uint8_t
tsk_fs_blkstat(TSK_FS_INFO * fs, TSK_DADDR_T addr)
{
int flags =
(TSK_FS_BLOCK_WALK_FLAG_UNALLOC | TSK_FS_BLOCK_WALK_FLAG_ALLOC |
TSK_FS_BLOCK_WALK_FLAG_META | TSK_FS_BLOCK_WALK_FLAG_CONT |
TSK_FS_BLOCK_WALK_FLAG_AONLY);
return tsk_fs_block_walk(fs, addr, addr, flags, blkstat_act, NULL);
}
/* Return 1 on error and 0 on success */
uint8_t
tsk_fs_blkls(TSK_FS_INFO * fs, TSK_FS_BLKLS_FLAG_ENUM a_blklsflags,
TSK_DADDR_T bstart, TSK_DADDR_T blast,
TSK_FS_BLOCK_WALK_FLAG_ENUM a_block_flags)
{
BLKLS_DATA data;
if (a_blklsflags & TSK_FS_BLKLS_SLACK) {
/* get the info on each allocated inode */
if (fs->inode_walk(fs, fs->first_inum, fs->last_inum,
TSK_FS_META_FLAG_ALLOC, slack_inode_act, &data))
return 1;
}
else if (a_blklsflags & TSK_FS_BLKLS_LIST) {
if (print_list_head(fs))
return 1;
a_block_flags |= TSK_FS_BLOCK_WALK_FLAG_AONLY;
if (tsk_fs_block_walk(fs, bstart, blast, a_block_flags, print_list,
&data))
return 1;
}
else {
#ifdef TSK_WIN32
if (-1 == _setmode(_fileno(stdout), _O_BINARY)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WRITE);
tsk_error_set_errstr
("blkls_lib: error setting stdout to binary: %s",
strerror(errno));
return 1;
}
#endif
if (tsk_fs_block_walk(fs, bstart, blast, a_block_flags,
print_block, &data))
return 1;
}
return 0;
}
/*
* Class: edu_uw_apl_commons_tsk4j_filesys_FileSystem
* Method: blockWalk
* Signature: (JJJILedu/uw/apl/commons/tsk4j/filesys/BlockWalk/Callback;)I
*/
JNIEXPORT jint JNICALL
Java_edu_uw_apl_commons_tsk4j_filesys_FileSystem_blockWalk
(JNIEnv *env, jobject thiz, jlong nativePtr,
jlong startBlk, jlong endBlk, jint flags, jobject callback ) {
// We need three handles in the C callback, so package them here. Gruesome!
void* vs[3] = { env, thiz, callback };
TSK_FS_INFO* info = (TSK_FS_INFO*)nativePtr;
return (jint)tsk_fs_block_walk( info, startBlk, endBlk, flags,
blockWalkCallback, (void*)vs );
}
/* Return 1 if block is not found, 0 if it was found, and -1 on error */
int8_t
tsk_fs_blkcalc(TSK_FS_INFO * fs, TSK_FS_BLKCALC_FLAG_ENUM a_lclflags,
TSK_DADDR_T a_cnt)
{
BLKCALC_DATA data;
data.count = a_cnt;
data.found = 0;
if (a_lclflags == TSK_FS_BLKCALC_BLKLS) {
if (tsk_fs_block_walk(fs, fs->first_block, fs->last_block,
(TSK_FS_BLOCK_FLAG_UNALLOC |
TSK_FS_BLOCK_FLAG_META | TSK_FS_BLOCK_FLAG_CONT),
count_blkls_act, &data))
return -1;
}
else if (a_lclflags == TSK_FS_BLKCALC_DD) {
if (tsk_fs_block_walk(fs, fs->first_block, fs->last_block,
(TSK_FS_BLOCK_FLAG_ALLOC | TSK_FS_BLOCK_FLAG_UNALLOC |
TSK_FS_BLOCK_FLAG_META | TSK_FS_BLOCK_FLAG_CONT),
count_dd_act, &data))
return -1;
}
else if (a_lclflags == TSK_FS_BLKCALC_SLACK) {
if (fs->inode_walk(fs, fs->first_inum, fs->last_inum,
TSK_FS_META_FLAG_ALLOC, count_slack_inode_act, &data))
return -1;
}
if (data.found == 0) {
tsk_printf("Block too large\n");
return 1;
}
else {
return 0;
}
}
TSK_WALK_RET_ENUM part_act(
TSK_VS_INFO* pVsInfo,
const TSK_VS_PART_INFO* pPartInfo,
void* pData)
{
TSK_FS_INFO* lFsInfo = NULL;
OS_FH_TYPE lOut = (OS_FH_TYPE)pData;
unsigned long long lCnt = 0;
char lBuf[32768] = { 0 };
unsigned long long lOffsetBlock = 0;
/* open file system */
if ((lFsInfo = tsk_fs_open_vol(
pPartInfo, /* partition to open */
TSK_FS_TYPE_DETECT /* auto-detect mode on */
)) != NULL)
{
/* known file-system */
/* iterate over unallocated blocks of fs */
tsk_fs_block_walk(
lFsInfo, /* file-system info */
0, /* start */
lFsInfo->block_count - 1, /* end */
TSK_FS_BLOCK_WALK_FLAG_UNALLOC, /* only unallocated blocks */
block_act, /* callback */
pData /* file-handle */
);
/* close fs */
tsk_fs_close(lFsInfo);
}
else
{
/* unknown file-system */
/* iterate through all blocks of this volume regardless of their state */
for (lCnt = 0; lCnt < pPartInfo->len; lCnt++)
{
lOffsetBlock = (pPartInfo->start + lCnt) * pPartInfo->vs->block_size;
LOGGING_DEBUG(
"Block in unknown partition (Len: %lu blocks). "
"Size: %u, Absolute address (Bytes): %lld\n",
pPartInfo->len,
pPartInfo->vs->block_size,
lOffsetBlock);
/* use the following function so that forensic images are supported */
/* HINT: this is not the case with fopen/fseek/fread/fclose functions */
tsk_vs_part_read_block(
pPartInfo,
lCnt, /* start address (blocks) relative to start of volume */
lBuf, /* buffer to store data in */
pPartInfo->vs->block_size /* amount of data to read */
);
data_act(lBuf,
pPartInfo->vs->block_size,
lOffsetBlock,
lOut);
}
}
return TSK_WALK_CONT;
}
uint8_t
tsk_fs_blkstat(TSK_FS_INFO * fs, TSK_DADDR_T addr,
TSK_FS_BLOCK_FLAG_ENUM flags)
{
return tsk_fs_block_walk(fs, addr, addr, flags, blkstat_act, NULL);
}
