/*
 * main - open file system, list inode info
 *
 * Parses the command-line options, decides whether the final argument is an
 * inode number, an inode range ("start-last") or part of the image file
 * list, opens the image and the file system, and calls tsk_fs_ils() over
 * the selected inode range.
 *
 * Exits 0 on success and 1 on error.
 */
int main(int argc, char **argv1)
{
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_IMG_INFO *img;
    TSK_OFF_T imgaddr = 0;
    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
    TSK_FS_INFO *fs;
    TSK_TCHAR *cp, *dash;
    TSK_INUM_T istart = 0, ilast = 0;
    int ch;
    int flags = TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED;
    int ils_flags = 0;
    int set_range = 1;          /* 1 = no range given, use the whole file system */
    TSK_TCHAR *image = NULL;
    int32_t sec_skew = 0;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    /*
     * Provide convenience options for the most commonly selected feature
     * combinations.
     */
    while ((ch = GETOPT(argc, argv, _TSK_T("aAb:ef:i:lLmo:Oprs:vVzZ"))) > 0) {
        switch (ch) {
        case _TSK_T('?'):
        default:
            /*
             * NOTE(review): usage() is defined elsewhere and presumably does
             * not return; if it did, control would fall through into the
             * 'b' case below.  argv[OPTIND] is printed without checking
             * OPTIND against argc - confirm it cannot index argv[argc].
             */
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();
        case _TSK_T('b'):
            /* Sector size: the whole argument must parse as a number >= 1 */
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('f'):
            /* "list" prints the supported file system types and exits */
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_fs_type_print(stderr);
                exit(1);
            }
            fstype = tsk_fs_type_toid(OPTARG);
            if (fstype == TSK_FS_TYPE_UNSUPP) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported file system type: %s\n"), OPTARG);
                usage();
            }
            break;
        case _TSK_T('i'):
            /* "list" prints the supported image types and exits */
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('e'):
            flags |= (TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC);
            flags &= ~TSK_FS_META_FLAG_USED;
            break;
        case _TSK_T('m'):
            ils_flags |= TSK_FS_ILS_MAC;
            break;
        case _TSK_T('o'):
            /* Offset of the file system in the image; -1 signals a parse error */
            if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;
        case _TSK_T('O'):
            flags |= TSK_FS_META_FLAG_UNALLOC;
            flags &= ~TSK_FS_META_FLAG_ALLOC;
            ils_flags |= TSK_FS_ILS_OPEN;
            break;
        case _TSK_T('p'):
            flags |= (TSK_FS_META_FLAG_ORPHAN | TSK_FS_META_FLAG_UNALLOC);
            flags &= ~TSK_FS_META_FLAG_ALLOC;
            break;
        case _TSK_T('r'):
            flags |= (TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED);
            flags &= ~TSK_FS_META_FLAG_ALLOC;
            break;
        case _TSK_T('s'):
            /* The TATOI result is stored as-is; no validation is done here */
            sec_skew = TATOI(OPTARG);
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);

            /*
             * Provide fine controls to tweak one feature at a time.
             */
        case _TSK_T('a'):
            flags |= TSK_FS_META_FLAG_ALLOC;
            flags &= ~TSK_FS_META_FLAG_UNALLOC;
            break;
        case _TSK_T('A'):
            flags |= TSK_FS_META_FLAG_UNALLOC;
            break;
        case _TSK_T('l'):
            ils_flags |= TSK_FS_ILS_LINK;
            break;
        case _TSK_T('L'):
            ils_flags |= TSK_FS_ILS_UNLINK;
            break;
        case _TSK_T('z'):
            flags |= TSK_FS_META_FLAG_UNUSED;
            break;
        case _TSK_T('Z'):
            flags |= TSK_FS_META_FLAG_USED;
            break;
        }
    }

    if (OPTIND >= argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    /* -l and -L are mutually exclusive */
    if ((ils_flags & TSK_FS_ILS_LINK) && (ils_flags & TSK_FS_ILS_UNLINK)) {
        tsk_fprintf(stderr,
            "ERROR: Only linked or unlinked should be used\n");
        usage();
    }

    /*
     * We need to determine if an inode or inode range was given.
     *
     * The last argument is ambiguous: it may be an image file name, a
     * single inode number, or "start-last".  Each branch below opens the
     * image with the matching number of file arguments and then checks
     * the -o offset against the image size.
     *
     * NOTE(review): imgaddr * img->sector_size is evaluated before the
     * comparison with img->size; confirm tsk_parse_offset() bounds the
     * value so the product cannot overflow.
     */
    if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) {

        /* Check if is a single number */
        istart = TSTRTOULL(argv[argc - 1], &cp, 0);
        if (*cp || *cp == *argv[argc - 1]) {
            /* Not a number - consider it a file name */
            image = argv[OPTIND];
            if ((img =
                    tsk_img_open(argc - OPTIND, &argv[OPTIND],
                        imgtype, ssize)) == NULL) {
                tsk_error_print(stderr);
                exit(1);
            }
            if ((imgaddr * img->sector_size) >= img->size) {
                tsk_fprintf(stderr,
                    "Sector offset supplied is larger than disk image (maximum: %"
                    PRIu64 ")\n", img->size / img->sector_size);
                exit(1);
            }
        }
        else {
            /* Single address set end addr to start */
            ilast = istart;
            set_range = 0;
            image = argv[OPTIND];
            /* The trailing number is not an image file, so leave it out */
            if ((img =
                    tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
                        imgtype, ssize)) == NULL) {
                tsk_error_print(stderr);
                exit(1);
            }
            if ((imgaddr * img->sector_size) >= img->size) {
                tsk_fprintf(stderr,
                    "Sector offset supplied is larger than disk image (maximum: %"
                    PRIu64 ")\n", img->size / img->sector_size);
                exit(1);
            }
        }
    }
    else {
        /* We have a dash, but it could be part of the file name */
        /* Temporarily split the argument in place; restored below if it is a name */
        *dash = '\0';

        istart = TSTRTOULL(argv[argc - 1], &cp, 0);
        if (*cp || *cp == *argv[argc - 1]) {
            /* Not a number - consider it a file name */
            *dash = _TSK_T('-');
            image = argv[OPTIND];
            if ((img =
                    tsk_img_open(argc - OPTIND, &argv[OPTIND],
                        imgtype, ssize)) == NULL) {
                tsk_error_print(stderr);
                exit(1);
            }
            if ((imgaddr * img->sector_size) >= img->size) {
                tsk_fprintf(stderr,
                    "Sector offset supplied is larger than disk image (maximum: %"
                    PRIu64 ")\n", img->size / img->sector_size);
                exit(1);
            }
        }
        else {
            /* The part before the dash is numeric; now test the part after it */
            dash++;
            ilast = TSTRTOULL(dash, &cp, 0);
            if (*cp || *cp == *dash) {
                /* Not a number - consider it a file name */
                dash--;
                *dash = '-';
                image = argv[OPTIND];
                if ((img =
                        tsk_img_open(argc - OPTIND, &argv[OPTIND],
                            imgtype, ssize)) == NULL) {
                    tsk_error_print(stderr);
                    exit(1);
                }
                if ((imgaddr * img->sector_size) >= img->size) {
                    tsk_fprintf(stderr,
                        "Sector offset supplied is larger than disk image (maximum: %"
                        PRIu64 ")\n", img->size / img->sector_size);
                    exit(1);
                }
            }
            else {
                set_range = 0;
                /* It was a block range, so do not include it in the open */
                image = argv[OPTIND];
                if ((img =
                        tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
                            imgtype, ssize)) == NULL) {
                    tsk_error_print(stderr);
                    exit(1);
                }
                if ((imgaddr * img->sector_size) >= img->size) {
                    tsk_fprintf(stderr,
                        "Sector offset supplied is larger than disk image (maximum: %"
                        PRIu64 ")\n", img->size / img->sector_size);
                    exit(1);
                }
            }
        }
    }

    if ((fs =
            tsk_fs_open_img(img, imgaddr * img->sector_size,
                fstype)) == NULL) {
        tsk_error_print(stderr);
        /* Help the user pick a type when the given one is not supported */
        if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
            tsk_fs_type_print(stderr);
        img->close(img);
        exit(1);
    }

    /* do we need to set the range or just check them? */
    if (set_range) {
        istart = fs->first_inum;
        ilast = fs->last_inum;
    }
    else {
        /*
         * Clamp the requested range to what the file system holds.
         * An inverted range (istart > ilast) is not rejected here.
         */
        if (istart < fs->first_inum)
            istart = fs->first_inum;

        if (ilast > fs->last_inum)
            ilast = fs->last_inum;
    }

    /* NTFS uses alloc and link different than UNIX so change
     * the default behavior
     *
     * The link value can be > 0 on deleted files (even when closed)
     */

    /* NTFS and FAT have no notion of deleted but still open */
    if ((ils_flags & TSK_FS_ILS_OPEN) && (TSK_FS_TYPE_ISNTFS(fs->ftype)
            || TSK_FS_TYPE_ISFAT(fs->ftype))) {
        fprintf(stderr,
            "Error: '-O' argument does not work with NTFS and FAT images\n");
        exit(1);
    }

    if (tsk_fs_ils(fs, (TSK_FS_ILS_FLAG_ENUM) ils_flags, istart, ilast,
            (TSK_FS_META_FLAG_ENUM) flags, sec_skew, image)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    fs->close(fs);
    img->close(img);
    exit(0);
}
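/*
 * main - parse the command line, open the image and file system, and call
 * tsk_fs_blkcalc() for the one address supplied with -d, -s or -u.
 *
 * Exactly one of -d, -s and -u must be given: each of them stores its
 * argument in the same "count" variable, so combining them would silently
 * keep only the last address.
 *
 * Exits 0 on success and 1 on error.
 */
int main(int argc, char **argv1)
{
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_IMG_INFO *img;
    TSK_OFF_T imgaddr = 0;
    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
    TSK_FS_INFO *fs;
    int ch;
    TSK_TCHAR *cp;
    uint8_t type = 0;           /* TSK_FS_BLKCALC_* bits selected on the command line */
    int set = 0;
    int n_types;
    TSK_DADDR_T count = 0;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("b:d:f:i:o:s:u:vV"))) > 0) {
        switch (ch) {
        case _TSK_T('?'):
        default:
            /*
             * NOTE(review): usage() is defined elsewhere and presumably
             * does not return; otherwise control falls through to 'b'.
             */
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();
        case _TSK_T('b'):
            /* Sector size: the whole argument must parse as a number >= 1 */
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('d'):
            type |= TSK_FS_BLKCALC_DD;
            count = TSTRTOULL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG) {
                TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
                usage();
            }
            set = 1;
            break;
        case _TSK_T('f'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_fs_type_print(stderr);
                exit(1);
            }
            fstype = tsk_fs_type_toid(OPTARG);
            if (fstype == TSK_FS_TYPE_UNSUPP) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported file system type: %s\n"), OPTARG);
                usage();
            }
            break;
        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('o'):
            if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;
        case _TSK_T('s'):
            type |= TSK_FS_BLKCALC_SLACK;
            count = TSTRTOULL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG) {
                TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
                usage();
            }
            set = 1;
            break;
        case _TSK_T('u'):
            type |= TSK_FS_BLKCALC_BLKLS;
            count = TSTRTOULL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG) {
                TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
                usage();
            }
            set = 1;
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        }
    }

    /* We need at least one more argument */
    if (OPTIND == argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    if ((!type) || (set == 0)) {
        tsk_fprintf(stderr, "Calculation type not given (-u, -d, -s)\n");
        usage();
    }

    /*
     * Reject any combination of two or more calculation types.  Testing
     * that all three bits are set at once would let pairs such as
     * "-d N -s M" through, and the result would then be computed for
     * whichever address was parsed last.
     */
    n_types = ((type & TSK_FS_BLKCALC_DD) != 0)
        + ((type & TSK_FS_BLKCALC_BLKLS) != 0)
        + ((type & TSK_FS_BLKCALC_SLACK) != 0);
    if (n_types > 1) {
        tsk_fprintf(stderr, "Only one block type can be given\n");
        usage();
    }

    if ((img =
            tsk_img_open(argc - OPTIND, &argv[OPTIND],
                imgtype, ssize)) == NULL) {
        tsk_error_print(stderr);
        exit(1);
    }

    /* The -o offset must fall inside the image */
    if ((imgaddr * img->sector_size) >= img->size) {
        tsk_fprintf(stderr,
            "Sector offset supplied is larger than disk image (maximum: %"
            PRIu64 ")\n", img->size / img->sector_size);
        exit(1);
    }

    if ((fs =
            tsk_fs_open_img(img, imgaddr * img->sector_size,
                fstype)) == NULL) {
        tsk_error_print(stderr);
        if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
            tsk_fs_type_print(stderr);
        img->close(img);
        exit(1);
    }

    if (-1 == tsk_fs_blkcalc(fs, (TSK_FS_BLKCALC_FLAG_ENUM) type, count)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    fs->close(fs);
    img->close(img);
    exit(0);
}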
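/*
 * main - hash database lookup / index tool entry point.
 *
 * Opens the hash database named by the first non-option argument and then
 * runs in one of three modes:
 *   - "-i type": build an index with tsk_hdb_makeindex() and exit;
 *   - hashes given as further arguments: look each one up;
 *   - otherwise: read one hash per line from the "-f" file, or from stdin.
 *
 * Returns 0 on success and 1 on error.
 */
int main(int argc, char ** argv1)
{
    int ch;
    TSK_TCHAR *idx_type = NULL;
    TSK_TCHAR *db_file = NULL, *lookup_file = NULL;
    unsigned int flags = 0;
    TSK_HDB_INFO *hdb_info;
    TSK_TCHAR **argv;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("ef:i:qV"))) > 0) {
        switch (ch) {
        case _TSK_T('e'):
            flags |= TSK_HDB_FLAG_EXT;
            break;
        case _TSK_T('f'):
            lookup_file = OPTARG;
            break;
        case _TSK_T('i'):
            idx_type = OPTARG;
            break;
        case _TSK_T('q'):
            flags |= TSK_HDB_FLAG_QUICK;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        default:
            usage();
        }
    }

    if (OPTIND + 1 > argc) {
        tsk_fprintf(stderr,
            "Error: You must provide the source hash database location\n");
        usage();
    }

    db_file = argv[OPTIND++];

    if ((hdb_info = tsk_hdb_open(db_file, TSK_HDB_OPEN_NONE)) == NULL) {
        tsk_error_print(stderr);
        return 1;
    }

    /* What mode are we going to run in
     *
     * Are we going to make an index?
     */
    if (idx_type != NULL) {
        /* Get the flags right */
        if (lookup_file != NULL) {
            fprintf(stderr, "'-f' flag can't be used with '-i'\n");
            usage();
        }
        if (flags & TSK_HDB_FLAG_QUICK) {
            fprintf(stderr, "'-q' flag can't be used with '-i'\n");
            usage();
        }
        if (flags & TSK_HDB_FLAG_EXT) {
            fprintf(stderr, "'-e' flag can't be used with '-i'\n");
            usage();
        }

        if (tsk_hdb_makeindex(hdb_info, idx_type)) {
            tsk_error_print(stderr);
            tsk_hdb_close(hdb_info);
            return 1;
        }

        printf("Index Created\n");
        tsk_hdb_close(hdb_info);
        return 0;
    }

    /* Do some hash lookups
     *
     * Check if the values were passed on the command line or via a file
     */
    if (OPTIND < argc) {

        if ((OPTIND + 1 < argc) && (flags & TSK_HDB_FLAG_QUICK)) {
            fprintf(stderr,
                "Error: Only one hash can be given with quick option\n");
            usage();
        }

        if ((flags & TSK_HDB_FLAG_EXT) && (flags & TSK_HDB_FLAG_QUICK)) {
            fprintf(stderr, "'-e' flag can't be used with '-q'\n");
            usage();
        }

        if (lookup_file != NULL) {
            fprintf(stderr,
                "Error: -f can't be used when hashes are also given\n");
            usage();
        }

        /* Loop through all provided hash values */
        while (OPTIND < argc) {
            char htmp[128];
            int i;
            int retval;

            // convert to char -- lazy way to deal with WCHARs..
            // The copy is bounded to 127 characters plus the terminator;
            // longer arguments are truncated.
            for (i = 0; i < 127 && argv[OPTIND][i] != '\0'; i++) {
                htmp[i] = (char) argv[OPTIND][i];
            }
            htmp[i] = '\0';

            /* Perform lookup */
            retval = tsk_hdb_lookup_str(hdb_info, (const char *) htmp,
                (TSK_HDB_FLAG_ENUM) flags, lookup_act, NULL);
            if (retval == -1) {
                tsk_error_print(stderr);
                return 1;
            }
            if (flags & TSK_HDB_FLAG_QUICK) {
                printf("%d\n", retval);
            }
            else if (retval == 0) {
                print_notfound(htmp);
            }
            OPTIND++;
        }
    }
    /* Hash were given from stdin or a file */
    else {
        char buf[100];

        /* If the file was specified, use that - otherwise stdin */
#ifdef TSK_WIN32
        HANDLE handle = NULL;
        if (lookup_file != NULL) {
            if ((handle = CreateFile(lookup_file, GENERIC_READ,
                        FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
                        0)) == INVALID_HANDLE_VALUE) {
                TFPRINTF(stderr, _TSK_T("Error opening hash file: %s\n"),
                    lookup_file);
                exit(1);
            }
        }
        else {
            handle = GetStdHandle(STD_INPUT_HANDLE);
        }
#else
        FILE *handle = NULL;
        if (lookup_file != NULL) {
            handle = fopen(lookup_file, "r");
            if (!handle) {
                fprintf(stderr, "Error opening hash file: %s\n",
                    lookup_file);
                exit(1);
            }
        }
        else {
            handle = stdin;
        }
#endif

        while (1) {
            int retval;
            size_t len;

            memset(buf, 0, sizeof(buf));
#ifdef TSK_WIN32
            int done = 0;
            // win32 doesn't have a fgets equivalent, so we make an equivalent one.
            // Stop one short of the buffer size so the zero written by
            // memset() always terminates the string.
            for (int i = 0; i < (int) sizeof(buf) - 1; i++) {
                DWORD nread = 0;

                // A failed read or a zero-byte read both end the input;
                // without the nread test an end-of-file on a regular
                // file would never leave this loop.
                if (FALSE == ReadFile(handle, &buf[i], (DWORD) 1, &nread,
                        NULL) || nread == 0) {
                    done = 1;
                    break;
                }
                // skip the windows CR
                else if (buf[i] == '\r') {
                    buf[i] = '\0';
                    i--;
                    continue;
                }
                else if (buf[i] == '\n') {
                    break;
                }
            }

            if (done)
                break;
#else
            if (NULL == fgets(buf, (int) sizeof(buf), handle)) {
                break;
            }
#endif

            /*
             * Remove the line ending, but only if there is one.  The input
             * is untrusted: a line that begins with a NUL byte yields an
             * empty string, and writing buf[strlen(buf) - 1] would then
             * store one byte before the start of the buffer.  A final line
             * without a newline must also keep its last character.
             */
            len = strlen(buf);
            while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r')) {
                buf[--len] = '\0';
            }

            retval = tsk_hdb_lookup_str(hdb_info, (const char *) buf,
                (TSK_HDB_FLAG_ENUM) flags, lookup_act, NULL);
            if (retval == -1) {
                tsk_error_print(stderr);
                return 1;
            }
            if (flags & TSK_HDB_FLAG_QUICK) {
                /* Quick mode reports a single result and stops */
                printf("%d\n", retval);
                break;
            }
            else if (retval == 0) {
                print_notfound(buf);
            }
        }

#ifdef TSK_WIN32
        if (lookup_file != NULL)
            CloseHandle(handle);
#else
        if (lookup_file != NULL)
            fclose(handle);
#endif
    }

    tsk_hdb_close(hdb_info);
    return 0;
}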
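/*
 * main - open an image and file system and walk the journal entries.
 *
 * The last argument may optionally be the inode address of the journal;
 * when it does not parse as an inode, it is treated as part of the image
 * file list and the file system's own journal inode (fs->journ_inum) is
 * used instead.
 *
 * Exits 0 on success and 1 on error.
 */
int main(int argc, char **argv1)
{
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_IMG_INFO *img;
    TSK_OFF_T imgaddr = 0;
    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
    TSK_FS_INFO *fs;
    TSK_INUM_T inum;
    int ch;
    int inum_given;             /* non-zero when the last argument is an inode */
    int img_argc;               /* number of arguments that name image files */
    TSK_TCHAR **argv;
    unsigned int ssize = 0;
    TSK_TCHAR *cp;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("b:f:i:o:vV"))) > 0) {
        switch (ch) {
        case _TSK_T('?'):
        default:
            /*
             * NOTE(review): usage() is defined elsewhere and presumably
             * does not return; otherwise control falls through to 'b'.
             */
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();
        case _TSK_T('b'):
            /* Sector size: the whole argument must parse as a number >= 1 */
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('f'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_fs_type_print(stderr);
                exit(1);
            }
            fstype = tsk_fs_type_toid(OPTARG);
            if (fstype == TSK_FS_TYPE_UNSUPP) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported file system type: %s\n"), OPTARG);
                usage();
            }
            break;
        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('o'):
            if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        }
    }

    /* We need at least one more argument */
    if (OPTIND >= argc) {
        tsk_fprintf(stderr, "Missing image name and/or address\n");
        usage();
    }

    /* open image - there is an optional inode address at the end of args
     *
     * Check the final argument and see if it is a number.
     * tsk_fs_parse_inum() returns non-zero when it is not an inode.
     */
    inum_given =
        (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL,
            NULL) == 0);

    /* A trailing inode is not an image file, so keep it out of the open */
    img_argc = inum_given ? argc - OPTIND - 1 : argc - OPTIND;

    if ((img =
            tsk_img_open(img_argc, &argv[OPTIND], imgtype,
                ssize)) == NULL) {
        tsk_error_print(stderr);
        exit(1);
    }

    /*
     * Validate the -o offset against the image size in both modes, so an
     * out-of-range offset is reported the same way whether or not an
     * inode address was supplied.
     */
    if ((imgaddr * img->sector_size) >= img->size) {
        tsk_fprintf(stderr,
            "Sector offset supplied is larger than disk image (maximum: %"
            PRIu64 ")\n", img->size / img->sector_size);
        img->close(img);
        exit(1);
    }

    if ((fs =
            tsk_fs_open_img(img, imgaddr * img->sector_size,
                fstype)) == NULL) {
        tsk_error_print(stderr);
        if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
            tsk_fs_type_print(stderr);
        img->close(img);
        exit(1);
    }

    /* No inode on the command line: use the file system's journal inode */
    if (!inum_given)
        inum = fs->journ_inum;

    if (fs->jopen == NULL) {
        tsk_fprintf(stderr,
            "Journal support does not exist for this file system\n");
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    /* Range-check the inode before handing it to the journal code */
    if (inum > fs->last_inum) {
        tsk_fprintf(stderr,
            "Inode value is too large for image (%" PRIuINUM ")\n",
            fs->last_inum);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    if (inum < fs->first_inum) {
        tsk_fprintf(stderr,
            "Inode value is too small for image (%" PRIuINUM ")\n",
            fs->first_inum);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    if (fs->jopen(fs, inum)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    if (fs->jentry_walk(fs, 0, 0, NULL)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    fs->close(fs);
    img->close(img);
    exit(0);
}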
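/*
 * main - parse the command line, open the image through TskGetTimes and
 * call findFilesInImg().
 *
 * Options: -b sector size, -i image type, -s clock skew in seconds,
 * -z time zone, -v verbose, -V version.
 *
 * Exits 0 on success and 1 on error.
 */
int main(int argc, char **argv1)
{
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    int ch;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;
    TSK_TCHAR *cp;
    int32_t sec_skew = 0;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("b:i:s:vVz:"))) > 0) {
        switch (ch) {
        case _TSK_T('?'):
        default:
            // NOTE(review): usage() is defined elsewhere and presumably
            // does not return; otherwise control falls through to 'b'.
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();
        case _TSK_T('b'):
            // Sector size: the whole argument must parse as a number >= 1
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('s'):
            // The TATOI result is stored as-is; no validation is done here
            sec_skew = TATOI(OPTARG);
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        case _TSK_T('z'):
            {
                // TPUTENV presumably maps to putenv(), which keeps the
                // pointer it is handed instead of copying the string.
                // The buffer is static so that it stays valid after this
                // block ends and later time conversions read a live TZ.
                static TSK_TCHAR envstr[32];
                int n = TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG);

                // A truncated name would select a different time zone than
                // the one requested and skew every reported timestamp, so
                // refuse it instead of using the shortened value.
                if (n < 0 || n >= 32) {
                    tsk_fprintf(stderr, "error setting environment");
                    exit(1);
                }
                if (0 != TPUTENV(envstr)) {
                    tsk_fprintf(stderr, "error setting environment");
                    exit(1);
                }

                /* we should be checking this somehow */
                TZSET();
            }
            break;
        }
    }

    /* We need at least one more argument */
    // OPTIND == argc means no image name is left on the command line
    if (OPTIND >= argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    TskGetTimes tskGetTimes(sec_skew);
    if (tskGetTimes.openImage(argc - OPTIND, &argv[OPTIND], imgtype,
            ssize)) {
        tsk_error_print(stderr);
        exit(1);
    }

    if (tskGetTimes.findFilesInImg()) {
        tsk_error_print(stderr);
        exit(1);
    }

    exit(0);
}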
/*
 * main - open a disk image, open its volume system and print statistics
 * for it with print_stats().
 *
 * Options: -b sector size, -i image type, -o sector offset of the volume
 * system, -t volume system type, -v verbose, -V version.
 *
 * Exits 0 on success and 1 on error.
 */
int main(int argc, char **argv1)
{
    TSK_VS_INFO *vol_sys;
    TSK_IMG_TYPE_ENUM img_type = TSK_IMG_TYPE_DETECT;
    TSK_VS_TYPE_ENUM vs_type = TSK_VS_TYPE_DETECT;
    int opt;
    TSK_OFF_T sect_off = 0;
    TSK_IMG_INFO *image;
    TSK_TCHAR **argv;
    unsigned int sect_size = 0;
    TSK_TCHAR *end;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (NULL == argv) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];

    for (;;) {
        opt = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"));
        if (opt <= 0)
            break;

        switch (opt) {
        case _TSK_T('b'):
            /* The whole argument has to be a number of at least 1 */
            sect_size = (unsigned int) TSTRTOUL(OPTARG, &end, 0);
            if (*end || *end == *OPTARG || sect_size < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('i'):
            /* "list" shows the known image types instead of selecting one */
            if (0 == TSTRCMP(OPTARG, _TSK_T("list"))) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            img_type = tsk_img_type_toid(OPTARG);
            if (TSK_IMG_TYPE_UNSUPP == img_type) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('o'):
            sect_off = tsk_parse_offset(OPTARG);
            if (sect_off == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;

        case _TSK_T('t'):
            /* "list" shows the known volume system types */
            if (0 == TSTRCMP(OPTARG, _TSK_T("list"))) {
                tsk_vs_type_print(stderr);
                exit(1);
            }
            vs_type = tsk_vs_type_toid(OPTARG);
            if (TSK_VS_TYPE_UNSUPP == vs_type) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported volume system type: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case 'v':
            tsk_verbose++;
            break;

        case 'V':
            tsk_version_print(stdout);
            exit(0);

        case '?':
        default:
            tsk_fprintf(stderr, "Unknown argument\n");
            usage();
        }
    }

    /* At least one image file name has to follow the options */
    if (OPTIND >= argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    /* Every remaining argument names a piece of the image */
    image = tsk_img_open(argc - OPTIND, &argv[OPTIND], img_type, sect_size);
    if (NULL == image) {
        tsk_error_print(stderr);
        exit(1);
    }

    /* The requested offset has to lie inside the image */
    if ((sect_off * image->sector_size) >= image->size) {
        tsk_fprintf(stderr,
            "Sector offset supplied is larger than disk image (maximum: %"
            PRIu64 ")\n", image->size / image->sector_size);
        exit(1);
    }

    /* Read the partition tables */
    vol_sys = tsk_vs_open(image, sect_off * image->sector_size, vs_type);
    if (NULL == vol_sys) {
        tsk_error_print(stderr);
        if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
            tsk_vs_type_print(stderr);
        exit(1);
    }

    print_stats(vol_sys);

    tsk_vs_close(vol_sys);
    tsk_img_close(image);
    exit(0);
}
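/*
 * main - open an image and file system and output the contents (or, with
 * -s, the statistics) of one or more data units via tsk_fs_blkcat().
 *
 * Trailing arguments are "image... addr [count]".  With -s only the image
 * names are expected.  The -u option overrides the data unit size for raw
 * and swap "file systems" and must be a positive multiple of 512.
 *
 * Exits 0 on success and 1 on error.
 */
int main(int argc, char **argv1)
{
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_IMG_INFO *img;
    TSK_OFF_T imgaddr = 0;
    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
    TSK_FS_INFO *fs;
    TSK_DADDR_T addr = 0;
    TSK_TCHAR *cp;
    TSK_DADDR_T read_num_units; /* Number of data units */
    int usize = 0;              /* Length of each data unit */
    int ch;
    char format = 0;
    extern int OPTIND;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("ab:f:hi:o:su:vVw"))) > 0) {
        switch (ch) {
        case _TSK_T('a'):
            format |= TSK_FS_BLKCAT_ASCII;
            break;
        case _TSK_T('b'):
            /* Sector size: the whole argument must parse as a number >= 1 */
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('f'):
            if (TSTRCMP(OPTARG, BLKLS_TYPE) == 0) {
                fstype = TSK_FS_TYPE_RAW;
            }
            else if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_fprintf(stderr, "\t%" PRIttocTSK
                    " (Unallocated Space)\n", BLKLS_TYPE);
                tsk_fs_type_print(stderr);
                exit(1);
            }
            else {
                fstype = tsk_fs_type_toid(OPTARG);
            }
            if (fstype == TSK_FS_TYPE_UNSUPP) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported file system type: %s\n"), OPTARG);
                usage();
            }
            break;
        case _TSK_T('h'):
            format |= TSK_FS_BLKCAT_HEX;
            break;
        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('o'):
            if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;
        case _TSK_T('s'):
            format |= TSK_FS_BLKCAT_STAT;
            break;
        case _TSK_T('u'):
            {
                /*
                 * Parse into the function's own return type first.  The
                 * value is later used as a signed divisor when the block
                 * count is recomputed, so anything that does not survive
                 * the conversion to a non-negative int is rejected here
                 * instead of wrapping to a negative or truncated size.
                 */
                unsigned long parsed = TSTRTOUL(OPTARG, &cp, 0);

                usize = (int) parsed;
                if (*cp || cp == OPTARG || usize < 0
                    || (unsigned long) usize != parsed) {
                    TFPRINTF(stderr, _TSK_T("Invalid block size: %s\n"),
                        OPTARG);
                    usage();
                }
            }
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
            break;
        case _TSK_T('w'):
            format |= TSK_FS_BLKCAT_HTML;
            break;
        case _TSK_T('?'):
        default:
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();
        }
    }

    if (format & TSK_FS_BLKCAT_STAT) {
        if (OPTIND == argc)
            usage();

        if (format & (TSK_FS_BLKCAT_HTML | TSK_FS_BLKCAT_ASCII |
                TSK_FS_BLKCAT_HEX)) {
            tsk_fprintf(stderr, "NOTE: Additional flags will be ignored\n");
        }
    }
    /* We need at least two more arguments */
    else if (OPTIND + 1 >= argc) {
        tsk_fprintf(stderr, "Missing image name and/or address\n");
        usage();
    }

    if ((format & TSK_FS_BLKCAT_ASCII) && (format & TSK_FS_BLKCAT_HEX)) {
        tsk_fprintf(stderr,
            "Ascii and Hex flags can not be used together\n");
        usage();
    }

    /* We need to figure out if there is a length argument... */
    /* Check out the second argument from the end */

    /* default number of units is 1 */
    read_num_units = 1;

    /* Get the block address */
    if (format & TSK_FS_BLKCAT_STAT) {
        /* Statistics mode: every remaining argument is an image file */
        if ((img =
                tsk_img_open(argc - OPTIND, &argv[OPTIND],
                    imgtype, ssize)) == NULL) {
            tsk_error_print(stderr);
            exit(1);
        }
        if ((imgaddr * img->sector_size) >= img->size) {
            tsk_fprintf(stderr,
                "Sector offset supplied is larger than disk image (maximum: %"
                PRIu64 ")\n", img->size / img->sector_size);
            exit(1);
        }
    }
    else {
        /*
         * argv[argc - 2] is safe to read here: the OPTIND + 1 >= argc test
         * above guarantees at least two trailing arguments, provided
         * usage() does not return (it is defined elsewhere).
         */
        addr = TSTRTOULL(argv[argc - 2], &cp, 0);
        if (*cp || *cp == *argv[argc - 2]) {

            /* Not a number, so it is the image name and we do not have a length */
            addr = TSTRTOULL(argv[argc - 1], &cp, 0);
            if (*cp || *cp == *argv[argc - 1]) {
                TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"),
                    argv[argc - 1]);
                usage();
            }

            if ((img =
                    tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
                        imgtype, ssize)) == NULL) {
                tsk_error_print(stderr);
                exit(1);
            }
            if ((imgaddr * img->sector_size) >= img->size) {
                tsk_fprintf(stderr,
                    "Sector offset supplied is larger than disk image (maximum: %"
                    PRIu64 ")\n", img->size / img->sector_size);
                exit(1);
            }
        }
        else {
            /* We got a number, so take the length as well while we are at it */
            read_num_units = TSTRTOULL(argv[argc - 1], &cp, 0);
            if (*cp || *cp == *argv[argc - 1]) {
                TFPRINTF(stderr, _TSK_T("Invalid size: %s\n"),
                    argv[argc - 1]);
                usage();
            }
            else if (read_num_units <= 0) {
                tsk_fprintf(stderr, "Invalid size: %" PRIuDADDR "\n",
                    read_num_units);
                usage();
            }

            if ((img =
                    tsk_img_open(argc - OPTIND - 2, &argv[OPTIND],
                        imgtype, ssize)) == NULL) {
                tsk_error_print(stderr);
                exit(1);
            }
            if ((imgaddr * img->sector_size) >= img->size) {
                tsk_fprintf(stderr,
                    "Sector offset supplied is larger than disk image (maximum: %"
                    PRIu64 ")\n", img->size / img->sector_size);
                exit(1);
            }
        }
    }

    /* open the file */
    if ((fs =
            tsk_fs_open_img(img, imgaddr * img->sector_size,
                fstype)) == NULL) {
        tsk_error_print(stderr);
        if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
            tsk_fs_type_print(stderr);
        img->close(img);
        exit(1);
    }

    /* Set the default size if given */
    if ((usize != 0) &&
        (TSK_FS_TYPE_ISRAW(fs->ftype) || TSK_FS_TYPE_ISSWAP(fs->ftype))) {
        TSK_DADDR_T sectors;
        int orig_dsize, new_dsize;

        if (usize % 512) {
            tsk_fprintf(stderr,
                "New data unit size not a multiple of 512 (%d)\n", usize);
            usage();
        }

        /* We need to do some math to update the block_count value */

        /* Get the original number of sectors */
        orig_dsize = fs->block_size / 512;
        sectors = fs->block_count * orig_dsize;

        /* Convert that to the new size */
        /* usize is positive and a multiple of 512 here, so new_dsize >= 1 */
        new_dsize = usize / 512;
        fs->block_count = sectors / new_dsize;
        if (sectors % new_dsize)
            fs->block_count++;
        fs->last_block = fs->block_count - 1;
        fs->block_size = usize;
    }

    /* Range-check the address before reading from the image */
    if (addr > fs->last_block) {
        tsk_fprintf(stderr,
            "Data unit address too large for image (%" PRIuDADDR ")\n",
            fs->last_block);
        fs->close(fs);
        img->close(img);
        exit(1);
    }
    if (addr < fs->first_block) {
        tsk_fprintf(stderr,
            "Data unit address too small for image (%" PRIuDADDR ")\n",
            fs->first_block);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    if (tsk_fs_blkcat(fs, (TSK_FS_BLKCAT_FLAG_ENUM) format, addr,
            read_num_units)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    fs->close(fs);
    img->close(img);
    exit(0);
}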
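/*
 * main - set up the framework services for one disk image, extract its
 * files into a new output directory, and run the file analysis and
 * reporting pipelines.
 *
 * Options: -c framework config file, -p pipeline config file,
 * -v verbose, -V version.  The first non-option argument is the image.
 *
 * The output directory is "<image path>_tsk_out" and must not exist yet.
 *
 * Returns 0 on success and 1 on error.
 */
int main(int argc, char **argv1)
{
    TSK_TCHAR **argv;
    extern int OPTIND;
    int ch;
    struct STAT_STR stat_buf;
    TSK_TCHAR *pipeline_config = NULL;
    TSK_TCHAR *framework_config = NULL;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    while ((ch = GETOPT(argc, argv, _TSK_T("c:p:vV"))) > 0) {
        switch (ch) {
        case _TSK_T('?'):
        default:
            // NOTE(review): usage() is defined elsewhere and presumably
            // does not return; otherwise control falls through to 'c'.
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();
        case _TSK_T('c'):
            framework_config = OPTARG;
            break;
        case _TSK_T('p'):
            pipeline_config = OPTARG;
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        }
    }

    /* We need at least one more argument */
    if (OPTIND == argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    TSK_TCHAR *imagePath = argv[OPTIND];

    // Load the framework config if they specified it
    Poco::AutoPtr<Poco::Util::XMLConfiguration> pXMLConfig;
    if (framework_config) {
        // @@@ Not Unix-friendly
        try {
            pXMLConfig =
                new Poco::Util::XMLConfiguration(TskUtilities::toUTF8(framework_config));
        }
        catch (std::exception& e) {
            fprintf(stderr, "Error opening framework config file (%s)\n",
                e.what());
            return 1;
        }

        // Initialize properties based on the config file.
        // The object is handed to TskServices by reference and is never
        // deleted in this function.
        TskSystemPropertiesImpl *systemProperties =
            new TskSystemPropertiesImpl();
        systemProperties->initialize(*pXMLConfig);
        TskServices::Instance().setSystemProperties(*systemProperties);
    }

    // make up an output folder to store the database and such in
    TSK_TCHAR outDirPath[1024];
    int pathLen =
        TSNPRINTF(outDirPath, 1024, _TSK_T("%s_tsk_out"), imagePath);

    // A path that does not fit would be cut short (and may be left without
    // a terminator by some implementations), so results would be written
    // to a directory other than the one derived from the image name.
    if (pathLen < 0 || pathLen >= 1024) {
        fprintf(stderr,
            "Image path is too long to derive an output directory name\n");
        return 1;
    }

    // Refuse to reuse an existing directory.
    // NOTE(review): this check and makeDir() are separate steps; confirm
    // makeDir() itself fails if the directory appears in between.
    if (TSTAT(outDirPath, &stat_buf) == 0) {
        fprintf(stderr, "Output directory already exists (%" PRIttocTSK ")\n",
            outDirPath);
        return 1;
    }

    if (makeDir(outDirPath)) {
        return 1;
    }

    // @@@ Not UNIX-friendly
    TSK_SYS_PROP_SET(TskSystemPropertiesImpl::OUT_DIR, outDirPath);

    // Create and register our SQLite ImgDB class
    std::auto_ptr<TskImgDB> pImgDB(NULL);
    pImgDB = std::auto_ptr<TskImgDB>(new TskImgDBSqlite(outDirPath));
    if (pImgDB->initialize() != 0) {
        fprintf(stderr, "Error initializing SQLite database\n");
        tsk_error_print(stderr);
        return 1;
    }

    // @@@ Call pImgDB->addToolInfo() as needed to set version info...

    TskServices::Instance().setImgDB(*pImgDB);

    // Create a Blackboard and register it with the framework.
    TskServices::Instance().setBlackboard(TskDBBlackboard::instance());

    // @@@ Not UNIX-friendly
    if (pipeline_config != NULL)
        TSK_SYS_PROP_SET(TskSystemPropertiesImpl::PIPELINE_CONFIG,
            pipeline_config);

    // Create an ImageFile and register it with the framework.
    TskImageFileTsk imageFileTsk;
    if (imageFileTsk.open(imagePath) != 0) {
        fprintf(stderr, "Error opening image: %" PRIttocTSK "\n", imagePath);
        tsk_error_print(stderr);
        return 1;
    }
    TskServices::Instance().setImageFile(imageFileTsk);

    // Let's get the pipelines setup to make sure there are no errors.
    // A pipeline that cannot be created is reported and then skipped.
    TskPipelineManager pipelineMgr;
    TskPipeline *filePipeline;
    try {
        filePipeline =
            pipelineMgr.createPipeline(TskPipelineManager::FILE_ANALYSIS_PIPELINE);
    }
    catch (TskException &e) {
        fprintf(stderr, "Error creating file analysis pipeline\n");
        std::cerr << e.message() << endl;
        filePipeline = NULL;
    }

    TskPipeline *reportPipeline;
    try {
        reportPipeline =
            pipelineMgr.createPipeline(TskPipelineManager::REPORTING_PIPELINE);
    }
    catch (TskException &e) {
        fprintf(stderr, "Error creating reporting pipeline\n");
        std::cerr << e.message() << endl;
        reportPipeline = NULL;
    }

    // now we analyze the data.
    // Extract
    if (imageFileTsk.extractFiles() != 0) {
        fprintf(stderr, "Error adding file system info to database\n");
        tsk_error_print(stderr);
        return 1;
    }

    //Run pipeline on all files
    // @@@ this needs to cycle over the files to analyze, 10 is just here for testing
    if (filePipeline) {
        for (int i = 0; i < 10; i++) {
            try {
                filePipeline->run(i);
            }
            catch (...) {
                // error message has been logged already.
            }
        }
    }

    if (reportPipeline) {
        try {
            reportPipeline->run();
        }
        catch (...) {
            fprintf(stderr, "Error running reporting pipeline\n");
            return 1;
        }
    }

    fprintf(stderr, "image analysis complete\n");
    return 0;
}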
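/**
 * img_cat entry point: copy the bytes of a disk image, or of a sector range
 * within it, to stdout.
 *
 * Options handled here: -b sector size, -i image type ("list" prints the
 * supported types and exits), -s first sector, -e last sector (inclusive),
 * -v verbose, -V print version.  The remaining arguments name the image
 * file(s) passed to tsk_img_open().
 *
 * Exits 0 after the selected range has been written and 1 on an open, read
 * or write error.  Argument errors are reported and handed to usage(),
 * which is defined elsewhere and is expected not to return (TODO confirm;
 * the switch below falls through after it otherwise).
 */
int
main(int argc, char **argv1)
{
    TSK_IMG_INFO *img;
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    int ch;
    TSK_OFF_T start_sector = 0;
    TSK_OFF_T end_sector = 0;
    ssize_t cnt;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;
    TSK_TCHAR *cp;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];

    while ((ch = GETOPT(argc, argv, _TSK_T("b:i:vVs:e:"))) > 0) {
        switch (ch) {
        case _TSK_T('?'):
        default:
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();

        case _TSK_T('b'):
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('s'):
            start_sector = TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || start_sector < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: start sector must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('e'):
            end_sector = TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || end_sector < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: end sector must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('v'):
            tsk_verbose++;
            break;

        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        }
    }

    /* We need at least one more argument */
    if (OPTIND >= argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    /* An inverted range would otherwise produce empty output with exit
     * status 0, which is easy to mistake for a successful extraction. */
    if (end_sector && start_sector > end_sector) {
        tsk_fprintf(stderr,
            "invalid argument: start sector is larger than end sector\n");
        usage();
    }

    if ((img =
            tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
                ssize)) == NULL) {
        tsk_error_print(stderr);
        exit(1);
    }

#ifdef TSK_WIN32
    /* The image is binary data; text mode would rewrite line endings. */
    if (-1 == _setmode(_fileno(stdout), _O_BINARY)) {
        fprintf(stderr, "error setting stdout to binary: %s",
            strerror(errno));
        tsk_img_close(img);
        exit(1);
    }
#endif

    TSK_OFF_T start_byte = 0;
    if (start_sector)
        start_byte = start_sector * img->sector_size;

    /* -e is inclusive, hence the +1; without -e the copy runs to the end of
     * the image. */
    TSK_OFF_T end_byte = 0;
    if (end_sector)
        end_byte = (end_sector + 1) * img->sector_size;
    else
        end_byte = img->size;

    for (TSK_OFF_T done = start_byte; done < end_byte; done += cnt) {
        char buf[16 * 1024];
        size_t len;

        /* Last chunk: read only what is left of the requested range. */
        if (done + (TSK_OFF_T) sizeof(buf) > end_byte) {
            len = (size_t) (end_byte - done);
        }
        else {
            len = sizeof(buf);
        }

        cnt = tsk_img_read(img, done, buf, len);
        if (cnt != (ssize_t) len) {
            if (cnt >= 0) {
                /* len is size_t and cnt is ssize_t; both are cast to the
                 * type the PRIuOFF conversions are written for, so the
                 * variadic arguments have the expected width on targets
                 * where size_t is narrower than TSK_OFF_T. */
                tsk_fprintf(stderr,
                    "img_cat: Error reading image file at offset: %"
                    PRIuOFF ", len: %" PRIuOFF ", return: %" PRIuOFF "\n",
                    done, (TSK_OFF_T) len, (TSK_OFF_T) cnt);
            }
            else {
                tsk_error_print(stderr);
            }
            tsk_img_close(img);
            exit(1);
        }

        if (fwrite(buf, cnt, 1, stdout) != 1) {
            fprintf(stderr, "img_cat: Error writing to stdout: %s",
                strerror(errno));
            tsk_img_close(img);
            exit(1);
        }
    }

    tsk_img_close(img);
    exit(0);
}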
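/**
 * mmls entry point: open a disk image, open its volume system and print the
 * partition layout.
 *
 * Options handled here: -a allocated volumes, -A unallocated volumes,
 * -m metadata volumes, -M hide metadata volumes, -B sets print_bytes,
 * -b sector size, -i image type, -o sector offset of the volume system,
 * -r sets recurse, -t volume system type, -v verbose, -V print version.
 * With no -a/-A/-m flag every volume type is listed.
 *
 * Exits 0 on success and 1 when the image or volume system cannot be opened
 * or the partition walk fails.  Argument errors go through usage(), which is
 * defined elsewhere and is expected not to return (TODO confirm).
 */
int
main(int argc, char **argv1)
{
    TSK_VS_INFO *vs;
    int ch;
    TSK_OFF_T imgaddr = 0;
    int flags = 0;
    TSK_IMG_INFO *img;
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
    uint8_t hide_meta = 0;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;
    TSK_TCHAR *cp;
    int is_dos;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];

    while ((ch = GETOPT(argc, argv, _TSK_T("aAb:Bi:mMo:rt:vV"))) > 0) {
        switch (ch) {
        case _TSK_T('a'):
            flags |= TSK_VS_PART_FLAG_ALLOC;
            break;
        case _TSK_T('A'):
            flags |= TSK_VS_PART_FLAG_UNALLOC;
            break;
        case _TSK_T('B'):
            print_bytes = 1;
            break;
        case _TSK_T('b'):
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('m'):
            flags |= (TSK_VS_PART_FLAG_META);
            break;
        case _TSK_T('M'):
            // we'll set this after all flags have been set
            hide_meta = 1;
            break;
        case _TSK_T('o'):
            if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;
        case _TSK_T('r'):
            recurse = 1;
            break;
        case _TSK_T('t'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_vs_type_print(stderr);
                exit(1);
            }
            vstype = tsk_vs_type_toid(OPTARG);
            if (vstype == TSK_VS_TYPE_UNSUPP) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported volume system type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        case _TSK_T('?'):
        default:
            tsk_fprintf(stderr, "Unknown argument\n");
            usage();
        }
    }

    // if they want to hide metadata volumes, set that now
    if (hide_meta) {
        if (flags == 0)
            flags = (TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC);
        else
            flags &= ~TSK_VS_PART_FLAG_META;
    }
    else if (flags == 0) {
        flags = TSK_VS_PART_FLAG_ALL;
    }

    /* We need at least one more argument */
    if (OPTIND >= argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    /* open the image */
    img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize);
    if (img == NULL) {
        tsk_error_print(stderr);
        exit(1);
    }

    if ((imgaddr * img->sector_size) >= img->size) {
        tsk_fprintf(stderr,
            "Sector offset supplied is larger than disk image (maximum: %"
            PRIu64 ")\n", img->size / img->sector_size);
        tsk_img_close(img);
        exit(1);
    }

    /* process the partition tables */
    vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype);
    if (vs == NULL) {
        tsk_error_print(stderr);
        if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
            tsk_vs_type_print(stderr);
        tsk_img_close(img);
        exit(1);
    }

    print_header(vs);

    if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
            (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
        tsk_error_print(stderr);
        tsk_vs_close(vs);
        tsk_img_close(img);
        exit(1);
    }

    /* Read the detected type BEFORE closing: the handle must not be
     * dereferenced once tsk_vs_close() has released it (the original code
     * tested vs->vstype after the close). */
    is_dos = (vs->vstype == TSK_VS_TYPE_DOS);
    tsk_vs_close(vs);
    vs = NULL;

    if ((recurse) && is_dos) {
        int i;

        /* disable recursing in case we hit another DOS partition;
         * future versions may support more layers */
        recurse = 0;

        /* recurse_list / recurse_cnt are file-level state; presumably
         * filled by part_act during the walk above (not visible here). */
        for (i = 0; i < recurse_cnt; i++) {
            vs = tsk_vs_open(img, recurse_list[i], TSK_VS_TYPE_DETECT);
            if (vs != NULL) {
                tsk_printf("\n\n");
                print_header(vs);
                if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
                        (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
                    tsk_error_reset();
                }
                tsk_vs_close(vs);
            }
            else {
                /* Ignore error in this case and reset */
                tsk_error_reset();
            }
        }
    }

    tsk_img_close(img);
    exit(0);
}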
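/**
 * mmcat entry point: write the raw blocks of one partition of a disk image
 * to stdout.
 *
 * Options handled here: -b sector size, -i image type, -o sector offset of
 * the volume system, -t volume system type, -v verbose, -V print version.
 * The last argument is the partition number; the arguments before it name
 * the image file(s).
 *
 * Exits 0 after every block of the partition has been written and 1 on any
 * open, lookup, read or write error.  Argument errors go through usage(),
 * which is defined elsewhere and is expected not to return (TODO confirm).
 */
int
main(int argc, char **argv1)
{
    TSK_VS_INFO *vs;
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
    int ch;
    TSK_OFF_T imgaddr = 0;
    TSK_IMG_INFO *img;
    TSK_PNUM_T pnum;
    TSK_DADDR_T addr;
    const TSK_VS_PART_INFO *vs_part;
    char *buf;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;
    TSK_TCHAR *cp;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];

    while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) {
        switch (ch) {
        case _TSK_T('b'):
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('o'):
            if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;
        case _TSK_T('t'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_vs_type_print(stderr);
                exit(1);
            }
            vstype = tsk_vs_type_toid(OPTARG);
            if (vstype == TSK_VS_TYPE_UNSUPP) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported volume system type: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        case _TSK_T('v'):
            tsk_verbose++;
            break;
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);
        case _TSK_T('?'):
        default:
            tsk_fprintf(stderr, "Unknown argument\n");
            usage();
        }
    }

    /* We need at least two more arguments */
    if (OPTIND + 1 >= argc) {
        tsk_fprintf(stderr,
            "Missing image name and/or partition number\n");
        usage();
    }

    /* open the image; the final argument is the partition number, so it is
     * left out of the image file list */
    if ((img =
            tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype,
                ssize)) == NULL) {
        tsk_error_print(stderr);
        exit(1);
    }

    if ((imgaddr * img->sector_size) >= img->size) {
        tsk_fprintf(stderr,
            "Sector offset supplied is larger than disk image (maximum: %"
            PRIu64 ")\n", img->size / img->sector_size);
        tsk_img_close(img);
        exit(1);
    }

    if (tsk_parse_pnum(argv[argc - 1], &pnum)) {
        tsk_error_print(stderr);
        tsk_img_close(img);
        exit(1);
    }

    /* process the partition tables */
    if ((vs =
            tsk_vs_open(img, imgaddr * img->sector_size,
                vstype)) == NULL) {
        tsk_error_print(stderr);
        if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
            tsk_vs_type_print(stderr);
        tsk_img_close(img);
        exit(1);
    }

    /* NOTE(review): the message prints part_count, i.e. one more than the
     * largest address this check accepts. */
    if (pnum >= vs->part_count) {
        tsk_fprintf(stderr,
            "Partition address is too large (maximum: %" PRIuPNUM ")\n",
            vs->part_count);
        tsk_vs_close(vs);
        tsk_img_close(img);
        exit(1);
    }

    vs_part = tsk_vs_part_get(vs, pnum);
    if (vs_part == NULL) {
        tsk_fprintf(stderr, "Error looking up partition\n");
        tsk_vs_close(vs);
        tsk_img_close(img);
        exit(1);
    }

    buf = (char *) malloc(vs->block_size);
    if (buf == NULL) {
        tsk_error_print(stderr);
        tsk_vs_close(vs);
        tsk_img_close(img);
        exit(1);
    }

#ifdef TSK_WIN32
    /* The partition is binary data; text mode would rewrite line endings. */
    if (-1 == _setmode(_fileno(stdout), _O_BINARY)) {
        /* Capture errno before any other call can overwrite it. */
        const int saved_errno = errno;
        char strerror_buffer[1024];

        /* strerror_s() returns a status code and writes the text into the
         * buffer, so the buffer (not the return value) is what belongs
         * behind the %s conversion. */
        if (strerror_s(strerror_buffer, sizeof(strerror_buffer),
                saved_errno) != 0) {
            strerror_buffer[0] = '\0';
        }
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_FS_WRITE);
        tsk_error_set_errstr
            ("mmcat: error setting stdout to binary: %s", strerror_buffer);
        /* Report it; the recorded error was otherwise never shown. */
        tsk_error_print(stderr);
        free(buf);
        tsk_vs_close(vs);
        tsk_img_close(img);
        return 1;
    }
#endif

    for (addr = 0; addr < vs_part->len; addr++) {
        ssize_t retval;

        retval =
            tsk_vs_part_read_block(vs_part, addr, buf, vs->block_size);
        if (retval == -1) {
            tsk_error_print(stderr);
            free(buf);
            tsk_vs_close(vs);
            tsk_img_close(img);
            exit(1);
        }

        /* A short write means the extracted copy is incomplete. */
        if ((size_t) retval != fwrite(buf, 1, retval, stdout)) {
            tsk_fprintf(stderr, "Error writing data to stdout\n");
            free(buf);
            tsk_vs_close(vs);
            tsk_img_close(img);
            exit(1);
        }
    }

    free(buf);
    tsk_vs_close(vs);
    tsk_img_close(img);
    exit(0);
}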
/**
 * img_stat entry point: open a disk image and print either its type name
 * (-t) or the details reported by the image's own imgstat routine.
 *
 * Other options handled here: -b sector size, -i image type ("list" prints
 * the supported types and exits), -v verbose, -V print version.  The
 * remaining arguments name the image file(s).
 */
int
main(int argc, char **argv1)
{
    TSK_TCHAR **argv;
    TSK_TCHAR *num_end;
    TSK_IMG_INFO *image;
    TSK_IMG_TYPE_ENUM image_type = TSK_IMG_TYPE_DETECT;
    unsigned int sector_size = 0;
    uint8_t type_only = 0;
    int opt;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];

    for (;;) {
        opt = GETOPT(argc, argv, _TSK_T("b:i:tvV"));
        if (opt <= 0) {
            break;
        }

        switch (opt) {
        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);

        case _TSK_T('v'):
            tsk_verbose++;
            break;

        case _TSK_T('t'):
            type_only = 1;
            break;

        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            image_type = tsk_img_type_toid(OPTARG);
            if (image_type == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        /* The unknown-option label stays directly above 'b' so that the
         * statement following usage() is the same as before. */
        case _TSK_T('?'):
        default:
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();

        case _TSK_T('b'):
            sector_size = (unsigned int) TSTRTOUL(OPTARG, &num_end, 0);
            if (*num_end || *num_end == *OPTARG || sector_size < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;
        }
    }

    /* At least one image path has to follow the options. */
    if (OPTIND >= argc) {
        tsk_fprintf(stderr, "Missing image name\n");
        usage();
    }

    image = tsk_img_open(argc - OPTIND, &argv[OPTIND], image_type,
        sector_size);
    if (image == NULL) {
        tsk_error_print(stderr);
        exit(1);
    }

    if (!type_only) {
        /* Full report, produced by the image's imgstat callback. */
        image->imgstat(image, stdout);
    }
    else {
        const char *type_name = tsk_img_type_toname(image->itype);
        tsk_printf("%s\n", type_name);
    }

    tsk_img_close(image);
    exit(0);
}
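/**
 * hfind entry point: create, index, update or query a hash database.
 *
 * Options handled here: -c create a new database, -i TYPE build an index,
 * -a add the given hashes, -f FILE read hashes to look up from FILE,
 * -e sets TSK_HDB_FLAG_EXT, -q sets TSK_HDB_FLAG_QUICK, -V print version.
 * The first non-option argument is the database path; any further arguments
 * are hash values.  With no hash arguments, hashes are read one per line
 * from the -f file or from stdin.
 *
 * Returns 0 on success and 1 on error.  Argument errors go through usage(),
 * which is defined elsewhere and is expected not to return (TODO confirm).
 */
int
main(int argc, char ** argv1)
{
    int ch;
    TSK_TCHAR *idx_type = NULL;
    TSK_TCHAR *db_file = NULL;
    TSK_TCHAR *lookup_file = NULL;
    unsigned int flags = 0;
    TSK_HDB_INFO *hdb_info;
    TSK_TCHAR **argv;
    bool create = false;
    bool addHash = false;
    int status = 0;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if( argv == NULL) {
        tsk_fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **)argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("cef:i:aqV"))) > 0) {
        switch (ch) {
        case _TSK_T('e'):
            flags |= TSK_HDB_FLAG_EXT;
            break;

        case _TSK_T('f'):
            lookup_file = OPTARG;
            break;

        case _TSK_T('i'):
            idx_type = OPTARG;
            break;

        case _TSK_T('c'):
            create = true;
            break;

        case _TSK_T('a'):
            addHash = true;
            break;

        case _TSK_T('q'):
            flags |= TSK_HDB_FLAG_QUICK;
            break;

        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);

        default:
            usage();
        }
    }

    if ((addHash) && ((idx_type != NULL) || (create))) {
        tsk_fprintf(stderr, "-a cannot be specified with -c or -i\n");
        usage();
    }

    if (OPTIND + 1 > argc) {
        tsk_fprintf(stderr,
            "Error: You must provide the source hash database location\n");
        usage();
    }

    db_file = argv[OPTIND++];

    // Running in create mode (-c option). Make a new hash database and exit.
    if (create) {
        if (idx_type != NULL) {
            tsk_fprintf(stderr, "-c and -i cannot be specified at same time\n");
            usage();
        }

        TSK_TCHAR *ext = TSTRRCHR(db_file, _TSK_T('.'));
        if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) {
            if (0 == tsk_hdb_create(db_file)) {
                tsk_fprintf(stdout, "New database %" PRIttocTSK" created\n", db_file);
                return 0;
            }
            else {
                tsk_fprintf(stderr, "Failed to create new database %" PRIttocTSK"\n", db_file);
                return 1;
            }
        }
        else {
            tsk_fprintf(stderr, "New database path must end in .kdb extension\n");
            return 1;
        }
    }

    // Opening an existing database.
    if ((hdb_info = tsk_hdb_open(db_file, TSK_HDB_OPEN_NONE)) == NULL) {
        tsk_error_print(stderr);
        return 1;
    }

    // Now that the database is open and its type is known, if running in add hashes mode (-a option)
    // see if it takes updates.
    if (addHash && !tsk_hdb_accepts_updates(hdb_info)) {
        tsk_fprintf(stderr, "-a option specified, but the specified database does not allow hashes to be added\n");
        usage();
    }

    // Running in indexing mode (-i option). Create an index file and exit.
    if (idx_type != NULL) {
        if (lookup_file != NULL) {
            tsk_fprintf(stderr, "'-f' flag can't be used with '-i'\n");
            usage();
        }

        if (flags & TSK_HDB_FLAG_QUICK) {
            tsk_fprintf(stderr, "'-q' flag can't be used with '-i'\n");
            usage();
        }

        if (flags & TSK_HDB_FLAG_EXT) {
            tsk_fprintf(stderr, "'-e' flag can't be used with '-i'\n");
            usage();
        }

        /* NOTE(review): the next two checks only print a message and then
         * indexing is still attempted; left as it was, confirm whether an
         * early exit is intended. */
        if (!tsk_hdb_uses_external_indexes(hdb_info)) {
            tsk_fprintf(stderr, "Database does not use external indexes, can't be used with '-i'\n");
        }

        if (tsk_hdb_is_idx_only(hdb_info)) {
            tsk_fprintf(stderr, "Database is index only, can be used for look ups, but can't be used with '-i'\n");
        }

        if (tsk_hdb_make_index(hdb_info, idx_type)) {
            tsk_error_print(stderr);
            tsk_hdb_close(hdb_info);
            return 1;
        }

        tsk_fprintf(stdout, "Index created\n");
        tsk_hdb_close(hdb_info);
        return 0;
    }

    /* Either lookup hash values or add them to DB.
     * Check if the values were passed on the command line or via a file
     */
    if (OPTIND < argc) {

        if ((OPTIND + 1 < argc) && (flags & TSK_HDB_FLAG_QUICK)) {
            fprintf(stderr,
                "Error: Only one hash can be given with quick option\n");
            usage();
        }

        if ((flags & TSK_HDB_FLAG_EXT) && (flags & TSK_HDB_FLAG_QUICK)) {
            fprintf(stderr, "'-e' flag can't be used with '-q'\n");
            usage();
        }

        if (lookup_file != NULL) {
            fprintf(stderr,
                "Error: -f can't be used when hashes are also given\n");
            usage();
        }

        /* Loop through all provided hash values
         */
        while (OPTIND < argc) {
            char htmp[128];
            int i;
            int retval;

            // convert to char -- lazy way to deal with WCHARs..
            // (input longer than 127 characters is cut off at that length)
            for (i = 0; i < 127 && argv[OPTIND][i] != '\0'; i++) {
                htmp[i] = (char) argv[OPTIND][i];
            }
            htmp[i] = '\0';

            if (addHash) {
                // Write a new hash to the database/index, if it's updateable
                //@todo support sha1 and sha2-256
                retval = tsk_hdb_add_entry(hdb_info, NULL, (const char *)htmp, NULL, NULL, NULL);
                if (retval == 1) {
                    printf("There was an error adding the hash.\n");
                    tsk_error_print(stderr);
                    tsk_hdb_close(hdb_info);
                    return 1;
                }
                else if (retval == 0) {
                    printf("Hash %s added.\n", htmp);
                }
            }
            else {
                /* Perform lookup */
                retval = tsk_hdb_lookup_str(hdb_info, (const char *)htmp,
                         (TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
                if (retval == -1) {
                    tsk_error_print(stderr);
                    tsk_hdb_close(hdb_info);
                    return 1;
                }
                if (flags & TSK_HDB_FLAG_QUICK) {
                    printf("%d\n", retval);
                }
                else if (retval == 0) {
                    print_notfound(htmp);
                }
            }
            OPTIND++;
        }
    }
    /* Hash were given from stdin or a file */
    else {
        char buf[100];

        /* If the file was specified, use that - otherwise stdin */
#ifdef TSK_WIN32
        HANDLE handle = NULL;
        if (lookup_file != NULL) {
            if ((handle = CreateFile(lookup_file, GENERIC_READ,
                        FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
                        0)) == INVALID_HANDLE_VALUE) {
                TFPRINTF(stderr, _TSK_T("Error opening hash file: %s\n"),
                    lookup_file);
                exit(1);
            }
        }
        else {
            handle = GetStdHandle(STD_INPUT_HANDLE);
        }
#else
        FILE *handle = NULL;
        if (lookup_file != NULL) {
            handle = fopen(lookup_file, "r");
            if (!handle) {
                fprintf(stderr, "Error opening hash file: %s\n",
                    lookup_file);
                exit(1);
            }
        }
        else {
            handle = stdin;
        }
#endif

        while (1) {
            int retval;

            memset(buf, 0, sizeof(buf));

#ifdef TSK_WIN32
            // win32 doesn't have a fgets equivalent, so we make an equivalent one
            int at_eof = 0;
            int i = 0;

            /* Stop one short of the buffer size so the zero byte left by
             * the memset above always terminates the string. */
            while (i < (int) sizeof(buf) - 1) {
                DWORD nread = 0;

                /* A successful read of zero bytes is end of file; treating
                 * it as data would keep processing an empty buffer. */
                if (FALSE == ReadFile(handle, &buf[i], (DWORD) 1, &nread, NULL)
                    || nread == 0) {
                    buf[i] = '\0';
                    at_eof = 1;
                    break;
                }
                // skip the windows CR
                if (buf[i] == '\r') {
                    buf[i] = '\0';
                    continue;
                }
                if (buf[i] == '\n') {
                    break;
                }
                i++;
            }
            /* Nothing was read before the end: done.  A final line without
             * a newline is still looked up. */
            if (at_eof && i == 0)
                break;
#else
            if (NULL == fgets(buf, sizeof(buf), handle)) {
                break;
            }
#endif

            /* Remove the line ending only if one is present.  Writing at
             * strlen(buf) - 1 unconditionally stores before the buffer when
             * the line is empty, and cuts the last digit off a hash whose
             * line has no trailing newline, which turns a hash that is in
             * the database into a "not found" result. */
            buf[strcspn(buf, "\r\n")] = '\0';

            retval =
                tsk_hdb_lookup_str(hdb_info, (const char *)buf,
                        (TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
            if (retval == -1) {
                tsk_error_print(stderr);
                status = 1;
                break;
            }
            if (flags & TSK_HDB_FLAG_QUICK) {
                printf("%d\n", retval);
                break;
            }
            else if (retval == 0) {
                print_notfound(buf);
            }
        }

        /* stdin / the standard input handle is not ours to close. */
#ifdef TSK_WIN32
        if (lookup_file != NULL)
            CloseHandle(handle);
#else
        if (lookup_file != NULL)
            fclose(handle);
#endif
    }

    tsk_hdb_close(hdb_info);
    return status;
}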
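/**
 * istat entry point: open a file system inside a disk image and print the
 * details of one metadata structure (inode) through the file system's
 * istat routine.
 *
 * Options handled here: -B block count, -b sector size, -f file system
 * type, -i image type, -o sector offset of the file system, -s clock skew
 * in seconds, -z time zone, -v verbose, -V print version.  The last
 * argument is the metadata address; the arguments before it name the image
 * file(s).
 *
 * Exits 0 on success and 1 on an open, range or istat error.  Argument
 * errors go through usage(), which is defined elsewhere and is expected not
 * to return (TODO confirm; the switch below falls through after it
 * otherwise).
 */
int
main(int argc, char **argv1)
{
    TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
    TSK_IMG_INFO *img;

    TSK_OFF_T imgaddr = 0;
    TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
    TSK_FS_INFO *fs;

    TSK_INUM_T inum;
    int ch;
    TSK_TCHAR *cp;
    int32_t sec_skew = 0;

    /* When > 0 this is the number of blocks to print, used for -B arg */
    TSK_DADDR_T numblock = 0;
    TSK_TCHAR **argv;
    unsigned int ssize = 0;

#ifdef TSK_WIN32
    // On Windows, get the wide arguments (mingw doesn't support wmain)
    argv = CommandLineToArgvW(GetCommandLineW(), &argc);
    if (argv == NULL) {
        fprintf(stderr, "Error getting wide arguments\n");
        exit(1);
    }
#else
    argv = (TSK_TCHAR **) argv1;
#endif

    progname = argv[0];
    setlocale(LC_ALL, "");

    while ((ch = GETOPT(argc, argv, _TSK_T("b:B:f:i:o:s:vVz:"))) > 0) {
        switch (ch) {
        case _TSK_T('?'):
        default:
            TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
                argv[OPTIND]);
            usage();

        case _TSK_T('B'):
            numblock = TSTRTOULL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || numblock < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: block count must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('b'):
            ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
            if (*cp || *cp == *OPTARG || ssize < 1) {
                TFPRINTF(stderr,
                    _TSK_T
                    ("invalid argument: sector size must be positive: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('f'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_fs_type_print(stderr);
                exit(1);
            }
            fstype = tsk_fs_type_toid(OPTARG);
            if (fstype == TSK_FS_TYPE_UNSUPP) {
                TFPRINTF(stderr,
                    _TSK_T("Unsupported file system type: %s\n"), OPTARG);
                usage();
            }
            break;

        case _TSK_T('i'):
            if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
                tsk_img_type_print(stderr);
                exit(1);
            }
            imgtype = tsk_img_type_toid(OPTARG);
            if (imgtype == TSK_IMG_TYPE_UNSUPP) {
                TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
                    OPTARG);
                usage();
            }
            break;

        case _TSK_T('o'):
            if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
                tsk_error_print(stderr);
                exit(1);
            }
            break;

        case _TSK_T('s'):
            sec_skew = TATOI(OPTARG);
            break;

        case _TSK_T('v'):
            tsk_verbose++;
            break;

        case _TSK_T('V'):
            tsk_version_print(stdout);
            exit(0);

        case _TSK_T('z'):
            {
                /* static on purpose: where TPUTENV maps to POSIX putenv(),
                 * the environment keeps a pointer to this very buffer, so
                 * it has to outlive this block.  An automatic array would
                 * leave TZ pointing at dead stack memory for every later
                 * time conversion. */
                static TSK_TCHAR envstr[32];
                int n = TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG);

                /* Reject a value that does not fit instead of exporting a
                 * truncated (and possibly unterminated) TZ string, which
                 * would silently change the timestamps that get printed. */
                if (n < 0 || n >= 32) {
                    tsk_fprintf(stderr,
                        "invalid argument: time zone is too long\n");
                    exit(1);
                }
                if (0 != TPUTENV(envstr)) {
                    tsk_fprintf(stderr, "error setting environment");
                    exit(1);
                }
                TZSET();
            }
            break;
        }
    }

    /* We need at least two more argument */
    if (OPTIND + 1 >= argc) {
        tsk_fprintf(stderr, "Missing image name and/or address\n");
        usage();
    }

    /* if we are given the inode in the inode-type-id form, then ignore
     * the other stuff w/out giving an error
     *
     * This will make scripting easier
     */
    if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) {
        TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"),
            argv[argc - 1]);
        usage();
    }

    /*
     * Open the file system.  The final argument is the metadata address, so
     * it is left out of the image file list.
     */
    if ((img =
            tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype,
                ssize)) == NULL) {
        tsk_error_print(stderr);
        exit(1);
    }

    if ((imgaddr * img->sector_size) >= img->size) {
        tsk_fprintf(stderr,
            "Sector offset supplied is larger than disk image (maximum: %"
            PRIu64 ")\n", img->size / img->sector_size);
        img->close(img);
        exit(1);
    }

    if ((fs =
            tsk_fs_open_img(img, imgaddr * img->sector_size,
                fstype)) == NULL) {
        tsk_error_print(stderr);
        if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
            tsk_fs_type_print(stderr);
        img->close(img);
        exit(1);
    }

    /* Refuse addresses outside the range the file system reports. */
    if (inum > fs->last_inum) {
        tsk_fprintf(stderr,
            "Metadata address is too large for image (%" PRIuINUM ")\n",
            fs->last_inum);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    if (inum < fs->first_inum) {
        tsk_fprintf(stderr,
            "Metadata address is too small for image (%" PRIuINUM ")\n",
            fs->first_inum);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
        tsk_error_print(stderr);
        fs->close(fs);
        img->close(img);
        exit(1);
    }

    fs->close(fs);
    img->close(img);
    exit(0);
}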