/* Scans for the event record and adds them to the recovered records array
* Returns 1 if successful, 0 if not or -1 on error
*/
int libevt_io_handle_event_record_scan(
libevt_io_handle_t *io_handle,
libbfio_handle_t *file_io_handle,
off64_t file_offset,
size64_t size,
libfdata_list_t *recovered_records_list,
libcerror_error_t **error )
{
libevt_record_values_t *record_values = NULL;
uint8_t *scan_block = NULL;
static char *function = "libevt_io_handle_event_record_scan";
off64_t record_offset = 0;
size_t read_size = 0;
size_t scan_block_offset = 0;
size_t scan_block_size = 8192;
ssize_t read_count = 0;
int element_index = 0;
if( io_handle == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid IO handle.",
function );
return( -1 );
}
if( file_offset < 0 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_VALUE_LESS_THAN_ZERO,
"%s: invalid file offset value less than zero.",
function );
return( -1 );
}
if( size > (off64_t) INT64_MAX )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_VALUE_EXCEEDS_MAXIMUM,
"%s: invalid size value exceeds maximum.",
function );
return( -1 );
}
scan_block = (uint8_t *) memory_allocate(
sizeof( uint8_t ) * scan_block_size );
if( scan_block == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_MEMORY,
LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
"%s: unable to create scan block.",
function );
goto on_error;
}
while( size > 0 )
{
if( libbfio_handle_seek_offset(
file_io_handle,
file_offset,
SEEK_SET,
error ) == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_SEEK_FAILED,
"%s: unable to seek scan block offset: %" PRIi64 ".",
function,
file_offset );
goto on_error;
}
if( scan_block_size > size )
{
read_size = (size_t) size;
}
else
{
read_size = scan_block_size;
}
read_count = libbfio_handle_read_buffer(
file_io_handle,
scan_block,
read_size,
error );
if( read_count != (ssize_t) read_size )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read scan block at offset: %" PRIi64 ".",
function,
file_offset );
goto on_error;
}
scan_block_offset = 0;
while( scan_block_offset < read_size )
{
if( memory_compare(
&( scan_block[ scan_block_offset ] ),
evt_file_signature,
4 ) != 0 )
{
scan_block_offset += 4;
continue;
}
record_offset = file_offset + scan_block_offset - 4;
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: reading recovered record at offset: %" PRIi64 " (0x%08" PRIx64 ")\n",
function,
record_offset,
record_offset );
}
#endif
if( libbfio_handle_seek_offset(
file_io_handle,
record_offset,
SEEK_SET,
error ) == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_SEEK_FAILED,
"%s: unable to seek record offset: %" PRIi64 ".",
function,
record_offset );
goto on_error;
}
if( record_values == NULL )
{
if( libevt_record_values_initialize(
&record_values,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create record values.",
function );
goto on_error;
}
}
read_count = libevt_record_values_read(
record_values,
file_io_handle,
io_handle,
&record_offset,
0,
error );
if( read_count == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read record at offset: %" PRIi64 ".",
function,
record_offset );
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( ( error != NULL )
&& ( *error != NULL ) )
{
libcnotify_print_error_backtrace(
*error );
}
}
#endif
libcerror_error_free(
error );
scan_block_offset += 4;
continue;
}
if( record_values->type == LIBEVT_RECORD_TYPE_EVENT )
{
if( libfdata_list_append_element(
recovered_records_list,
&element_index,
0,
file_offset + scan_block_offset - 4,
(size64_t) read_count,
0,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
"%s: unable to append recovered record to records list.",
function );
goto on_error;
}
}
if( libevt_record_values_free(
&record_values,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free record values.",
function );
goto on_error;
}
scan_block_offset += read_count - 4;
if( ( scan_block_offset + read_count - 4 ) > read_size )
{
break;
}
}
file_offset += scan_block_offset;
size -= scan_block_offset;
}
if( record_values != NULL )
{
if( libevt_record_values_free(
&record_values,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free record values.",
function );
goto on_error;
}
}
memory_free(
scan_block );
scan_block = NULL;
return( 1 );
on_error:
if( record_values != NULL )
{
