/* dir_walk local function that is used for recursive calls. Callers
* should initially call the non-local version. */
static TSK_WALK_RET_ENUM
tsk_fs_dir_walk_lcl(TSK_FS_INFO * a_fs, DENT_DINFO * a_dinfo,
TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags,
TSK_FS_DIR_WALK_CB a_action, void *a_ptr)
{
TSK_FS_DIR *fs_dir;
TSK_FS_FILE *fs_file;
size_t i;
// get the list of entries in the directory
if ((fs_dir = tsk_fs_dir_open_meta(a_fs, a_addr)) == NULL) {
return TSK_WALK_ERROR;
}
/* Allocate a file structure for the callbacks. We
* will allocate fs_meta structures as needed and
* point into the fs_dir structure for the names. */
if ((fs_file = tsk_fs_file_alloc(a_fs)) == NULL) {
tsk_fs_dir_close(fs_dir);
return TSK_WALK_ERROR;
}
for (i = 0; i < fs_dir->names_used; i++) {
TSK_WALK_RET_ENUM retval;
/* Point name to the buffer of names. We need to be
* careful about resetting this before we free fs_file */
fs_file->name = (TSK_FS_NAME *) & fs_dir->names[i];
/* load the fs_meta structure if possible.
* Must have non-zero inode addr or have allocated name (if inode is 0) */
if (((fs_file->name->meta_addr)
|| (fs_file->name->flags & TSK_FS_NAME_FLAG_ALLOC))) {
if (a_fs->file_add_meta(a_fs, fs_file,
fs_file->name->meta_addr)) {
if (tsk_verbose)
tsk_error_print(stderr);
tsk_error_reset();
}
}
// call the action if we have the right flags.
if ((fs_file->name->flags & a_flags) == fs_file->name->flags) {
retval = a_action(fs_file, a_dinfo->dirs, a_ptr);
if (retval == TSK_WALK_STOP) {
tsk_fs_dir_close(fs_dir);
fs_file->name = NULL;
tsk_fs_file_close(fs_file);
/* free the list -- fs_dir_walk has no way
* of knowing that we stopped early w/out error.
*/
if (a_dinfo->save_inum_named) {
tsk_list_free(a_dinfo->list_inum_named);
a_dinfo->list_inum_named = NULL;
a_dinfo->save_inum_named = 0;
}
return TSK_WALK_STOP;
}
else if (retval == TSK_WALK_ERROR) {
tsk_fs_dir_close(fs_dir);
fs_file->name = NULL;
tsk_fs_file_close(fs_file);
return TSK_WALK_ERROR;
}
}
// save the inode info for orphan finding - if requested
if ((a_dinfo->save_inum_named) && (fs_file->meta)
&& (fs_file->meta->flags & TSK_FS_META_FLAG_UNALLOC)) {
if (tsk_list_add(&a_dinfo->list_inum_named,
fs_file->meta->addr)) {
// if there is an error, then clear the list
tsk_list_free(a_dinfo->list_inum_named);
a_dinfo->list_inum_named = NULL;
a_dinfo->save_inum_named = 0;
}
}
/* Recurse into a directory if:
* - Both dir entry and inode have DIR type (or name is undefined)
* - Recurse flag is set
* - dir entry is allocated OR both are unallocated
* - not one of the '.' or '..' entries
* - A Non-Orphan Dir or the Orphan Dir with the NOORPHAN flag not set.
