/* * Create an index for the given database path * @param env pointer to java environment this was called from * @param obj the java object this was called from * @param dbPathJ path for the database */ JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_createLookupIndexNat (JNIEnv * env, jclass obj, jstring dbPathJ) { TSK_TCHAR dbPathT[1024]; toTCHAR(env, dbPathT, 1024, dbPathJ); TSK_HDB_OPEN_ENUM flags = TSK_HDB_OPEN_NONE; TSK_HDB_INFO * temp = tsk_hdb_open(dbPathT, flags); if (temp == NULL) { throwTskError(env); return; } TSK_TCHAR dbType[1024]; if(temp->db_type == TSK_HDB_DBTYPE_MD5SUM_ID) { TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_MD5SUM_STR); } else if(temp->db_type == TSK_HDB_DBTYPE_HK_ID) { TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_HK_STR); } else { TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_NSRL_MD5_STR); } if (tsk_hdb_makeindex(temp, dbType)) { throwTskError(env); } tsk_hdb_close(temp); }
/** * @param db_path Path to DB, which probably does not exist. But it gets passed in because we need * it in a bunch of places. * @param idx_path Path to index file (should be superset of db_path) */ TSK_HDB_INFO *idxonly_open(const TSK_TCHAR *db_path, const TSK_TCHAR *idx_path) { TSK_HDB_BINSRCH_INFO *hdb_binsrch_info = NULL; TSK_TCHAR *ext; TSK_HDB_HTYPE_ENUM htype; hdb_binsrch_info = hdb_binsrch_open(NULL, db_path); if (NULL == hdb_binsrch_info) { return NULL; } hdb_binsrch_info->base.db_type = TSK_HDB_DBTYPE_IDXONLY_ID; // open the index ext = TSTRRCHR(idx_path, _TSK_T('-')); if (ext == NULL) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_HDB_ARG); tsk_error_set_errstr("idxonly_open: invalid file name (no extension): %" PRIttocTSK, idx_path); return NULL; } else if ((TSTRLEN(ext) == 8) && (TSTRICMP(ext, _TSK_T("-md5.idx")) == 0)) { htype = TSK_HDB_HTYPE_MD5_ID; } else if ((TSTRLEN(ext) == 9) && (TSTRICMP(ext, _TSK_T("-sha1.idx")) == 0)) { htype = TSK_HDB_HTYPE_SHA1_ID; } else { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_HDB_ARG); tsk_error_set_errstr("idxonly_open: invalid file name (unknown extension): %" PRIttocTSK, idx_path); return NULL; } if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, htype)) { return NULL; } if (idxonly_name(hdb_binsrch_info)) { hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info); return NULL; } hdb_binsrch_info->base.get_db_path = idxonly_get_db_path; hdb_binsrch_info->get_entry = idxonly_getentry; // Before returning, do one final check that we'll be able to open // the index file if (hdb_binsrch_open_idx((TSK_HDB_INFO*)hdb_binsrch_info, hdb_binsrch_info->hash_type)) { hdb_binsrch_close((TSK_HDB_INFO*)hdb_binsrch_info); return NULL; } return (TSK_HDB_INFO*)hdb_binsrch_info; }
int getopt(int argc, TSK_TCHAR * argv[], TSK_TCHAR * optstring) { static TSK_TCHAR *next = NULL; TSK_TCHAR c, *cp; if (optind == 0) next = NULL; optarg = NULL; if (next == NULL || *next == _TSK_T('\0')) { if (optind == 0) optind++; if (optind >= argc || argv[optind][0] != _TSK_T('-') || argv[optind][1] == _TSK_T('\0')) { optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } if (_tcscmp(argv[optind], _TSK_T("--")) == 0) { optind++; optarg = NULL; if (optind < argc) optarg = argv[optind]; return EOF; } next = argv[optind]; next++; // skip past - optind++; } c = *next++; cp = _tcschr(optstring, c); if (cp == NULL || c == _TSK_T(':')) return _TSK_T('?'); cp++; if (*cp == _TSK_T(':')) { if (*next != _TSK_T('\0')) { optarg = next; next = NULL; } else if (optind < argc) { optarg = argv[optind]; optind++; } else { return _TSK_T('?'); } } return c; }
void usage() { TFPRINTF(stderr, _TSK_T ("%s [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-BrvV] [-aAmM] [-t vstype] image [images]\n"), progname); tsk_fprintf(stderr, "\t-t vstype: The type of volume system (use '-t list' for list of supported types)\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for list supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n"); tsk_fprintf(stderr, "\t-B: print the rounded length in bytes\n"); tsk_fprintf(stderr, "\t-r: recurse and look for other partition tables in partitions (DOS Only)\n"); tsk_fprintf(stderr, "\t-v: verbose output\n"); tsk_fprintf(stderr, "\t-V: print the version\n"); tsk_fprintf(stderr, "Unless any of these are specified, all volume types are shown\n"); tsk_fprintf(stderr, "\t-a: Show allocated volumes\n"); tsk_fprintf(stderr, "\t-A: Show unallocated volumes\n"); tsk_fprintf(stderr, "\t-m: Show metadata volumes\n"); tsk_fprintf(stderr, "\t-M: Hide metadata volumes\n"); exit(1); }
