//return the offset to the file system which contain our target_addr
static TSK_DADDR_T search_partition(TSK_VS_INFO *vs, uint64_t target_addr)
{
int flags = TSK_VS_PART_FLAG_ALL;
TSK_DADDR_T ret = 0;
find_fs_struct* ffs_struct = (find_fs_struct*)malloc(sizeof(find_fs_struct));
if(ffs_struct == NULL)
{
printf("Cannot allocate memory!\n");
return 0;
}
ffs_struct->find_fs_stat = FIND_FS_CONT;
ffs_struct->target_offset = target_addr;
ffs_struct->found_fs_offset = 0;
tsk_vs_part_walk(vs, 0, vs->part_count - 1, (TSK_VS_PART_FLAG_ENUM) flags, part_act, (void*)ffs_struct);
if(ffs_struct->find_fs_stat == FIND_FS_FOUND)
{
ret = ffs_struct->found_fs_offset;
}else
{
ret = 0;
}
free(ffs_struct);
return ret;
}
/**
* Process the data as a volume system to find the partitions
* and volumes.
* File system analysis will be performed on each partition.
*
* @param img Image file information structure for data to analyze
* @param start Byte offset to start analyzing from.
*
* @return 1 on error and 0 on success
*/
static uint8_t
proc_vs(TSK_IMG_INFO * img_info, TSK_OFF_T start)
{
TSK_VS_INFO *vs_info;
// USE mm_walk to get the volumes
if ((vs_info =
tsk_vs_open(img_info, start, TSK_VS_TYPE_DETECT)) == NULL) {
if (tsk_verbose)
fprintf(stderr,
"Error determining volume system -- trying file systems\n");
/* There was no volume system, but there could be a file system */
tsk_error_reset();
if (proc_fs(img_info, start)) {
return 1;
}
}
else {
fprintf(stderr, "Volume system open, examining each\n");
/* Walk the allocated volumes (skip metadata and unallocated volumes) */
if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1,
(TSK_VS_PART_FLAG_ENUM) (TSK_VS_PART_FLAG_ALLOC), vs_act,
NULL)) {
tsk_vs_close(vs_info);
return 1;
}
tsk_vs_close(vs_info);
}
return 0;
}
// Find all the harddisk address corresponding to target file
//
// \param img_path path of target image
// \param file_path the target filename
//
// Return NULL if error, otherwise a UT_array of (start, end) tuple will returned, where start and end are the harddisk byte addrsesses
UT_array* tsk_find_haddr_by_filename(const char* img_path, const char* file_path)
{
TSK_IMG_TYPE_ENUM img_type ;
TSK_IMG_INFO *img;
TSK_VS_INFO *vs;
find_file_data data;
UT_array* ret = NULL;
img_type = tsk_img_type_toid(QCOW_IMG_TYPE);
//XXX([email protected]):need error handling.
img = tsk_img_open_sing(img_path, img_type, 0);
if(img == NULL)
{
printf("Image Open Failed!!\n");
return NULL;
}
vs = tsk_vs_open(img, 0, TSK_VS_TYPE_DETECT);
if(vs==NULL)
{
printf("Volume Open Failed!!\n");
tsk_img_close(img);
return NULL;
}
data.file_found = 0;
data.full_path = file_path;
utarray_new(data.offsets_in_disk, &ut_tsk_daddr_tuple_icd);
tsk_vs_part_walk(
vs, // the volume system
0, // start from first partiton
vs->part_count - 1, // walk to last partiton
TSK_VS_PART_FLAG_ALLOC, // traverse all allocated partiton
find_file_in_partiton, // action for each partition
&data // argument for action
);
if (data.file_found) {
ret = data.offsets_in_disk;
}
else {
tsk_vs_close(vs);
tsk_img_close(img);
return NULL;
}
tsk_vs_close(vs);
tsk_img_close(img);
return ret;
}
/**
* Starts in a specified byte offset of the opened disk images and looks for a
* volume system or file system. Will call processFile() on each file
* that is found.
