JNIEXPORT jbyteArray JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_readVolNat(JNIEnv * env,
jclass obj, jlong a_vol_info, jlong offset, jlong len)
{
char *buf = (char *) tsk_malloc((size_t) len);
if (buf == NULL) {
throwTskError(env);
return NULL;
}
TSK_VS_PART_INFO *vol_part_info = castVsPartInfo(env, a_vol_info);
ssize_t retval =
tsk_vs_part_read(vol_part_info, (TSK_OFF_T) offset, buf,
(size_t) len);
if (retval == -1) {
throwTskError(env, tsk_error_get());
free(buf);
return NULL;
}
// package it up for return
jbyteArray return_array = copyBufToByteArray(env, buf, retval);
// no point checking for error. copyBufToByteArray will call throwTskError and return NULL itself
free(buf);
return return_array;
}
/**
* Starts in a specified byte offset of the opened disk images and looks for a
* file system. Will start processing the file system at a specified
* file system. Will call processFile() on each file
* that is found in that directory.
*
* @param a_start Byte offset of file system starting location.
* @param a_ftype Type of file system that will be analyzed.
* @param a_inum inum to start walking files system at.
*
* @returns 1 on error and 0 on success
*/
uint8_t
TskAuto::findFilesInFs(TSK_OFF_T a_start, TSK_FS_TYPE_ENUM a_ftype,
TSK_INUM_T a_inum)
{
if (!m_img_info) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
tsk_error_set_errstr("findFilesInFs\n");
return 1;
}
TSK_FS_INFO *fs_info;
/* Try it as a file system */
if ((fs_info = tsk_fs_open_img(m_img_info, a_start, a_ftype)) == NULL) {
char msg[1024];
snprintf(msg, 1024,
"Unable to open file system at offset %" PRIuOFF " (%s)",
+a_start, tsk_error_get());
if (tsk_verbose)
fprintf(stderr, "%s\n", msg);
handleNotification(msg);
/* We could do some carving on the volume data at this point */
return 1;
}
TSK_RETVAL_ENUM retval = findFilesInFsInt(fs_info, a_inum);
tsk_fs_close(fs_info);
if (retval == TSK_ERR)
return 1;
else
return 0;
}
/**
* Open the image using the names that were already populated in
* m_images. Used internally by both open() methods.
* @returns -1 on error.
*/
int TskImageFileTsk::openImages(const TSK_IMG_TYPE_ENUM imageType,
const unsigned int sectorSize)
{
m_images_ptrs = (const char **)malloc(m_images.size() * sizeof(char *));
if (m_images_ptrs == NULL)
return -1;
int i = 0;
for(std::vector<std::string>::iterator list_iter = m_images.begin();
list_iter != m_images.end(); list_iter++) {
m_images_ptrs[i++] = (*list_iter).c_str();
}
m_img_info = tsk_img_open_utf8(i, m_images_ptrs, imageType, sectorSize);
if (m_img_info == NULL)
{
std::wstringstream logMessage;
logMessage << L"TskImageFileTsk::openImages - Error with tsk_img_open: " << tsk_error_get() << std::endl;
LOGERROR(logMessage.str());
return -1;
}
return 0;
}
static Img_Info Img_Info_Con(Img_Info self, char *urn, TSK_IMG_TYPE_ENUM type) {
if(urn[0]) {
#ifdef TSK_VERSION_NUM
self->img = (Extended_TSK_IMG_INFO *)tsk_img_open_utf8(1, (const char **)&urn, type, 0);
#else
self->img = (Extended_TSK_IMG_INFO *)tsk_img_open_utf8(1, (const char **)&urn, type);
#endif
} else {
// Initialise the img struct with the correct callbacks:
self->img = talloc_zero(self, Extended_TSK_IMG_INFO);
self->img->container = self;
self->img->base.read = IMG_INFO_read;
self->img->base.close = IMG_INFO_close;
self->img->base.size = CALL(self, get_size);
#ifdef TSK_VERSION_NUM
self->img->base.sector_size = 512;
#endif
self->img->base.itype = TSK_IMG_TYPE_RAW_SING;
};
if(!self->img) {
RaiseError(ERuntimeError, "Unable to open image: %s", tsk_error_get());
goto error;
};
talloc_set_destructor((void *)self, Img_Info_dest);
return self;
error:
talloc_free(self);
return NULL;
};
// This is used to fix tsk_error_get's stupid behaviour of returning
// null when no error occured.
