/*
* Create an index for the given database path
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param dbPathJ path for the database
*/
JNIEXPORT void JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_createLookupIndexNat (JNIEnv * env,
jclass obj, jstring dbPathJ)
{
TSK_TCHAR dbPathT[1024];
toTCHAR(env, dbPathT, 1024, dbPathJ);
TSK_HDB_OPEN_ENUM flags = TSK_HDB_OPEN_NONE;
TSK_HDB_INFO * temp = tsk_hdb_open(dbPathT, flags);
if (temp == NULL) {
throwTskError(env);
return;
}
TSK_TCHAR dbType[1024];
if(temp->db_type == TSK_HDB_DBTYPE_MD5SUM_ID) {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_MD5SUM_STR);
}
else if(temp->db_type == TSK_HDB_DBTYPE_HK_ID) {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_HK_STR);
}
else {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_NSRL_MD5_STR);
}
if (tsk_hdb_makeindex(temp, dbType)) {
throwTskError(env);
}
tsk_hdb_close(temp);
}
/**
* @param db_path Path to DB, which probably does not exist. But it gets passed in because we need
* it in a bunch of places.
* @param idx_path Path to index file (should be superset of db_path)
*/
TSK_HDB_INFO *idxonly_open(const TSK_TCHAR *db_path, const TSK_TCHAR *idx_path)
{
TSK_HDB_BINSRCH_INFO *hdb_binsrch_info = NULL;
TSK_TCHAR *ext;
TSK_HDB_HTYPE_ENUM htype;
hdb_binsrch_info = hdb_binsrch_open(NULL, db_path);
if (NULL == hdb_binsrch_info) {
return NULL;
}
hdb_binsrch_info->base.db_type = TSK_HDB_DBTYPE_IDXONLY_ID;
// open the index
ext = TSTRRCHR(idx_path, _TSK_T('-'));
if (ext == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("idxonly_open: invalid file name (no extension): %" PRIttocTSK, idx_path);
return NULL;
}
else if ((TSTRLEN(ext) == 8) && (TSTRICMP(ext, _TSK_T("-md5.idx")) == 0)) {
htype = TSK_HDB_HTYPE_MD5_ID;
}
else if ((TSTRLEN(ext) == 9) && (TSTRICMP(ext, _TSK_T("-sha1.idx")) == 0)) {
htype = TSK_HDB_HTYPE_SHA1_ID;
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("idxonly_open: invalid file name (unknown extension): %" PRIttocTSK, idx_path);
return NULL;
}
if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, htype)) {
return NULL;
}
if (idxonly_name(hdb_binsrch_info)) {
hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info);
return NULL;
}
hdb_binsrch_info->base.get_db_path = idxonly_get_db_path;
hdb_binsrch_info->get_entry = idxonly_getentry;
// Before returning, do one final check that we'll be able to open
// the index file
if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, hdb_binsrch_info->hash_type)) {
hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info);
return NULL;
}
return (TSK_HDB_INFO*)hdb_binsrch_info;
}
int
getopt(int argc, TSK_TCHAR * argv[], TSK_TCHAR * optstring)
{
static TSK_TCHAR *next = NULL;
TSK_TCHAR c, *cp;
if (optind == 0)
next = NULL;
optarg = NULL;
if (next == NULL || *next == _TSK_T('\0')) {
if (optind == 0)
optind++;
if (optind >= argc || argv[optind][0] != _TSK_T('-')
|| argv[optind][1] == _TSK_T('\0')) {
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
if (_tcscmp(argv[optind], _TSK_T("--")) == 0) {
optind++;
optarg = NULL;
if (optind < argc)
optarg = argv[optind];
return EOF;
}
next = argv[optind];
next++; // skip past -
optind++;
}
c = *next++;
cp = _tcschr(optstring, c);
if (cp == NULL || c == _TSK_T(':'))
return _TSK_T('?');
cp++;
if (*cp == _TSK_T(':')) {
if (*next != _TSK_T('\0')) {
optarg = next;
next = NULL;
}
else if (optind < argc) {
optarg = argv[optind];
optind++;
}
else {
return _TSK_T('?');
}
}
return c;
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("%s [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM] [-t vstype] image [images]\n"),
progname);
tsk_fprintf(stderr,
"\t-t vstype: The type of volume system (use '-t list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n");
tsk_fprintf(stderr, "\t-B: print the rounded length in bytes\n");
tsk_fprintf(stderr,
"\t-r: recurse and look for other partition tables in partitions (DOS Only)\n");
tsk_fprintf(stderr, "\t-v: verbose output\n");
tsk_fprintf(stderr, "\t-V: print the version\n");
tsk_fprintf(stderr,
"Unless any of these are specified, all volume types are shown\n");