* @param a_start Byte offset to start analyzing from.
* @param a_vtype Volume system type to analyze
* @return 1 on error, 0 on success
*/
uint8_t
TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype)
{
if (!m_img_info) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
tsk_error_set_errstr("findFilesInVs\n");
return 1;
}
TSK_VS_INFO *vs_info;
// USE mm_walk to get the volumes
if ((vs_info = tsk_vs_open(m_img_info, a_start, a_vtype)) == NULL) {
char
msg[1024];
snprintf(msg, 1024,
"Unable to open volume system at offset %" PRIuOFF " (%s)",
a_start, tsk_error_get());
if (tsk_verbose)
fprintf(stderr, "%s\n", msg);
handleNotification(msg);
/* There was no volume system, but there could be a file system */
tsk_error_reset();
if (findFilesInFs(a_start)) {
return 1;
}
}
else {
TSK_FILTER_ENUM retval = filterVs(vs_info);
if (retval == TSK_FILTER_STOP)
return TSK_STOP;
else if (retval == TSK_FILTER_SKIP)
return TSK_OK;
/* Walk the allocated volumes (skip metadata and unallocated volumes) */
if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1,
m_volFilterFlags, vsWalkCb, this)) {
tsk_vs_close(vs_info);
return 1;
}
tsk_vs_close(vs_info);
}
return 0;
}
/**
* Starts in a specified byte offset of the opened disk images and looks for a
* volume system or file system. Will call processFile() on each file
* that is found.
* @param a_start Byte offset to start analyzing from.
* @param a_vtype Volume system type to analyze
* @return 1 if an error occured (messages will have been registered) and 0 on success
*/
uint8_t
TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype)
{
if (!m_img_info) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
tsk_error_set_errstr("findFilesInVs -- img_info");
registerError();
return 1;
}
TSK_VS_INFO *vs_info;
// USE mm_walk to get the volumes
if ((vs_info = tsk_vs_open(m_img_info, a_start, a_vtype)) == NULL) {
/* we're going to ignore this error to avoid confusion if the
* fs_open passes. */
tsk_error_reset();
if(tsk_verbose)
fprintf(stderr, "findFilesInVs: Error opening volume system, trying as a file system\n");
/* There was no volume system, but there could be a file system
* Errors will have been registered */
findFilesInFs(a_start);
}
// process the volume system
else {
TSK_FILTER_ENUM retval = filterVs(vs_info);
if ((retval == TSK_FILTER_STOP) || (retval == TSK_FILTER_SKIP)|| (m_stopAllProcessing))
return m_errors.empty() ? 0 : 1;
/* Walk the allocated volumes (skip metadata and unallocated volumes) */
if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1,
m_volFilterFlags, vsWalkCb, this)) {
registerError();
tsk_vs_close(vs_info);
return 1;
}
tsk_vs_close(vs_info);
}
return m_errors.empty() ? 0 : 1;
}
int main(int argc, char* argv1[])
{
TSK_VS_INFO* lVsInfo = NULL;
TSK_OFF_T lCnt = 0;
char lBuf[32768] = { 0 };
unsigned lCntRead = 0;
TSK_IMG_INFO* lImgInfo = OS_FH_INVALID;
OS_FH_TYPE lOut = OS_FH_INVALID;
const TSK_TCHAR *const *argv;
#ifdef TSK_WIN32
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
#else
argv = (const TSK_TCHAR *const *) argv1;
#endif
lOut = OS_FOPEN_WRITE(argv[2]);
if (lOut == OS_FH_INVALID)
{
LOGGING_ERROR("Could not open export image in write mode. \n")
exit(1);
}
lImgInfo = tsk_img_open(
1, /* number of images */
(argv + 1), /* path to images */
TSK_IMG_TYPE_DETECT, /* disk image type */
0); /* size of device sector in bytes */
if (lImgInfo != NULL)
{
TSK_OFF_T lSizeSectors = lImgInfo->size / lImgInfo->sector_size + \
(lImgInfo->size % lImgInfo->sector_size ? 1 : 0);
LOGGING_INFO("Image size (Bytes): %lu, Image size (sectors): %lu\n",
lImgInfo->size,
lSizeSectors);
lVsInfo = tsk_vs_open(lImgInfo, 0, TSK_VS_TYPE_DETECT);
if (lVsInfo != NULL)
{
if (tsk_vs_part_walk(lVsInfo,
0, /* start */
lVsInfo->part_count - 1, /* end */
TSK_VS_PART_FLAG_ALL, /* all partitions */
part_act, /* callback */
(void*) lOut /* data passed to the callback */
) != 0)
{
fprintf(stderr, "Problem when walking partitions. \n");
}
}
else
{
LOGGING_DEBUG("Volume system cannot be opened.\n");
for (lCnt = 0; lCnt < lSizeSectors; lCnt++)
{
lCntRead = lCnt == lSizeSectors - 1 ?