/* usage - explain and terminate */ static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-vV] image inum\n"), progname); tsk_fprintf(stderr, "\t-B num: force the display of NUM address of block pointers\n"); tsk_fprintf(stderr, "\t-z zone: time zone of original machine (i.e. EST5EDT or GMT)\n"); tsk_fprintf(stderr, "\t-s seconds: Time skew of original machine (in seconds)\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-f fstype: File system type (use '-f list' for supported types)\n"); tsk_fprintf(stderr, "\t-o imgoffset: The offset of the file system in the image (in sectors)\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: print version\n"); exit(1); }
void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-ahsvVw] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-u usize] image [images] unit_addr [num]\n"), progname); tsk_fprintf(stderr, "\t-a: displays in all ASCII \n"); tsk_fprintf(stderr, "\t-h: displays in hexdump-like fashion\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-o imgoffset: The offset of the file system in the image (in sectors)\n"); tsk_fprintf(stderr, "\t-f fstype: File system type (use '-f list' for supported types)\n"); tsk_fprintf(stderr, "\t-s: display basic block stats such as unit size, fragments, etc.\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: display version\n"); tsk_fprintf(stderr, "\t-w: displays in web-like (html) fashion\n"); tsk_fprintf(stderr, "\t-u usize: size of each data unit in image (for raw, blkls, swap)\n"); tsk_fprintf(stderr, "\t[num] is the number of data units to display (default is 1)\n"); exit(1); }
static void usage() { TFPRINTF(stderr, _TSK_T("Usage: %s [-f fstype ] [-o imgoffset ] [-v] image nthreads niters\n"), progname); exit(1); }
static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-eqV] [-f lookup_file] [-i db_type] db_file [hashes]\n"), progname); tsk_fprintf(stderr, "\t-e: Extended mode - where values other than just the name are printed\n"); tsk_fprintf(stderr, "\t-q: Quick mode - where a 1 is printed if it is found, else 0\n"); tsk_fprintf(stderr, "\t-V: Print version to STDOUT\n"); tsk_fprintf(stderr, "\t-f lookup_file: File with one hash per line to lookup\n"); tsk_fprintf(stderr, "\t-i db_type: Create index file for a given hash database type\n"); tsk_fprintf(stderr, "\tdb_file: The location of the original hash database\n"); tsk_fprintf(stderr, "\t[hashes]: hashes to lookup (STDIN is used otherwise)\n"); tsk_fprintf(stderr, "\n\tSupported types: %s\n", TSK_HDB_DBTYPE_SUPPORT_STR); exit(1); }
/* usage - explain and terminate */ static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-emOpvV] [-aAlLzZ] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-s seconds] image [images] [inum[-end]]\n"), progname); tsk_fprintf(stderr, "\t-e: Display all inodes\n"); tsk_fprintf(stderr, "\t-m: Display output in the mactime format\n"); tsk_fprintf(stderr, "\t-O: Display inodes that are unallocated, but were sill open (UFS/ExtX only)\n"); tsk_fprintf(stderr, "\t-p: Display orphan inodes (unallocated with no file name)\n"); tsk_fprintf(stderr, "\t-s seconds: Time skew of original machine (in seconds)\n"); tsk_fprintf(stderr, "\t-a: Allocated inodes\n"); tsk_fprintf(stderr, "\t-A: Unallocated inodes\n"); tsk_fprintf(stderr, "\t-l: Linked inodes\n"); tsk_fprintf(stderr, "\t-L: Unlinked inodes\n"); tsk_fprintf(stderr, "\t-z: Unused inodes\n"); tsk_fprintf(stderr, "\t-Z: Used inodes\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-f fstype: File system type (use '-f list' for supported types)\n"); tsk_fprintf(stderr, "\t-o imgoffset: The offset of the file system in the image (in sectors)\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: Display version number\n"); exit(1); }
static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-dsu unit_addr] [-vV] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] image [images]\n"), progname); tsk_fprintf(stderr, "Slowly calculates the opposite block number\n"); tsk_fprintf(stderr, "\tOne of the following must be given:\n"); tsk_fprintf(stderr, "\t -d: The given address is from a 'dd' image \n"); tsk_fprintf(stderr, "\t -s: The given address is from a 'blkls -s' (slack) image\n"); tsk_fprintf(stderr, "\t -u: The given address is from a 'blkls' (unallocated) image\n"); tsk_fprintf(stderr, "\t-f fstype: The file system type (use '-f list' for supported types)\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-o imgoffset: The offset of the file system in the image (in sectors)\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: Print version\n"); exit(1); }
