/* Parse TSK error and send it to the appliance. */
static void
reply_with_tsk_error (const char *funcname)
{
int ret = 0;
const char *buf = NULL;
ret = tsk_error_get_errno ();
if (ret != 0) {
buf = tsk_error_get ();
reply_with_error ("%s: %s", funcname, buf);
}
else
reply_with_error ("%s: unknown error", funcname);
}
uint8_t TskAuto::registerError() {
// add to our list of errors
error_record er;
er.code = tsk_error_get_errno();
er.msg1 = tsk_error_get_errstr();
er.msg2 = tsk_error_get_errstr2();
m_errors.push_back(er);
// call super class implementation
uint8_t retval = handleError();
tsk_error_reset();
return retval;
}
/*
* This thread sets error variables, updates the semaphore,
* waits on the semaphore, and reads them back.
*/
void * thread_1(void *arg) {
xErrorsTestShared * shared = (xErrorsTestShared*) arg;
// wait to be told to start.
#ifdef __APPLE__
kern_return_t se = semaphore_wait(shared->sync_barrier);
if (se != 0) {
fprintf(stderr, "sem_wait failed: %d\n", se);
shared->failure = true;
}
#else
if (sem_wait(&shared->sync_barrier) != 0) {
fprintf(stderr, "sem_wait failed: %s\n", strerror(errno));
shared->failure = true;
}
#endif
tsk_error_set_errno(42);
tsk_error_set_errstr("I just set errno to %d.", 42);
tsk_error_set_errstr2("Indeed, I just set errno to %d.", 42);
#ifdef __APPLE__
se = semaphore_signal(shared->sync_barrier);
if (se != 0) {
fprintf(stderr, "sem_signal failed: %d\n", se);
shared->failure = true;
}
se = semaphore_wait(shared->sync_barrier);
if (se != 0) {
fprintf(stderr, "sem_wait failed: %d\n", se);
shared->failure = true;
}
#else
sem_post(&shared->sync_barrier);
sem_wait(&shared->sync_barrier);
#endif
shared->errno_check_failed = 42 != tsk_error_get_errno();
char const * s = tsk_error_get_errstr();
shared->errstr_check_failed = 0 != strcmp("I just set errno to 42.", s);
s = tsk_error_get_errstr2();
shared->errstr2_check_failed = 0 != strcmp("Indeed, I just set errno to 42.", s);
return 0;
}
/* main - open file system, list inode info */
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_TCHAR *cp, *dash;
TSK_INUM_T istart = 0, ilast = 0;
int ch;
int flags = TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED;
int ils_flags = 0;
int set_range = 1;
TSK_TCHAR *image = NULL;
int32_t sec_skew = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
/*
* Provide convenience options for the most commonly selected feature
* combinations.
*/
while ((ch =
GETOPT(argc, argv, _TSK_T("aAb:ef:i:lLmo:Oprs:vVzZ"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('e'):
flags |= (TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC);
flags &= ~TSK_FS_META_FLAG_USED;
break;
case _TSK_T('m'):
ils_flags |= TSK_FS_ILS_MAC;
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('O'):
flags |= TSK_FS_META_FLAG_UNALLOC;
flags &= ~TSK_FS_META_FLAG_ALLOC;
ils_flags |= TSK_FS_ILS_OPEN;
break;
case _TSK_T('p'):
flags |= (TSK_FS_META_FLAG_ORPHAN | TSK_FS_META_FLAG_UNALLOC);
flags &= ~TSK_FS_META_FLAG_ALLOC;
break;
case _TSK_T('r'):
flags |= (TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED);
flags &= ~TSK_FS_META_FLAG_ALLOC;
break;
case _TSK_T('s'):
sec_skew = TATOI(OPTARG);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
/*
* Provide fine controls to tweak one feature at a time.