*/
if (((fs_file->name->type == TSK_FS_NAME_TYPE_DIR)
|| (fs_file->name->type == TSK_FS_NAME_TYPE_UNDEF))
&& (fs_file->meta)
&& (fs_file->meta->type == TSK_FS_META_TYPE_DIR)
&& (a_flags & TSK_FS_DIR_WALK_FLAG_RECURSE)
&& ((fs_file->name->flags & TSK_FS_NAME_FLAG_ALLOC)
|| ((fs_file->name->flags & TSK_FS_NAME_FLAG_UNALLOC)
&& (fs_file->meta->flags & TSK_FS_META_FLAG_UNALLOC))
)
&& (!TSK_FS_ISDOT(fs_file->name->name))
&& ((fs_file->name->meta_addr != TSK_FS_ORPHANDIR_INUM(a_fs))
|| ((a_flags & TSK_FS_DIR_WALK_FLAG_NOORPHAN) == 0))
) {
/* Make sure we do not get into an infinite loop */
if (0 == tsk_stack_find(a_dinfo->stack_seen,
fs_file->name->meta_addr)) {
int depth_added = 0;
uint8_t save_bak = 0;
if (tsk_stack_push(a_dinfo->stack_seen,
fs_file->name->meta_addr)) {
tsk_fs_dir_close(fs_dir);
fs_file->name = NULL;
tsk_fs_file_close(fs_file);
return TSK_WALK_ERROR;
}
if ((a_dinfo->depth < MAX_DEPTH) &&
(DIR_STRSZ >
strlen(a_dinfo->dirs) +
strlen(fs_file->name->name))) {
a_dinfo->didx[a_dinfo->depth] =
&a_dinfo->dirs[strlen(a_dinfo->dirs)];
strncpy(a_dinfo->didx[a_dinfo->depth],
fs_file->name->name,
DIR_STRSZ - strlen(a_dinfo->dirs));
strncat(a_dinfo->dirs, "/", DIR_STRSZ);
depth_added = 1;
}
a_dinfo->depth++;
/* We do not want to save info about named unalloc files
* when we go into the Orphan directory (because then we have
* no orphans). So, disable it for this recursion.
*/
if (fs_file->name->meta_addr ==
TSK_FS_ORPHANDIR_INUM(a_fs)) {
save_bak = a_dinfo->save_inum_named;
a_dinfo->save_inum_named = 0;
}
retval = tsk_fs_dir_walk_lcl(a_fs,
a_dinfo, fs_file->name->meta_addr, a_flags,
a_action, a_ptr);
if (retval == TSK_WALK_ERROR) {
/* If this fails because the directory could not be
* loaded, then we still continue */
if (tsk_verbose) {
tsk_fprintf(stderr,
"tsk_fs_dir_walk_lcl: error reading directory: %"
PRIuINUM "\n", fs_file->name->meta_addr);
tsk_error_print(stderr);
}
tsk_error_reset();
}
else if (retval == TSK_WALK_STOP) {
tsk_fs_dir_close(fs_dir);
fs_file->name = NULL;
tsk_fs_file_close(fs_file);
return TSK_WALK_STOP;
}
// reset the save status
if (fs_file->name->meta_addr ==
TSK_FS_ORPHANDIR_INUM(a_fs)) {
a_dinfo->save_inum_named = save_bak;
}
tsk_stack_pop(a_dinfo->stack_seen);
a_dinfo->depth--;
if (depth_added)
*a_dinfo->didx[a_dinfo->depth] = '\0';
}
else {
if (tsk_verbose)
fprintf(stderr,
"tsk_fs_dir_walk_lcl: Loop detected with address %"
PRIuINUM, fs_file->name->meta_addr);
}
}
// remove the pointer to name buffer
fs_file->name = NULL;
// free the metadata if we allocated it
if (fs_file->meta) {
tsk_fs_meta_close(fs_file->meta);
fs_file->meta = NULL;
}
}
tsk_fs_dir_close(fs_dir);
fs_file->name = NULL;
tsk_fs_file_close(fs_file);
return TSK_WALK_CONT;
}
/**
* Open a directory and cycle through its contents. Read each file and recurse
* into each directory.
*
* @param fs_info File system to process
* @param stack Stack to prevent infinite recursion loops
* @param dir_inum Metadata address of directory to open
* @param path Path of directory being opened
* @returns 1 on error
*/
static uint8_t
proc_dir(TSK_FS_INFO * fs_info, TSK_STACK * stack,
TSK_INUM_T dir_inum, const char *path)
{
TSK_FS_DIR *fs_dir;
size_t i;
char *path2 = NULL;
char *buf = NULL;
// open the directory
if ((fs_dir = tsk_fs_dir_open_meta(fs_info, dir_inum)) == NULL) {
fprintf(stderr, "Error opening directory: %" PRIuINUM "\n",
dir_inum);
tsk_error_print(stderr);
return 1;
}
/* These should be dynamic lengths, but this is just a sample program.