static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-alvV] [-f fstype] [-i imgtype] [-o imgoffset] [-d unit_addr] [-n file] [-p par_addr] [-z ZONE] image [images]\n"), progname); tsk_fprintf(stderr, "\t-a: find all inodes\n"); tsk_fprintf(stderr, "\t-d unit_addr: Find the meta data given the data unit\n"); tsk_fprintf(stderr, "\t-l: long format when -p is given\n"); tsk_fprintf(stderr, "\t-n file: Find the meta data given the file name\n"); tsk_fprintf(stderr, "\t-p par_addr: Find UNALLOCATED MFT entries given the parent's meta address (NTFS only)\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-f fstype: File system type (use '-f list' for supported types)\n"); tsk_fprintf(stderr, "\t-o imgoffset: The offset of the file system in the image (in sectors)\n"); tsk_fprintf(stderr, "\t-v: Verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: Print version\n"); tsk_fprintf(stderr, "\t-z ZONE: Time zone setting when -l -p is given\n"); exit(1); }
static int toTCHAR(JNIEnv * env, TSK_TCHAR * buffer, size_t size, jstring strJ) { jboolean isCopy; char *str8 = (char *) env->GetStringUTFChars(strJ, &isCopy); return TSNPRINTF(buffer, size, _TSK_T("%") PRIcTSK, str8); }
int main(int argc, char **argv1) { TSK_IMG_INFO *img_info; TSK_TCHAR **argv; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif if (argc != 2) { fprintf(stderr, "Missing image name\n"); exit(1); } #if DO_HASHLOOKUP /* Setup hash infrastructure */ if ((hdb_info = tsk_hdb_open(_TSK_T("/XXX/NSRLFile.txt"), TSK_HDB_OPEN_NONE)) == NULL) { tsk_error_print(stderr); exit(1); } if (tsk_hdb_hasindex(hdb_info, TSK_HDB_HTYPE_MD5_ID) == 0) { fprintf(stderr, "Hash database does not have an index (create one using hfind -i nsrl-md5 HASHFILE\n"); exit(1); } #else hdb_info = NULL; #endif img_info = tsk_img_open_sing(argv[1], TSK_IMG_TYPE_DETECT, 0); if (img_info == NULL) { fprintf(stderr, "Error opening file\n"); tsk_error_print(stderr); exit(1); } if (proc_vs(img_info, 0)) { tsk_error_print(stderr); tsk_img_close(img_info); exit(1); } tsk_img_close(img_info); return 0; }
/** * Setup the hash-type specific information (such as length, index entry * sizes, index name etc.) in the HDB_INFO structure. * * @param hdb_info Structure to fill in. * @param htype Hash type being used * @return 1 on error and 0 on success */ static uint8_t hdb_setuphash(TSK_HDB_INFO * hdb_info, uint8_t htype) { size_t flen; if (hdb_info->hash_type != 0) { return 0; } /* Make the name for the index file */ flen = TSTRLEN(hdb_info->db_fname) + 32; hdb_info->idx_fname = (TSK_TCHAR *) talloc_size(hdb_info, flen * sizeof(TSK_TCHAR)); if (hdb_info->idx_fname == NULL) { return 1; } /* Get hash type specific information */ switch (htype) { case TSK_HDB_HTYPE_MD5_ID: hdb_info->hash_type = htype; hdb_info->hash_len = TSK_HDB_HTYPE_MD5_LEN; hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype); TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"), hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_MD5_STR)); return 0; case TSK_HDB_HTYPE_SHA1_ID: hdb_info->hash_type = htype; hdb_info->hash_len = TSK_HDB_HTYPE_SHA1_LEN; hdb_info->idx_llen = TSK_HDB_IDX_LEN(htype); TSNPRINTF(hdb_info->idx_fname, flen, _TSK_T("%s-%s.idx"), hdb_info->db_fname, _TSK_T(TSK_HDB_HTYPE_SHA1_STR)); return 0; } tsk_error_reset(); tsk_errno = TSK_ERR_HDB_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "hdb_setuphash: Invalid hash type as argument: %d", htype); return 1; }
/** * \ingroup hashdblib * Creates a new hash database. * @param file_path Path for database to create. * @return 0 on success, 1 otherwise */ uint8_t tsk_hdb_create(TSK_TCHAR *file_path) { TSK_TCHAR *ext = NULL; if (NULL == file_path) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_HDB_ARG); tsk_error_set_errstr("tsk_hdb_create: NULL file path"); return 1; } ext = TSTRRCHR(file_path, _TSK_T('.')); if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) { return sqlite_hdb_create_db(file_path); } else { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_HDB_ARG); tsk_error_set_errstr("tsk_hdb_create: path must end in .kdb extension"); return 1; } }