lImgInfo->size % lImgInfo->sector_size :
lImgInfo->sector_size;
LOGGING_DEBUG("Reading %u bytes\n", lCntRead);
tsk_img_read(
lImgInfo, /* handler */
lCnt * lImgInfo->sector_size, /* start address */
lBuf, /* buffer to store data in */
lCntRead /* amount of data to read */
);
data_act(lBuf, lCntRead, lCnt * lImgInfo->sector_size, lOut);
}
}
}
else
{
LOGGING_ERROR("Problem opening the image. \n");
tsk_error_print(stderr);
exit(1);
}
if (lOut != OS_FH_INVALID)
{
OS_FCLOSE(lOut);
}
return EXIT_SUCCESS;
}
int
main(int argc, char **argv1)
{
TSK_VS_INFO *vs;
int ch;
TSK_OFF_T imgaddr = 0;
int flags = 0;
TSK_IMG_INFO *img;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
uint8_t hide_meta = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("aAb:Bi:mMo:rt:vV"))) > 0) {
switch (ch) {
case _TSK_T('a'):
flags |= TSK_VS_PART_FLAG_ALLOC;
break;
case _TSK_T('A'):
flags |= TSK_VS_PART_FLAG_UNALLOC;
break;
case _TSK_T('B'):
print_bytes = 1;
break;
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('m'):
flags |= (TSK_VS_PART_FLAG_META);
break;
case _TSK_T('M'):
// we'll set this after all flags have been set
hide_meta = 1;
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('r'):
recurse = 1;
break;
case _TSK_T('t'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_vs_type_print(stderr);
exit(1);
}
vstype = tsk_vs_type_toid(OPTARG);
if (vstype == TSK_VS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported volume system type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
case _TSK_T('?'):
default:
tsk_fprintf(stderr, "Unknown argument\n");
usage();
}
}
// if they want to hide metadata volumes, set that now
if (hide_meta) {
if (flags == 0)
flags = (TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC);
else
flags &= ~TSK_VS_PART_FLAG_META;
}
else if (flags == 0) {
flags = TSK_VS_PART_FLAG_ALL;
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
/* open the image */
img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize);
if (img == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
/* process the partition tables */
vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype);
if (vs == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
tsk_vs_type_print(stderr);
tsk_img_close(img);
exit(1);
}
print_header(vs);
if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
(TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
tsk_error_print(stderr);
tsk_vs_close(vs);
tsk_img_close(img);
exit(1);
}
tsk_vs_close(vs);
if ((recurse) && (vs->vstype == TSK_VS_TYPE_DOS)) {
int i;
/* disable recursing incase we hit another DOS partition
* future versions may support more layers */
recurse = 0;
for (i = 0; i < recurse_cnt; i++) {
vs = tsk_vs_open(img, recurse_list[i], TSK_VS_TYPE_DETECT);
if (vs != NULL) {
tsk_printf("\n\n");
print_header(vs);
if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
(TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
tsk_error_reset();
}
tsk_vs_close(vs);
}
else {
/* Ignore error in this case and reset */
tsk_error_reset();
}
}
}
tsk_img_close(img);
exit(0);
}