char *error_get() {
const char *result = tsk_error_get();
if(!result) result="";
return (char *)result;
};
/* Internal method that the other findFilesInFs can call after they
* have opened FS_INFO.
*/
TSK_RETVAL_ENUM
TskAuto::findFilesInFsInt(TSK_FS_INFO * a_fs_info, TSK_INUM_T a_inum)
{
TSK_FILTER_ENUM retval = filterFs(a_fs_info);
if (retval == TSK_FILTER_STOP)
return TSK_STOP;
else if (retval == TSK_FILTER_SKIP)
return TSK_OK;
/* Walk the files, starting at the given inum */
if (tsk_fs_dir_walk(a_fs_info, a_inum,
(TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_RECURSE |
m_fileFilterFlags), dirWalkCb, this)) {
char msg[1024];
snprintf(msg, 1024,
"Error walking directory in file system at offset %" PRIuOFF
" (%s)", a_fs_info->offset, tsk_error_get());
if (tsk_verbose)
fprintf(stderr, "%s\n", msg);
handleNotification(msg);
return TSK_ERR;
}
/* We could do some analysis of unallocated blocks at this point... */
return TSK_OK;
}
/*
* Open the volume system at the given offset
* @return the created TSK_VS_INFO pointer
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_img_info the pointer to the parent img object
* @param vsOffset the offset of the volume system in bytes
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openVsNat
(JNIEnv * env, jclass obj, jlong a_img_info, jlong vsOffset) {
TSK_IMG_INFO *img_info = castImgInfo(env, a_img_info);
TSK_VS_INFO *vs_info;
vs_info = tsk_vs_open(img_info, vsOffset, TSK_VS_TYPE_DETECT);
if (vs_info == NULL) {
throwTskError(env, tsk_error_get());
}
return (jlong) vs_info;
}
std::string TskAuto::errorRecordToString(error_record &rec) {
tsk_error_reset();
tsk_error_set_errno(rec.code);
tsk_error_set_errstr("%s", rec.msg1.c_str());
tsk_error_set_errstr2("%s", rec.msg2.c_str());
const char *msg = tsk_error_get();
std::string ret;
if (msg != NULL)
ret = msg;
tsk_error_reset();
return ret;
}
/*
* Open volume with the given id from the given volume system
* @return the created TSK_VS_PART_INFO pointer
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_vs_info the pointer to the parent vs object
* @param vol_id the id of the volume to get
*/
JNIEXPORT jlong JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_openVolNat(JNIEnv * env,
jclass obj, jlong a_vs_info, jlong vol_id)
{
TSK_VS_INFO *vs_info = castVsInfo(env, a_vs_info);
const TSK_VS_PART_INFO *vol_part_info;
vol_part_info = tsk_vs_part_get(vs_info, (TSK_PNUM_T) vol_id);
if (vol_part_info == NULL) {
throwTskError(env, tsk_error_get());
}
return (jlong) vol_part_info;
}
/*
* Open file system with the given offset
* @return the created TSK_FS_INFO pointer
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_img_info the pointer to the parent img object
* @param fs_offset the offset in bytes to the file system
*/
JNIEXPORT jlong JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_openFsNat
(JNIEnv * env, jclass obj, jlong a_img_info, jlong fs_offset) {
TSK_IMG_INFO *img_info = castImgInfo(env, a_img_info);
TSK_FS_INFO *fs_info;
fs_info =
tsk_fs_open_img(img_info, (TSK_OFF_T) fs_offset,
TSK_FS_TYPE_DETECT);
if (fs_info == NULL) {
throwTskError(env, tsk_error_get());
}
return (jlong) fs_info;
}
/*
* Open the file with the given id in the given file system
* @return the created TSK_FS_FILE pointer
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_fs_info the pointer to the parent file system object
* @param file_id id of the file to open
*/