TSK_FILTER_ENUM TskGetTimes::filterFs(TSK_FS_INFO * fs_info) { TSK_TCHAR volName[32]; if (m_curVolAddr > -1) TSNPRINTF(volName, 32, _TSK_T("vol%d/"),m_curVolAddr); else volName[0] = '\0'; if (tsk_fs_fls(fs_info, (TSK_FS_FLS_FLAG_ENUM)(TSK_FS_FLS_MAC | TSK_FS_FLS_DIR | TSK_FS_FLS_FILE | TSK_FS_FLS_FULL), fs_info->root_inum, (TSK_FS_DIR_WALK_FLAG_ENUM)(TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC | TSK_FS_DIR_WALK_FLAG_RECURSE), volName, m_secSkew)) { } return TSK_FILTER_SKIP; }
void tsk_printf(char *msg, ...) { va_list args; va_start(args, msg); #ifdef TSK_WIN32 { WCHAR wbuf[2048]; tsk_printf_conv(wbuf, 2048, msg, &args); wprintf(_TSK_T("%s"), wbuf); } #else vprintf(msg, args); #endif va_end(args); }
void tsk_fprintf(FILE * fd, const char *msg, ...) { va_list args; va_start(args, msg); #ifdef TSK_WIN32 { WCHAR wbuf[2048]; tsk_printf_conv(wbuf, 2048, msg, &args); fwprintf(fd, _TSK_T("%s"), wbuf); } #else vfprintf(fd, msg, args); #endif va_end(args); }
static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-tvV] [-i imgtype] [-b dev_sector_size] image\n"), progname); tsk_fprintf(stderr, "\t-t: display type only\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for list of supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: Print version\n"); exit(1); }
static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-tvV] [-f fstype] [-i imgtype] [-o imgoffset] image\n"), progname); tsk_fprintf(stderr, "\t-t: display type only\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-f fstype: File system type (use '-f list' for supported types)\n"); tsk_fprintf(stderr, "\t-o imgoffset: The offset of the file system in the image (in sectors)\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: Print version\n"); exit(1); }
/* usage - explain and terminate */ static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] image [inode]\n"), progname); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-f fstype: File system type (use '-f list' for supported types)\n"); tsk_fprintf(stderr, "\t-o imgoffset: The offset of the file system in the image (in sectors)\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: print version\n"); exit(1); }
void usage() { TFPRINTF(stderr, _TSK_T ("%s [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-vV] [-t vstype] image [images]\n"), progname); tsk_fprintf(stderr, "\t-t vstype: The volume system type (use '-t list' for list of supported types)\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for list of supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n"); tsk_fprintf(stderr, "\t-v: verbose output\n"); tsk_fprintf(stderr, "\t-V: print the version\n"); exit(1); }
static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-vV] [-i imgtype] [-b dev_sector_size] [-s start_sector] [-e stop_sector] image\n"), progname); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use 'i list' for supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-s start_sector: The sector number to start at\n"); tsk_fprintf(stderr, "\t-e stop_sector: The sector number to stop at\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: Print version\n"); exit(1); }
void usage() { TFPRINTF(stderr, _TSK_T ("%s [-i imgtype] [-o imgoffset] [-brvV] [-t mmtype] image [images]\n"), progname); tsk_fprintf(stderr, "\t-t mmtype: The type of partition system (use '-t list' for list of supported types)\n"); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for list supported types)\n"); tsk_fprintf(stderr, "\t-o imgoffset: Offset to the start of the volume that contains the partition system (in sectors)\n"); tsk_fprintf(stderr, "\t-b: print the rounded length in bytes\n"); tsk_fprintf(stderr, "\t-r: recurse and look for other partition tables in partitions (DOS Only)\n"); tsk_fprintf(stderr, "\t-v: verbose output\n"); tsk_fprintf(stderr, "\t-V: print the version\n"); exit(1); }
static void usage() { TFPRINTF(stderr, _TSK_T ("usage: %s [-vV] [-i imgtype] [-b dev_sector_size] [-z zone] [-s seconds] image [image]\n"), progname); tsk_fprintf(stderr, "\t-i imgtype: The format of the image file (use '-i list' for supported types)\n"); tsk_fprintf(stderr, "\t-b dev_sector_size: The size (in bytes) of the device sectors\n"); tsk_fprintf(stderr, "\t-v: verbose output to stderr\n"); tsk_fprintf(stderr, "\t-V: Print version\n"); tsk_fprintf(stderr, "\t-z: Time zone of original machine (i.e. EST5EDT or GMT) (only useful with -l)\n"); tsk_fprintf(stderr, "\t-s seconds: Time skew of original machine (in seconds) (only useful with -l & -m)\n"); exit(1); }
