/*
* Class: edu_uw_apl_commons_tsk4j_filesys_FileSystem
* Method: openPartition
* Signature: (J)J
*/
JNIEXPORT jlong JNICALL
Java_edu_uw_apl_commons_tsk4j_filesys_FileSystem_openPartition
( JNIEnv *env, jobject thiz, jlong partitionNativePtr ) {
TSK_VS_PART_INFO* partInfo = (TSK_VS_PART_INFO*)partitionNativePtr;
TSK_FS_INFO* fsInfo = tsk_fs_open_vol( partInfo, TSK_FS_TYPE_DETECT );
return (jlong)fsInfo;
}
VALUE open_fs_from_partition(VALUE self, VALUE vpart_obj, VALUE opts) {
struct tsk4r_vs_part * rb_partition; struct tsk4r_fs_wrapper * my_pointer;
Data_Get_Struct(vpart_obj, struct tsk4r_vs_part, rb_partition);
Data_Get_Struct(self, struct tsk4r_fs_wrapper, my_pointer);
VALUE fs_type_flag = rb_hash_aref(opts, rb_symname_p("type_flag"));
TSK_FS_TYPE_ENUM * type_flag_num = get_fs_flag(fs_type_flag);
my_pointer->filesystem = tsk_fs_open_vol(rb_partition->volume_part, (TSK_FS_TYPE_ENUM)type_flag_num);
return self;
}
// should warn user when there is more than one partition available
// with a readable filesystem. Right now, this simply returns
// the last one found.
VALUE open_fs_from_volume(VALUE self, VALUE vs_obj, VALUE opts) {
struct tsk4r_vs * rb_volumesystem; struct tsk4r_fs_wrapper * my_pointer;
Data_Get_Struct(vs_obj, struct tsk4r_vs, rb_volumesystem);
Data_Get_Struct(self, struct tsk4r_fs_wrapper, my_pointer);
VALUE fs_type_flag = rb_hash_aref(opts, rb_symname_p("type_flag"));
TSK_FS_TYPE_ENUM * type_flag_num = get_fs_flag(fs_type_flag);
TSK_PNUM_T c = 0;
while (c < rb_volumesystem->volume->part_count) {
const TSK_VS_PART_INFO * partition = tsk_vs_part_get(rb_volumesystem->volume, c);
my_pointer->filesystem = tsk_fs_open_vol(partition, (TSK_FS_TYPE_ENUM)type_flag_num);
if (my_pointer->filesystem != NULL) { break; }
c++;
}
return self;
}
static TSK_WALK_RET_ENUM find_file_in_partiton(
TSK_VS_INFO * vs, const TSK_VS_PART_INFO * part, void *ptr){
find_file_data *data = (find_file_data*)ptr;
const char *file_path = data->full_path;
TSK_FS_INFO *filesystem;
TSK_FS_FILE *file;
filesystem = tsk_fs_open_vol(part, TSK_FS_TYPE_DETECT);
if (OPEN_FAIL(filesystem))
return TSK_WALK_CONT;
file = tsk_fs_file_open(filesystem, NULL, file_path);
if (OPEN_FAIL(file))
return TSK_WALK_CONT;
data->file_found_in_partiton = 0;
utarray_new(data->offsets_in_filesystem, &ut_tsk_daddr_tuple_icd);
log_file_offsets_in_filesystem(data, file);
if (data->file_found_in_partiton) {
TSK_DADDR_T *p;
for (p=(TSK_DADDR_T*)utarray_front(data->offsets_in_filesystem);
p != NULL;
p=(TSK_DADDR_T*)utarray_next(data->offsets_in_filesystem, p)) {
TSK_DADDR_T offset_start_and_last[2] = {
p[0] + part->start*vs->img_info->sector_size,
p[1] + part->start*vs->img_info->sector_size
};
utarray_push_back(data->offsets_in_disk, &offset_start_and_last);
}
data->file_found = 1;
}
utarray_free(data->offsets_in_filesystem);
tsk_fs_file_close(file);
tsk_fs_close(filesystem);
return TSK_WALK_CONT;
}
Volume::Volume(const TSK_VS_PART_INFO* vol): Vol(vol) {
TSK_FS_INFO* fs(tsk_fs_open_vol(Vol, TSK_FS_TYPE_DETECT));
if (fs) {
Fs.reset(new Filesystem(fs));
}
}
TSK_WALK_RET_ENUM part_act(
TSK_VS_INFO* pVsInfo,
const TSK_VS_PART_INFO* pPartInfo,
void* pData)
{
TSK_FS_INFO* lFsInfo = NULL;
OS_FH_TYPE lOut = (OS_FH_TYPE)pData;
unsigned long long lCnt = 0;
char lBuf[32768] = { 0 };
unsigned long long lOffsetBlock = 0;
/* open file system */
if ((lFsInfo = tsk_fs_open_vol(
pPartInfo, /* partition to open */
TSK_FS_TYPE_DETECT /* auto-detect mode on */
)) != NULL)
{
/* known file-system */
/* iterate over unallocated blocks of fs */
tsk_fs_block_walk(
lFsInfo, /* file-system info */
0, /* start */
lFsInfo->block_count - 1, /* end */
TSK_FS_BLOCK_WALK_FLAG_UNALLOC, /* only unallocated blocks */
block_act, /* callback */
pData /* file-handle */
);
/* close fs */
tsk_fs_close(lFsInfo);
}
else
{
/* unknown file-system */
/* iterate through all blocks of this volume regardless of their state */
for (lCnt = 0; lCnt < pPartInfo->len; lCnt++)
{
lOffsetBlock = (pPartInfo->start + lCnt) * pPartInfo->vs->block_size;
LOGGING_DEBUG(
"Block in unknown partition (Len: %lu blocks). "
"Size: %u, Absolute address (Bytes): %lld\n",
pPartInfo->len,
pPartInfo->vs->block_size,
lOffsetBlock);
/* use the following function so that forensic images are supported */
/* HINT: this is not the case with fopen/fseek/fread/fclose functions */
tsk_vs_part_read_block(
pPartInfo,
lCnt, /* start address (blocks) relative to start of volume */
lBuf, /* buffer to store data in */
pPartInfo->vs->block_size /* amount of data to read */
);
data_act(lBuf,
pPartInfo->vs->block_size,
lOffsetBlock,
lOut);
}
}
return TSK_WALK_CONT;
}
