/*
* Create an index for the given database path
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param dbPathJ path for the database
*/
JNIEXPORT void JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_createLookupIndexNat (JNIEnv * env,
jclass obj, jstring dbPathJ)
{
TSK_TCHAR dbPathT[1024];
toTCHAR(env, dbPathT, 1024, dbPathJ);
TSK_HDB_OPEN_ENUM flags = TSK_HDB_OPEN_NONE;
TSK_HDB_INFO * temp = tsk_hdb_open(dbPathT, flags);
if (temp == NULL) {
throwTskError(env);
return;
}
TSK_TCHAR dbType[1024];
if(temp->db_type == TSK_HDB_DBTYPE_MD5SUM_ID) {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_MD5SUM_STR);
}
else if(temp->db_type == TSK_HDB_DBTYPE_HK_ID) {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_HK_STR);
}
else {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_NSRL_MD5_STR);
}
if (tsk_hdb_makeindex(temp, dbType)) {
throwTskError(env);
}
tsk_hdb_close(temp);
}
static int
toTCHAR(JNIEnv * env, TSK_TCHAR * buffer, size_t size, jstring strJ)
{
jboolean isCopy;
char *str8 = (char *) env->GetStringUTFChars(strJ, &isCopy);
return TSNPRINTF(buffer, size, _TSK_T("%") PRIcTSK, str8);
}
/**
* Setup the hash-type specific information (such as length, index entry
* sizes, index name etc.) in the HDB_INFO structure.
*
* @param hdb_info Structure to fill in.
* @param htype Hash type being used
* @return 1 on error and 0 on success
*/
static uint8_t
hdb_setuphash(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
size_t flen;
if (hdb_info->hash_type != 0) {
return 0;
}
/* Make the name for the index file */
flen = TSTRLEN(hdb_info->db_fname) + 32;
hdb_info->idx_fname =
(TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
if (hdb_info->idx_fname == NULL) {
return 1;
}
/* Get hash type specific information */
switch (htype) {
case TSK_HDB_HTYPE_MD5_ID:
hdb_info->hash_type = htype;
hdb_info->hash_len = TSK_HDB_HTYPE_MD5_LEN;
hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_MD5_STR));
return 0;
case TSK_HDB_HTYPE_SHA1_ID:
hdb_info->hash_type = htype;
hdb_info->hash_len = TSK_HDB_HTYPE_SHA1_LEN;
hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_SHA1_STR));
return 0;
}
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_setuphash: Invalid hash type as argument: %d", htype);
return 1;
}
TSK_FILTER_ENUM
TskGetTimes::filterFs(TSK_FS_INFO * fs_info)
{
TSK_TCHAR volName[32];
if (m_curVolAddr > -1)
TSNPRINTF(volName, 32, _TSK_T("vol%d/"),m_curVolAddr);
else
volName[0] = '\0';
if (tsk_fs_fls(fs_info, (TSK_FS_FLS_FLAG_ENUM)(TSK_FS_FLS_MAC | TSK_FS_FLS_DIR | TSK_FS_FLS_FILE | TSK_FS_FLS_FULL),
fs_info->root_inum, (TSK_FS_DIR_WALK_FLAG_ENUM)(TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC | TSK_FS_DIR_WALK_FLAG_RECURSE), volName, m_secSkew)) {
}
return TSK_FILTER_SKIP;
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
int ch;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
int32_t sec_skew = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:s:vVz:"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('s'):
sec_skew = TATOI(OPTARG);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
case 'z':
{
TSK_TCHAR envstr[32];
TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG);
if (0 != TPUTENV(envstr)) {
tsk_fprintf(stderr, "error setting environment");
exit(1);
}
/* we should be checking this somehow */
TZSET();
}
break;
}
}
/* We need at least one more argument */
if (OPTIND > argc) {
tsk_fprintf(stderr,
"Missing image name\n");
usage();
}
TskGetTimes tskGetTimes(sec_skew);
if (tskGetTimes.openImage(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) {
tsk_error_print(stderr);
exit(1);
}
if (tskGetTimes.findFilesInImg()) {
tsk_error_print(stderr);
exit(1);
}
exit(0);
}
/** Initialize the TSK hash DB index file. This creates the intermediate file,
* which will have entries added to it. This file must be sorted before the
* process is finished.