JNIEXPORT jlong JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_openFileNat(JNIEnv * env,
jclass obj, jlong a_fs_info, jlong file_id)
{
TSK_FS_INFO *fs_info = castFsInfo(env, a_fs_info);
TSK_FS_FILE *file_info;
file_info = tsk_fs_file_open_meta(fs_info, NULL, (TSK_INUM_T) file_id);
if (file_info == NULL) {
throwTskError(env, tsk_error_get());
}
return (jlong) file_info;
}
/* Parse TSK error and send it to the appliance. */
static void
reply_with_tsk_error (const char *funcname)
{
int ret = 0;
const char *buf = NULL;
ret = tsk_error_get_errno ();
if (ret != 0) {
buf = tsk_error_get ();
reply_with_error ("%s: %s", funcname, buf);
}
else
reply_with_error ("%s: unknown error", funcname);
}
/*
* Read bytes from the given image
* @return array of bytes read from the image
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_img_info the pointer to the image object
* @param offset the offset in bytes to start at
* @param len number of bytes to read
*/
JNIEXPORT jbyteArray JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_readImgNat(JNIEnv * env,
jclass obj, jlong a_img_info, jlong offset, jlong len)
{
char *buf = (char *) tsk_malloc((size_t) len);
if (buf == NULL) {
throwTskError(env, tsk_error_get());
return NULL;
}
TSK_IMG_INFO *img_info = castImgInfo(env, a_img_info);
ssize_t retval =
tsk_img_read(img_info, (TSK_OFF_T) offset, buf, (size_t) len);
if (retval == -1) {
throwTskError(env, tsk_error_get());
}
// package it up for return
jbyteArray return_array = copyBufToByteArray(env, buf, retval);
free(buf);
return return_array;
}
/* Print the error message to hFile */
void
tsk_error_print(FILE * hFile)
{
char *str;
if (tsk_errno == 0)
return;
str = tsk_error_get();
if (str != NULL) {
tsk_fprintf(hFile, "%s", str);
}
else {
tsk_fprintf(hFile, "Error Creating Error String");
}
}
/**
* Starts in a specified byte offset of the opened disk images and looks for a
* volume system or file system. Will call processFile() on each file
* that is found.
* @param a_start Byte offset to start analyzing from.
* @param a_vtype Volume system type to analyze
* @return 1 on error, 0 on success
*/
uint8_t
TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype)
{
if (!m_img_info) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
tsk_error_set_errstr("findFilesInVs\n");
return 1;
}
TSK_VS_INFO *vs_info;
// USE mm_walk to get the volumes
if ((vs_info = tsk_vs_open(m_img_info, a_start, a_vtype)) == NULL) {
char
msg[1024];
snprintf(msg, 1024,
"Unable to open volume system at offset %" PRIuOFF " (%s)",
a_start, tsk_error_get());
if (tsk_verbose)
fprintf(stderr, "%s\n", msg);
handleNotification(msg);
/* There was no volume system, but there could be a file system */
tsk_error_reset();
if (findFilesInFs(a_start)) {
return 1;
}
}
else {
TSK_FILTER_ENUM retval = filterVs(vs_info);
if (retval == TSK_FILTER_STOP)
return TSK_STOP;
else if (retval == TSK_FILTER_SKIP)
return TSK_OK;
/* Walk the allocated volumes (skip metadata and unallocated volumes) */
if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1,
m_volFilterFlags, vsWalkCb, this)) {
tsk_vs_close(vs_info);
return 1;
}
tsk_vs_close(vs_info);
}
return 0;
}
/*
* @param byte_start Byte offset to start reading from start of file
* @param byte_len Number of bytes to read
* @param buffer Buffer to read into (must be of size byte_len or larger)
* @returns -1 on error or number of bytes read
*/
int TskImageFileTsk::getByteData(const uint64_t byte_start,