/* main - open file system, list inode info */ int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; TSK_TCHAR *cp, *dash; TSK_INUM_T istart = 0, ilast = 0; int ch; int flags = TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED; int ils_flags = 0; int set_range = 1; TSK_TCHAR *image = NULL; int32_t sec_skew = 0; TSK_TCHAR **argv; unsigned int ssize = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); /* * Provide convenience options for the most commonly selected feature * combinations. */ while ((ch = GETOPT(argc, argv, _TSK_T("aAb:ef:i:lLmo:Oprs:vVzZ"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('e'): flags |= (TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC); flags &= ~TSK_FS_META_FLAG_USED; break; case _TSK_T('m'): ils_flags |= TSK_FS_ILS_MAC; break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('O'): flags |= TSK_FS_META_FLAG_UNALLOC; flags &= ~TSK_FS_META_FLAG_ALLOC; ils_flags |= TSK_FS_ILS_OPEN; break; case _TSK_T('p'): flags |= (TSK_FS_META_FLAG_ORPHAN | TSK_FS_META_FLAG_UNALLOC); flags &= ~TSK_FS_META_FLAG_ALLOC; break; case _TSK_T('r'): flags |= (TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED); flags &= ~TSK_FS_META_FLAG_ALLOC; break; case _TSK_T('s'): sec_skew = TATOI(OPTARG); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); /* * Provide fine controls to tweak one feature at a time. */ case _TSK_T('a'): flags |= TSK_FS_META_FLAG_ALLOC; flags &= ~TSK_FS_META_FLAG_UNALLOC; break; case _TSK_T('A'): flags |= TSK_FS_META_FLAG_UNALLOC; break; case _TSK_T('l'): ils_flags |= TSK_FS_ILS_LINK; break; case _TSK_T('L'): ils_flags |= TSK_FS_ILS_UNLINK; break; case _TSK_T('z'): flags |= TSK_FS_META_FLAG_UNUSED; break; case _TSK_T('Z'): flags |= TSK_FS_META_FLAG_USED; break; } } if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((ils_flags & TSK_FS_ILS_LINK) && (ils_flags & TSK_FS_ILS_UNLINK)) { tsk_fprintf(stderr, "ERROR: Only linked or unlinked should be used\n"); usage(); } /* We need to determine if an inode or inode range was given */ if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) { /* Check if is a single number */ istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { /* Single address set end addr to start */ ilast = istart; set_range = 0; image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } } else { /* We have a dash, but it could be part of the file name */ *dash = '\0'; istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ *dash = _TSK_T('-'); image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { dash++; ilast = TSTRTOULL(dash, &cp, 0); if (*cp || *cp == *dash) { /* Not a number - consider it a file name */ dash--; *dash = '-'; image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { set_range = 0; /* It was a block range, so do not include it in the open */ image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } } } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } /* do we need to set the range or just check them? */ if (set_range) { istart = fs->first_inum; ilast = fs->last_inum; } else { if (istart < fs->first_inum) istart = fs->first_inum; if (ilast > fs->last_inum) ilast = fs->last_inum; } /* NTFS uses alloc and link different than UNIX so change * the default behavior * * The link value can be > 0 on deleted files (even when closed) */ /* NTFS and FAT have no notion of deleted but still open */ if ((ils_flags & TSK_FS_ILS_OPEN) && (TSK_FS_TYPE_ISNTFS(fs->ftype) || TSK_FS_TYPE_ISFAT(fs->ftype))) { fprintf(stderr, "Error: '-O' argument does not work with NTFS and FAT images\n"); exit(1); } if (tsk_fs_ils(fs, (TSK_FS_ILS_FLAG_ENUM) ils_flags, istart, ilast, (TSK_FS_META_FLAG_ENUM) flags, sec_skew, image)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