*/
case _TSK_T('a'):
flags |= TSK_FS_META_FLAG_ALLOC;
flags &= ~TSK_FS_META_FLAG_UNALLOC;
break;
case _TSK_T('A'):
flags |= TSK_FS_META_FLAG_UNALLOC;
break;
case _TSK_T('l'):
ils_flags |= TSK_FS_ILS_LINK;
break;
case _TSK_T('L'):
ils_flags |= TSK_FS_ILS_UNLINK;
break;
case _TSK_T('z'):
flags |= TSK_FS_META_FLAG_UNUSED;
break;
case _TSK_T('Z'):
flags |= TSK_FS_META_FLAG_USED;
break;
}
}
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((ils_flags & TSK_FS_ILS_LINK) && (ils_flags & TSK_FS_ILS_UNLINK)) {
tsk_fprintf(stderr,
"ERROR: Only linked or unlinked should be used\n");
usage();
}
/* We need to determine if an inode or inode range was given */
if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) {
/* Check if is a single number */
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
/* Single address set end addr to start */
ilast = istart;
set_range = 0;
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
}
else {
/* We have a dash, but it could be part of the file name */
*dash = '\0';
istart = TSTRTOULL(argv[argc - 1], &cp, 0);
if (*cp || *cp == *argv[argc - 1]) {
/* Not a number - consider it a file name */
*dash = _TSK_T('-');
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
dash++;
ilast = TSTRTOULL(dash, &cp, 0);
if (*cp || *cp == *dash) {
/* Not a number - consider it a file name */
dash--;
*dash = '-';
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
else {
set_range = 0;
/* It was a block range, so do not include it in the open */
image = argv[OPTIND];
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
}
}
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
/* do we need to set the range or just check them? */
if (set_range) {
istart = fs->first_inum;
ilast = fs->last_inum;
}
else {
if (istart < fs->first_inum)
istart = fs->first_inum;
if (ilast > fs->last_inum)
ilast = fs->last_inum;
}
/* NTFS uses alloc and link different than UNIX so change
* the default behavior
*
* The link value can be > 0 on deleted files (even when closed)
*/
/* NTFS and FAT have no notion of deleted but still open */
if ((ils_flags & TSK_FS_ILS_OPEN) && (TSK_FS_TYPE_ISNTFS(fs->ftype)
|| TSK_FS_TYPE_ISFAT(fs->ftype))) {
fprintf(stderr,
"Error: '-O' argument does not work with NTFS and FAT images\n");
exit(1);
}
if (tsk_fs_ils(fs, (TSK_FS_ILS_FLAG_ENUM) ils_flags, istart, ilast,
(TSK_FS_META_FLAG_ENUM) flags, sec_skew, image)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
static uint8_t
process_tsk_file(TSK_FS_FILE * fs_file, const char *path)
{
/* Use a flag to determine if a file is generically fit for plugins. */
bool can_run_plugin;
/* Make sure that the SleuthKit structures are properly set */
if (fs_file->name == NULL)
return 1;
if (fs_file->meta == NULL && opt_debug)
printf("File: %s %s has no meta\n", path, fs_file->name->name);
/* SleuthKit meta types are defined in tsk_fs.h.*/
if (opt_debug) printf("Processing %s%s type=%s (0x%x) \n",
path, fs_file->name->name,
tsk_fs_name_type_str[fs_file->name->type],fs_file->name->type);
/* Recover the filename from the fs_dent, if it is provided */
content ci(fs_file->fs_info->img_info); // where the content will go
ci.evidence_dirname = path;
ci.set_filename(fs_file->name->name);
/* If we are filtering and we have a filename, see if we want this file. */
if (ci.name_filtered()) return 0;
/* Looks like we are processing */
if(a) a->new_row(); // tell ARFF we are starting a new row
if(x) x->push("fileobject"); // tell XML we are starting a new XML object
if(opt_parent_tracking)
{
if(fs_file->name->par_addr) {
if(x)
{
x->push("parent_object");
file_info("inode", fs_file->name->par_addr);
if(x) x->pop();
}
if((t||a) && !opt_body_file)
{
file_info("parent_inode", fs_file->name->par_addr);
}
}
}
if(fs_file->meta != NULL)
{
/* Get the content if needed */
if(ci.need_file_walk() && (opt_maxgig==0 || fs_file->meta->size/1000000000 < opt_maxgig)) {
int myflags = TSK_FS_FILE_WALK_FLAG_NOID;
if (opt_no_data) myflags |= TSK_FS_FILE_WALK_FLAG_AONLY;
if (tsk_fs_file_walk (fs_file, (TSK_FS_FILE_WALK_FLAG_ENUM) myflags, file_act, (void *) &ci)) {
// ignore errors from deleted files that were being recovered
//if (tsk_errno != TSK_ERR_FS_RECOVER) {
if (tsk_error_get_errno() != TSK_ERR_FS_RECOVER) {
if(opt_debug) {
fprintf(stderr,"Processing: %s/%s (%" PRIuINUM ")\n", path,
fs_file->name->name, fs_file->meta->addr);
tsk_error_print(stderr);
}
}
tsk_error_reset();
}
}
}
if(file_count_max && file_count>file_count_max) return TSK_WALK_STOP;
file_count++;
/* Send through to the plugin if we were doing that.
