/* Returns 0 on success and 1 on error */ uint8_t tsk_fs_fls(TSK_FS_INFO * fs, TSK_FS_FLS_FLAG_ENUM lclflags, TSK_INUM_T inode, TSK_FS_DIR_WALK_FLAG_ENUM flags, TSK_TCHAR * tpre, int32_t skew) { FLS_DATA data; data.flags = lclflags; data.sec_skew = skew; #ifdef TSK_WIN32 { size_t clen; UTF8 *ptr8; UTF16 *ptr16; int retval; if ((tpre != NULL) && (TSTRLEN(tpre) > 0)) { clen = TSTRLEN(tpre) * 4; data.macpre = (char *) tsk_malloc(clen); if (data.macpre == NULL) { return 1; } ptr8 = (UTF8 *) data.macpre; ptr16 = (UTF16 *) tpre; retval = tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *) & ptr16[TSTRLEN(tpre) + 1], &ptr8, (UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion); if (retval != TSKconversionOK) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNICODE); tsk_error_set_errstr ("Error converting fls mactime pre-text to UTF-8 %d\n", retval); return 1; } } else { data.macpre = (char *) tsk_malloc(1); if (data.macpre == NULL) { return 1; } data.macpre[0] = '\0'; } retval = tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data); free(data.macpre); data.macpre = NULL; return retval; } #else data.macpre = tpre; return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data); #endif }
/** * Find the meta data address for a given file TCHAR name * * @param fs FS to analyze * @param tpath Path of file to search for * @param [out] result Meta data address of file * @returns -1 on error, 0 if found, and 1 if not found */ int8_t tsk_fs_ifind_path(TSK_FS_INFO * fs, TSK_TCHAR * tpath, TSK_INUM_T * result) { #ifdef TSK_WIN32 // Convert the UTF-16 path to UTF-8 { size_t clen; UTF8 *ptr8; UTF16 *ptr16; int retval; char *cpath; clen = TSTRLEN(tpath) * 4; if ((cpath = (char *) tsk_malloc(clen)) == NULL) { return -1; } ptr8 = (UTF8 *) cpath; ptr16 = (UTF16 *) tpath; retval = tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *) & ptr16[TSTRLEN(tpath) + 1], &ptr8, (UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion); if (retval != TSKconversionOK) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNICODE); tsk_error_set_errstr ("tsk_fs_ifind_path: Error converting path to UTF-8: %d", retval); free(cpath); return -1; } return tsk_fs_path2inum(fs, cpath, result, NULL); } #else return tsk_fs_path2inum(fs, (const char *) tpath, result, NULL); #endif }
TSK_IMG_INFO * aff_open(const TSK_TCHAR * const images[], unsigned int a_ssize) { IMG_AFF_INFO *aff_info; TSK_IMG_INFO *img_info; int type; char *image; #ifdef TSK_WIN32 // convert wchar_t* image path to char* to conform to // the AFFLIB API UTF16 *utf16 = (UTF16 *)images[0]; size_t ilen = wcslen(utf16); size_t olen = ilen*4 + 1; UTF8 *utf8 = (UTF8 *) tsk_malloc(olen); image = (char *) utf8; if ( image == NULL ) return NULL; TSKConversionResult retval = tsk_UTF16toUTF8_lclorder( (const UTF16 **) &utf16, &utf16[ilen], &utf8, &utf8[olen], TSKlenientConversion ); *utf8 = '\0'; if (retval != TSKconversionOK) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNICODE); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Error converting path to UTF-8 %d\n", images[0], retval); free(image); return NULL; } utf8 = (UTF8 *) image; while ( *utf8 ) { if ( *utf8 > 127 ) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNICODE); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Non-Latin paths are not supported for AFF images\n", images[0]); free(image); return NULL; } utf8++; } #else image = (char *) tsk_malloc( strlen(images[0])+1 ); if ( image == NULL ) return NULL; strncpy(image, images[0], strlen(images[0])+1 ); #endif if ((aff_info = (IMG_AFF_INFO *) tsk_img_malloc(sizeof(IMG_AFF_INFO))) == NULL) { free(image); return NULL; } img_info = (TSK_IMG_INFO *) aff_info; img_info->read = aff_read; img_info->close = aff_close; img_info->imgstat = aff_imgstat; img_info->sector_size = 512; if (a_ssize) img_info->sector_size = a_ssize; type = af_identify_file_type(image, 1); if ((type == AF_IDENTIFY_ERR) || (type == AF_IDENTIFY_NOEXIST)) { if (tsk_verbose) { tsk_fprintf(stderr, "aff_open: Error determining type of file: %" PRIttocTSK "\n", images[0]); perror("aff_open"); } tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Error checking type", images[0]); tsk_img_free(aff_info); free(image); return NULL; } else if (type == AF_IDENTIFY_AFF) { img_info->itype = TSK_IMG_TYPE_AFF_AFF; } else if (type == AF_IDENTIFY_AFD) { img_info->itype = TSK_IMG_TYPE_AFF_AFD; } else if (type == AF_IDENTIFY_AFM) { img_info->itype = TSK_IMG_TYPE_AFF_AFM; } else { img_info->itype = TSK_IMG_TYPE_AFF_ANY; } aff_info->af_file = af_open(image, O_RDONLY | O_BINARY, 0); if (!aff_info->af_file) { // @@@ Need to check here if the open failed because of an incorrect password. tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_OPEN); tsk_error_set_errstr("aff_open file: %" PRIttocTSK ": Error opening - %s", images[0], strerror(errno)); tsk_img_free(aff_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening AFF/AFD/AFM file\n"); perror("aff_open"); } free(image); return NULL; } // verify that a password was given and we can read encrypted data. if (af_cannot_decrypt(aff_info->af_file)) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_IMG_PASSWD); tsk_error_set_errstr("aff_open file: %" PRIttocTSK, images[0]); tsk_img_free(aff_info); if (tsk_verbose) { tsk_fprintf(stderr, "Error opening AFF/AFD/AFM file (incorrect password)\n"); } free(image); return NULL; } aff_info->type = type; img_info->size = af_imagesize(aff_info->af_file); af_seek(aff_info->af_file, 0, SEEK_SET); aff_info->seek_pos = 0; free(image); return img_info; }
/* This interface needs some more thought because the size of wchar is not standard. * If the goal i to provide a constant wchar interface, then we need to incorporate * UTF-32 to UTF-8 support as well. If the goal is to provide a standard UTF-16 * interface, we should use another type besiddes wchar_t. */ TSK_IMG_INFO * tsk_img_open_utf16(int num_img, wchar_t * const images[], TSK_IMG_TYPE_ENUM type) { #if TSK_WIN32 return tsk_img_open(num_img, images, type); #else { TSK_IMG_INFO *retval; int i; char **images8; TSK_ENDIAN_ENUM endian; uint16_t tmp1; /* The unicode conversio routines are primarily to convert Unicode * in file and volume system images, which means they could be in * an endian ordering different from the local one. We need to figure * out our local ordering so we can give it the right flag */ tmp1 = 1; if (tsk_guess_end_u16(&endian, (uint8_t *) & tmp1, 1)) { // @@@@ return NULL; } // convert UTF16 to UTF8 if ((images8 = (char **) tsk_malloc(sizeof(char *) * num_img)) == NULL) { return NULL; } for (i = 0; i < num_img; i++) { size_t ilen; UTF16 *utf16; UTF8 *utf8; TSKConversionResult retval2; // we allocate the buffer to be four times the utf-16 length. ilen = wcslen(images[i]); ilen <<= 2; if ((images8[i] = (char *) tsk_malloc(ilen)) == NULL) { return NULL; } utf16 = (UTF16 *) images[i]; utf8 = (UTF8 *) images8[i]; retval2 = tsk_UTF16toUTF8_lclorder((const UTF16 **) &utf16, &utf16[wcslen(images[i]) + 1], &utf8, &utf8[ilen + 1], TSKlenientConversion); if (retval2 != TSKconversionOK) { tsk_errno = TSK_ERR_IMG_CONVERT; snprintf(tsk_errstr, TSK_ERRSTR_L, "tsk_img_open_utf16: Error converting image %d %d", i, retval2); return NULL; } *utf8 = '\0'; } retval = tsk_img_open(num_img, (const TSK_TCHAR **) images8, type); for (i = 0; i < num_img; i++) { free(images8[i]); } free(images8); return retval; } #endif }
int TskImageFileTsk::extractFiles() { // @@@ Add Sanity check that DB is empty if (m_img_info == NULL) { LOGERROR(L"TskImageFileTsk::extractFiles: Images not open yet\n"); return 1; } m_db.addImageInfo((int)m_img_info->itype, m_img_info->sector_size); for (uint32_t i = 0; i < m_images.size(); i++) { char *img_ptr = NULL; #ifdef TSK_WIN32 char img2[1024]; UTF8 *ptr8; UTF16 *ptr16; ptr8 = (UTF8 *) img2; ptr16 = (UTF16 *) m_images_ptrs[i]; TSKConversionResult retval = tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *) & ptr16[wcslen(m_images_ptrs[i]) + 1], &ptr8, (UTF8 *) ((uintptr_t) ptr8 + 1024), TSKlenientConversion); if (retval != TSKconversionOK) { std::wstringstream msg; msg << L"TskImageFileTsk::extractFiles: Error converting image to UTF-8" << std::endl; LOGERROR(msg.str()); return 1; } img_ptr = img2; #else img_ptr = (char *) a_images[i]; #endif m_db.addImageName(img_ptr); } TSKAutoImpl tskAutoImpl; if (tskAutoImpl.openImage(m_img_info)) { std::wstringstream msg; msg << L"TSKExtract::processImage - Error opening image: " << tsk_error_get() << std::endl; LOGERROR(msg.str()); return 1; } // TskAutoImpl will log errors as they occur tskAutoImpl.findFilesInImg(); // It's possible that this is an image with no volumes or file systems. // Scan the image for file systems starting at sector 0. // By default it will scan 1024 sectors. if (m_db.getNumVolumes() == 0) { tskAutoImpl.scanImgForFs(0); } return 0; }