/** * Process the database to create a sorted index of it. Consecutive * entries with the same hash value are not added to the index, but * will be found during lookup. * * @param hdb_info Hash database to make index of * @param dbtype Text of database type (should always be TSK_HDB_DBTYPE_HK_STR) * * @return 1 on error and 0 on success. */ uint8_t hk_makeindex(TSK_HDB_INFO * hdb_info, TSK_TCHAR * dbtype) { int i; size_t len = 0; char buf[TSK_HDB_MAXLEN]; char *hash = NULL, phash[TSK_HDB_HTYPE_MD5_LEN + 1]; TSK_OFF_T offset = 0; int db_cnt = 0, idx_cnt = 0, ig_cnt = 0; if (tsk_hdb_idxinitialize(hdb_info, dbtype)) { tsk_error_set_errstr2( "hk_makeindex"); return 1; } fseek(hdb_info->hDb, 0, SEEK_SET); /* Status */ if (tsk_verbose) TFPRINTF(stderr, _TSK_T("Extracting Data from Database (%s)\n"), hdb_info->db_fname); /* Allocate a buffer to hold the previous hash values */ memset(phash, '0', TSK_HDB_HTYPE_MD5_LEN + 1); /* read each line of the file */ fseek(hdb_info->hDb, 0, SEEK_SET); for (i = 0; NULL != fgets(buf, TSK_HDB_MAXLEN, hdb_info->hDb); offset += (TSK_OFF_T) len, i++) { len = strlen(buf); /* Parse each line to get the MD5 value */ if (hk_parse_md5(buf, &hash, NULL, 0, NULL, 0)) { ig_cnt++; continue; } db_cnt++; /* If this entry is for the same hash value as the last entry, * the skip it -- we'll look for it during lookup */ if (memcmp(hash, phash, TSK_HDB_HTYPE_MD5_LEN) == 0) { continue; } /* Add the entry to the index */ if (tsk_hdb_idxaddentry(hdb_info, hash, offset)) { tsk_error_set_errstr2( "hk_makeindex"); return 1; } idx_cnt++; /* Set the previous hash value */ strncpy(phash, hash, TSK_HDB_HTYPE_MD5_LEN + 1); } if (idx_cnt > 0) { if (tsk_verbose) { fprintf(stderr, " Valid Database Entries: %d\n", db_cnt); fprintf(stderr, " Invalid Database Entries (headers or errors): %d\n", ig_cnt); fprintf(stderr, " Index File Entries %s: %d\n", (idx_cnt == db_cnt) ? "" : "(optimized)", idx_cnt); } /* Finish the index making process */ if (tsk_hdb_idxfinalize(hdb_info)) { tsk_error_set_errstr2( "hk_makeindex"); return 1; } } else { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_HDB_CORRUPT); tsk_error_set_errstr( "hk_makeindex: No valid entries found in database"); return 1; } return 0; }
/** * \ingroup imglib * Opens one or more disk image files so that they can be read. If a file format * type is specified, this function will call the specific routine to open the file. * Otherwise, it will detect the type (it will default to raw if no specific type can * be detected). This function must be called before a disk image can be read from. * Note that the data type used to store the image paths is a TSK_TCHAR, which changes * depending on a Unix or Windows build. If you will always have UTF8, then consider * using tsk_img_open_utf8(). * * @param num_img The number of images to open (will be > 1 for split images). * @param images The path to the image files (the number of files must * be equal to num_img and they must be in a sorted order) * @param type The disk image type (can be autodetection) * @param a_ssize Size of device sector in bytes (or 0 for default) * * @return Pointer to TSK_IMG_INFO or NULL on error */ TSK_IMG_INFO * tsk_img_open(int num_img, const TSK_TCHAR * const images[], TSK_IMG_TYPE_ENUM type, unsigned int a_ssize) { TSK_IMG_INFO *img_info = NULL; // Get rid of any old error messages laying around tsk_error_reset(); if ((num_img == 0) || (images[0] == NULL)) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_NOFILE; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_img_open"); return NULL; } if ((a_ssize > 0) && (a_ssize < 512)) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "sector size is less than 512 bytes (%d)", a_ssize); return NULL; } if ((a_ssize % 512) != 0) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_ARG; snprintf(tsk_errstr, TSK_ERRSTR_L, "sector size is not a multiple of 512 (%d)", a_ssize); return NULL; } if (tsk_verbose) TFPRINTF(stderr, _TSK_T("tsk_img_open: Type: %d NumImg: %d Img1: %s\n"), type, num_img, images[0]); /* If no type is given, then we use the autodetection methods * In case the image file matches the signatures of multiple formats, * we try all of the embedded formats */ if (type == TSK_IMG_TYPE_DETECT) { TSK_IMG_INFO *img_set = NULL; #if HAVE_LIBAFFLIB || HAVE_LIBEWF char *set = NULL; #endif struct STAT_STR stat_buf; // we rely on tsk_errno, so make sure it is 0 tsk_error_reset(); /* Try the non-raw formats first */ #if HAVE_LIBAFFLIB if ((img_info = aff_open(images, a_ssize)) != NULL) { /* we don't allow the "ANY" when autodetect is used because * we only want to detect the tested formats. */ if (img_info->itype == TSK_IMG_TYPE_AFF_ANY) { img_info->close(img_info); } else { set = "AFF"; img_set = img_info; } } else { // If AFF is otherwise happy except for a password, stop trying to guess if (tsk_errno == TSK_ERR_IMG_PASSWD) { return NULL; } tsk_error_reset(); } #endif #if HAVE_LIBEWF if ((img_info = ewf_open(num_img, images, a_ssize)) != NULL) { if (set == NULL) { set = "EWF"; img_set = img_info; } else { img_set->close(img_set); img_info->close(img_info); tsk_error_reset(); tsk_errno = TSK_ERR_IMG_UNKTYPE; snprintf(tsk_errstr, TSK_ERRSTR_L, "EWF or %s", set); return NULL; } } else { tsk_error_reset(); } #endif // if any of the non-raw formats were detected, then use it. if (img_set != NULL) return img_set; /* We'll use the raw format */ if (num_img == 1) { if ((img_info = raw_open(images[0], a_ssize)) != NULL) { return img_info; } else if (tsk_errno) { return NULL; } } else { if ((img_info = split_open(num_img, images, a_ssize)) != NULL) { return img_info; } else if (tsk_errno) { return NULL; } } /* To improve the error message, verify the file can be read. */ if (TSTAT(images[0], &stat_buf) < 0) { // special case to handle windows objects #if defined(TSK_WIN32) || defined(__CYGWIN__) if (TSTRNCMP(_TSK_T("\\\\.\\"), images[0], 4) == 0) { if (tsk_verbose) TFPRINTF(stderr, _TSK_T ("tsk_img_open: Ignoring stat error because of windows object: %s\n"), images[0]); } else { #endif tsk_error_reset(); tsk_errno = TSK_ERR_IMG_STAT; snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK " : %s", images[0], strerror(errno)); return NULL; #if defined(TSK_WIN32) || defined(__CYGWIN__) } #endif } tsk_errno = TSK_ERR_IMG_UNKTYPE; tsk_errstr[0] = '\0'; tsk_errstr2[0] = '\0'; return NULL; } /* * Type values * Make a local copy that we can modify the string as we parse it */ switch (type) { case TSK_IMG_TYPE_RAW_SING: /* If we have more than one image name, and raw was the only * type given, then use split */ if (num_img > 1) img_info = split_open(num_img, images, a_ssize); else img_info = raw_open(images[0], a_ssize); break; case TSK_IMG_TYPE_RAW_SPLIT: /* If only one image file is given, and only one type was * given then use raw */ if (num_img == 1) img_info = raw_open(images[0], a_ssize); else img_info = split_open(num_img, images, a_ssize); break; #if HAVE_LIBAFFLIB case TSK_IMG_TYPE_AFF_AFF: case TSK_IMG_TYPE_AFF_AFD: case TSK_IMG_TYPE_AFF_AFM: case TSK_IMG_TYPE_AFF_ANY: img_info = aff_open(images, a_ssize); break; #endif #if HAVE_LIBEWF case TSK_IMG_TYPE_EWF_EWF: img_info = ewf_open(num_img, images, a_ssize); break; #endif case TSK_IMG_TYPE_QEMU: img_info = qemu_open(images[0], a_ssize); break; default: tsk_error_reset(); tsk_errno = TSK_ERR_IMG_UNSUPTYPE; snprintf(tsk_errstr, TSK_ERRSTR_L, "%d", type); return NULL; } return img_info; }
int main(int argc, char** argv1) { TSK_TCHAR **argv; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_OFF_T imgaddr = 0; int ch; while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) { switch (ch) { case _TSK_T('f'): fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('v'): tsk_verbose = 1; break; default: usage(); break; } } if (argc - OPTIND != 3) { usage(); } const TSK_TCHAR* image = argv[OPTIND]; size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0); if (nthreads == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0); if (niters == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0); if (img == 0) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype); if (fs == 0) { tsk_img_close(img); tsk_error_print(stderr); exit(1); } TskThread** threads = new TskThread*[nthreads]; for (size_t i = 0; i < nthreads; ++i) { threads[i] = new MyThread(i, fs, niters); } TskThread::run(threads, nthreads); for (size_t i = 0; i < nthreads; ++i) { delete threads[i]; } delete[] threads; tsk_fs_close(fs); tsk_img_close(img); exit(0); }
/** * Open one or more files as a disk image. This serves as a * wrapper around the specific types of disk image formats. You * can specify the type or autodetection can be used. * * @param type The text a user supplied for the type of format. * Examples include "raw", "split", "aff", etc. * @param num_img The number of images that are being considered. * @param images The path to the files (the number of files must * be equal to num_img) * * @return Pointer to the Image state structure or NULL on error */ TSK_IMG_INFO * tsk_img_open(const TSK_TCHAR * type, const int num_img, const TSK_TCHAR ** images) { TSK_IMG_INFO *img_info = NULL; TSK_TCHAR *tp, *next; TSK_TCHAR type_lcl[128], *type_lcl_p; const TSK_TCHAR **img_tmp; int num_img_tmp = num_img; // Get rid of any old error messages laying around tsk_error_reset(); if ((num_img == 0) || (images[0] == NULL)) { tsk_error_reset(); tsk_errno = TSK_ERR_IMG_NOFILE; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_img_open"); tsk_errstr2[0] = '\0'; return