* Currently results only go to ARFF file, not to the XML file.
*/
/* Finally output the informaton */
if(opt_body_file && (fs_file->meta != NULL)) {
char ls[64];
tsk_fs_meta_make_ls(fs_file->meta,ls,sizeof(ls));
fprintf(t,"%s|%s|%" PRId64 "|%s|%d|%d|%" PRId64 "|%d|%d|%d|%d\n",
ci.h_md5.final().hexdigest().c_str(),ci.filename().c_str(),fs_file->meta->addr,
ls,fs_file->meta->uid,fs_file->meta->gid,
fs_file->meta->size,
(uint32_t)(fs_file->meta->atime),
(uint32_t)fs_file->meta->mtime,
(uint32_t)fs_file->meta->ctime,
(uint32_t)fs_file->meta->crtime);
return TSK_WALK_CONT;
}
void ErrorsTest::testMultithreaded()
{
xErrorsTestShared shared;
tsk_error_reset();
// start semaphore unlocked. Thread will lock.
#ifdef __APPLE__
kern_return_t se;
se = semaphore_create(mach_task_self(), &shared.sync_barrier, SYNC_POLICY_FIFO, 0);
if (se != 0) {
fprintf(stderr, "sem_init failed: %d\n", se);
CPPUNIT_FAIL("Could not initialize semaphore");
}
#else
if (sem_init(&shared.sync_barrier, 0, 0)) {
fprintf(stderr, "sem_init failed: %s\n", strerror(errno));
CPPUNIT_FAIL("Could not initialize semaphore");
}
#endif
pthread_t thread1;
int pte = pthread_create(&thread1, 0, thread_1, &shared);
if (pte != 0) {
fprintf(stderr, "pthread_create failed: %d\n", pte);
CPPUNIT_FAIL("pthread_create failed.");
}
#ifdef __APPLE__
se = semaphore_signal(shared.sync_barrier);
if (se != 0) {
fprintf(stderr, "semaphore_signal failed: %d\n", se);
CPPUNIT_FAIL("Could not post to semaphore");
}
se = semaphore_wait(shared.sync_barrier);
if (se != 0) {
fprintf(stderr, "semaphore_wait failed: %d\n", se);
CPPUNIT_FAIL("Could not post to semaphore");
}
#else
// give thread permission to proceed
if (sem_post(&shared.sync_barrier) != 0) {
fprintf(stderr, "sem_post failed: %s\n", strerror(errno));
CPPUNIT_FAIL("Could not post to semaphore");
}
// wait for thread to set some things.