tsk_fprintf(stderr, "\t-a: Show allocated volumes\n");
tsk_fprintf(stderr, "\t-A: Show unallocated volumes\n");
tsk_fprintf(stderr, "\t-m: Show metadata volumes\n");
tsk_fprintf(stderr, "\t-M: Hide metadata volumes\n");
exit(1);
}
/* usage - explain and terminate */
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-vV] image inum\n"),
progname);
tsk_fprintf(stderr,
"\t-B num: force the display of NUM address of block pointers\n");
tsk_fprintf(stderr,
"\t-z zone: time zone of original machine (i.e. EST5EDT or GMT)\n");
tsk_fprintf(stderr,
"\t-s seconds: Time skew of original machine (in seconds)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: print version\n");
exit(1);
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-ahsvVw] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-u usize] image [images] unit_addr [num]\n"),
progname);
tsk_fprintf(stderr, "\t-a: displays in all ASCII \n");
tsk_fprintf(stderr, "\t-h: displays in hexdump-like fashion\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-s: display basic block stats such as unit size, fragments, etc.\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: display version\n");
tsk_fprintf(stderr, "\t-w: displays in web-like (html) fashion\n");
tsk_fprintf(stderr,
"\t-u usize: size of each data unit in image (for raw, blkls, swap)\n");
tsk_fprintf(stderr,
"\t[num] is the number of data units to display (default is 1)\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr, _TSK_T("Usage: %s [-f fstype ] [-o imgoffset ] [-v] image nthreads niters\n"), progname);
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-eqV] [-f lookup_file] [-i db_type] db_file [hashes]\n"),
progname);
tsk_fprintf(stderr,
"\t-e: Extended mode - where values other than just the name are printed\n");
tsk_fprintf(stderr,
"\t-q: Quick mode - where a 1 is printed if it is found, else 0\n");
tsk_fprintf(stderr, "\t-V: Print version to STDOUT\n");
tsk_fprintf(stderr,
"\t-f lookup_file: File with one hash per line to lookup\n");
tsk_fprintf(stderr,
"\t-i db_type: Create index file for a given hash database type\n");
tsk_fprintf(stderr,
"\tdb_file: The location of the original hash database\n");
tsk_fprintf(stderr,
"\t[hashes]: hashes to lookup (STDIN is used otherwise)\n");
tsk_fprintf(stderr, "\n\tSupported types: %s\n",
TSK_HDB_DBTYPE_SUPPORT_STR);
exit(1);
}
/* usage - explain and terminate */
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-emOpvV] [-aAlLzZ] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-s seconds] image [images] [inum[-end]]\n"),
progname);
tsk_fprintf(stderr, "\t-e: Display all inodes\n");
tsk_fprintf(stderr, "\t-m: Display output in the mactime format\n");
tsk_fprintf(stderr,
"\t-O: Display inodes that are unallocated, but were sill open (UFS/ExtX only)\n");
tsk_fprintf(stderr,
"\t-p: Display orphan inodes (unallocated with no file name)\n");
tsk_fprintf(stderr,
"\t-s seconds: Time skew of original machine (in seconds)\n");
tsk_fprintf(stderr, "\t-a: Allocated inodes\n");
tsk_fprintf(stderr, "\t-A: Unallocated inodes\n");
tsk_fprintf(stderr, "\t-l: Linked inodes\n");
tsk_fprintf(stderr, "\t-L: Unlinked inodes\n");
tsk_fprintf(stderr, "\t-z: Unused inodes\n");
tsk_fprintf(stderr, "\t-Z: Used inodes\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Display version number\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-dsu unit_addr] [-vV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images]\n"),
progname);
tsk_fprintf(stderr, "Slowly calculates the opposite block number\n");
tsk_fprintf(stderr, "\tOne of the following must be given:\n");
tsk_fprintf(stderr,
"\t -d: The given address is from a 'dd' image \n");
tsk_fprintf(stderr,
"\t -s: The given address is from a 'blkls -s' (slack) image\n");
tsk_fprintf(stderr,
"\t -u: The given address is from a 'blkls' (unallocated) image\n");
tsk_fprintf(stderr,
"\t-f fstype: The file system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-alvV] [-f fstype] [-i imgtype] [-o imgoffset] [-d unit_addr] [-n file] [-p par_addr] [-z ZONE] image [images]\n"),
progname);
