uint8_t tsk_fs_blkstat(TSK_FS_INFO * fs, TSK_DADDR_T addr) { int flags = (TSK_FS_BLOCK_WALK_FLAG_UNALLOC | TSK_FS_BLOCK_WALK_FLAG_ALLOC | TSK_FS_BLOCK_WALK_FLAG_META | TSK_FS_BLOCK_WALK_FLAG_CONT | TSK_FS_BLOCK_WALK_FLAG_AONLY); return tsk_fs_block_walk(fs, addr, addr, flags, blkstat_act, NULL); }
/* Return 1 on error and 0 on success */ uint8_t tsk_fs_blkls(TSK_FS_INFO * fs, TSK_FS_BLKLS_FLAG_ENUM a_blklsflags, TSK_DADDR_T bstart, TSK_DADDR_T blast, TSK_FS_BLOCK_WALK_FLAG_ENUM a_block_flags) { BLKLS_DATA data; if (a_blklsflags & TSK_FS_BLKLS_SLACK) { /* get the info on each allocated inode */ if (fs->inode_walk(fs, fs->first_inum, fs->last_inum, TSK_FS_META_FLAG_ALLOC, slack_inode_act, &data)) return 1; } else if (a_blklsflags & TSK_FS_BLKLS_LIST) { if (print_list_head(fs)) return 1; a_block_flags |= TSK_FS_BLOCK_WALK_FLAG_AONLY; if (tsk_fs_block_walk(fs, bstart, blast, a_block_flags, print_list, &data)) return 1; } else { #ifdef TSK_WIN32 if (-1 == _setmode(_fileno(stdout), _O_BINARY)) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_WRITE); tsk_error_set_errstr ("blkls_lib: error setting stdout to binary: %s", strerror(errno)); return 1; } #endif if (tsk_fs_block_walk(fs, bstart, blast, a_block_flags, print_block, &data)) return 1; } return 0; }
/* * Class: edu_uw_apl_commons_tsk4j_filesys_FileSystem * Method: blockWalk * Signature: (JJJILedu/uw/apl/commons/tsk4j/filesys/BlockWalk/Callback;)I */ JNIEXPORT jint JNICALL Java_edu_uw_apl_commons_tsk4j_filesys_FileSystem_blockWalk (JNIEnv *env, jobject thiz, jlong nativePtr, jlong startBlk, jlong endBlk, jint flags, jobject callback ) { // We need three handles in the C callback, so package them here. Gruesome! void* vs[3] = { env, thiz, callback }; TSK_FS_INFO* info = (TSK_FS_INFO*)nativePtr; return (jint)tsk_fs_block_walk( info, startBlk, endBlk, flags, blockWalkCallback, (void*)vs ); }
/* Return 1 if block is not found, 0 if it was found, and -1 on error */ int8_t tsk_fs_blkcalc(TSK_FS_INFO * fs, TSK_FS_BLKCALC_FLAG_ENUM a_lclflags, TSK_DADDR_T a_cnt) { BLKCALC_DATA data; data.count = a_cnt; data.found = 0; if (a_lclflags == TSK_FS_BLKCALC_BLKLS) { if (tsk_fs_block_walk(fs, fs->first_block, fs->last_block, (TSK_FS_BLOCK_FLAG_UNALLOC | TSK_FS_BLOCK_FLAG_META | TSK_FS_BLOCK_FLAG_CONT), count_blkls_act, &data)) return -1; } else if (a_lclflags == TSK_FS_BLKCALC_DD) { if (tsk_fs_block_walk(fs, fs->first_block, fs->last_block, (TSK_FS_BLOCK_FLAG_ALLOC | TSK_FS_BLOCK_FLAG_UNALLOC | TSK_FS_BLOCK_FLAG_META | TSK_FS_BLOCK_FLAG_CONT), count_dd_act, &data)) return -1; } else if (a_lclflags == TSK_FS_BLKCALC_SLACK) { if (fs->inode_walk(fs, fs->first_inum, fs->last_inum, TSK_FS_META_FLAG_ALLOC, count_slack_inode_act, &data)) return -1; } if (data.found == 0) { tsk_printf("Block too large\n"); return 1; } else { return 0; } }
TSK_WALK_RET_ENUM part_act( TSK_VS_INFO* pVsInfo, const TSK_VS_PART_INFO* pPartInfo, void* pData) { TSK_FS_INFO* lFsInfo = NULL; OS_FH_TYPE lOut = (OS_FH_TYPE)pData; unsigned long long lCnt = 0; char lBuf[32768] = { 0 }; unsigned long long lOffsetBlock = 0; /* open file system */ if ((lFsInfo = tsk_fs_open_vol( pPartInfo, /* partition to open */ TSK_FS_TYPE_DETECT /* auto-detect mode on */ )) != NULL) { /* known file-system */ /* iterate over unallocated blocks of fs */ tsk_fs_block_walk( lFsInfo, /* file-system info */ 0, /* start */ lFsInfo->block_count - 1, /* end */ TSK_FS_BLOCK_WALK_FLAG_UNALLOC, /* only unallocated blocks */ block_act, /* callback */ pData /* file-handle */ ); /* close fs */ tsk_fs_close(lFsInfo); } else { /* unknown file-system */ /* iterate through all blocks of this volume regardless of their state */ for (lCnt = 0; lCnt < pPartInfo->len; lCnt++) { lOffsetBlock = (pPartInfo->start + lCnt) * pPartInfo->vs->block_size; LOGGING_DEBUG( "Block in unknown partition (Len: %lu blocks). " "Size: %u, Absolute address (Bytes): %lld\n", pPartInfo->len, pPartInfo->vs->block_size, lOffsetBlock); /* use the following function so that forensic images are supported */ /* HINT: this is not the case with fopen/fseek/fread/fclose functions */ tsk_vs_part_read_block( pPartInfo, lCnt, /* start address (blocks) relative to start of volume */ lBuf, /* buffer to store data in */ pPartInfo->vs->block_size /* amount of data to read */ ); data_act(lBuf, pPartInfo->vs->block_size, lOffsetBlock, lOut); } } return TSK_WALK_CONT; }
uint8_t tsk_fs_blkstat(TSK_FS_INFO * fs, TSK_DADDR_T addr, TSK_FS_BLOCK_FLAG_ENUM flags) { return tsk_fs_block_walk(fs, addr, addr, flags, blkstat_act, NULL); }