const uint64_t byte_len,
char *buffer)
{
if (m_img_info == NULL) {
if (open() != 0)
return -1;
}
int retval = tsk_img_read(m_img_info, byte_start, buffer, (size_t)(byte_len));
if (retval == -1) {
std::wstringstream message;
message << L"TskImageFileTsk::getByteData - tsk_img_read: " << tsk_error_get() << std::endl;
LOGERROR(message.str());
return -1;
}
return retval;
}
int TskImageFileTsk::readFile(const int handle,
const uint64_t byte_offset,
const size_t byte_len,
char * buffer)
{
TskImageFileTsk::OPEN_FILE * openFile = m_openFiles[handle];
if (openFile == NULL || openFile->fsFile == NULL)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::readFile - Either OPEN_FILE or TSK_FS_FILE is null." << std::endl;
LOGERROR(errorMsg.str());
return -1;
}
// fsAttr can be NULL if the file has no attributes.
if (openFile->fsAttr == NULL || byte_offset >= openFile->fsAttr->size)
{
// If the offset is larger than the attribute size then there is nothing left to read.
return 0;
}
int bytesRead = tsk_fs_file_read_type(openFile->fsFile,
static_cast<TSK_FS_ATTR_TYPE_ENUM>(openFile->fsAttr->type),
openFile->fsAttr->id,
byte_offset, buffer,
byte_len, TSK_FS_FILE_READ_FLAG_NONE);
if (bytesRead == -1)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::readFile - Error reading file (FS_OFFSET: "
<< openFile->fsFile->fs_info->offset << " - ID: "
<< openFile->fsFile->meta->addr << " - "
<< ((openFile->fsFile->meta->flags & TSK_FS_META_FLAG_ALLOC) ? "Allocated" : "Deleted")
<< ") ("
<< tsk_error_get() << ")" << std::endl;
LOGERROR(errorMsg.str());
}
return bytesRead;
}
/*
* Open an image pointer for the given image
* @return the created TSK_IMG_INFO pointer
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param paths the paths to the image parts
* @param num_imgs number of image parts
*/
JNIEXPORT jlong JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_openImgNat(JNIEnv * env,
jclass obj, jobjectArray paths, jint num_imgs) {
TSK_IMG_INFO *img_info;
jboolean isCopy;
// get pointers to each of the file names
char **imagepaths8 = (char **) tsk_malloc(num_imgs * sizeof(char *));
if (imagepaths8 == NULL) {
throwTskError(env);
return NULL;
}
for (int i = 0; i < num_imgs; i++) {
imagepaths8[i] =
(char *) env->
GetStringUTFChars((jstring) env->GetObjectArrayElement(paths,
i), &isCopy);
// @@@ Error check
}
// open the image
img_info =
tsk_img_open_utf8((int) num_imgs, imagepaths8, TSK_IMG_TYPE_DETECT,
0);
if (img_info == NULL) {
throwTskError(env, tsk_error_get());
}
// cleanup
for (int i = 0; i < num_imgs; i++) {
env->
ReleaseStringUTFChars((jstring)
env->GetObjectArrayElement(paths, i), imagepaths8[i]);
}
free(imagepaths8);
return (jlong) img_info;
}
int TskImageFileTsk::extractFiles()
{
// @@@ Add Sanity check that DB is empty
if (m_img_info == NULL) {
LOGERROR(L"TskImageFileTsk::extractFiles: Images not open yet\n");
return 1;
}
m_db.addImageInfo((int)m_img_info->itype, m_img_info->sector_size);
for (uint32_t i = 0; i < m_images.size(); i++) {
const char *img_ptr = NULL;
img_ptr = m_images[i].c_str();
m_db.addImageName(img_ptr);
}
TSKAutoImpl tskAutoImpl;
if (tskAutoImpl.openImage(m_img_info))
{
std::wstringstream msg;
msg << L"TSKExtract::processImage - Error opening image: " << tsk_error_get() << std::endl;
LOGERROR(msg.str());
return 1;
}
// TskAutoImpl will log errors as they occur
tskAutoImpl.extractFiles();
// It's possible that this is an image with no volumes or file systems.