NULL; } if (tsk_verbose) TFPRINTF(stderr, _TSK_T("tsk_img_open: Type: %s NumImg: %d Img1: %s\n"), (type ? type : _TSK_T("n/a")), num_img, images[0]); // only the first in list (lowest) layer gets the files img_tmp = images; /* If no type is given, then we use the autodetection methods * In case the image file matches the signatures of multiple formats, * we try all of the embedded formats */ if (type == NULL) { TSK_IMG_INFO *img_set = NULL; #if HAVE_LIBAFFLIB || HAVE_LIBEWF char *set = NULL; #endif struct STAT_STR stat_buf; /* First verify that the image file exists */ if (TSTAT(images[0], &stat_buf) < 0) { // special case to handle windows objects #if defined(TSK_WIN32) if ((images[0][0] == _TSK_T('\\')) && (images[0][1] == _TSK_T('\\')) && (images[0][2] == _TSK_T('.')) && (images[0][3] == _TSK_T('\\'))) { if (tsk_verbose) TFPRINTF(stderr, _TSK_T ("tsk_img_open: Ignoring stat error because of windows object: %s\n"), images[0]); } #endif /* AFFLIB supports s3 storage on Amazon, so skip those 'file' paths */ #if HAVE_LIBAFFLIB #if defined(TSK_WIN32) else #endif if (((images[0][0] == _TSK_T('s')) && (images[0][1] == _TSK_T('3')) && (images[0][2] == _TSK_T(':')) && (images[0][3] == _TSK_T('/')) && (images[0][4] == _TSK_T('/'))) || ((images[0][0] == _TSK_T('h')) && (images[0][1] == _TSK_T('t')) && (images[0][2] == _TSK_T('t')) && (images[0][3] == _TSK_T('p')) && (images[0][4] == _TSK_T(':')) && (images[0][5] == _TSK_T('/')) && (images[0][6] == _TSK_T('/')))) { if (tsk_verbose) TFPRINTF(stderr, _TSK_T ("tsk_img_open: Ignoring stat error because of s3/http object: %s\n"), images[0]); } #endif #if HAVE_LIBAFFLIB || defined(TSK_WIN32) else { #endif tsk_error_reset(); tsk_errno = TSK_ERR_IMG_STAT; snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK " : %s", images[0], strerror(errno)); return NULL; #if HAVE_LIBAFFLIB || defined(TSK_WIN32) } #endif } // we rely on tsk_errno, so make sure it is 0 tsk_error_reset(); /* Try the non-raw formats first */ #if HAVE_LIBAFFLIB if ((img_info = aff_open(images, NULL)) != NULL) { set = "AFF"; img_set = img_info; } else { tsk_error_reset(); } #endif #if HAVE_LIBEWF if ((img_info = ewf_open(num_img, images, NULL)) != NULL) { if (set == NULL) { set = "EWF"; img_set = img_info; } else { img_set->close(img_set); img_info->close(img_info); tsk_error_reset(); tsk_errno = TSK_ERR_IMG_UNKTYPE; snprintf(tsk_errstr, TSK_ERRSTR_L, "EWF or %s", set); return NULL; } } else { tsk_error_reset(); } #endif if (img_set != NULL) return img_set; /* We'll use the raw format */ if (num_img == 1) { if ((img_info = raw_open(images, NULL)) != NULL) { return img_info; } else if (tsk_errno) { return NULL; } } else { if ((img_info = split_open(num_img, images, NULL)) != NULL) { return img_info; } else if (tsk_errno) { return NULL; } } tsk_errno = TSK_ERR_IMG_UNKTYPE; tsk_errstr[0] = '\0'; tsk_errstr2[0] = '\0'; return NULL; } /* * Type values * Make a local copy that we can modify the string as we parse it */ TSTRNCPY(type_lcl, type, 128); type_lcl_p = type_lcl; /* We parse this and go up in the layers */ tp = TSTRTOK(type_lcl, _TSK_T(",")); while (tp != NULL) { uint8_t imgtype; next = TSTRTOK(NULL, _TSK_T(",")); imgtype = tsk_img_parse_type(type); switch (imgtype) { case TSK_IMG_INFO_TYPE_RAW_SING: /* If we have more than one image name, and raw was the only * type given, then use split */ if ((num_img > 1) && (next == NULL) && (img_tmp != NULL)) { img_info = split_open(num_img_tmp, img_tmp, img_info); num_img_tmp = 0; } else { img_info = raw_open(img_tmp, img_info); } img_tmp = NULL; break; case TSK_IMG_INFO_TYPE_RAW_SPLIT: /* If only one image file is given, and only one type was * given then use raw */ if ((num_img == 1) && (next == NULL) && (img_tmp != NULL)) { img_info = raw_open(img_tmp, img_info); } else { img_info = split_open(num_img_tmp, img_tmp, img_info); num_img_tmp = 0; } img_tmp = NULL; break; #if HAVE_LIBAFFLIB case TSK_IMG_INFO_TYPE_AFF_AFF: case TSK_IMG_INFO_TYPE_AFF_AFD: case TSK_IMG_INFO_TYPE_AFF_AFM: img_info = aff_open(img_tmp, img_info); break; #endif #if HAVE_LIBEWF case TSK_IMG_INFO_TYPE_EWF_EWF: img_info = ewf_open(num_img_tmp, img_tmp, img_info); break; #endif default: tsk_error_reset(); tsk_errno = TSK_ERR_IMG_UNSUPTYPE; snprintf(tsk_errstr, TSK_ERRSTR_L, "%" PRIttocTSK, tp); return NULL; } /* Advance the pointer */ tp = next; } /* Return the highest layer */ return img_info; }