/* Tries to recover records
* Returns 1 if successful or -1 on error
*/
int libevt_io_handle_recover_records(
libevt_io_handle_t *io_handle,
libbfio_handle_t *file_io_handle,
uint32_t first_record_offset,
uint32_t end_of_file_record_offset,
off64_t last_record_offset,
libfdata_list_t *records_list,
libfdata_list_t *recovered_records_list,
libcerror_error_t **error )
{
static char *function = "libevt_io_handle_recover_records";
int result = 0;
if( io_handle == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid IO handle.",
function );
return( -1 );
}
if( last_record_offset == (off64_t) first_record_offset )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: no records found at specified offsets scanning for end-of-file record.\n",
function );
}
#endif
io_handle->flags |= LIBEVT_IO_HANDLE_FLAG_IS_CORRUPTED;
result = libevt_io_handle_end_of_file_record_scan(
io_handle,
file_io_handle,
&first_record_offset,
&end_of_file_record_offset,
error );
if( result == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to scan for end of file record.",
function );
return( -1 );
}
else if( result != 0 )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: end-of-file record found at offset: 0x%08" PRIx64 ".\n",
function,
end_of_file_record_offset );
}
#endif
result = libevt_io_handle_read_records(
io_handle,
file_io_handle,
first_record_offset,
end_of_file_record_offset,
records_list,
&last_record_offset,
error );
if( result != 1 )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcerror_error_free(
error );
}
}
#endif
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read records.",
function );
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcnotify_print_error_backtrace(
*error );
}
}
#endif
libcerror_error_free(
error );
}
}
else
{
first_record_offset = (uint32_t) sizeof( evt_file_header_t );
last_record_offset = (off64_t) sizeof( evt_file_header_t );
}
}
if( io_handle->has_wrapped == 0 )
{
if( first_record_offset > (uint32_t) sizeof( evt_file_header_t ) )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: scanning unused space before records at offset: 0x%08" PRIzd " - 0x%08" PRIx32 "\n",
function,
sizeof( evt_file_header_t ),
first_record_offset );
}
#endif
if( libevt_io_handle_event_record_scan(
io_handle,
file_io_handle,
(off64_t) sizeof( evt_file_header_t ),
(size64_t) ( first_record_offset - sizeof( evt_file_header_t ) ),
recovered_records_list,
error ) != 1 )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcerror_error_free(
error );
}
}
#endif
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to scan for event records.",
function );
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcnotify_print_error_backtrace(
*error );
}
}
#endif
libcerror_error_free(
error );
}
}
if( last_record_offset < (off64_t) io_handle->file_size )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( last_record_offset > (off64_t) sizeof( evt_file_header_t ) )
{
libcnotify_printf(
"%s: scanning unused space after records at offset: 0x%08" PRIx64 " - 0x%08" PRIx64 "\n",
function,
last_record_offset,
io_handle->file_size );
}
else
{
libcnotify_printf(
"%s: scanning unused space after header at offset: 0x%08" PRIx64 " - 0x%08" PRIx64 "\n",
function,
last_record_offset,
io_handle->file_size );
}
}
#endif
if( libevt_io_handle_event_record_scan(
io_handle,
file_io_handle,
last_record_offset,
io_handle->file_size - last_record_offset,
recovered_records_list,
error ) != 1 )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcerror_error_free(
error );
}
}
#endif
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to scan for event records.",
function );
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcnotify_print_error_backtrace(
*error );
}
}
#endif
libcerror_error_free(
error );
}
}
}
else
{
if( last_record_offset < (off64_t) first_record_offset )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: scanning unused space between records at offset: 0x%08" PRIx64 " - 0x%08" PRIx32 "\n",
function,
last_record_offset,
first_record_offset );
}
#endif
if( libevt_io_handle_event_record_scan(
io_handle,
file_io_handle,
last_record_offset,
(size64_t) first_record_offset - last_record_offset,
recovered_records_list,
error ) != 1 )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcerror_error_free(
error );
}
}
#endif
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to scan for event records.",
function );
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcnotify_print_error_backtrace(
*error );
}
}
#endif
libcerror_error_free(
error );
}
}
}
return( 1 );
}
/* Opens a file for reading
* Returns 1 if successful or -1 on error
*/
int libevt_file_open_read(
libevt_internal_file_t *internal_file,
libcerror_error_t **error )
{
static char *function = "libevt_file_open_read";
off64_t last_record_offset = 0;
uint32_t end_of_file_record_offset = 0;
uint32_t first_record_offset = 0;
int result_record_read = 0;
int result_record_recovery = 0;
if( internal_file == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid internal file.",
function );
return( -1 );
}
if( internal_file->io_handle == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
"%s: invalid internal file - missing IO handle.",
function );
return( -1 );
}
if( internal_file->io_handle->abort != 0 )
{
internal_file->io_handle->abort = 0;
}
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"Reading file header:\n" );
}
#endif
if( libevt_io_handle_read_file_header(
internal_file->io_handle,
internal_file->file_io_handle,
&first_record_offset,
&end_of_file_record_offset,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read file header.",
function );
return( -1 );
}
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"Reading records:\n" );
}
#endif
result_record_read = libevt_io_handle_read_records(
internal_file->io_handle,
internal_file->file_io_handle,
first_record_offset,
end_of_file_record_offset,
internal_file->records_list,
&last_record_offset,
error );
if( result_record_read != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read records.",
function );
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcnotify_print_error_backtrace(
*error );
}
}
#endif
}
if( internal_file->io_handle->abort == 0 )
{
result_record_recovery = libevt_io_handle_recover_records(
internal_file->io_handle,
internal_file->file_io_handle,
first_record_offset,
end_of_file_record_offset,
last_record_offset,
internal_file->records_list,
internal_file->recovered_records_list,
error );
if( result_record_recovery != 1 )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( result_record_read != 1 )
{
libcerror_error_free(
error );
}
#endif
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to recover records.",
function );
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcnotify_print_error_backtrace(
*error );
}
}
#endif
}
}
if( ( result_record_read != 1 )
&& ( result_record_recovery != 1 ) )
{
return( -1 );
}
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcerror_error_free(
error );
}
if( internal_file->io_handle->abort != 0 )
{
internal_file->io_handle->abort = 0;
}
return( 1 );
}