if (sem_wait(&shared.sync_barrier) != 0) {
fprintf(stderr, "sem_wait failed: %s\n", strerror(errno));
CPPUNIT_FAIL("Could not wait on semaphore");
}
#endif
CPPUNIT_ASSERT(0 == tsk_error_get_errno());
CPPUNIT_ASSERT(0 == tsk_error_get_errstr()[0]);
CPPUNIT_ASSERT(0 == tsk_error_get_errstr2()[0]);
// give thread permission to proceed
#ifdef __APPLE__
se = semaphore_signal(shared.sync_barrier);
if (se != 0) {
fprintf(stderr, "semaphore_signal failed: %d\n", se);
CPPUNIT_FAIL("Could not post to semaphore");
}
#else
if (sem_post(&shared.sync_barrier) != 0) {
fprintf(stderr, "sem_post failed: %s\n", strerror(errno));
CPPUNIT_FAIL("Could not post to semaphore");
}
#endif
void *exitval = 0;
pte = pthread_join(thread1, &exitval);
if (pte != 0) {
fprintf(stderr, "pthread_join failed: %d\n", pte);
CPPUNIT_FAIL("pthread_join failed.");
}
CPPUNIT_ASSERT(!shared.errno_check_failed);
CPPUNIT_ASSERT(!shared.errstr_check_failed);
CPPUNIT_ASSERT(!shared.errstr2_check_failed);
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
int ch;
TSK_TCHAR *cp;
uint8_t type = 0;
int set = 0;
TSK_DADDR_T count = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:d:f:i:o:s:u:vV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('d'):
type |= TSK_FS_BLKCALC_DD;
count = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG) {
TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
usage();
}
set = 1;
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('s'):
type |= TSK_FS_BLKCALC_SLACK;
count = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG) {
TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
usage();
}
set = 1;
break;
case _TSK_T('u'):
type |= TSK_FS_BLKCALC_BLKLS;
count = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG) {
TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG);
usage();
}
set = 1;
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND == argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((!type) || (set == 0)) {
tsk_fprintf(stderr, "Calculation type not given (-u, -d, -s)\n");
usage();
}
if ((type & TSK_FS_BLKCALC_DD) && (type & TSK_FS_BLKCALC_BLKLS)
&& (type & TSK_FS_BLKCALC_SLACK)) {
tsk_fprintf(stderr, "Only one block type can be given\n");
usage();
}
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
if (-1 == tsk_fs_blkcalc(fs, (TSK_FS_BLKCALC_FLAG_ENUM) type, count)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
/**
* \ingroup imglib
* Opens one or more disk image files so that they can be read. If a file format
* type is specified, this function will call the specific routine to open the file.
* Otherwise, it will detect the type (it will default to raw if no specific type can
* be detected). This function must be called before a disk image can be read from.
* Note that the data type used to store the image paths is a TSK_TCHAR, which changes
* depending on a Unix or Windows build. If you will always have UTF8, then consider
* using tsk_img_open_utf8().
*
* @param num_img The number of images to open (will be > 1 for split images).
* @param images The path to the image files (the number of files must
* be equal to num_img and they must be in a sorted order)
* @param type The disk image type (can be autodetection)
* @param a_ssize Size of device sector in bytes (or 0 for default)
*
* @return Pointer to TSK_IMG_INFO or NULL on error
*/
TSK_IMG_INFO *
tsk_img_open(int num_img,
const TSK_TCHAR * const images[], TSK_IMG_TYPE_ENUM type,
unsigned int a_ssize)
{
TSK_IMG_INFO *img_info = NULL;
// Get rid of any old error messages laying around
tsk_error_reset();
if ((num_img == 0) || (images[0] == NULL)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_NOFILE);
tsk_error_set_errstr("tsk_img_open");
return NULL;
}
if ((a_ssize > 0) && (a_ssize < 512)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_ARG);
tsk_error_set_errstr("sector size is less than 512 bytes (%d)",
a_ssize);
return NULL;
}
if ((a_ssize % 512) != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_ARG);
tsk_error_set_errstr("sector size is not a multiple of 512 (%d)",
a_ssize);
return NULL;
}
if (tsk_verbose)
TFPRINTF(stderr,
_TSK_T("tsk_img_open: Type: %d NumImg: %d Img1: %s\n"),
type, num_img, images[0]);
/* If no type is given, then we use the autodetection methods
* In case the image file matches the signatures of multiple formats,
* we try all of the embedded formats
*/
if (type == TSK_IMG_TYPE_DETECT) {
TSK_IMG_INFO *img_set = NULL;
#if HAVE_LIBAFFLIB || HAVE_LIBEWF
char *set = NULL;
#endif
// we rely on tsk_errno, so make sure it is 0
tsk_error_reset();
/* Try the non-raw formats first */
#if HAVE_LIBAFFLIB
if ((img_info = aff_open(images, a_ssize)) != NULL) {
/* we don't allow the "ANY" when autodetect is used because
* we only want to detect the tested formats. */
if (img_info->itype == TSK_IMG_TYPE_AFF_ANY) {
img_info->close(img_info);
}
else {
set = "AFF";
img_set = img_info;
}
}
else {
// If AFF is otherwise happy except for a password, stop trying to guess
if (tsk_error_get_errno() == TSK_ERR_IMG_PASSWD) {
return NULL;
}
tsk_error_reset();
}
#endif
#if HAVE_LIBEWF
if ((img_info = ewf_open(num_img, images, a_ssize)) != NULL) {
if (set == NULL) {
set = "EWF";
img_set = img_info;
}
else {
img_set->close(img_set);
img_info->close(img_info);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_UNKTYPE);
tsk_error_set_errstr("EWF or %s", set);
return NULL;
}
}
else {
tsk_error_reset();
}
#endif
// if any of the non-raw formats were detected, then use it.