// Scan the image for file systems starting at sector 0.
// By default it will scan 1024 sectors.
if (m_db.getNumVolumes() == 0)
{
tskAutoImpl.scanImgForFs(0);
}
return 0;
}
int TskImageFileTsk::readFile(const int handle,
const uint64_t byte_offset,
const size_t byte_len,
char * buffer)
{
TskImageFileTsk::OPEN_FILE * openFile = m_openFiles[handle];
if (openFile == NULL || openFile->fsFile == NULL)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::readFile - Either OPEN_FILE or TSK_FS_FILE is null." << std::endl;
LOGERROR(errorMsg.str());
return -1;
}
if (byte_offset >= openFile->fsFile->meta->size)
{
// If the offset is larger than the file then there is nothing left to read.
return 0;
}
int bytesRead = tsk_fs_file_read_type(openFile->fsFile,
static_cast<TSK_FS_ATTR_TYPE_ENUM>(openFile->attrType),
openFile->attrId,
byte_offset, buffer,
byte_len, TSK_FS_FILE_READ_FLAG_NONE);
if (bytesRead == -1)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::readFile - Error reading file: "
<< tsk_error_get() << std::endl;
LOGERROR(errorMsg.str());
}
return bytesRead;
}
/**
* Open the image using the names that were already populated in
* m_images. Used internally by both open() methods.
* @returns -1 on error.
*/
int TskImageFileTsk::openImages()
{
m_images_ptrs = (const wchar_t **)malloc(m_images.size() * sizeof(wchar_t *));
if (m_images_ptrs == NULL)
return -1;
int i = 0;
for(std::vector<std::wstring>::iterator list_iter = m_images.begin();
list_iter != m_images.end(); list_iter++) {
m_images_ptrs[i++] = (*list_iter).c_str();
}
m_img_info = tsk_img_open(i, m_images_ptrs, TSK_IMG_TYPE_DETECT, 512);
if (m_img_info == NULL)
{
std::wstringstream logMessage;
logMessage << L"TskImageFileTsk::openImages - Error with tsk_img_open: " << tsk_error_get() << std::endl;
LOGERROR(logMessage.str());
return -1;
}
return 0;
}
/*
* Read bytes from the given file
* @return array of bytes read from the file
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_file_info the pointer to the file object
* @param offset the offset in bytes to start at
* @param len number of bytes to read
*/
JNIEXPORT jbyteArray JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_readFileNat(JNIEnv * env,
jclass obj, jlong a_file_info, jlong offset, jlong len)
{
char *buf = (char *) tsk_malloc((size_t) len);
if (buf == NULL) {
throwTskError(env);
return NULL;
}
TSK_FS_FILE *file_info = castFsFile(env, a_file_info);
ssize_t retval =
tsk_fs_file_read(file_info, (TSK_OFF_T) offset, buf, (size_t) len,
TSK_FS_FILE_READ_FLAG_NONE);
if (retval == -1) {
throwTskError(env, tsk_error_get());
}
// package it up for return
jbyteArray return_array = copyBufToByteArray(env, buf, retval);
free(buf);
return return_array;
}
int TskImageFileTsk::openFile(const uint64_t fileId)
{
if (m_img_info == NULL) {
if (open() != 0)
return -1;
}
// Use ImgDb::getFileUniqueIdentifiers to get the four needed values.
uint64_t fsByteOffset = 0;
uint64_t fsFileId = 0;
int attrType = 0;
int attrId = 0;
if (m_db.getFileUniqueIdentifiers(fileId, fsByteOffset, fsFileId, attrType, attrId) != 0)
{
LOGERROR(L"TskImageFileTsk::openFile - Error getting file identifiers.\n");
return -1;
}
// Check if the file system at the offset is already open (using m_openFs). If not, open it (tsk_fs_open) and add it to the map.