tsk_fprintf(stderr, "\t-a: find all inodes\n");
tsk_fprintf(stderr,
"\t-d unit_addr: Find the meta data given the data unit\n");
tsk_fprintf(stderr, "\t-l: long format when -p is given\n");
tsk_fprintf(stderr,
"\t-n file: Find the meta data given the file name\n");
tsk_fprintf(stderr,
"\t-p par_addr: Find UNALLOCATED MFT entries given the parent's meta address (NTFS only)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: Verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
tsk_fprintf(stderr,
"\t-z ZONE: Time zone setting when -l -p is given\n");
exit(1);
}
static int
toTCHAR(JNIEnv * env, TSK_TCHAR * buffer, size_t size, jstring strJ)
{
jboolean isCopy;
char *str8 = (char *) env->GetStringUTFChars(strJ, &isCopy);
return TSNPRINTF(buffer, size, _TSK_T("%") PRIcTSK, str8);
}
int
main(int argc, char **argv1)
{
TSK_IMG_INFO *img_info;
TSK_TCHAR **argv;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
if (argc != 2) {
fprintf(stderr, "Missing image name\n");
exit(1);
}
#if DO_HASHLOOKUP
/* Setup hash infrastructure */
if ((hdb_info =
tsk_hdb_open(_TSK_T("/XXX/NSRLFile.txt"),
TSK_HDB_OPEN_NONE)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if (tsk_hdb_hasindex(hdb_info, TSK_HDB_HTYPE_MD5_ID) == 0) {
fprintf(stderr,
"Hash database does not have an index (create one using hfind -i nsrl-md5 HASHFILE\n");
exit(1);
}
#else
hdb_info = NULL;
#endif
img_info = tsk_img_open_sing(argv[1], TSK_IMG_TYPE_DETECT, 0);
if (img_info == NULL) {
fprintf(stderr, "Error opening file\n");
tsk_error_print(stderr);
exit(1);
}
if (proc_vs(img_info, 0)) {
tsk_error_print(stderr);
tsk_img_close(img_info);
exit(1);
}
tsk_img_close(img_info);
return 0;
}
/**
* Setup the hash-type specific information (such as length, index entry
* sizes, index name etc.) in the HDB_INFO structure.
*
* @param hdb_info Structure to fill in.
* @param htype Hash type being used
* @return 1 on error and 0 on success
*/
static uint8_t
hdb_setuphash(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
size_t flen;
if (hdb_info->hash_type != 0) {
return 0;
}
/* Make the name for the index file */
flen = TSTRLEN(hdb_info->db_fname) + 32;
hdb_info->idx_fname =
(TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR));
if (hdb_info->idx_fname == NULL) {
return 1;
}
/* Get hash type specific information */
switch (htype) {
case TSK_HDB_HTYPE_MD5_ID:
hdb_info->hash_type = htype;
hdb_info->hash_len = TSK_HDB_HTYPE_MD5_LEN;
hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_MD5_STR));
return 0;
case TSK_HDB_HTYPE_SHA1_ID:
hdb_info->hash_type = htype;
hdb_info->hash_len = TSK_HDB_HTYPE_SHA1_LEN;
hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype);
TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"),
hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_SHA1_STR));
return 0;
}
tsk_error_reset();
tsk_errno = TSK_ERR_HDB_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L,
"hdb_setuphash: Invalid hash type as argument: %d", htype);
return 1;
}
/**
* \ingroup hashdblib
* Creates a new hash database.
* @param file_path Path for database to create.
* @return 0 on success, 1 otherwise
*/
uint8_t
tsk_hdb_create(TSK_TCHAR *file_path)
{
TSK_TCHAR *ext = NULL;
if (NULL == file_path) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("tsk_hdb_create: NULL file path");
return 1;
}
ext = TSTRRCHR(file_path, _TSK_T('.'));
if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) {
return sqlite_hdb_create_db(file_path);
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr("tsk_hdb_create: path must end in .kdb extension");
return 1;
}
}
TSK_FILTER_ENUM
TskGetTimes::filterFs(TSK_FS_INFO * fs_info)
{
TSK_TCHAR volName[32];
if (m_curVolAddr > -1)
TSNPRINTF(volName, 32, _TSK_T("vol%d/"),m_curVolAddr);
else
volName[0] = '\0';
if (tsk_fs_fls(fs_info, (TSK_FS_FLS_FLAG_ENUM)(TSK_FS_FLS_MAC | TSK_FS_FLS_DIR | TSK_FS_FLS_FILE | TSK_FS_FLS_FULL),
fs_info->root_inum, (TSK_FS_DIR_WALK_FLAG_ENUM)(TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC | TSK_FS_DIR_WALK_FLAG_RECURSE), volName, m_secSkew)) {
}
return TSK_FILTER_SKIP;
}
void
tsk_printf(char *msg, ...)