if (img_set != NULL)
return img_set;
// otherwise, try raw
if ((img_info = raw_open(num_img, images, a_ssize)) != NULL) {
return img_info;
}
else if (tsk_error_get_errno() != 0) {
return NULL;
}
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_UNKTYPE);
return NULL;
}
/*
* Type values
*/
switch (type) {
case TSK_IMG_TYPE_RAW:
img_info = raw_open(num_img, images, a_ssize);
break;
#if HAVE_LIBAFFLIB
case TSK_IMG_TYPE_AFF_AFF:
case TSK_IMG_TYPE_AFF_AFD:
case TSK_IMG_TYPE_AFF_AFM:
case TSK_IMG_TYPE_AFF_ANY:
img_info = aff_open(images, a_ssize);
break;
#endif
#if HAVE_LIBEWF
case TSK_IMG_TYPE_EWF_EWF:
img_info = ewf_open(num_img, images, a_ssize);
break;
#endif
default:
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_IMG_UNSUPTYPE);
tsk_error_set_errstr("%d", type);
return NULL;
}
return img_info;
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_INUM_T inum;
int ch;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:f:i:o:vV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name and/or address\n");
usage();
}
/* open image - there is an optional inode address at the end of args
*
* Check the final argument and see if it is a number
*/
if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) {
/* Not an inode at the end */
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
inum = fs->journ_inum;
}
else {
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
}
if (fs->jopen == NULL) {
tsk_fprintf(stderr,
"Journal support does not exist for this file system\n");
fs->close(fs);
img->close(img);
exit(1);
}
if (inum > fs->last_inum) {
tsk_fprintf(stderr,
"Inode value is too large for image (%" PRIuINUM ")\n",
fs->last_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (inum < fs->first_inum) {
tsk_fprintf(stderr,
"Inode value is too small for image (%" PRIuINUM ")\n",
fs->first_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (fs->jopen(fs, inum)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
if (fs->jentry_walk(fs, 0, 0, NULL)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_VS_INFO *vs;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
int ch;
TSK_OFF_T imgaddr = 0;
TSK_IMG_INFO *img;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) {
switch (ch) {
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('t'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_vs_type_print(stderr);
exit(1);
}
vstype = tsk_vs_type_toid(OPTARG);
if (vstype == TSK_VS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported volume system type: %s\n"),
OPTARG);
usage();
}
break;
case 'v':
tsk_verbose++;
break;
case 'V':
tsk_version_print(stdout);
exit(0);
case '?':
default:
tsk_fprintf(stderr, "Unknown argument\n");
usage();
}
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
/* open the image */
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
/* process the partition tables */
if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
tsk_vs_type_print(stderr);
exit(1);
}
print_stats(vs);
tsk_vs_close(vs);
tsk_img_close(img);
exit(0);
}
/* Verify that all attributes can be accessed from both get_idx and get_type...
* @param a_addr The metadata address of the file to analyze
* @param a_len Expected number of attributes in file.