*
* @param hdb_info Hash database state structure
* @param htype String of index type to create
*
* @return 1 on error and 0 on success
*
*/
uint8_t
tsk_hdb_idxinitialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype)
{
size_t flen;
char dbtmp[32];
int i;
/* Use the string of the index/hash type to figure out some
* settings */
// convert to char -- cheating way to deal with WCHARs..
for (i = 0; i < 31 && htype[i] != '\0'; i++) {
dbtmp[i] = (char) htype[i];
}
dbtmp[i] = '\0';
if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_MD5_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_SHA1_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_SHA1_ID);
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_MD5SUM_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_MD5SUM_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_MD5SUM_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_HK_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_HK_ID) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_HK_ID);
return 1;
}
hdb_setuphash(hdb_info, TSK_HDB_HTYPE_MD5_ID);
}
else {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: Unknown database type request: %s",
dbtmp);
return 1;
}
/* Setup the internal hash information */
if (hdb_setuphash(hdb_info, hdb_info->hash_type)) {
return 1;
}
/* Make the name for the unsorted intermediate index file */
flen = TSTRLEN(hdb_info->db_fname) + 32;
hdb_info->uns_fname =
(TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
if (hdb_info->uns_fname == NULL) {
return 1;
}
TSNPRINTF(hdb_info->uns_fname, flen,
_TSK_T("%s-%") PRIcTSK _TSK_T("-ns.idx"), hdb_info->db_fname,
TSK_HDB_HTYPE_STR(hdb_info->hash_type));
/* Create temp unsorted file of offsets */
#ifdef TSK_WIN32
{
HANDLE hWin;
if ((hWin = CreateFile(hdb_info->uns_fname, GENERIC_WRITE,
0, 0, CREATE_ALWAYS, 0, 0)) ==
INVALID_HANDLE_VALUE) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_CREATE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: %s GetFileSize: %d",
hdb_info->uns_fname, GetLastError());
return 1;
}
hdb_info->hIdxTmp =
_fdopen(_open_osfhandle((intptr_t) hWin, _O_WRONLY), "wb");
if (hdb_info->hIdxTmp == NULL) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_OPEN;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_idxinitialize: Error converting Windows handle to C handle");
talloc_free(hdb_info);
return 1;
}
}
#else
if (NULL == (hdb_info->hIdxTmp = fopen(hdb_info->uns_fname, "w"))) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_CREATE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error creating temp index file: %s",
hdb_info->uns_fname);
return 1;
}
#endif
/* Print the header */
switch (hdb_info->db_type) {
case TSK_HDB_DBTYPE_NSRL_ID:
fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
TSK_HDB_DBTYPE_NSRL_STR);
break;
case TSK_HDB_DBTYPE_MD5SUM_ID:
fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
TSK_HDB_DBTYPE_MD5SUM_STR);
break;
case TSK_HDB_DBTYPE_HK_ID:
fprintf(hdb_info->hIdxTmp, "%s|%s\n", TSK_HDB_IDX_HEAD_STR,
TSK_HDB_DBTYPE_HK_STR);
break;
/* Used to stop warning messages about missing enum value */
case TSK_HDB_DBTYPE_IDXONLY_ID:
default:
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_CREATE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "idxinit: Invalid db type\n");
return 1;
}
return 0;
}
/**
* Finalize index creation process by sorting the index and removing the
* intermediate temp file.
*
* @param hdb_info Hash database state info structure.