{
va_list args;
va_start(args, msg);
#ifdef TSK_WIN32
{
WCHAR wbuf[2048];
tsk_printf_conv(wbuf, 2048, msg, &args);
wprintf(_TSK_T("%s"), wbuf);
}
#else
vprintf(msg, args);
#endif
va_end(args);
}
void
tsk_fprintf(FILE * fd, const char *msg, ...)
{
va_list args;
va_start(args, msg);
#ifdef TSK_WIN32
{
WCHAR wbuf[2048];
tsk_printf_conv(wbuf, 2048, msg, &args);
fwprintf(fd, _TSK_T("%s"), wbuf);
}
#else
vfprintf(fd, msg, args);
#endif
va_end(args);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-tvV] [-i imgtype] [-b dev_sector_size] image\n"),
progname);
tsk_fprintf(stderr, "\t-t: display type only\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-tvV] [-f fstype] [-i imgtype] [-o imgoffset] image\n"),
progname);
tsk_fprintf(stderr, "\t-t: display type only\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
/* usage - explain and terminate */
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] image [inode]\n"),
progname);
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-f fstype: File system type (use '-f list' for supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: The offset of the file system in the image (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: print version\n");
exit(1);
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("%s [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images]\n"),
progname);
tsk_fprintf(stderr,
"\t-t vstype: The volume system type (use '-t list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n");
tsk_fprintf(stderr, "\t-v: verbose output\n");
tsk_fprintf(stderr, "\t-V: print the version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-vV] [-i imgtype] [-b dev_sector_size] [-s start_sector] [-e stop_sector] image\n"),
progname);
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use 'i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr,
"\t-s start_sector: The sector number to start at\n");
tsk_fprintf(stderr,
"\t-e stop_sector: The sector number to stop at\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
exit(1);
}
void
usage()
{
TFPRINTF(stderr,
_TSK_T
("%s [-i imgtype] [-o imgoffset] [-brvV] [-t mmtype] image [images]\n"),
progname);
tsk_fprintf(stderr,
"\t-t mmtype: The type of partition system (use '-t list' for list of supported types)\n");
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for list supported types)\n");
tsk_fprintf(stderr,
"\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n");
tsk_fprintf(stderr, "\t-b: print the rounded length in bytes\n");
tsk_fprintf(stderr,
"\t-r: recurse and look for other partition tables in partitions (DOS Only)\n");
tsk_fprintf(stderr, "\t-v: verbose output\n");
tsk_fprintf(stderr, "\t-V: print the version\n");
exit(1);
}
static void
usage()
{
TFPRINTF(stderr,
_TSK_T
("usage: %s [-vV] [-i imgtype] [-b dev_sector_size] [-z zone] [-s seconds] image [image]\n"),
progname);
tsk_fprintf(stderr,
"\t-i imgtype: The format of the image file (use '-i list' for supported types)\n");
tsk_fprintf(stderr,
"\t-b dev_sector_size: The size (in bytes) of the device sectors\n");
tsk_fprintf(stderr, "\t-v: verbose output to stderr\n");
tsk_fprintf(stderr, "\t-V: Print version\n");
tsk_fprintf(stderr,
"\t-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)\n");
tsk_fprintf(stderr,
"\t-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)\n");
exit(1);
}
/* main - open file system, list inode info */
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_TCHAR *cp, *dash;
TSK_INUM_T istart = 0, ilast = 0;
int ch;
int flags = TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED;
int ils_flags = 0;
int set_range = 1;
TSK_TCHAR *image = NULL;
int32_t sec_skew = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
/*
* Provide convenience options for the most commonly selected feature
* combinations.
*/
while ((ch =
GETOPT(argc, argv, _TSK_T("aAb:ef:i:lLmo:Oprs:vVzZ"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('e'):
flags |= (TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC);
flags &= ~TSK_FS_META_FLAG_USED;
break;
case _TSK_T('m'):
ils_flags |= TSK_FS_ILS_MAC;
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('O'):
flags |= TSK_FS_META_FLAG_UNALLOC;
flags &= ~TSK_FS_META_FLAG_ALLOC;
ils_flags |= TSK_FS_ILS_OPEN;
break;
case _TSK_T('p'):
flags |= (TSK_FS_META_FLAG_ORPHAN | TSK_FS_META_FLAG_UNALLOC);
flags &= ~TSK_FS_META_FLAG_ALLOC;
break;
case _TSK_T('r'):
flags |= (TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED);
flags &= ~TSK_FS_META_FLAG_ALLOC;
break;
case _TSK_T('s'):
sec_skew = TATOI(OPTARG);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
/*
* Provide fine controls to tweak one feature at a time.