* @returns 1 if a test failed
*/
static int
test_get_apis(TSK_FS_INFO * a_fs, TSK_INUM_T a_addr, int a_len)
{
TSK_FS_FILE *fs_file;
int retval = 0;
// open the file
fs_file = tsk_fs_file_open_meta(a_fs, NULL, a_addr);
if (!fs_file) {
fprintf(stderr, "Error opening file %" PRIuINUM " via meta\n",
a_addr);
tsk_error_print(stderr);
return 1;
}
int len = tsk_fs_file_attr_getsize(fs_file);
if (len != a_len) {
fprintf(stderr,
"%" PRIuINUM
" attribute count diff from expected (%d vs %d)\n", a_addr,
a_len, len);
tsk_error_print(stderr);
return 1;
}
for (int i = 0; i < len; i++) {
// get the attribute by index
const TSK_FS_ATTR *fs_attr = tsk_fs_file_attr_get_idx(fs_file, i);
if (!fs_attr) {
fprintf(stderr,
"Error getting attribute %d from %" PRIuINUM "\n", i,
a_addr);
tsk_error_print(stderr);
return 1;
}
// verify we can also get it via type / id
const TSK_FS_ATTR *fs_attr2 =
tsk_fs_file_attr_get_type(fs_file, fs_attr->type, fs_attr->id,
1);
if (!fs_attr2) {
fprintf(stderr,
"Error getting attribute %d-%d from %" PRIuINUM "\n",
fs_attr->type, fs_attr->id, a_addr);
tsk_error_print(stderr);
return 1;
}
if ((fs_attr->type != fs_attr2->type)
|| (fs_attr->id != fs_attr2->id)) {
fprintf(stderr,
"Attribute from get_type not expected %d-%d vs %d-%d from %"
PRIuINUM "\n", fs_attr->type, fs_attr->id, fs_attr2->type,
fs_attr2->id, a_addr);
tsk_error_print(stderr);
return 1;
}
if (fs_attr != fs_attr2) {
fprintf(stderr,
"Attribute from get_type not same addr as original %lu vs %lu from %"
PRIuINUM "\n", (long) fs_attr, (long) fs_attr2, a_addr);
tsk_error_print(stderr);
return 1;
}
// verify we also get something via only type
fs_attr2 = tsk_fs_file_attr_get_type(fs_file, fs_attr->type, 0, 0);
if (!fs_attr2) {
fprintf(stderr,
"Error getting attribute %d (no id) from %" PRIuINUM "\n",
fs_attr->type, a_addr);
tsk_error_print(stderr);
return 1;
}
if (fs_attr->type != fs_attr2->type) {
fprintf(stderr,
"Attribute from get_type (no id) not expected %d vs %d from %"
PRIuINUM "\n", fs_attr->type, fs_attr2->type, a_addr);
tsk_error_print(stderr);
return 1;
}
// Try with a "random" ID: Note this atribute could actually exist...
fs_attr2 =
tsk_fs_file_attr_get_type(fs_file, fs_attr->type, 0xfd, 1);
if (fs_attr2) {
fprintf(stderr,
"Got unexpected attribute %d-0xfd (random ID) from %"
PRIuINUM "\n", fs_attr->type, a_addr);
tsk_error_print(stderr);
return 1;
}
else if (tsk_error_get_errno() != TSK_ERR_FS_ATTR_NOTFOUND) {
fprintf(stderr,
"Unexpected error code %x from getting %d-0xfd (random ID) from %"
PRIuINUM "\n", (int)tsk_error_get_errno(), fs_attr->type, a_addr);
tsk_error_print(stderr);
return 1;
}
tsk_error_reset();
// Try with a "random" type Note this atribute could actually exist...
fs_attr2 =
tsk_fs_file_attr_get_type(fs_file,
(TSK_FS_ATTR_TYPE_ENUM) (fs_attr->type + 37), 0, 0);
if (fs_attr2) {
fprintf(stderr,
"Got unexpected attribute %d-X (random type, no id) from %"
PRIuINUM "\n", fs_attr->type + 37, a_addr);
tsk_error_print(stderr);
return 1;
}
else if (tsk_error_get_errno() != TSK_ERR_FS_ATTR_NOTFOUND) {
fprintf(stderr,
"Unexpected error code %x from getting %d-X (random type, no id) from %"
PRIuINUM "\n", (int)tsk_error_get_errno(), fs_attr->type, a_addr);
tsk_error_print(stderr);
return 1;
}
tsk_error_reset();
}
tsk_fs_file_close(fs_file);
return retval;
}
/**
* Process the contents of a file.