TSK_FS_INFO * fsInfo = m_openFs[fsByteOffset];
if (fsInfo == NULL)
{
// Open the file system and add it to the map.
fsInfo = tsk_fs_open_img(m_img_info, fsByteOffset, TSK_FS_TYPE_DETECT);
if (fsInfo == NULL)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::openFile - Error opening file system : " << tsk_error_get();
LOGERROR(errorMsg.str());
return -1;
}
m_openFs[fsByteOffset] = fsInfo;
}
// Find a new entry in m_openFiles and use tsk_fs_file_open to open the file and save the handle in m_openFiles.
TSK_FS_FILE * fsFile = tsk_fs_file_open_meta(fsInfo, NULL, fsFileId);
if (fsFile == NULL)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::openFile - Error opening file : " << tsk_error_get();
LOGERROR(errorMsg.str());
return -1;
}
const TSK_FS_ATTR * fsAttr = tsk_fs_file_attr_get_id(fsFile, attrId);
// @@@ TSK_ATTR_TYPE_ENUM should have a value added to it to represent an
// empty (or null) attribute type and we should then compare attrType against
// this enum value instead of 0.
// It is possible to have a file with no attributes. We only report an
// error if we are expecting a valid attribute.
if (attrType != 0 && fsAttr == NULL)
{
std::wstringstream msg;
msg << L"TskImageFileTsk::openFile - Error getting attribute : " << tsk_error_get();
LOGERROR(msg.str());
return -1;
}
TskImageFileTsk::OPEN_FILE * openFile = new TskImageFileTsk::OPEN_FILE();
openFile->fsFile = fsFile;
openFile->fsAttr = fsAttr;
m_openFiles.push_back(openFile);
// Return the index into m_openFiles
return m_openFiles.size() - 1;
}
// Print errors as they are encountered
uint8_t TskGetTimes::handleError()
{
fprintf(stderr, "%s", tsk_error_get());
return 0;
}
/**
* Scan the image for file systems creating allocated volumes for file systems found
* and unallocated volumes for areas in the image that do not contain file systems.
* Will initially look for file system in first sect_count sectors. If a file system
* is found then it will continue to process the remainder of the image for other
* file systems.
*
* @param sect_start Start looking for file systems starting at this sector.
* @param sect_count The initial number of sectors to scan for file systems.
* @return 0 on success, 1 on failure
*/
uint8_t TSKAutoImpl::scanImgForFs(const uint64_t sect_start, const uint64_t sect_count)
{
if (m_img_info == NULL)
{
LOGERROR(L"TSKAutoImpl::scanImgForFs - Image not open.");
return 1;
}
LOGINFO(L"TSKAutoImpl::scanImgForFs - Starting file system scan.");
// Initialize current offset to our starting byte location.
TSK_OFF_T current_offset = sect_start * m_img_info->sector_size;
TSK_OFF_T end_offset = current_offset + (sect_count * m_img_info->sector_size);
// Last offset keeps track of byte location where we last saw file system
// data. It gets initialized to our starting location.