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxfinalize(TSK_HDB_INFO * hdb_info)
{
#ifdef TSK_WIN32
wchar_t buf[TSK_HDB_MAXLEN];
/// @@ Expand this to be SYSTEM_ROOT -- GetWindowsDirectory()
wchar_t *sys32 = _TSK_T("C:\\WINDOWS\\System32\\sort.exe");
DWORD stat;
STARTUPINFO myStartInfo;
PROCESS_INFORMATION pinfo;
/* Close the unsorted file */
fclose(hdb_info->hIdxTmp);
hdb_info->hIdxTmp = NULL;
/* Close the existing index if it is open */
if (hdb_info->hIdx) {
fclose(hdb_info->hIdx);
hdb_info->hIdx = NULL;
}
if (tsk_verbose)
tsk_fprintf(stderr, "hdb_idxfinalize: Sorting index\n");
stat = GetFileAttributes(sys32);
if ((stat != -1) && ((stat & FILE_ATTRIBUTE_DIRECTORY) == 0)) {
TSNPRINTF(buf, TSK_HDB_MAXLEN, _TSK_T("%s /o \"%s\" \"%s\""),
sys32, hdb_info->idx_fname, hdb_info->uns_fname);
}
else {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_MISSING;
snprintf(tsk_errstr, TSK_ERRSTR_L, "Cannot find sort executable");
return 1;
}
GetStartupInfo(&myStartInfo);
if (FALSE ==
CreateProcess(NULL, buf, NULL, NULL, FALSE, 0, NULL, NULL,
&myStartInfo, &pinfo)) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_PROC;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error starting sorting index file using %S", buf);
return 1;
}
if (WAIT_FAILED == WaitForSingleObject(pinfo.hProcess, INFINITE)) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_PROC;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error (waiting) sorting index file using %S", buf);
return 1;
}
if (FALSE == DeleteFile(hdb_info->uns_fname)) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_DELETE;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error deleting temp file: %d", GetLastError());
return 1;
}
#else
char buf[TSK_HDB_MAXLEN];
char *root = "/bin/sort";
char *usr = "******";
char *local = "/usr/local/bin/sort";
struct stat stats;
if (tsk_verbose)
tsk_fprintf(stderr, "hdb_idxfinalize: Sorting index\n");
/* Close the unsorted file */
fclose(hdb_info->hIdxTmp);
hdb_info->hIdxTmp = NULL;
/* Close the existing index if it is open */
if (hdb_info->hIdx) {
fclose(hdb_info->hIdx);
hdb_info->hIdx = NULL;
}
if (0 == stat(local, &stats)) {
snprintf(buf, TSK_HDB_MAXLEN, "%s -o %s %s", local,
hdb_info->idx_fname, hdb_info->uns_fname);
}
else if (0 == stat(usr, &stats)) {
snprintf(buf, TSK_HDB_MAXLEN, "%s -o \"%s\" \"%s\"",
usr, hdb_info->idx_fname, hdb_info->uns_fname);
}
else if (0 == stat(root, &stats)) {
snprintf(buf, TSK_HDB_MAXLEN, "%s -o \"%s\" \"%s\"",
root, hdb_info->idx_fname, hdb_info->uns_fname);
}
else {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_MISSING;
snprintf(tsk_errstr, TSK_ERRSTR_L, "Cannot find sort executable");
return 1;
}
if (0 != system(buf)) {
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_PROC;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"Error sorting index file using %s", buf);
return 1;
}
unlink(hdb_info->uns_fname);
#endif
return 0;
}
int
MAIN(int argc, TSK_TCHAR ** argv)
{
TSK_TCHAR *imgtype = NULL;
TSK_TCHAR *fstype = NULL;
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
int ch;
TSK_TCHAR *cp;
extern int optind;
DADDR_T block = 0; /* the block to find */
INUM_T parinode = 0;
TSK_TCHAR *path = NULL;
SSIZE_T imgoff = 0;
progname = argv[0];
setlocale(LC_ALL, "");
localflags = 0;
while ((ch = getopt(argc, argv, _TSK_T("ad:f:i:ln:o:p:vVz:"))) > 0) {
switch (ch) {
case _TSK_T('a'):
localflags |= TSK_FS_IFIND_ALL;
break;
case _TSK_T('d'):
if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_PATH)) {
tsk_fprintf(stderr,
"error: only one address type can be given\n");
usage();
}
localflags |= TSK_FS_IFIND_DATA;
block = TSTRTOULL(optarg, &cp, 0);
if (*cp || *cp == *optarg) {
TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"),
optarg);
usage();
}
break;
case _TSK_T('f'):
fstype = optarg;
if (TSTRCMP(fstype, _TSK_T("list")) == 0) {
tsk_fs_print_types(stderr);
exit(1);
}
break;
case _TSK_T('i'):
imgtype = optarg;
if (TSTRCMP(imgtype, _TSK_T("list")) == 0) {
tsk_img_print_types(stderr);
exit(1);
}
break;
case _TSK_T('l'):
localflags |= TSK_FS_IFIND_PAR_LONG;
break;
case _TSK_T('n'):
{
size_t len;