*
* @return 1 on error and 0 on success
*/
static uint8_t
procFile(TskFsFile * fs_file, const char *path)
{
TSK_MD5_CTX md;
if ((fs_file->getMeta() == NULL) || (fs_file->getName() == NULL))
return 1;
if (fs_file->getMeta()->getType() != TSK_FS_META_TYPE_REG)
return 0;
//printf("Processing %s%s\n", path, fs_file->name->name);
int myflags = TSK_FS_FILE_WALK_FLAG_NOID;
TSK_MD5_Init(&md);
/* Note that we could also cycle through all of the attributes in the
* file by using one of the tsk_fs_attr_get() functions and walking it
* with tsk_fs_attr_walk(). See the File Systems section of the Library
* User's Guide for more details:
* http://www.sleuthkit.org/sleuthkit/docs/api-docs/ */
if (fs_file->walk
((TSK_FS_FILE_WALK_FLAG_ENUM) myflags, fileAct,
(void *) &md)) {
// ignore errors from deleted files that were being recovered
if (tsk_error_get_errno() != TSK_ERR_FS_RECOVER) {
printf("Processing: %s/%s (%" PRIuINUM ")\n", path,
fs_file->getName()->getName(), fs_file->getMeta()->getAddr());
tsk_error_print(stderr);
}
tsk_error_reset();
}
// otherwise, compute the hash of the file.
else {
unsigned char hash[16];
TSK_MD5_Final(hash, &md);
#if 0
{
int i;
printf("Hash of %s/%s: ", path, fs_file->name->name);
for (i = 0; i < 16; i++) {
printf("%x%x", (hash[i] >> 4) & 0xf, hash[i] & 0xf);
}
printf("\n");
}
#endif
#if DO_HASHLOOKUP
// This code is not currently viable; TskHdbInfo implementation is incomplete.
{
int retval;
retval = tsk_hdb_lookup_raw(hdb_info, (uint8_t *) hash, 16,
TSK_HDB_FLAG_QUICK, NULL, NULL);
if (retval == 1) {
//printf("Ignoring file %s\n", fs_dent->name);
}
else if (retval == 0) {
// printf("Not Ignoring: %s/%s\n", path, name);
}
}
#endif
}
return 0;
}
int
main(int argc, char **argv1)
{
TSK_VS_INFO *vs;
int ch;
TSK_OFF_T imgaddr = 0;
int flags = 0;
TSK_IMG_INFO *img;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
uint8_t hide_meta = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("aAb:Bi:mMo:rt:vV"))) > 0) {
switch (ch) {
case _TSK_T('a'):
flags |= TSK_VS_PART_FLAG_ALLOC;
break;
case _TSK_T('A'):
flags |= TSK_VS_PART_FLAG_UNALLOC;
break;
case _TSK_T('B'):
print_bytes = 1;
break;
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('m'):
flags |= (TSK_VS_PART_FLAG_META);
break;
case _TSK_T('M'):
// we'll set this after all flags have been set
hide_meta = 1;
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('r'):
recurse = 1;
break;
case _TSK_T('t'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_vs_type_print(stderr);
exit(1);
}
vstype = tsk_vs_type_toid(OPTARG);
if (vstype == TSK_VS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported volume system type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
case _TSK_T('?'):
default:
tsk_fprintf(stderr, "Unknown argument\n");
usage();
}
}
// if they want to hide metadata volumes, set that now
if (hide_meta) {
if (flags == 0)
flags = (TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC);
else
flags &= ~TSK_VS_PART_FLAG_META;
}
else if (flags == 0) {
flags = TSK_VS_PART_FLAG_ALL;
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
/* open the image */
img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize);
if (img == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
/* process the partition tables */
vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype);
if (vs == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
tsk_vs_type_print(stderr);
tsk_img_close(img);
exit(1);
}
print_header(vs);
if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
(TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
tsk_error_print(stderr);
tsk_vs_close(vs);
tsk_img_close(img);
exit(1);
}
tsk_vs_close(vs);
if ((recurse) && (vs->vstype == TSK_VS_TYPE_DOS)) {
int i;
/* disable recursing incase we hit another DOS partition
* future versions may support more layers */
recurse = 0;
for (i = 0; i < recurse_cnt; i++) {
vs = tsk_vs_open(img, recurse_list[i], TSK_VS_TYPE_DETECT);
if (vs != NULL) {
tsk_printf("\n\n");
print_header(vs);
if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
(TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
tsk_error_reset();
}
tsk_vs_close(vs);