*/
case _TSK_T('a'):
flags |= TSK_FS_META_FLAG_ALLOC;
flags &= ~TSK_FS_META_FLAG_UNALLOC;
break;
case _TSK_T('A'):
flags |= TSK_FS_META_FLAG_UNALLOC;
break;
case _TSK_T('l'):
ils_flags |= TSK_FS_ILS_LINK;
break;
case _TSK_T('L'):
ils_flags |= TSK_FS_ILS_UNLINK;
break;
case _TSK_T('z'):
flags |= TSK_FS_META_FLAG_UNUSED;
break;
case _TSK_T('Z'):
flags |= TSK_FS_META_FLAG_USED;
break;
}
}
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((ils_flags & TSK_FS_ILS_LINK) && (ils_flags & TSK_FS_ILS_UNLINK)) {
tsk_fprintf(stderr,
"ERROR: Only linked or unlinked should be used\n");
usage();
}
/* We need to determine if an inode or inode range was given */
if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) {
/* Check if is a single number */
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
/* Single address set end addr to start */
ilast = istart;
set_range = 0;
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
}
else {
/* We have a dash, but it could be part of the file name */
*dash = '\0';
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
*dash = _TSK_T('-');
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
dash++;
ilast = TSTRTOULL(dash, &cp, 0);
if (*cp || *cp == *dash) {
/* Not a number - consider it a file name */
dash--;
*dash = '-';
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
set_range = 0;
/* It was a block range, so do not include it in the open */
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
}
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
/* do we need to set the range or just check them? */
if (set_range) {
istart = fs->first_inum;
ilast = fs->last_inum;
}
else {
if (istart < fs->first_inum)
istart = fs->first_inum;
if (ilast > fs->last_inum)
ilast = fs->last_inum;
}
/* NTFS uses alloc and link different than UNIX so change
* the default behavior
*
* The link value can be > 0 on deleted files (even when closed)
*/
/* NTFS and FAT have no notion of deleted but still open */
if ((ils_flags & TSK_FS_ILS_OPEN) && (TSK_FS_TYPE_ISNTFS(fs->ftype)
|| TSK_FS_TYPE_ISFAT(fs->ftype))) {
fprintf(stderr,
"Error: '-O' argument does not work with NTFS and FAT images\n");
exit(1);
}
if (tsk_fs_ils(fs, (TSK_FS_ILS_FLAG_ENUM) ils_flags, istart, ilast,
(TSK_FS_META_FLAG_ENUM) flags, sec_skew, image)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
/**
* Process the database to create a sorted index of it. Consecutive
* entries with the same hash value are not added to the index, but
* will be found during lookup.
*
* @param hdb_info Hash database to make index of
* @param dbtype Text of database type (should always be TSK_HDB_DBTYPE_HK_STR)
*
* @return 1 on error and 0 on success.
*/
uint8_t
hk_makeindex(TSK_HDB_INFO * hdb_info, TSK_TCHAR * dbtype)
{
int i;
size_t len = 0;
char buf[TSK_HDB_MAXLEN];
char *hash = NULL, phash[TSK_HDB_HTYPE_MD5_LEN + 1];
TSK_OFF_T offset = 0;
int db_cnt = 0, idx_cnt = 0, ig_cnt = 0;
if (tsk_hdb_idxinitialize(hdb_info, dbtype)) {
tsk_error_set_errstr2( "hk_makeindex");
return 1;
}
fseek(hdb_info->hDb, 0, SEEK_SET);
/* Status */
if (tsk_verbose)
TFPRINTF(stderr, _TSK_T("Extracting Data from Database (%s)\n"),
hdb_info->db_fname);
/* Allocate a buffer to hold the previous hash values */
memset(phash, '0', TSK_HDB_HTYPE_MD5_LEN + 1);
/* read each line of the file */
fseek(hdb_info->hDb, 0, SEEK_SET);
for (i = 0; NULL != fgets(buf, TSK_HDB_MAXLEN, hdb_info->hDb);
offset += (TSK_OFF_T) len, i++) {
len = strlen(buf);
/* Parse each line to get the MD5 value */
if (hk_parse_md5(buf, &hash, NULL, 0, NULL, 0)) {
ig_cnt++;
continue;
}
db_cnt++;
/* If this entry is for the same hash value as the last entry,
* the skip it -- we'll look for it during lookup */
if (memcmp(hash, phash, TSK_HDB_HTYPE_MD5_LEN) == 0) {
continue;
}
/* Add the entry to the index */
if (tsk_hdb_idxaddentry(hdb_info, hash, offset)) {
tsk_error_set_errstr2( "hk_makeindex");
return 1;
}
idx_cnt++;
/* Set the previous hash value */
strncpy(phash, hash, TSK_HDB_HTYPE_MD5_LEN + 1);
}
if (idx_cnt > 0) {
if (tsk_verbose) {
fprintf(stderr, " Valid Database Entries: %d\n", db_cnt);
fprintf(stderr,
" Invalid Database Entries (headers or errors): %d\n",
ig_cnt);
fprintf(stderr, " Index File Entries %s: %d\n",
(idx_cnt == db_cnt) ? "" : "(optimized)", idx_cnt);
}
/* Finish the index making process */
if (tsk_hdb_idxfinalize(hdb_info)) {
tsk_error_set_errstr2( "hk_makeindex");
return 1;
}
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_CORRUPT);
tsk_error_set_errstr(
"hk_makeindex: No valid entries found in database");
return 1;
}
return 0;
}
/**
* \ingroup imglib
* Opens one or more disk image files so that they can be read. If a file format
* type is specified, this function will call the specific routine to open the file.
