FS_FLS_FULL & fls_data->flags ? 1 : 0,
fls_data->sec_skew);
tsk_printf("\n");
}
else {
tsk_fs_name_print(stdout, fs_file, a_path, fs_file->fs_info,
fs_attr, TSK_FS_FLS_FULL & fls_data->flags ? 1 : 0);
tsk_printf("\n");
}
}
/* inode walk call back for tsk_fs_ifind_par to find unallocated files
* based on parent directory
*/
static TSK_WALK_RET_ENUM
ifind_par_act(TSK_FS_FILE * fs_file, void *ptr)
{
IFIND_PAR_DATA *data = (IFIND_PAR_DATA *) ptr;
TSK_FS_META_NAME_LIST *fs_name_list;
/* go through each file name attribute for this file */
fs_name_list = fs_file->meta->name2;
while (fs_name_list) {
/* we found a file that has the target parent directory.
* Make a FS_NAME structure and print it. */
if (fs_name_list->par_inode == data->parinode) {
int i, cnt;
uint8_t printed;
TSK_FS_NAME *fs_name;
if ((fs_name = tsk_fs_name_alloc(256, 0)) == NULL)
return TSK_WALK_ERROR;
/* Fill in the basics of the fs_name entry
* so we can print in the fls formats */
fs_name->meta_addr = fs_file->meta->addr;
fs_name->flags = TSK_FS_NAME_FLAG_UNALLOC;
strncpy(fs_name->name, fs_name_list->name, fs_name->name_size);
// now look for the $Data and $IDXROOT attributes
fs_file->name = fs_name;
printed = 0;
// cycle through the attributes
cnt = tsk_fs_file_attr_getsize(fs_file);
for (i = 0; i < cnt; i++) {
const TSK_FS_ATTR *fs_attr =
tsk_fs_file_attr_get_idx(fs_file, i);
if (!fs_attr)
continue;
if ((fs_attr->type == TSK_FS_ATTR_TYPE_NTFS_DATA)
|| (fs_attr->type == TSK_FS_ATTR_TYPE_NTFS_IDXROOT)) {
if (data->flags & TSK_FS_IFIND_PAR_LONG) {
tsk_fs_name_print_long(stdout, fs_file, NULL,
fs_file->fs_info, fs_attr, 0, 0);
tsk_printf("\n");
}
else {
tsk_fs_name_print(stdout, fs_file, NULL,
fs_file->fs_info, fs_attr, 0);
tsk_printf("\n");
}
printed = 1;
}
}
// if there were no attributes, print what we got
if (printed == 0) {
if (data->flags & TSK_FS_IFIND_PAR_LONG) {
tsk_fs_name_print_long(stdout, fs_file, NULL,
fs_file->fs_info, NULL, 0, 0);
tsk_printf("\n");
}
else {
tsk_fs_name_print(stdout, fs_file, NULL,
fs_file->fs_info, NULL, 0);
tsk_printf("\n");
}
}
tsk_fs_name_free(fs_name);
data->found = 1;
}
fs_name_list = fs_name_list->next;
}
return TSK_WALK_CONT;
}