libevt_record_values_free(
&record_values,
NULL );
}
if( scan_block != NULL )
{
memory_free(
scan_block );
}
return( -1 );
}
/* Opens a file for reading
* Returns 1 if successful or -1 on error
*/
int libevtx_file_open_read(
libevtx_internal_file_t *internal_file,
libbfio_handle_t *file_io_handle,
libcerror_error_t **error )
{
libevtx_chunk_t *chunk = NULL;
libevtx_record_values_t *record_values = NULL;
libevtx_chunks_table_t *chunks_table = NULL;
static char *function = "libevtx_file_open_read";
off64_t file_offset = 0;
size64_t file_size = 0;
uint16_t chunk_index = 0;
uint16_t number_of_chunks = 0;
uint16_t number_of_records = 0;
uint16_t record_index = 0;
int element_index = 0;
int result = 0;
int segment_index = 0;
#if defined( HAVE_VERBOSE_OUTPUT )
uint64_t previous_record_identifier = 0;
#endif
#if defined( HAVE_DEBUG_OUTPUT )
uint8_t *trailing_data = NULL;
size_t trailing_data_size = 0;
ssize_t read_count = 0;
#endif
if( internal_file == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid file.",
function );
return( -1 );
}
if( internal_file->io_handle == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
"%s: invalid file - missing IO handle.",
function );
return( -1 );
}
if( internal_file->chunks_vector != NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
"%s: invalid file - chunks vector already set.",
function );
return( -1 );
}
if( internal_file->chunks_cache != NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
"%s: invalid file - chunks cache already set.",
function );
return( -1 );
}
if( internal_file->records_list != NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
"%s: invalid file - records list already set.",
function );
return( -1 );
}
if( internal_file->recovered_records_list != NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
"%s: invalid file - recovered records list already set.",
function );
return( -1 );
}
if( internal_file->records_cache != NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_ALREADY_SET,
"%s: invalid file - records cache already set.",
function );
return( -1 );
}
if( libbfio_handle_get_size(
file_io_handle,
&file_size,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve file size.",
function );
goto on_error;
}
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"Reading file header:\n" );
}
#endif
if( libevtx_io_handle_read_file_header(
internal_file->io_handle,
file_io_handle,
0,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read file header.",
function );
goto on_error;
}
internal_file->io_handle->chunks_data_size = file_size
- internal_file->io_handle->chunks_data_offset;
/* TODO clone function ? */
if( libfdata_vector_initialize(
&( internal_file->chunks_vector ),
(size64_t) internal_file->io_handle->chunk_size,
(intptr_t *) internal_file->io_handle,
NULL,
NULL,
(int (*)(intptr_t *, intptr_t *, libfdata_vector_t *, libfcache_cache_t *, int, int, off64_t, size64_t, uint32_t, uint8_t, libcerror_error_t **)) &libevtx_io_handle_read_chunk,
NULL,
LIBFDATA_DATA_HANDLE_FLAG_NON_MANAGED,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create chunks vector.",
function );
goto on_error;
}
if( libfdata_vector_append_segment(
internal_file->chunks_vector,
&segment_index,
0,
internal_file->io_handle->chunks_data_offset,
internal_file->io_handle->chunks_data_size,
0,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
"%s: unable to append segment to chunks vector.",
function );
goto on_error;
}
if( libfcache_cache_initialize(
&( internal_file->chunks_cache ),
LIBEVTX_MAXIMUM_CACHE_ENTRIES_CHUNKS,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create chunks cache.",
function );
goto on_error;
}
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"Reading chunks:\n" );
}
#endif
if( libevtx_chunks_table_initialize(
&chunks_table,
internal_file->io_handle,
internal_file->chunks_vector,
internal_file->chunks_cache,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create chunks table.",
function );
goto on_error;
}
/* TODO clone function ? */
if( libfdata_list_initialize(
&( internal_file->records_list ),
(intptr_t *) chunks_table,
(int (*)(intptr_t **, libcerror_error_t **)) &libevtx_chunks_table_free,
NULL,
(int (*)(intptr_t *, intptr_t *, libfdata_list_element_t *, libfcache_cache_t *, int, off64_t, size64_t, uint32_t, uint8_t, libcerror_error_t **)) &libevtx_chunks_table_read_record,
