/* Tries to recover records * Returns 1 if successful or -1 on error */ int libevt_io_handle_recover_records( libevt_io_handle_t *io_handle, libbfio_handle_t *file_io_handle, uint32_t first_record_offset, uint32_t end_of_file_record_offset, off64_t last_record_offset, libfdata_list_t *records_list, libfdata_list_t *recovered_records_list, libcerror_error_t **error ) { static char *function = "libevt_io_handle_recover_records"; int result = 0; if( io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid IO handle.", function ); return( -1 ); } if( last_record_offset == (off64_t) first_record_offset ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: no records found at specified offsets scanning for end-of-file record.\n", function ); } #endif io_handle->flags |= LIBEVT_IO_HANDLE_FLAG_IS_CORRUPTED; result = libevt_io_handle_end_of_file_record_scan( io_handle, file_io_handle, &first_record_offset, &end_of_file_record_offset, error ); if( result == -1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to scan for end of file record.", function ); return( -1 ); } else if( result != 0 ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: end-of-file record found at offset: 0x%08" PRIx64 ".\n", function, end_of_file_record_offset ); } #endif result = libevt_io_handle_read_records( io_handle, file_io_handle, first_record_offset, end_of_file_record_offset, records_list, &last_record_offset, error ); if( result != 1 ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcerror_error_free( error ); } } #endif libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to read records.", function ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcnotify_print_error_backtrace( *error ); } } #endif libcerror_error_free( error ); } } else { first_record_offset = (uint32_t) sizeof( evt_file_header_t ); last_record_offset = (off64_t) sizeof( evt_file_header_t ); } } if( io_handle->has_wrapped == 0 ) { if( first_record_offset > (uint32_t) sizeof( evt_file_header_t ) ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: scanning unused space before records at offset: 0x%08" PRIzd " - 0x%08" PRIx32 "\n", function, sizeof( evt_file_header_t ), first_record_offset ); } #endif if( libevt_io_handle_event_record_scan( io_handle, file_io_handle, (off64_t) sizeof( evt_file_header_t ), (size64_t) ( first_record_offset - sizeof( evt_file_header_t ) ), recovered_records_list, error ) != 1 ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcerror_error_free( error ); } } #endif libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to scan for event records.", function ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcnotify_print_error_backtrace( *error ); } } #endif libcerror_error_free( error ); } } if( last_record_offset < (off64_t) io_handle->file_size ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( last_record_offset > (off64_t) sizeof( evt_file_header_t ) ) { libcnotify_printf( "%s: scanning unused space after records at offset: 0x%08" PRIx64 " - 0x%08" PRIx64 "\n", function, last_record_offset, io_handle->file_size ); } else { libcnotify_printf( "%s: scanning unused space after header at offset: 0x%08" PRIx64 " - 0x%08" PRIx64 "\n", function, last_record_offset, io_handle->file_size ); } } #endif if( libevt_io_handle_event_record_scan( io_handle, file_io_handle, last_record_offset, io_handle->file_size - last_record_offset, recovered_records_list, error ) != 1 ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcerror_error_free( error ); } } #endif libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to scan for event records.", function ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcnotify_print_error_backtrace( *error ); } } #endif libcerror_error_free( error ); } } } else { if( last_record_offset < (off64_t) first_record_offset ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "%s: scanning unused space between records at offset: 0x%08" PRIx64 " - 0x%08" PRIx32 "\n", function, last_record_offset, first_record_offset ); } #endif if( libevt_io_handle_event_record_scan( io_handle, file_io_handle, last_record_offset, (size64_t) first_record_offset - last_record_offset, recovered_records_list, error ) != 1 ) { #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcerror_error_free( error ); } } #endif libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to scan for event records.", function ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcnotify_print_error_backtrace( *error ); } } #endif libcerror_error_free( error ); } } } return( 1 ); }
/* Opens a file for reading * Returns 1 if successful or -1 on error */ int libevt_file_open_read( libevt_internal_file_t *internal_file, libcerror_error_t **error ) { static char *function = "libevt_file_open_read"; off64_t last_record_offset = 0; uint32_t end_of_file_record_offset = 0; uint32_t first_record_offset = 0; int result_record_read = 0; int result_record_recovery = 0; if( internal_file == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_ARGUMENTS, LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE, "%s: invalid internal file.", function ); return( -1 ); } if( internal_file->io_handle == NULL ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_RUNTIME, LIBCERROR_RUNTIME_ERROR_VALUE_MISSING, "%s: invalid internal file - missing IO handle.", function ); return( -1 ); } if( internal_file->io_handle->abort != 0 ) { internal_file->io_handle->abort = 0; } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "Reading file header:\n" ); } #endif if( libevt_io_handle_read_file_header( internal_file->io_handle, internal_file->file_io_handle, &first_record_offset, &end_of_file_record_offset, error ) != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to read file header.", function ); return( -1 ); } #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { libcnotify_printf( "Reading records:\n" ); } #endif result_record_read = libevt_io_handle_read_records( internal_file->io_handle, internal_file->file_io_handle, first_record_offset, end_of_file_record_offset, internal_file->records_list, &last_record_offset, error ); if( result_record_read != 1 ) { libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to read records.", function ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcnotify_print_error_backtrace( *error ); } } #endif } if( internal_file->io_handle->abort == 0 ) { result_record_recovery = libevt_io_handle_recover_records( internal_file->io_handle, internal_file->file_io_handle, first_record_offset, end_of_file_record_offset, last_record_offset, internal_file->records_list, internal_file->recovered_records_list, error ); if( result_record_recovery != 1 ) { #if defined( HAVE_DEBUG_OUTPUT ) if( result_record_read != 1 ) { libcerror_error_free( error ); } #endif libcerror_error_set( error, LIBCERROR_ERROR_DOMAIN_IO, LIBCERROR_IO_ERROR_READ_FAILED, "%s: unable to recover records.", function ); #if defined( HAVE_DEBUG_OUTPUT ) if( libcnotify_verbose != 0 ) { if( ( error != NULL ) && ( *error != NULL ) ) { libcnotify_print_error_backtrace( *error ); } } #endif } } if( ( result_record_read != 1 ) && ( result_record_recovery != 1 ) ) { return( -1 ); } if( ( error != NULL ) && ( *error != NULL ) ) { libcerror_error_free( error ); } if( internal_file->io_handle->abort != 0 ) { internal_file->io_handle->abort = 0; } return( 1 ); }