if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_DATA)) {
tsk_fprintf(stderr,
"error: only one address type can be given\n");
usage();
}
localflags |= TSK_FS_IFIND_PATH;
len = (TSTRLEN(optarg) + 1) * sizeof(TSK_TCHAR);
if ((path = (TSK_TCHAR *) tsk_malloc(len)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
TSTRNCPY(path, optarg, TSTRLEN(optarg) + 1);
break;
}
case 'o':
if ((imgoff = tsk_parse_offset(optarg)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case 'p':
if (localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA)) {
tsk_fprintf(stderr,
"error: only one address type can be given\n");
usage();
}
localflags |= TSK_FS_IFIND_PAR;
if (tsk_parse_inum(optarg, &parinode, NULL, NULL, NULL)) {
TFPRINTF(stderr, _TSK_T("Invalid inode address: %s\n"),
optarg);
usage();
}
break;
case 'v':
tsk_verbose++;
break;
case 'V':
tsk_print_version(stdout);
exit(0);
case 'z':
{
TSK_TCHAR envstr[32];
TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), optarg);
if (0 != PUTENV(envstr)) {
tsk_fprintf(stderr, "error setting environment");
exit(1);
}
/* we should be checking this somehow */
TZSET();
break;
}
case '?':
default:
tsk_fprintf(stderr, "Invalid argument: %s\n", argv[optind]);
usage();
}
}
/* We need at least one more argument */
if (optind >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
if (path)
free(path);
usage();
}
if (0 ==
(localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA |
TSK_FS_IFIND_PAR))) {
tsk_fprintf(stderr, "-d, -n, or -p must be given\n");
usage();
}
if ((img =
tsk_img_open(imgtype, argc - optind,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
if (path)
free(path);
exit(1);
}
if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_print_types(stderr);
img->close(img);
if (path)
free(path);
exit(1);
}
if (localflags & TSK_FS_IFIND_DATA) {
if (block > fs->last_block) {
tsk_fprintf(stderr,
"Block %" PRIuDADDR
" is larger than last block in image (%" PRIuDADDR
")\n", block, fs->last_block);
fs->close(fs);
img->close(img);
exit(1);
}
else if (block == 0) {
tsk_printf("Inode not found\n");
fs->close(fs);
img->close(img);
exit(1);
}
if (tsk_fs_ifind_data(fs, localflags, block)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
}
else if (localflags & TSK_FS_IFIND_PAR) {
if ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) !=
TSK_FS_INFO_TYPE_NTFS_TYPE) {
tsk_fprintf(stderr, "-p works only with NTFS file systems\n");
fs->close(fs);
img->close(img);
exit(1);
}
else if (parinode > fs->last_inum) {
tsk_fprintf(stderr,
"Meta data %" PRIuINUM
" is larger than last MFT entry in image (%" PRIuINUM
")\n", parinode, fs->last_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (tsk_fs_ifind_par(fs, localflags, parinode)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
}
else if (localflags & TSK_FS_IFIND_PATH) {
int retval;
INUM_T inum;
if (-1 == (retval =
tsk_fs_ifind_path(fs, localflags, path, &inum))) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
free(path);
exit(1);
}
free(path);
if (retval == 1)
tsk_printf("File not found\n");
else
tsk_printf("%" PRIuINUM "\n", inum);
}
fs->close(fs);
img->close(img);
exit(0);
}
int main(int argc, char **argv1)
{
TSK_TCHAR **argv;
extern int OPTIND;
int ch;
struct STAT_STR stat_buf;
TSK_TCHAR *pipeline_config = NULL;
TSK_TCHAR *framework_config = NULL;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
while ((ch =
GETOPT(argc, argv, _TSK_T("c:p:vV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('c'):
framework_config = OPTARG;
break;
case _TSK_T('p'):
pipeline_config = OPTARG;
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND == argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
TSK_TCHAR *imagePath = argv[OPTIND];
// Load the framework config if they specified it
Poco::AutoPtr<Poco::Util::XMLConfiguration> pXMLConfig;
if (framework_config) {
// @@@ Not Unix-friendly
try {
pXMLConfig = new Poco::Util::XMLConfiguration(TskUtilities::toUTF8(framework_config));
}
catch (std::exception& e) {
fprintf(stderr, "Error opening framework config file (%s)\n", e.what());
return 1;
}
// Initialize properties based on the config file.