NULL,
LIBFDATA_DATA_HANDLE_FLAG_MANAGED,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create records list.",
function );
goto on_error;
}
/* The chunks_table is managed by the list */
if( libfdata_list_initialize(
&( internal_file->recovered_records_list ),
(intptr_t *) chunks_table,
NULL,
NULL,
(int (*)(intptr_t *, intptr_t *, libfdata_list_element_t *, libfcache_cache_t *, int, off64_t, size64_t, uint32_t, uint8_t, libcerror_error_t **)) &libevtx_chunks_table_read_record,
NULL,
LIBFDATA_DATA_HANDLE_FLAG_NON_MANAGED,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create recovered records list.",
function );
chunks_table = NULL;
goto on_error;
}
chunks_table = NULL;
if( libfcache_cache_initialize(
&( internal_file->records_cache ),
LIBEVTX_MAXIMUM_CACHE_ENTRIES_RECORDS,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create records cache.",
function );
goto on_error;
}
file_offset = internal_file->io_handle->chunks_data_offset;
while( ( file_offset + internal_file->io_handle->chunk_size ) <= (off64_t) file_size )
{
if( libevtx_chunk_initialize(
&chunk,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create chunk: %" PRIu16 ".",
function,
chunk_index );
goto on_error;
}
result = libevtx_chunk_read(
chunk,
internal_file->io_handle,
file_io_handle,
file_offset,
error );
if( result == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read chunk: %" PRIu16 ".",
function,
chunk_index );
goto on_error;
}
else if( result == 0 )
{
if( chunk_index < internal_file->io_handle->number_of_chunks )
{
#if defined( HAVE_VERBOSE_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: corruption detected in chunk: %" PRIu16 ".\n",
function,
chunk_index );
}
#endif
internal_file->io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED;
}
}
else
{
if( ( chunk->flags & LIBEVTX_CHUNK_FLAG_IS_CORRUPTED ) != 0 )
{
#if defined( HAVE_VERBOSE_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: corruption detected in chunk: %" PRIu16 ".\n",
function,
chunk_index );
}
#endif
if( chunk_index < internal_file->io_handle->number_of_chunks )
{
internal_file->io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED;
}
}
if( ( chunk_index < internal_file->io_handle->number_of_chunks )
|| ( ( chunk->flags & LIBEVTX_CHUNK_FLAG_IS_CORRUPTED ) == 0 ) )
{
number_of_chunks++;
}
if( libevtx_chunk_get_number_of_records(
chunk,
&number_of_records,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve chunk: %" PRIu16 " number of records.",
function,
chunk_index );
goto on_error;
}
for( record_index = 0;
record_index < number_of_records;
record_index++ )
{
if( libevtx_chunk_get_record(
chunk,
record_index,
&record_values,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve chunk: %" PRIu16 " record: %" PRIu16 ".",
function,
chunk_index,
record_index );
goto on_error;
}
if( record_values == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
"%s: missing chunk: %" PRIu16 " record: %" PRIu16 ".",
function,
chunk_index,
record_index );
goto on_error;
}
if( record_values->identifier < internal_file->io_handle->first_record_identifier )
{
internal_file->io_handle->first_record_identifier = record_values->identifier;
}
if( record_values->identifier > internal_file->io_handle->last_record_identifier )
{
internal_file->io_handle->last_record_identifier = record_values->identifier;
}
#if defined( HAVE_VERBOSE_OUTPUT )
if( ( chunk_index == 0 )
&& ( record_index == 0 ) )
{
previous_record_identifier = record_values->identifier;
}
else
{
previous_record_identifier++;
if( record_values->identifier != previous_record_identifier )
{
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: detected gap in record identifier ( %" PRIu64 " != %" PRIu64 " ).\n",
function,
previous_record_identifier,
record_values->identifier );
}
previous_record_identifier = record_values->identifier;
}
}
#endif
/* The chunk index is stored in the element data size
*/
if( ( chunk_index < internal_file->io_handle->number_of_chunks )
|| ( ( internal_file->io_handle->file_flags & LIBEVTX_FILE_FLAG_IS_DIRTY ) != 0 ) )
{
if( libfdata_list_append_element(
internal_file->records_list,
&element_index,
0,
file_offset + record_values->chunk_data_offset,
(size64_t) chunk_index,