* Otherwise, it will detect the type (it will default to raw if no specific type can
* be detected). This function must be called before a disk image can be read from.
* Note that the data type used to store the image paths is a TSK_TCHAR, which changes
* depending on a Unix or Windows build. If you will always have UTF8, then consider
* using tsk_img_open_utf8().
*
* @param num_img The number of images to open (will be > 1 for split images).
* @param images The path to the image files (the number of files must
* be equal to num_img and they must be in a sorted order)
* @param type The disk image type (can be autodetection)
* @param a_ssize Size of device sector in bytes (or 0 for default)
*
* @return Pointer to TSK_IMG_INFO or NULL on error
*/
TSK_IMG_INFO *
tsk_img_open(int num_img,
const TSK_TCHAR * const images[], TSK_IMG_TYPE_ENUM type,
unsigned int a_ssize)
{
TSK_IMG_INFO *img_info = NULL;
// Get rid of any old error messages laying around
tsk_error_reset();
if ((num_img == 0) || (images[0] == NULL)) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_NOFILE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_img_open");
return NULL;
}
if ((a_ssize > 0) && (a_ssize < 512)) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L, "sector size is less than 512 bytes (%d)", a_ssize);
return NULL;
}
if ((a_ssize % 512) != 0) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_ARG;
snprintf(tsk_errstr, TSK_ERRSTR_L, "sector size is not a multiple of 512 (%d)", a_ssize);
return NULL;
}
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T("tsk_img_open: Type: %d NumImg: %d Img1: %s\n"),
type, num_img, images[0]);
/* If no type is given, then we use the autodetection methods
* In case the image file matches the signatures of multiple formats,
* we try all of the embedded formats
*/
if (type == TSK_IMG_TYPE_DETECT) {
TSK_IMG_INFO *img_set = NULL;
#if HAVE_LIBAFFLIB || HAVE_LIBEWF
char *set = NULL;
#endif
struct STAT_STR stat_buf;
// we rely on tsk_errno, so make sure it is 0
tsk_error_reset();
/* Try the non-raw formats first */
#if HAVE_LIBAFFLIB
if ((img_info = aff_open(images, a_ssize)) != NULL) {
/* we don't allow the "ANY" when autodetect is used because
* we only want to detect the tested formats. */
if (img_info->itype == TSK_IMG_TYPE_AFF_ANY) {
img_info->close(img_info);
}
else {
set = "AFF";
img_set = img_info;
}
}
else {
// If AFF is otherwise happy except for a password, stop trying to guess
if (tsk_errno == TSK_ERR_IMG_PASSWD) {
return NULL;
}
tsk_error_reset();
}
#endif
#if HAVE_LIBEWF
if ((img_info = ewf_open(num_img, images, a_ssize)) != NULL) {
if (set == NULL) {
set = "EWF";
img_set = img_info;
}
else {
img_set->close(img_set);
img_info->close(img_info);
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNKTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "EWF or %s", set);
return NULL;
}
}
else {
tsk_error_reset();
}
#endif
// if any of the non-raw formats were detected, then use it.