TskSystemPropertiesImpl *systemProperties = new TskSystemPropertiesImpl();
systemProperties->initialize(*pXMLConfig);
TskServices::Instance().setSystemProperties(*systemProperties);
}
// make up an output folder to store the database and such in
TSK_TCHAR outDirPath[1024];
TSNPRINTF(outDirPath, 1024, _TSK_T("%s_tsk_out"), imagePath);
if (TSTAT(outDirPath, &stat_buf) == 0) {
fprintf(stderr, "Output directory already exists (%"PRIttocTSK")\n", outDirPath);
return 1;
}
if (makeDir(outDirPath)) {
return 1;
}
// @@@ Not UNIX-friendly
TSK_SYS_PROP_SET(TskSystemPropertiesImpl::OUT_DIR, outDirPath);
// Create and register our SQLite ImgDB class
std::auto_ptr<TskImgDB> pImgDB(NULL);
pImgDB = std::auto_ptr<TskImgDB>(new TskImgDBSqlite(outDirPath));
if (pImgDB->initialize() != 0) {
fprintf(stderr, "Error initializing SQLite database\n");
tsk_error_print(stderr);
return 1;
}
// @@@ Call pImgDB->addToolInfo() as needed to set version info...
TskServices::Instance().setImgDB(*pImgDB);
// Create a Blackboard and register it with the framework.
TskServices::Instance().setBlackboard(TskDBBlackboard::instance());
// @@@ Not UNIX-friendly
if (pipeline_config != NULL)
TSK_SYS_PROP_SET(TskSystemPropertiesImpl::PIPELINE_CONFIG, pipeline_config);
// Create an ImageFile and register it with the framework.
TskImageFileTsk imageFileTsk;
if (imageFileTsk.open(imagePath) != 0) {
fprintf(stderr, "Error opening image: %"PRIttocTSK"\n", imagePath);
tsk_error_print(stderr);
return 1;
}
TskServices::Instance().setImageFile(imageFileTsk);
// Let's get the pipelines setup to make sure there are no errors.
TskPipelineManager pipelineMgr;
TskPipeline *filePipeline;
try {
filePipeline = pipelineMgr.createPipeline(TskPipelineManager::FILE_ANALYSIS_PIPELINE);
}
catch (TskException &e ) {
fprintf(stderr, "Error creating file analysis pipeline\n");
std::cerr << e.message() << endl;
filePipeline = NULL;
}
TskPipeline *reportPipeline;
try {
reportPipeline = pipelineMgr.createPipeline(TskPipelineManager::REPORTING_PIPELINE);
}
catch (TskException &e ) {
fprintf(stderr, "Error creating reporting pipeline\n");
std::cerr << e.message() << endl;
reportPipeline = NULL;
}
// now we analyze the data.
// Extract
if (imageFileTsk.extractFiles() != 0) {
fprintf(stderr, "Error adding file system info to database\n");
tsk_error_print(stderr);
return 1;
}
//Run pipeline on all files
// @@@ this needs to cycle over the files to analyze, 10 is just here for testing
if (filePipeline) {
for (int i = 0; i < 10; i++) {
try {
filePipeline->run(i);
}
catch (...) {
// error message has been logged already.