TSK_OFF_T last_offset = current_offset;
while (current_offset < end_offset)
{
TSK_FS_INFO * fs_info;
if ((fs_info = tsk_fs_open_img(m_img_info,
current_offset,
TSK_FS_TYPE_DETECT)) == NULL)
{
// We didn't find a file system so we move on to the next sector.
current_offset += m_img_info->sector_size;
}
else
{
// We found a file system so we will continue to search for file
// systems beyond the initial sectors.
end_offset = m_img_info->size;
// If there is a gap between the location of this file system and
// where we last saw file system data, an unallocated volume entry
// needs to be created for the gap.
if (fs_info->offset > last_offset)
{
createDummyVolume(last_offset / m_img_info->sector_size,
(fs_info->offset - last_offset) / m_img_info->sector_size,
"Dummy volume for carving purposes",
TSK_VS_PART_FLAG_UNALLOC);
}
// The call to findFilesInFs will take care of creating a
// dummy volume for the file system.
if (findFilesInFs(fs_info) == TSK_ERR)
{
std::wstringstream msg;
msg << L"TSKAutoImpl::scanImgForFs - Error finding files: "
<< tsk_error_get();
tsk_error_reset();
LOGERROR(msg.str());
}
// Move the current offset past the file system we just found.
current_offset += ((fs_info->block_count + 1) * fs_info->block_size);
// Update the last location we saw file system data.
last_offset = current_offset;
tsk_fs_close(fs_info);
}
}
// Finally, create a dummy unallocated volume for the area between the
// last offset and the end of the image.
if (last_offset < m_img_info->size)
{
createDummyVolume(last_offset / m_img_info->sector_size,
(m_img_info->size - last_offset) / m_img_info->sector_size,
"Dummy volume for carving purposes",
TSK_VS_PART_FLAG_UNALLOC);
}
LOGINFO(L"TSKAutoImpl::scanImgForFs - File system scan complete.");
return 0;
}
int TskL01Extract::openContainer()
{
static const std::string MSG_PREFIX = "TskL01Extract::openContainer : ";
ewf::libewf_error_t *ewfError = NULL;
try
{
if (m_archivePath.empty())
{
throw TskException("Error: archive path is empty.");
}
//m_imgInfo = tsk_img_open_sing(m_archivePath.c_str(), TSK_IMG_TYPE_EWF_EWF, 512);
m_imgInfo = openEwfSimple();
if (m_imgInfo == NULL)
{
std::stringstream logMessage;
logMessage << "Error with tsk_img_open_sing: " << tsk_error_get() << std::endl;
throw TskException(logMessage.str());
}
/// TSK stores different struct objs to the same pointer
ewf::IMG_EWF_INFO *ewfInfo = (ewf::IMG_EWF_INFO*)m_imgInfo;
m_imgInfo = &(ewfInfo->img_info);
ewf::libewf_file_entry_t *root = NULL;
int ret = ewf::libewf_handle_get_root_file_entry(ewfInfo->handle, &root, &ewfError);
if (ret == -1)
{
std::stringstream logMessage;
logMessage << "Error with libewf_handle_get_root_file_entry: ";
throw TskException(logMessage.str());
}
if (ret > 0)
{
uint8_t nameString[512];
nameString[0] = '\0';
ewfError = NULL;
if (ewf::libewf_file_entry_get_utf8_name(root, nameString, 512, &ewfError) == -1)
{
std::stringstream logMessage;
logMessage << "Error with libewf_file_entry_get_utf8_name: ";
throw TskException(logMessage.str());
}
traverse(root);
}
}
catch (TskException &ex)
{
std::ostringstream msg;
msg << MSG_PREFIX << "TskException: " << ex.message();
if (ewfError)
{
char errorString[512];
errorString[0] = '\0';
ewf::libewf_error_backtrace_sprint(ewfError, errorString, 512);
msg << "libewf error: " << errorString << std::endl;
}
LOGERROR(msg.str());
return -1;
}
catch (std::exception &ex)
{
std::ostringstream msg;
msg << MSG_PREFIX << "std::exception: " << ex.what();
LOGERROR(msg.str());
return -1;
}
catch (...)