0,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
"%s: unable to append element to records list.",
function );
goto on_error;
}
}
else
{
/* If the file is not dirty, records found in chunks outside the indicated
* range are considered recovered
*/
if( libfdata_list_append_element(
internal_file->recovered_records_list,
&element_index,
0,
file_offset + record_values->chunk_data_offset,
(size64_t) chunk_index,
0,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
"%s: unable to append element to recovered records list.",
function );
goto on_error;
}
}
/* TODO cache record values ? */
}
if( libevtx_chunk_get_number_of_recovered_records(
chunk,
&number_of_records,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve chunk: %" PRIu16 " number of recovered records.",
function,
chunk_index );
goto on_error;
}
for( record_index = 0;
record_index < number_of_records;
record_index++ )
{
if( libevtx_chunk_get_recovered_record(
chunk,
record_index,
&record_values,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_GET_FAILED,
"%s: unable to retrieve chunk: %" PRIu16 " recovered record: %" PRIu16 ".",
function,
chunk_index,
record_index );
goto on_error;
}
if( record_values == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_MISSING,
"%s: missing chunk: %" PRIu16 " recovered record: %" PRIu16 ".",
function,
chunk_index,
record_index );
goto on_error;
}
/* TODO check for and remove duplicate identifiers ? */
/* The chunk index is stored in the element data size
*/
if( libfdata_list_append_element(
internal_file->recovered_records_list,
&element_index,
0,
file_offset + record_values->chunk_data_offset,
(size64_t) chunk_index,
0,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
"%s: unable to append element to recovered records list.",
function );
goto on_error;
}
}
}
file_offset += chunk->data_size;
if( libevtx_chunk_free(
&chunk,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free chunk: %" PRIu16 ".",
function,
chunk_index );
goto on_error;
}
chunk_index++;
}
internal_file->io_handle->chunks_data_size = file_offset
- internal_file->io_handle->chunks_data_offset;
if( number_of_chunks != internal_file->io_handle->number_of_chunks )
{
#if defined( HAVE_VERBOSE_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: mismatch in number of chunks ( %" PRIu16 " != %" PRIu16 " ).\n",
function,
internal_file->io_handle->number_of_chunks,
chunk_index );
}
#endif
internal_file->io_handle->flags |= LIBEVTX_IO_HANDLE_FLAG_IS_CORRUPTED;
}
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
if( file_offset < (off64_t) file_size )
{
trailing_data_size = (size_t) ( file_size - file_offset );
trailing_data = (uint8_t *) memory_allocate(
sizeof( uint8_t ) * trailing_data_size );
if( trailing_data == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_MEMORY,
LIBCERROR_MEMORY_ERROR_INSUFFICIENT,
"%s: unable to create trailing data.",
function );
goto on_error;
}
read_count = libbfio_handle_read_buffer(
file_io_handle,
trailing_data,
trailing_data_size,
error );
if( read_count != (ssize_t) trailing_data_size )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read trailing data.",
function );
memory_free(
trailing_data );
goto on_error;
}
file_offset += read_count;
libcnotify_printf(
"%s: trailing data:\n",
function );
libcnotify_print_data(
trailing_data,
trailing_data_size,
LIBCNOTIFY_PRINT_DATA_FLAG_GROUP_DATA );
memory_free(
trailing_data );
trailing_data = NULL;
}
}
#endif
return( 1 );
on_error:
#if defined( HAVE_DEBUG_OUTPUT )
if( trailing_data != NULL )
{
memory_free(
trailing_data );
}
#endif
if( chunk != NULL )
{
libevtx_chunk_free(
&chunk,
NULL );
}
if( internal_file->records_cache != NULL )
{
libfcache_cache_free(
&( internal_file->records_cache ),
NULL );
}
if( internal_file->records_list != NULL )
{
libfdata_list_free(
&( internal_file->records_list ),
NULL );
}
if( chunks_table != NULL )
{
libevtx_chunks_table_free(
&chunks_table,
NULL );
}
if( internal_file->chunks_cache != NULL )
{
libfcache_cache_free(
&( internal_file->chunks_cache ),
NULL );
}
if( internal_file->chunks_vector != NULL )
{
libfdata_vector_free(
&( internal_file->chunks_vector ),
NULL );
}
return( -1 );
}
/* Reads the records into the records array
* Returns 1 if successful or -1 on error
*/
int libevt_io_handle_read_records(
libevt_io_handle_t *io_handle,