}
else {
/* Ignore error in this case and reset */
tsk_error_reset();
}
}
}
tsk_img_close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_VS_INFO *vs;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
int ch;
TSK_OFF_T imgaddr = 0;
TSK_IMG_INFO *img;
TSK_PNUM_T pnum;
TSK_DADDR_T addr;
const TSK_VS_PART_INFO *vs_part;
char *buf;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) {
switch (ch) {
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('t'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_vs_type_print(stderr);
exit(1);
}
vstype = tsk_vs_type_toid(OPTARG);
if (vstype == TSK_VS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported volume system type: %s\n"),
OPTARG);
usage();
}
break;
case 'v':
tsk_verbose++;
break;
case 'V':
tsk_version_print(stdout);
exit(0);
case '?':
default:
tsk_fprintf(stderr, "Unknown argument\n");
usage();
}
}
/* We need at least two more arguments */
if (OPTIND + 1 >= argc) {
tsk_fprintf(stderr,
"Missing image name and/or partition number\n");
usage();
}
/* open the image */
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if (tsk_parse_pnum(argv[argc - 1], &pnum)) {
tsk_error_print(stderr);
exit(1);
}
/* process the partition tables */
if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
tsk_vs_type_print(stderr);
exit(1);
}
if (pnum >= vs->part_count) {
tsk_fprintf(stderr,
"Partition address is too large (maximum: %"
PRIuPNUM ")\n", vs->part_count);
exit(1);
}
vs_part = tsk_vs_part_get(vs, pnum);
if (vs_part == NULL) {
tsk_fprintf(stderr, "Error looking up partition\n");
exit(1);
}
buf = (char *) malloc(vs->block_size);
if (buf == NULL) {
tsk_error_print(stderr);
exit(1);
}
#ifdef TSK_WIN32
char strerror_buffer[1024];
if (-1 == _setmode(_fileno(stdout), _O_BINARY)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WRITE);
tsk_error_set_errstr(
"mmcat: error setting stdout to binary: %s",
strerror_s(strerror_buffer, 1024, errno));
return 1;
}
#endif
for (addr = 0; addr < vs_part->len; addr++) {
ssize_t retval;
retval =
tsk_vs_part_read_block(vs_part, addr, buf, vs->block_size);
if (retval == -1) {
tsk_error_print(stderr);
exit(1);
}
if ((size_t) retval != fwrite(buf, 1, retval, stdout)) {
tsk_fprintf(stderr, "Error writing data to stdout\n");
exit(1);
}
}
tsk_vs_close(vs);
tsk_img_close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
TSK_INUM_T inum;
int ch;
TSK_TCHAR *cp;
int32_t sec_skew = 0;
/* When > 0 this is the number of blocks to print, used for -B arg */
TSK_DADDR_T numblock = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:B:f:i:o:s:vVz:"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('B'):
numblock = TSTRTOULL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || numblock < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: block count must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('s'):
sec_skew = TATOI(OPTARG);
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
case _TSK_T('z'):
{
TSK_TCHAR envstr[32];
TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG);
if (0 != TPUTENV(envstr)) {
tsk_fprintf(stderr, "error setting environment");
exit(1);
}
TZSET();
}
break;
}
}
/* We need at least two more argument */
if (OPTIND + 1 >= argc) {
tsk_fprintf(stderr, "Missing image name and/or address\n");
usage();
}
/* if we are given the inode in the inode-type-id form, then ignore
* the other stuff w/out giving an error
*
* This will make scripting easier
*/
if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) {
TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"),
argv[argc - 1]);
usage();
}
/*
* Open the file system.
*/
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
if (inum > fs->last_inum) {
tsk_fprintf(stderr,
"Metadata address is too large for image (%" PRIuINUM ")\n",
fs->last_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (inum < fs->first_inum) {
tsk_fprintf(stderr,
"Metadata address is too small for image (%" PRIuINUM ")\n",
fs->first_inum);
fs->close(fs);
img->close(img);
exit(1);
}
if (fs->istat(fs, stdout, inum, numblock, sec_skew)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
fs->close(fs);
img->close(img);
exit(0);
}