* Allocate heap space instead of stack to prevent overflow for deep
* directories. */
if ((path2 = (char *) malloc(4096)) == NULL) {
return 1;
}
if ((buf = (char *) malloc(2048)) == NULL) {
free(path2);
return 1;
}
// cycle through each entry
for (i = 0; i < tsk_fs_dir_getsize(fs_dir); i++) {
TSK_FS_FILE *fs_file;
TSK_OFF_T off = 0;
size_t len = 0;
// get the entry
if ((fs_file = tsk_fs_dir_get(fs_dir, i)) == NULL) {
fprintf(stderr,
"Error getting directory entry %" PRIuSIZE
" in directory %" PRIuINUM "\n", i, dir_inum);
tsk_error_print(stderr);
free(path2);
free(buf);
return 1;
}
/* Ignore NTFS System files */
if ((TSK_FS_TYPE_ISNTFS(fs_file->fs_info->ftype)) &&
(fs_file->name->name[0] == '$')) {
tsk_fs_file_close(fs_file);
continue;
}
//printf("Processing %s/%s\n", path, fs_file->name->name);
// make sure it's got metadata and not only a name
if (fs_file->meta) {
ssize_t cnt;
/* Note that we could also cycle through all of the attributes in the
* file by using one of the tsk_fs_attr_get() functions and reading it
* with tsk_fs_attr_read(). See the File Systems section of the Library
* User's Guide for more details:
* http://www.sleuthkit.org/sleuthkit/docs/api-docs/ */
// read file contents
if (fs_file->meta->type == TSK_FS_META_TYPE_REG) {
int myflags = 0;
for (off = 0; off < fs_file->meta->size; off += len) {
if (fs_file->meta->size - off < 2048)
len = (size_t) (fs_file->meta->size - off);
else
len = 2048;
cnt = tsk_fs_file_read(fs_file, off, buf, len,
(TSK_FS_FILE_READ_FLAG_ENUM) myflags);
if (cnt == -1) {
// could check tsk_errno here for a recovery error (TSK_ERR_FS_RECOVER)
fprintf(stderr, "Error reading %s file: %s\n",
((fs_file->name->
flags & TSK_FS_NAME_FLAG_UNALLOC)
|| (fs_file->meta->
flags & TSK_FS_META_FLAG_UNALLOC)) ?
"unallocated" : "allocated",
fs_file->name->name);
tsk_error_print(stderr);
break;
}
else if (cnt != (ssize_t) len) {
fprintf(stderr,
"Warning: %" PRIuSIZE " of %" PRIuSIZE
" bytes read from %s file %s\n", cnt, len,
((fs_file->name->
flags & TSK_FS_NAME_FLAG_UNALLOC)
|| (fs_file->meta->
flags & TSK_FS_META_FLAG_UNALLOC)) ?
"unallocated" : "allocated",
fs_file->name->name);
}
// do something with the data...
}
}
// recurse into another directory (unless it is a '.' or '..')
else if (fs_file->meta->type == TSK_FS_META_TYPE_DIR) {
if (TSK_FS_ISDOT(fs_file->name->name) == 0) {
// only go in if it is not on our stack
if (tsk_stack_find(stack, fs_file->meta->addr) == 0) {
// add the address to the top of the stack
tsk_stack_push(stack, fs_file->meta->addr);
snprintf(path2, 4096, "%s/%s", path,
fs_file->name->name);
if (proc_dir(fs_info, stack, fs_file->meta->addr,
path2)) {
tsk_fs_file_close(fs_file);
tsk_fs_dir_close(fs_dir);
free(path2);
free(buf);
return 1;
}
// pop the address
tsk_stack_pop(stack);
}
}
}
}
tsk_fs_file_close(fs_file);
}
tsk_fs_dir_close(fs_dir);
free(path2);
free(buf);
return 0;
}