libbfio_handle_t *file_io_handle,
uint32_t first_record_offset,
uint32_t end_of_file_record_offset,
libfdata_list_t *records_list,
off64_t *last_record_offset,
libcerror_error_t **error )
{
libevt_record_values_t *record_values = NULL;
static char *function = "libevt_io_handle_read_records";
off64_t file_offset = 0;
ssize_t read_count = 0;
uint32_t record_iterator = 0;
uint8_t record_type = 0;
int element_index = 0;
if( io_handle == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid IO handle.",
function );
return( -1 );
}
if( last_record_offset == NULL )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_ARGUMENTS,
LIBCERROR_ARGUMENT_ERROR_INVALID_VALUE,
"%s: invalid last record offset.",
function );
return( -1 );
}
file_offset = (off64_t) first_record_offset;
if( ( file_offset < (off64_t) sizeof( evt_file_header_t ) )
|| ( (size64_t) file_offset >= io_handle->file_size ) )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_VALUE_OUT_OF_BOUNDS,
"%s: file offset value out of bounds.",
function );
goto on_error;
}
if( libbfio_handle_seek_offset(
file_io_handle,
file_offset,
SEEK_SET,
error ) == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_SEEK_FAILED,
"%s: unable to seek record offset: %" PRIi64 ".",
function,
file_offset );
goto on_error;
}
do
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: reading record: %" PRIu32 " at offset: %" PRIi64 " (0x%08" PRIx64 ")\n",
function,
record_iterator,
file_offset,
file_offset );
}
#endif
if( libevt_record_values_initialize(
&record_values,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_INITIALIZE_FAILED,
"%s: unable to create record values.",
function );
goto on_error;
}
*last_record_offset = file_offset;
read_count = libevt_record_values_read(
record_values,
file_io_handle,
io_handle,
&file_offset,
1,
error );
if( read_count == -1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_IO,
LIBCERROR_IO_ERROR_READ_FAILED,
"%s: unable to read record: %" PRIu32 ".",
function,
record_iterator );
goto on_error;
}
if( *last_record_offset > file_offset )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: wrapped at offset: 0x%08" PRIx64 ".\n",
function,
*last_record_offset );
}
#endif
io_handle->has_wrapped = 1;
}
record_type = record_values->type;
if( record_type == LIBEVT_RECORD_TYPE_EVENT )
{
if( libfdata_list_append_element(
records_list,
&element_index,
0,
*last_record_offset,
(size64_t) read_count,
0,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_APPEND_FAILED,
"%s: unable to append record to records list.",
function );
goto on_error;
}
}
if( libevt_record_values_free(
&record_values,
error ) != 1 )
{
libcerror_error_set(
error,
LIBCERROR_ERROR_DOMAIN_RUNTIME,
LIBCERROR_RUNTIME_ERROR_FINALIZE_FAILED,
"%s: unable to free record values.",
function );
goto on_error;
}
if( record_type == LIBEVT_RECORD_TYPE_END_OF_FILE )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: end-of-file record found at offset: 0x%08" PRIx64 ".\n",
function,
file_offset );
}
#endif
break;
}
if( ( file_offset > (off64_t) end_of_file_record_offset )
&& ( file_offset < (off64_t) ( end_of_file_record_offset + read_count ) ) )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: file offset: 0x%08" PRIx64 " exceeds end-of-file offset: 0x%08" PRIx64 ".\n",
function,
file_offset,
end_of_file_record_offset );
}
#endif
break;
}
record_iterator++;
}
while( record_type != LIBEVT_RECORD_TYPE_END_OF_FILE );
if( record_type == LIBEVT_RECORD_TYPE_END_OF_FILE )
{
if( *last_record_offset != (off64_t) end_of_file_record_offset )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: mismatch in end of file record offset ( %" PRIi64 " != %" PRIu32 " ).\n",
function,
*last_record_offset,
end_of_file_record_offset );
}
#endif
io_handle->flags |= LIBEVT_IO_HANDLE_FLAG_IS_CORRUPTED;
}
*last_record_offset += read_count;
}
if( ( io_handle->has_wrapped != 0 )
&& ( ( io_handle->flags & LIBEVT_FILE_FLAG_HAS_WRAPPED ) == 0 ) )
{
#if defined( HAVE_DEBUG_OUTPUT )
if( libcnotify_verbose != 0 )
{
libcnotify_printf(
"%s: file has wrapped but file flags indicate otherwise.\n",
function );
}
#endif
io_handle->flags |= LIBEVT_IO_HANDLE_FLAG_IS_CORRUPTED;
}
return( 1 );
on_error:
if( record_values != NULL )
{
libevt_record_values_free(
&record_values,
NULL );
}
return( -1 );
}