if (img_set != NULL)
return img_set;
/* We'll use the raw format */
if (num_img == 1) {
if ((img_info = raw_open(images[0], a_ssize)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
else {
if ((img_info = split_open(num_img, images, a_ssize)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
/* To improve the error message, verify the file can be read. */
if (TSTAT(images[0], &stat_buf) < 0) {
// special case to handle windows objects
#if defined(TSK_WIN32) || defined(__CYGWIN__)
if (TSTRNCMP(_TSK_T("\\\\.\\"), images[0], 4) == 0) {
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T
("tsk_img_open: Ignoring stat error because of windows object: %s\n"),
images[0]);
}
else {
#endif
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_STAT;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK " : %s",
images[0], strerror(errno));
return NULL;
#if defined(TSK_WIN32) || defined(__CYGWIN__)
}
#endif
}
tsk_errno = TSK_ERR_IMG_UNKTYPE;
tsk_errstr[0] = '\0';
tsk_errstr2[0] = '\0';
return NULL;
}
/*
* Type values
* Make a local copy that we can modify the string as we parse it
*/
switch (type) {
case TSK_IMG_TYPE_RAW_SING:
/* If we have more than one image name, and raw was the only
* type given, then use split */
if (num_img > 1)
img_info = split_open(num_img, images, a_ssize);
else
img_info = raw_open(images[0], a_ssize);
break;
case TSK_IMG_TYPE_RAW_SPLIT:
/* If only one image file is given, and only one type was
* given then use raw */
if (num_img == 1)
img_info = raw_open(images[0], a_ssize);
else
img_info = split_open(num_img, images, a_ssize);
break;
#if HAVE_LIBAFFLIB
case TSK_IMG_TYPE_AFF_AFF:
case TSK_IMG_TYPE_AFF_AFD:
case TSK_IMG_TYPE_AFF_AFM:
case TSK_IMG_TYPE_AFF_ANY:
img_info = aff_open(images, a_ssize);
break;
#endif
#if HAVE_LIBEWF
case TSK_IMG_TYPE_EWF_EWF:
img_info = ewf_open(num_img, images, a_ssize);
break;
#endif
case TSK_IMG_TYPE_QEMU:
img_info = qemu_open(images[0], a_ssize);
break;
default:
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNSUPTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%d", type);
return NULL;
}
return img_info;
}
int
main(int argc, char** argv1)
{
TSK_TCHAR **argv;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_OFF_T imgaddr = 0;
int ch;
while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) {
switch (ch) {
case _TSK_T('f'):
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('v'):
tsk_verbose = 1;
break;
default:
usage();
break;
}
}
if (argc - OPTIND != 3) {
usage();
}
const TSK_TCHAR* image = argv[OPTIND];
size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0);
if (nthreads == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0);
if (niters == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0);
if (img == 0) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype);
if (fs == 0) {
tsk_img_close(img);
tsk_error_print(stderr);
exit(1);
}
TskThread** threads = new TskThread*[nthreads];
for (size_t i = 0; i < nthreads; ++i) {
threads[i] = new MyThread(i, fs, niters);
}
TskThread::run(threads, nthreads);
for (size_t i = 0; i < nthreads; ++i) {
delete threads[i];
}
delete[] threads;
tsk_fs_close(fs);
tsk_img_close(img);
exit(0);
}
/**
* Open one or more files as a disk image. This serves as a
* wrapper around the specific types of disk image formats. You
* can specify the type or autodetection can be used.
*
* @param type The text a user supplied for the type of format.
* Examples include "raw", "split", "aff", etc.
* @param num_img The number of images that are being considered.
* @param images The path to the files (the number of files must
* be equal to num_img)
*
* @return Pointer to the Image state structure or NULL on error
*/
TSK_IMG_INFO *
tsk_img_open(const TSK_TCHAR * type, const int num_img,
const TSK_TCHAR ** images)
{
TSK_IMG_INFO *img_info = NULL;
TSK_TCHAR *tp, *next;
TSK_TCHAR type_lcl[128], *type_lcl_p;
const TSK_TCHAR **img_tmp;
int num_img_tmp = num_img;
// Get rid of any old error messages laying around
tsk_error_reset();
if ((num_img == 0) || (images[0] == NULL)) {
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_NOFILE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_img_open");
tsk_errstr2[0] = '\0';
return NULL;
}
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T("tsk_img_open: Type: %s NumImg: %d Img1: %s\n"),
(type ? type : _TSK_T("n/a")), num_img, images[0]);
// only the first in list (lowest) layer gets the files
img_tmp = images;
/* If no type is given, then we use the autodetection methods
* In case the image file matches the signatures of multiple formats,
* we try all of the embedded formats
*/
if (type == NULL) {
TSK_IMG_INFO *img_set = NULL;
#if HAVE_LIBAFFLIB || HAVE_LIBEWF
char *set = NULL;
#endif
struct STAT_STR stat_buf;
/* First verify that the image file exists */
if (TSTAT(images[0], &stat_buf) < 0) {
// special case to handle windows objects
#if defined(TSK_WIN32)
if ((images[0][0] == _TSK_T('\\'))
&& (images[0][1] == _TSK_T('\\'))
&& (images[0][2] == _TSK_T('.'))