}
}
}
if (reportPipeline) {
try {
reportPipeline->run();
}
catch (...) {
fprintf(stderr, "Error running reporting pipeline\n");
return 1;
}
}
fprintf(stderr, "image analysis complete\n");
return 0;
}
int
MAIN(int argc, TSK_TCHAR ** argv)
{
TSK_TCHAR *imgtype = NULL;
TSK_TCHAR *fstype = NULL;
TSK_IMG_INFO *img;
TSK_FS_INFO *fs;
INUM_T inum;
int ch;
TSK_TCHAR *cp;
int32_t sec_skew = 0;
SSIZE_T imgoff = 0;
/* When > 0 this is the number of blocks to print, used for -b arg */
DADDR_T numblock = 0;
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = getopt(argc, argv, _TSK_T("b:f:i:o:s:vVz:"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[optind]);
usage();
case _TSK_T('b'):
numblock = TSTRTOULL(optarg, &cp, 0);
if (*cp || *cp == *optarg || numblock < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: block count must be positive: %s\n"),
optarg);
usage();
}
break;
case _TSK_T('f'):
fstype = optarg;
if (TSTRCMP(fstype, _TSK_T("list")) == 0) {
tsk_fs_print_types(stderr);
exit(1);
}
break;
case _TSK_T('i'):
imgtype = optarg;
if (TSTRCMP(imgtype, _TSK_T("list")) == 0) {
tsk_img_print_types(stderr);
exit(1);
}
break;
case _TSK_T('o'):
if ((imgoff = tsk_parse_offset(optarg)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('s'):
sec_skew = TATOI(optarg);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_print_version(stdout);
exit(0);
case _TSK_T('z'):
{
TSK_TCHAR envstr[32];
TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), optarg);
if (0 != PUTENV(envstr)) {
tsk_fprintf(stderr, "error setting environment");
exit(1);
}
TZSET();
}
break;
}
}
/* We need at least two more argument */
if (optind + 1 >= argc) {
tsk_fprintf(stderr, "Missing image name and/or address\n");
usage();
}
/* if we are given the inode in the inode-type-id form, then ignore
* the other stuff w/out giving an error
*
* This will make scripting easier
*/
if (tsk_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL)) {
TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"),
argv[argc - 1]);
usage();
}
/*
* Open the file system.
*/
if ((img =
tsk_img_open(imgtype, argc - optind - 1,
(const TSK_TCHAR **) &argv[optind])) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_errno == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_print_types(stderr);
img->close(img);
exit(1);
}
if (inum > fs->last_inum) {
tsk_fprintf(stderr,
"Metadata address is too large for image (%" PRIuINUM ")\n",
fs->last_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (inum < fs->first_inum) {
tsk_fprintf(stderr,
"Metadata address is too small for image (%" PRIuINUM ")\n",
fs->first_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_INUM_T inum;
int ch;
TSK_TCHAR *cp;
int32_t sec_skew = 0;
/* When > 0 this is the number of blocks to print, used for -B arg */
TSK_DADDR_T numblock = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:B:f:i:o:s:vVz:"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('B'):
numblock = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || numblock < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: block count must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('s'):
sec_skew = TATOI(OPTARG);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
case _TSK_T('z'):
{
TSK_TCHAR envstr[32];
TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG);
if (0 != TPUTENV(envstr)) {
tsk_fprintf(stderr, "error setting environment");
exit(1);
}
TZSET();
}
break;
}
}
/* We need at least two more argument */
if (OPTIND + 1 >= argc) {
tsk_fprintf(stderr, "Missing image name and/or address\n");
usage();
}
/* if we are given the inode in the inode-type-id form, then ignore
* the other stuff w/out giving an error
*
* This will make scripting easier
*/
if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) {
TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"),
argv[argc - 1]);
usage();
}
/*
* Open the file system.
*/
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
if (inum > fs->last_inum) {
tsk_fprintf(stderr,
"Metadata address is too large for image (%" PRIuINUM ")\n",
fs->last_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (inum < fs->first_inum) {
tsk_fprintf(stderr,
"Metadata address is too small for image (%" PRIuINUM ")\n",
fs->first_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}