Esempio n. 1
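/**
 * Runs excludeFile() on every regular file directly inside `path` whose
 * name contains `fn_contains`. Sub-directories are not descended.
 *
 * `path`        directory to scan; one trailing backslash is tolerated.
 * `fn_contains` substring that must appear in the file name. It is spliced
 *               verbatim into a FindFirstFileW pattern ("*<fn_contains>*"),
 *               so any '*' or '?' in it act as wildcards and a '\\' would
 *               change which directory is searched. Callers must pass a
 *               plain substring, never untrusted text.
 *
 * Returns false if the directory could not be enumerated (logged at LL_DEBUG
 * together with GetLastError(); note that "nothing matched" also makes
 * FindFirstFileW fail, so it yields false as well) or if excludeFile()
 * returned false for at least one file. Returns true otherwise.
 */
bool FSNTFSWIN::excludeFiles( const std::string& path, const std::string& fn_contains )
{
	std::wstring tpath=Server->ConvertToWchar(path);
	// Strip one trailing separator so the pattern below reads "<dir>\*...*".
	// Measure the converted string, not `path`: the wide and narrow lengths
	// differ for non-ASCII names, and erasing at path.size()-1 past the end
	// of tpath throws std::out_of_range.
	if(!tpath.empty() && tpath[tpath.size()-1]==L'\\' ) tpath.erase(tpath.size()-1, 1);

	WIN32_FIND_DATAW wfd;
	HANDLE fHandle=FindFirstFileW((tpath+L"\\*"+Server->ConvertToWchar(fn_contains)+L"*").c_str(),&wfd);

	if(fHandle==INVALID_HANDLE_VALUE)
	{
		Server->Log("Error opening find handle to "+path+" err: "+convert((int)GetLastError()), LL_DEBUG);
		return false;
	}

	bool ret=true;
	do
	{
		std::string name = Server->ConvertFromWchar(wfd.cFileName);
		if(name=="." || name==".." )
			continue;

		// Only plain files are excluded; directories (and whatever they
		// contain) are left untouched.
		if(!(wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
		{
			if(!excludeFile(Server->ConvertFromWchar(tpath+L"\\"+wfd.cFileName)))
			{
				ret=false;
			}
		}
	}
	// A FindNextFileW error other than running out of entries is not
	// distinguished from the end of the listing here.
	while (FindNextFileW(fHandle,&wfd) );
	// Every successful FindFirstFileW must be paired with FindClose, also
	// when excludeFile() failed part-way through.
	FindClose(fHandle);

	return ret;
}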
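/**
 * Runs every module of the pipeline over `file`, in order.
 *
 * The file is skipped (status ANALYSIS_SKIPPED) when excludeFile() matches
 * it, and left untouched unless its status is READY_FOR_ANALYSIS. While the
 * modules run the status is ANALYSIS_IN_PROGRESS; afterwards it becomes
 * ANALYSIS_COMPLETE unless a module already set something else. Each
 * module's result is recorded through imgDB.setModuleStatus(), and a module
 * returning STOP ends the loop early.
 *
 * If the file's content is not on disk it is written out with saveFile()
 * first (modules that run external executables need a real path) and
 * removed again afterwards - also when a module throws, so content
 * extracted from the image does not outlive a failed run. Content that a
 * module itself wrote to disk is not cleaned up by this version.
 *
 * Throws TskNullPointerException for a NULL `file`. Any std::exception
 * raised while processing is logged, the file is marked ANALYSIS_FAILED in
 * the image DB, and the exception is rethrown to the caller.
 */
void TskFileAnalysisPipeline::run(TskFile* file)
{
    if (file == NULL)
    {
        LOGERROR(L"TskFileAnalysisPipeline::run - Passed NULL file pointer.");
        throw TskNullPointerException();
    }

    TskImgDB& imgDB = TskServices::Instance().getImgDB();

    // Declared outside the try so the catch block knows whether we own an
    // on-disk copy that still has to be removed.
    bool bCreated = false;

    try
    {
        // Excluded files and files not ready for analysis are not processed.
        if (excludeFile(file))
        {
            file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_SKIPPED);
            return;
        }

        if (file->status() != TskImgDB::IMGDB_FILES_STATUS_READY_FOR_ANALYSIS)
            return;

        file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS);

        // Modules may need the content as a real file on disk; materialise
        // it only if it is not already there, and remember that we did.
        if (!file->exists())
        {
            TskFileManagerImpl::instance().saveFile(file);
            bCreated = true;
        }

        for (size_t i = 0; i < m_modules.size(); ++i)
        {
            TskModule::Status status = m_modules[i]->run(file);

            imgDB.setModuleStatus(file->id(), m_modules[i]->getModuleId(), (int)status);

            // A module may ask for the remaining modules to be skipped.
            if (status == TskModule::STOP)
                break;
        }

        // Remove the copy we created above. bCreated stays true if the
        // deletion throws, so the catch block retries it once.
        if (bCreated)
        {
            TskFileManagerImpl::instance().deleteFile(file);
            bCreated = false;
        }

        // Modules are allowed to set the file status themselves; only
        // finalise it when none of them did.
        if (file->status() == TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS)
            file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_COMPLETE);
    }
    catch (const std::exception& ex)
    {
        std::wstringstream msg;
        msg << L"TskFileAnalysisPipeline::run - Error while processing file id (" << file->id()
            << L") : " << ex.what();
        LOGERROR(msg.str());
        imgDB.updateFileStatus(file->id(), TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_FAILED);

        // Do not leave the on-disk copy behind on a failed run. Best effort:
        // a failure here must not mask the exception being rethrown.
        if (bCreated)
        {
            try
            {
                TskFileManagerImpl::instance().deleteFile(file);
            }
            catch (const std::exception& delEx)
            {
                std::wstringstream delMsg;
                delMsg << L"TskFileAnalysisPipeline::run - Could not delete on-disk copy of file id ("
                       << file->id() << L") : " << delEx.what();
                LOGERROR(delMsg.str());
            }
        }

        // Rethrow the original exception
        throw;
    }
}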
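// Removes the on-disk copy of `file` if one exists and it is ours to remove.
// Carved and derived files are kept: their content is typically produced by
// external tools and is not a temporary copy of image content. Shared by the
// normal path and the error path of TskFileAnalysisPipeline::run().
static void deleteMaterializedContent(TskFile* file)
{
    if (file->getTypeId() != TskImgDB::IMGDB_FILES_TYPE_CARVED &&
        file->getTypeId() != TskImgDB::IMGDB_FILES_TYPE_DERIVED &&
        file->exists())
    {
        TskFileManagerImpl::instance().deleteFile(file);
    }
}

/**
 * Runs every module of the pipeline over `file`, in order.
 *
 * Returns immediately when the pipeline has no modules. The file is skipped
 * (status ANALYSIS_SKIPPED) when excludeFile() matches it, and left
 * untouched unless its status is READY_FOR_ANALYSIS; both cases are logged
 * at info level. While the modules run the status is ANALYSIS_IN_PROGRESS.
 * Afterwards, unless a module already set a status of its own, it becomes
 * ANALYSIS_FAILED if any module returned FAIL and ANALYSIS_COMPLETE
 * otherwise. A module returning STOP ends the loop early. Each module's
 * result and wall-clock time are recorded (setModuleStatus,
 * updateModuleExecutionTime).
 *
 * When the pipeline contains an executable module the content is written
 * to disk with saveFile() if it is not already there. Any non-carved,
 * non-derived content that exists on disk after the run - whether written
 * by us or by a module - is deleted again, also when a module throws, so
 * content extracted from the image does not outlive the run.
 *
 * Throws TskNullPointerException for a NULL `file`. Any std::exception
 * raised while processing is logged, the file is marked ANALYSIS_FAILED in
 * the image DB, and the exception is rethrown to the caller.
 */
void TskFileAnalysisPipeline::run(TskFile* file)
{
    const std::string MSG_PREFIX = "TskFileAnalysisPipeline::run : ";

    if (m_modules.empty())
        return;

    if (file == NULL)
    {
        LOGERROR(MSG_PREFIX + "passed NULL file pointer");
        throw TskNullPointerException();
    }

    TskImgDB& imgDB = TskServices::Instance().getImgDB();

    try
    {
        // Excluded files and files not ready for analysis are not processed.
        if (excludeFile(file))
        {
            std::stringstream msg;
            msg << MSG_PREFIX << "skipping file (excluded) "  << file->getName() << "(" << file->getId() << ")";
            LOGINFO(msg.str());
            file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_SKIPPED);
            return;
        }

        if (file->getStatus() != TskImgDB::IMGDB_FILES_STATUS_READY_FOR_ANALYSIS) 
        {
            std::stringstream msg;
            msg << MSG_PREFIX << "skipping file (not ready) " << file->getName() << "(" << file->getId() << ")";
            LOGINFO(msg.str());
            return;
        }

        file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS);
        std::stringstream msg;
        msg << MSG_PREFIX <<  "analyzing " << file->getName() << "(" << file->getId() << ")";
        LOGINFO(msg.str());

        // An executable module needs the content as a real file on disk.
        if (m_hasExeModule && !file->exists())
        {
            TskFileManagerImpl::instance().saveFile(file);
        }

        bool bModuleFailed = false;

        Poco::Stopwatch stopWatch;
        for (size_t i = 0; i < m_modules.size(); ++i)
        {
            // A module may have closed the file; there is no way to tell,
            // so always reopen and rewind it before the next module.
            file->open();
            file->seek(0);

            stopWatch.restart();
            TskModule::Status status = m_modules[i]->run(file);
            stopWatch.stop();            
            updateModuleExecutionTime(m_modules[i]->getModuleId(), stopWatch.elapsed());
            
            imgDB.setModuleStatus(file->getId(), m_modules[i]->getModuleId(), (int)status);

            // A failing module does not stop the pipeline; it is reflected
            // in the file status once every module has run.
            if (status == TskModule::FAIL)
                bModuleFailed = true;

            // A module may ask for the remaining modules to be skipped.
            else if (status == TskModule::STOP)
                break;
        }

        // Remove content that we, or a module, put on disk for this run.
        deleteMaterializedContent(file);

        // Modules are allowed to set the file status themselves; only
        // finalise it when none of them did.
        if (file->getStatus() == TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS)
        {
            if (bModuleFailed)
            {
                file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_FAILED);
            }
            else
            {
                file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_COMPLETE);
            }
        }
    }
    catch (const std::exception& ex)
    {
        std::stringstream msg;
        msg << MSG_PREFIX << "error while processing file id (" << file->getId() << ") : " << ex.what();
        LOGERROR(msg.str());
        imgDB.updateFileStatus(file->getId(), TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_FAILED);

        // Do not leave materialised content behind on a failed run. Best
        // effort: a failure here must not mask the exception being rethrown.
        try
        {
            deleteMaterializedContent(file);
        }
        catch (const std::exception& delEx)
        {
            std::stringstream delMsg;
            delMsg << MSG_PREFIX << "could not delete on-disk content of file id (" << file->getId() << ") : " << delEx.what();
            LOGERROR(delMsg.str());
        }

        // Rethrow the original exception
        throw;
    }
}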