&& (images[0][3] == _TSK_T('\\'))) {
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T
("tsk_img_open: Ignoring stat error because of windows object: %s\n"),
images[0]);
}
#endif
/* AFFLIB supports s3 storage on Amazon, so skip those 'file' paths */
#if HAVE_LIBAFFLIB
#if defined(TSK_WIN32)
else
#endif
if (((images[0][0] == _TSK_T('s'))
&& (images[0][1] == _TSK_T('3'))
&& (images[0][2] == _TSK_T(':'))
&& (images[0][3] == _TSK_T('/'))
&& (images[0][4] == _TSK_T('/'))) ||
((images[0][0] == _TSK_T('h'))
&& (images[0][1] == _TSK_T('t'))
&& (images[0][2] == _TSK_T('t'))
&& (images[0][3] == _TSK_T('p'))
&& (images[0][4] == _TSK_T(':'))
&& (images[0][5] == _TSK_T('/'))
&& (images[0][6] == _TSK_T('/')))) {
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T
("tsk_img_open: Ignoring stat error because of s3/http object: %s\n"),
images[0]);
}
#endif
#if HAVE_LIBAFFLIB || defined(TSK_WIN32)
else {
#endif
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_STAT;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK " : %s",
images[0], strerror(errno));
return NULL;
#if HAVE_LIBAFFLIB || defined(TSK_WIN32)
}
#endif
}
// we rely on tsk_errno, so make sure it is 0
tsk_error_reset();
/* Try the non-raw formats first */
#if HAVE_LIBAFFLIB
if ((img_info = aff_open(images, NULL)) != NULL) {
set = "AFF";
img_set = img_info;
}
else {
tsk_error_reset();
}
#endif
#if HAVE_LIBEWF
if ((img_info = ewf_open(num_img, images, NULL)) != NULL) {
if (set == NULL) {
set = "EWF";
img_set = img_info;
}
else {
img_set->close(img_set);
img_info->close(img_info);
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNKTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "EWF or %s", set);
return NULL;
}
}
else {
tsk_error_reset();
}
#endif
if (img_set != NULL)
return img_set;
/* We'll use the raw format */
if (num_img == 1) {
if ((img_info = raw_open(images, NULL)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
else {
if ((img_info = split_open(num_img, images, NULL)) != NULL) {
return img_info;
}
else if (tsk_errno) {
return NULL;
}
}
tsk_errno = TSK_ERR_IMG_UNKTYPE;
tsk_errstr[0] = '\0';
tsk_errstr2[0] = '\0';
return NULL;
}
/*
* Type values
* Make a local copy that we can modify the string as we parse it
*/
TSTRNCPY(type_lcl, type, 128);
type_lcl_p = type_lcl;
/* We parse this and go up in the layers */
tp = TSTRTOK(type_lcl, _TSK_T(","));
while (tp != NULL) {
uint8_t imgtype;
next = TSTRTOK(NULL, _TSK_T(","));
imgtype = tsk_img_parse_type(type);
switch (imgtype) {
case TSK_IMG_INFO_TYPE_RAW_SING:
/* If we have more than one image name, and raw was the only
* type given, then use split */
if ((num_img > 1) && (next == NULL) && (img_tmp != NULL)) {
img_info = split_open(num_img_tmp, img_tmp, img_info);
num_img_tmp = 0;
}
else {
img_info = raw_open(img_tmp, img_info);
}
img_tmp = NULL;
break;
case TSK_IMG_INFO_TYPE_RAW_SPLIT:
/* If only one image file is given, and only one type was
* given then use raw */
if ((num_img == 1) && (next == NULL) && (img_tmp != NULL)) {
img_info = raw_open(img_tmp, img_info);
}
else {
img_info = split_open(num_img_tmp, img_tmp, img_info);
num_img_tmp = 0;
}
img_tmp = NULL;
break;
#if HAVE_LIBAFFLIB
case TSK_IMG_INFO_TYPE_AFF_AFF:
case TSK_IMG_INFO_TYPE_AFF_AFD:
case TSK_IMG_INFO_TYPE_AFF_AFM:
img_info = aff_open(img_tmp, img_info);
break;
#endif
#if HAVE_LIBEWF
case TSK_IMG_INFO_TYPE_EWF_EWF:
img_info = ewf_open(num_img_tmp, img_tmp, img_info);
break;
#endif
default:
tsk_error_reset();
tsk_errno = TSK_ERR_IMG_UNSUPTYPE;
snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK, tp);
return NULL;
}
/* Advance the pointer */
tp = next;
}
/* Return the highest layer */
return img_info;
}
