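/*
 * Volume-walk callback: look for data->full_path inside one partition.
 *
 * Opens the partition's file system and the named file.  When the file is
 * present, log_file_offsets_in_filesystem() fills data->offsets_in_filesystem
 * with two-element offset tuples (start/last) relative to the file system;
 * each tuple is shifted by the partition's byte offset in the image and
 * appended to data->offsets_in_disk, and data->file_found is set to 1.
 *
 * Always returns TSK_WALK_CONT so the walk visits every partition.  Every
 * handle opened here is closed before returning, including on the
 * file-open failure path (which previously leaked the file-system handle).
 */
static TSK_WALK_RET_ENUM find_file_in_partiton(
        TSK_VS_INFO * vs, const TSK_VS_PART_INFO * part, void *ptr){

    find_file_data *data      = (find_file_data*)ptr;
    const char     *file_path = data->full_path;
    TSK_FS_INFO    *filesystem;
    TSK_FS_FILE    *file;

    filesystem = tsk_fs_open_vol(part, TSK_FS_TYPE_DETECT);
    if (OPEN_FAIL(filesystem))
        return TSK_WALK_CONT;

    file       = tsk_fs_file_open(filesystem, NULL, file_path);
    if (OPEN_FAIL(file)) {
        /* not in this partition: release the file system before moving on */
        tsk_fs_close(filesystem);
        return TSK_WALK_CONT;
    }

    data->file_found_in_partiton = 0;
    utarray_new(data->offsets_in_filesystem, &ut_tsk_daddr_tuple_icd);
    log_file_offsets_in_filesystem(data, file);

    if (data->file_found_in_partiton) {
        /* byte offset of this partition's first sector within the image;
         * hoisted so it is computed once rather than twice per tuple */
        const TSK_DADDR_T part_base = part->start * vs->img_info->sector_size;
        TSK_DADDR_T *p;

        for (p = (TSK_DADDR_T*)utarray_front(data->offsets_in_filesystem);
                p != NULL;
                p = (TSK_DADDR_T*)utarray_next(data->offsets_in_filesystem, p)) {

            TSK_DADDR_T offset_start_and_last[2] = {
                p[0] + part_base,
                p[1] + part_base
            };

            utarray_push_back(data->offsets_in_disk, &offset_start_and_last);
        }
        data->file_found = 1;
    }
    utarray_free(data->offsets_in_filesystem);

    tsk_fs_file_close(file);
    tsk_fs_close(filesystem);
    return TSK_WALK_CONT;
}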
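/*
 * Called by the TskAuto walk for every file system it discovers.
 *
 * When no volume system was seen before this file system, a dummy volume
 * covering the file system's sectors is recorded so the file system has a
 * parent.  The file system is then added to the DB under a fresh id, its
 * root directory is processed explicitly (the dir_walk never hands us "/"),
 * the walk flags are widened to allocated + unallocated entries, and the
 * discovery is logged.
 *
 * @param a_fsInfo  file system handle provided by the walk (not owned here)
 * @return TSK_FILTER_CONT always, so the walk descends into the file system
 */
TSK_FILTER_ENUM TSKAutoImpl::filterFs(TSK_FS_INFO * a_fsInfo)
{
    // add a volume entry if there is no file system
    if (m_vsSeen == false) 
    {
        // sector span of the file system, derived from its byte offset and
        // block geometry; the dummy volume length is inclusive, hence the +1
        TSK_DADDR_T start_sect = a_fsInfo->offset / a_fsInfo->img_info->sector_size;
        TSK_DADDR_T end_sect = start_sect + 
            ((a_fsInfo->block_count * a_fsInfo->block_size) / a_fsInfo->img_info->sector_size);

        createDummyVolume(start_sect, (end_sect - start_sect) + 1,
                          "Dummy volume for file system",
                          TSK_VS_PART_FLAG_ALLOC);
    }

    m_curFsId++;
    m_db.addFsInfo(m_curVsId, m_curFsId, a_fsInfo);

    /* Process the root directory so that its contents are added to
     * the DB.  We won't see it during the dir_walk. */
    TSK_FS_FILE *fs_file = tsk_fs_file_open(a_fsInfo, NULL, "/");
    if (fs_file != NULL)
    {
        processFile(fs_file, "\\");
        // The handle opened above is owned by this function, so it must be
        // released here; it was previously leaked once per file system.
        // NOTE(review): assumes processFile() does not close its argument
        // (it receives borrowed handles from the dir_walk) -- confirm.
        tsk_fs_file_close(fs_file);
    }

    // make sure that flags are set to get all files -- we need this to
    // find parent directory
    setFileFilterFlags((TSK_FS_DIR_WALK_FLAG_ENUM)
        (TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC));

    std::wstringstream msg;
    msg << L"TSKAutoImpl::filterFs - Discovered " << tsk_fs_type_toname(a_fsInfo->ftype) 
        << L" file system at offset " << a_fsInfo->offset << L" with Id : " << m_curFsId;
    LOGINFO(msg.str());

    return TSK_FILTER_CONT;
}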
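/*
 * Class:     edu_uw_apl_commons_tsk4j_filesys_FileSystem
 * Method:    fileOpen
 * Signature: (JLjava/lang/String;)Ledu/uw/apl/commons/tsk4j/filesys/File;
 *
 * Opens `path` inside the TSK_FS_INFO whose address is carried in
 * `nativePtr` and wraps the resulting TSK_FS_FILE as a Java File object,
 * together with File-meta and File-name wrappers when the native handle
 * has a meta / name part.
 *
 * Returns NULL when the JVM could not hand out the path bytes (an
 * OutOfMemoryError is then already pending), when TSK cannot open the
 * path, or when one of the wrapper objects cannot be built; in the latter
 * two cases the native handle is closed before returning.
 */
JNIEXPORT jobject JNICALL 
Java_edu_uw_apl_commons_tsk4j_filesys_FileSystem_fileOpen
(JNIEnv *env, jobject thiz, jlong nativePtr, jstring path ) {

  const char* pathC = (*env)->GetStringUTFChars( env, path, NULL );
  if( !pathC ) {
    /* GetStringUTFChars failed and has already raised the Java exception;
       do not pass a NULL path into TSK */
    return (jobject)NULL;
  }

  TSK_FS_INFO* info = (TSK_FS_INFO*)nativePtr;
  TSK_FS_FILE* fsFile = tsk_fs_file_open( info, NULL, pathC );

  /* pathC is only needed for the open call itself; releasing it right here
     keeps every error path below free of duplicated cleanup */
  (*env)->ReleaseStringUTFChars( env, path, pathC );
  pathC = NULL;

  if( !fsFile ) {
    return (jobject)NULL;
  }

  jobject fileMeta = NULL;
  if( fsFile->meta ) {
    fileMeta = createFileMeta( env, fsFile->meta );
    if( !fileMeta ) {
      tsk_fs_file_close( fsFile );
      return (jobject)NULL;
    }
  }

  jobject fileName = NULL;
  if( fsFile->name ) {
    fileName = createFileName( env, fsFile->name );
    if( !fileName ) {
      tsk_fs_file_close( fsFile );
      return (jobject)NULL;
    }
  }

  /* NOTE(review): createFile() appears to take ownership of fsFile on
     success; what happens to the handle when it returns NULL is not
     visible here -- confirm it is closed on that path. */
  jobject result = createFile( env, fsFile, thiz, fileMeta, fileName );
  return result;
}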
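/*
 * Copy a slice of a file out of a disk image and look up the inode that
 * owns a given image address.
 *
 * Steps:
 *   1. open `imgname` as a QCOW_IMG_TYPE image and its volume system;
 *   2. map `haddr_img_offset` (a byte offset into the image) to the
 *      partition containing it and open that partition's file system;
 *   3. open `file_path` inside that file system, read `read_file_len`
 *      bytes starting at `start_offset`, and write them to `destination`;
 *   4. resolve the file-system block holding `haddr_img_offset` to an inode
 *      (fs_ifind_data) and then to a file name (fs_ffind).
 *
 * Failures are reported on stdout and the function returns early; every
 * TSK handle and buffer acquired before the failure is released.  Nothing
 * is returned to the caller.
 *
 * NOTE(review): the fs_ffind() result is computed but never used, and it is
 * not released here because its allocation policy is not visible -- confirm
 * whether it must be freed.
 */
void tsk_get_file(const char* imgname,uint64_t haddr_img_offset, const char* file_path, const char* destination, uint64_t start_offset, int read_file_len )
{
    TSK_IMG_INFO *img = NULL;
    TSK_VS_INFO *vs = NULL;
    TSK_FS_INFO *fs = NULL;
    TSK_FS_FILE *file = NULL;
    MBA_IFIND_DATA_DATA* ifind_data = NULL;
    MBA_FFIND_DATA* ffind_data = NULL;
    FILE* writeHive = NULL;
    char *temp = NULL;
    uint8_t id_used = 0, type_used = 0;

    TSK_DADDR_T partition_offset = 0;
    TSK_DADDR_T block_img_offset = 0;
    TSK_DADDR_T part_byte_offset = 0;
    TSK_DADDR_T part_block_offset = 0;
    TSK_IMG_TYPE_ENUM imgtype;
    ssize_t size;

    // a non-positive length would reach calloc() as a huge size_t and
    // tsk_fs_file_read() as a negative count -- reject it before any I/O
    if (read_file_len <= 0)
    {
        printf("Invalid read length\n");
        return;
    }

    //open image
    imgtype = tsk_img_type_toid(QCOW_IMG_TYPE);
    img = tsk_img_open_sing(imgname, imgtype, 0);
    if(img == NULL)
    {
         printf("Image Open Failed!!\n");
         return;
    }

    if(haddr_img_offset >= img->size)
    {
        printf("Request haddr is larger than image size\n");
        goto cleanup;
    }

    //open volume
    vs = tsk_vs_open(img, 0 , TSK_VS_TYPE_DETECT);
    if(vs==NULL)
    {
        printf("Volume Open Failed!!\n");
        goto cleanup;
    }

    //calculate block address
    block_img_offset = haddr_img_offset/img->sector_size;

    //search the partition contain the target block
    partition_offset = search_partition(vs, block_img_offset);
    if(partition_offset == 0)
    {
        printf("Cannot found partition contains the target haddr\n");
        goto cleanup;
    }

    //open the partition's file system
    fs = tsk_fs_open_img(img, partition_offset * img->sector_size, TSK_FS_TYPE_DETECT);
    if(fs==NULL)
    {
        printf("Cannot open file system\n");
        goto cleanup;
    }

    //calculate offset to the current partition
    part_byte_offset = haddr_img_offset - (partition_offset * img->sector_size);
    part_block_offset = part_byte_offset/fs->block_size;

    file = tsk_fs_file_open( fs, NULL, file_path);
    if ( OPEN_FAIL(file) )
    {
        // previously only logged; the read below then ran on a bad handle
        printf("open file fail\n\n");
        goto cleanup;
    }

    temp = calloc( (size_t)read_file_len, sizeof(char));
    if ( temp == NULL )
    {
        printf("Out of memory\n");
        goto cleanup;
    }

    size = tsk_fs_file_read( file,
                             start_offset,
                             temp,
                             read_file_len,
                             TSK_FS_FILE_READ_FLAG_NONE );
    if ( size < 0 )
    {
        // -1 would otherwise be passed to fwrite() as a size_t
        printf("read file fail\n");
        goto cleanup;
    }

    writeHive = fopen( destination, "w" );
    if ( writeHive == NULL )
        printf("Open fail");
    else {
        // write only the bytes actually read; element size 1, count = size
        if ( fwrite( temp, sizeof(char), (size_t)size, writeHive ) != (size_t)size )
            printf("write fail\n");
        fclose(writeHive);
        writeHive = NULL;
    } // else

    //find the inode of this block
    ifind_data = fs_ifind_data(fs, (TSK_FS_IFIND_FLAG_ENUM) 0, part_block_offset);
    if(ifind_data == NULL)
    {
        goto cleanup;
    }

    if(ifind_data->found!=1)
    {
        printf("Inode not found\n");
        goto cleanup;
    }

    //Find the inode's filename
    //Note: Do Not Know what to fill in variable type_used and id_used
    ffind_data =  fs_ffind(fs, 0, ifind_data->curinode, ifind_data->curtype ,
            type_used, ifind_data->curid , id_used,
            (TSK_FS_DIR_WALK_FLAG_RECURSE | TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC));

    if(ffind_data==NULL){
        printf("Cannot found fdata associate with inode\n");
    }

cleanup:
    // release in reverse acquisition order; each pointer is NULL until its
    // resource was acquired, so every early exit above is covered
    free(ifind_data);
    free(temp);
    if (file != NULL)
        tsk_fs_file_close(file);
    if (fs != NULL)
        tsk_fs_close(fs);
    if (vs != NULL)
        tsk_vs_close(vs);
    tsk_img_close(img);
}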
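/* This test checks the RECOVER flags.
 *
 * Opens fe_test_1.img under s_root, the FAT file system at byte offset
 * 41126400 inside it, and the deleted file fragmented.html (meta address
 * 1162).  It verifies the file's size, that the same file is reachable by
 * path with a consistent name and meta address, and that reading past the
 * first 2048-byte cluster returns 512 bytes beginning with "appear".
 *
 * Returns 0 on success and 1 on the first failed check (a message goes to
 * stderr).  All handles are closed on every exit path.
 */
int
test_fat_recover(void)
{
    TSK_FS_INFO *fs = NULL;
    TSK_IMG_INFO *img = NULL;
    const char *tname = "fe_test_1.img-FAT";
    char fname[512];
    TSK_FS_FILE *file1 = NULL;
    TSK_FS_FILE *file2 = NULL;
    char buf[512];
    ssize_t retval;
    int n;
    int rc = 1;                 /* failure until every check has passed */

    n = snprintf(fname, sizeof fname, "%s/fe_test_1.img", s_root);
    if (n < 0 || (size_t)n >= sizeof fname) {
        fprintf(stderr, "Error: image path for %s is too long\n", tname);
        goto out;
    }
    if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
        fprintf(stderr, "Error opening %s image\n", tname);
        tsk_error_print(stderr);
        tsk_error_reset();
        goto out;
    }

    if ((fs =
            tsk_fs_open_img(img, 41126400,
                (TSK_FS_TYPE_ENUM) 0)) == NULL) {
        fprintf(stderr, "Error opening %s image\n", tname);
        tsk_error_print(stderr);
        tsk_error_reset();
        goto out;
    }


    // fragmented.html
    const char *fname2 = "fragmented.html";
    file1 = tsk_fs_file_open_meta(fs, NULL, 1162);
    if (file1 == NULL) {
        fprintf(stderr, "Error opening %s (%s)\n", fname2, tname);
        tsk_error_print(stderr);
        tsk_error_reset();
        goto out;
    }

    // verify expected size
    if (file1->meta->size != 5905) {
        fprintf(stderr,
            "Error: %s not expected size (%" PRIuOFF ") (%s)\n", fname2,
            file1->meta->size, tname);
        goto out;
    }

    // verify we can open it via name as well
    file2 = tsk_fs_file_open(fs, NULL, "/deleted/fragmented.html");
    if (file2 == NULL) {
        fprintf(stderr,
            "Error opening /deleted/fragmented.html via path name (%s)\n",
            tname);
        tsk_error_print(stderr);
        tsk_error_reset();
        goto out;
    }

    if (file2->name == NULL) {
        fprintf(stderr,
            "Opening /deleted/fragmented.html via path name did not have name set(%s)\n",
            tname);
        goto out;
    }

    if (strcmp(file2->name->name, fname2) != 0) {
        fprintf(stderr,
            "Opening /deleted/fragmented.html via path had incorrect name set (%s) (%s)\n",
            file2->name->name, tname);
        goto out;
    }

    if ((file2->name->meta_addr != file2->meta->addr)
        || (file2->meta->addr != file1->meta->addr)) {
        fprintf(stderr,
            "Opening /deleted/fragmented.html via path had incorrect meta addresses (%"
            PRIuINUM " %" PRIuINUM " %" PRIuINUM " (%s)\n",
            file2->name->meta_addr, file2->meta->addr, file1->meta->addr,
            tname);
        goto out;
    }
    tsk_fs_file_close(file2);
    file2 = NULL;

    // try to read past end of first 2048-byte cluster
    retval =
        tsk_fs_file_read(file1, 2048, buf, 512,
        (TSK_FS_FILE_READ_FLAG_ENUM) 0);
    if (retval == -1) {
        fprintf(stderr, "Error reading %s past end w/out Recover flag\n",
            fname2);
        tsk_error_print(stderr);
        tsk_error_reset();
        goto out;
    }
    // current behavior is to return 0s in "unitialized" space, so a full
    // 512-byte read is expected here (the message now matches the check)
    if (retval != 512) {
        fprintf(stderr,
            "Unexpected return value from reading %s past end w/out Recover flag.\n",
            fname2);
        fprintf(stderr, "Expected: 512.  Got: %zd\n", retval);
        goto out;
    }

    // NOTE(review): this read passes the same flags as the one above, so it
    // does not actually exercise a recover/slack flag despite the message;
    // confirm which TSK_FS_FILE_READ_FLAG_* value was intended here.
    retval =
        tsk_fs_file_read(file1, 2048, buf, 512,
        (TSK_FS_FILE_READ_FLAG_ENUM) 0);
    if (retval == -1) {
        fprintf(stderr, "Error reading %s past end w/Recover flag\n",
            fname2);
        tsk_error_print(stderr);
        tsk_error_reset();
        goto out;
    }
    if (retval != 512) {
        fprintf(stderr,
            "Unexpected return value from %s past end w/Recover flag.\n",
            fname2);
        fprintf(stderr, "Expected: 512.  Got: %zd\n", retval);
        goto out;
    }

    // verify the term in the slack space
    if (memcmp("appear", buf, 6) != 0) {
        fprintf(stderr,
            "expected string not found in %s recovery: %c %c %c %c %c %c\n",
            fname2, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5]);
        goto out;
    }

    rc = 0;

out:
    // every early exit above used to leak the image, file system and file
    // handles; release whatever was opened, innermost first
    if (file2 != NULL)
        tsk_fs_file_close(file2);
    if (file1 != NULL)
        tsk_fs_file_close(file1);
    if (fs != NULL)
        tsk_fs_close(fs);
    if (img != NULL)
        tsk_img_close(img);
    return rc;
}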