{
LOGERROR(MSG_PREFIX + "unrecognized exception");
return -1;
}
return 0; //success
}
int TskImageFileTsk::openFile(const uint64_t fileId)
{
if (m_img_info == NULL) {
if (open() != 0)
return -1;
}
// Use ImgDb::getFileUniqueIdentifiers to get the four needed values.
uint64_t fsByteOffset = 0;
uint64_t fsFileId = 0;
int attrType = 0;
int attrId = 0;
if (m_db.getFileUniqueIdentifiers(fileId, fsByteOffset, fsFileId, attrType, attrId) != 0)
{
LOGERROR(L"TskImageFileTsk::openFile - Error getting file identifiers.\n");
return -1;
}
// Check if the file system at the offset is already open (using m_openFs). If not, open it (tsk_fs_open) and add it to the map.
TSK_FS_INFO * fsInfo = m_openFs[fsByteOffset];
if (fsInfo == NULL)
{
// Open the file system and add it to the map.
fsInfo = tsk_fs_open_img(m_img_info, fsByteOffset, TSK_FS_TYPE_DETECT);
if (fsInfo == NULL)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::openFile - Error opening file system : "
<< tsk_error_get() << std::endl;
LOGERROR(errorMsg.str());
return -1;
}
m_openFs[fsByteOffset] = fsInfo;
}
// Find a new entry in m_openFiles and use tsk_fs_file_open to open the file and save the handle in m_openFiles.
TSK_FS_FILE * fsFile = tsk_fs_file_open_meta(fsInfo, NULL, fsFileId);
if (fsFile == NULL)
{
std::wstringstream errorMsg;
errorMsg << L"TskImageFileTsk::openFile - Error opening file : "
<< tsk_error_get() << std::endl;
LOGERROR(errorMsg.str());
return -1;
}
TskImageFileTsk::OPEN_FILE * openFile = new TskImageFileTsk::OPEN_FILE();
openFile->attrId = attrId;
openFile->attrType = attrType;
openFile->fsFile = fsFile;
m_openFiles.push_back(openFile);
// Return the index into m_openFiles
return m_openFiles.size() - 1;
}
/* Throw and exception to java
* @param the java environment to send the exception to
*/
static void
throwTskError(JNIEnv * env)
{
const char *msg = tsk_error_get();
throwTskError(env, msg);
}
int TskImageFileTsk::extractFiles()
{
// @@@ Add Sanity check that DB is empty
if (m_img_info == NULL) {
LOGERROR(L"TskImageFileTsk::extractFiles: Images not open yet\n");
return 1;
}
m_db.addImageInfo((int)m_img_info->itype, m_img_info->sector_size);
for (uint32_t i = 0; i < m_images.size(); i++) {
char *img_ptr = NULL;
#ifdef TSK_WIN32
char img2[1024];
UTF8 *ptr8;
UTF16 *ptr16;
ptr8 = (UTF8 *) img2;
ptr16 = (UTF16 *) m_images_ptrs[i];
TSKConversionResult retval =
tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *)
& ptr16[wcslen(m_images_ptrs[i]) + 1], &ptr8,
(UTF8 *) ((uintptr_t) ptr8 + 1024), TSKlenientConversion);
if (retval != TSKconversionOK)
{
std::wstringstream msg;
msg << L"TskImageFileTsk::extractFiles: Error converting image to UTF-8" << std::endl;
LOGERROR(msg.str());
return 1;
}
img_ptr = img2;
#else
img_ptr = (char *) a_images[i];
#endif
m_db.addImageName(img_ptr);
}
TSKAutoImpl tskAutoImpl;
if (tskAutoImpl.openImage(m_img_info))
{
std::wstringstream msg;
msg << L"TSKExtract::processImage - Error opening image: " << tsk_error_get() << std::endl;
LOGERROR(msg.str());
return 1;
}
// TskAutoImpl will log errors as they occur
tskAutoImpl.findFilesInImg();
// It's possible that this is an image with no volumes or file systems.
// Scan the image for file systems starting at sector 0.
// By default it will scan 1024 sectors.
if (m_db.getNumVolumes() == 0)
{
tskAutoImpl.scanImgForFs(0);
}
return 0;
}
