/* main - open file system, list inode info */ int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; TSK_TCHAR *cp, *dash; TSK_INUM_T istart = 0, ilast = 0; int ch; int flags = TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED; int ils_flags = 0; int set_range = 1; TSK_TCHAR *image = NULL; int32_t sec_skew = 0; TSK_TCHAR **argv; unsigned int ssize = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); /* * Provide convenience options for the most commonly selected feature * combinations. */ while ((ch = GETOPT(argc, argv, _TSK_T("aAb:ef:i:lLmo:Oprs:vVzZ"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('e'): flags |= (TSK_FS_META_FLAG_ALLOC | TSK_FS_META_FLAG_UNALLOC); flags &= ~TSK_FS_META_FLAG_USED; break; case _TSK_T('m'): ils_flags |= TSK_FS_ILS_MAC; break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('O'): flags |= TSK_FS_META_FLAG_UNALLOC; flags &= ~TSK_FS_META_FLAG_ALLOC; ils_flags |= TSK_FS_ILS_OPEN; break; case _TSK_T('p'): flags |= (TSK_FS_META_FLAG_ORPHAN | TSK_FS_META_FLAG_UNALLOC); flags &= ~TSK_FS_META_FLAG_ALLOC; break; case _TSK_T('r'): flags |= (TSK_FS_META_FLAG_UNALLOC | TSK_FS_META_FLAG_USED); flags &= ~TSK_FS_META_FLAG_ALLOC; break; case _TSK_T('s'): sec_skew = TATOI(OPTARG); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); /* * Provide fine controls to tweak one feature at a time. */ case _TSK_T('a'): flags |= TSK_FS_META_FLAG_ALLOC; flags &= ~TSK_FS_META_FLAG_UNALLOC; break; case _TSK_T('A'): flags |= TSK_FS_META_FLAG_UNALLOC; break; case _TSK_T('l'): ils_flags |= TSK_FS_ILS_LINK; break; case _TSK_T('L'): ils_flags |= TSK_FS_ILS_UNLINK; break; case _TSK_T('z'): flags |= TSK_FS_META_FLAG_UNUSED; break; case _TSK_T('Z'): flags |= TSK_FS_META_FLAG_USED; break; } } if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((ils_flags & TSK_FS_ILS_LINK) && (ils_flags & TSK_FS_ILS_UNLINK)) { tsk_fprintf(stderr, "ERROR: Only linked or unlinked should be used\n"); usage(); } /* We need to determine if an inode or inode range was given */ if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) { /* Check if is a single number */ istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { /* Single address set end addr to start */ ilast = istart; set_range = 0; image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } } else { /* We have a dash, but it could be part of the file name */ *dash = '\0'; istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ *dash = _TSK_T('-'); image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { dash++; ilast = TSTRTOULL(dash, &cp, 0); if (*cp || *cp == *dash) { /* Not a number - consider it a file name */ dash--; *dash = '-'; image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { set_range = 0; /* It was a block range, so do not include it in the open */ image = argv[OPTIND]; if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } } } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } /* do we need to set the range or just check them? */ if (set_range) { istart = fs->first_inum; ilast = fs->last_inum; } else { if (istart < fs->first_inum) istart = fs->first_inum; if (ilast > fs->last_inum) ilast = fs->last_inum; } /* NTFS uses alloc and link different than UNIX so change * the default behavior * * The link value can be > 0 on deleted files (even when closed) */ /* NTFS and FAT have no notion of deleted but still open */ if ((ils_flags & TSK_FS_ILS_OPEN) && (TSK_FS_TYPE_ISNTFS(fs->ftype) || TSK_FS_TYPE_ISFAT(fs->ftype))) { fprintf(stderr, "Error: '-O' argument does not work with NTFS and FAT images\n"); exit(1); } if (tsk_fs_ils(fs, (TSK_FS_ILS_FLAG_ENUM) ils_flags, istart, ilast, (TSK_FS_META_FLAG_ENUM) flags, sec_skew, image)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; int ch; TSK_TCHAR *cp; uint8_t type = 0; int set = 0; TSK_DADDR_T count = 0; TSK_TCHAR **argv; unsigned int ssize = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = GETOPT(argc, argv, _TSK_T("b:d:f:i:o:s:u:vV"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('d'): type |= TSK_FS_BLKCALC_DD; count = TSTRTOULL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG) { TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG); usage(); } set = 1; break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('s'): type |= TSK_FS_BLKCALC_SLACK; count = TSTRTOULL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG) { TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG); usage(); } set = 1; break; case _TSK_T('u'): type |= TSK_FS_BLKCALC_BLKLS; count = TSTRTOULL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG) { TFPRINTF(stderr, _TSK_T("Invalid address: %s\n"), OPTARG); usage(); } set = 1; break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); } } /* We need at least one more argument */ if (OPTIND == argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((!type) || (set == 0)) { tsk_fprintf(stderr, "Calculation type not given (-u, -d, -s)\n"); usage(); } if ((type & TSK_FS_BLKCALC_DD) && (type & TSK_FS_BLKCALC_BLKLS) && (type & TSK_FS_BLKCALC_SLACK)) { tsk_fprintf(stderr, "Only one block type can be given\n"); usage(); } if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } if (-1 == tsk_fs_blkcalc(fs, (TSK_FS_BLKCALC_FLAG_ENUM) type, count)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char** argv1) { TSK_TCHAR **argv; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_OFF_T imgaddr = 0; int ch; while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) { switch (ch) { case _TSK_T('f'): fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('v'): tsk_verbose = 1; break; default: usage(); break; } } if (argc - OPTIND != 3) { usage(); } const TSK_TCHAR* image = argv[OPTIND]; size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0); if (nthreads == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0); if (niters == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0); if (img == 0) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype); if (fs == 0) { tsk_img_close(img); tsk_error_print(stderr); exit(1); } TskThread** threads = new TskThread*[nthreads]; for (size_t i = 0; i < nthreads; ++i) { threads[i] = new MyThread(i, fs, niters); } TskThread::run(threads, nthreads); for (size_t i = 0; i < nthreads; ++i) { delete threads[i]; } delete[] threads; tsk_fs_close(fs); tsk_img_close(img); exit(0); }
/* main - open file system, list inode info */ int MAIN(int argc, TSK_TCHAR ** argv) { TSK_TCHAR *fstype = NULL; TSK_TCHAR *imgtype = NULL, *cp, *dash; TSK_IMG_INFO *img; TSK_FS_INFO *fs; INUM_T istart = 0, ilast = 0; int ch; int flags = TSK_FS_INODE_FLAG_UNALLOC | TSK_FS_INODE_FLAG_USED; int argflags = 0; SSIZE_T imgoff = 0; int set_range = 1; TSK_TCHAR *image = NULL; int32_t sec_skew = 0; progname = argv[0]; setlocale(LC_ALL, ""); /* * Provide convenience options for the most commonly selected feature * combinations. */ while ((ch = getopt(argc, argv, _TSK_T("aAef:i:lLmo:Oprs:vVzZ"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[optind]); usage(); case _TSK_T('f'): fstype = optarg; if (TSTRCMP(fstype, _TSK_T("list")) == 0) { tsk_fs_print_types(stderr); exit(1); } break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('e'): flags |= (TSK_FS_INODE_FLAG_ALLOC | TSK_FS_INODE_FLAG_UNALLOC); flags &= ~TSK_FS_INODE_FLAG_USED; break; case _TSK_T('m'): argflags |= TSK_FS_ILS_MAC; break; case _TSK_T('o'): if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('O'): flags |= TSK_FS_INODE_FLAG_UNALLOC; flags &= ~TSK_FS_INODE_FLAG_ALLOC; argflags |= TSK_FS_ILS_OPEN; break; case _TSK_T('p'): flags |= (TSK_FS_INODE_FLAG_ORPHAN | TSK_FS_INODE_FLAG_UNALLOC); flags &= ~TSK_FS_INODE_FLAG_ALLOC; break; case _TSK_T('r'): flags |= (TSK_FS_INODE_FLAG_UNALLOC | TSK_FS_INODE_FLAG_USED); flags &= ~TSK_FS_INODE_FLAG_ALLOC; break; case _TSK_T('s'): sec_skew = TATOI(optarg); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_print_version(stdout); exit(0); /* * Provide fine controls to tweak one feature at a time. */ case _TSK_T('a'): flags |= TSK_FS_INODE_FLAG_ALLOC; break; case _TSK_T('A'): flags |= TSK_FS_INODE_FLAG_UNALLOC; break; case _TSK_T('l'): argflags |= TSK_FS_ILS_LINK; break; case _TSK_T('L'): argflags |= TSK_FS_ILS_UNLINK; break; case _TSK_T('z'): flags |= TSK_FS_INODE_FLAG_UNUSED; break; case _TSK_T('Z'): flags |= TSK_FS_INODE_FLAG_USED; break; } } if (optind >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((argflags & TSK_FS_ILS_LINK) && (argflags & TSK_FS_ILS_UNLINK)) { tsk_fprintf(stderr, "ERROR: Only linked or unlinked should be used\n"); usage(); } /* We need to determine if an inode or inode range was given */ if ((dash = TSTRCHR(argv[argc - 1], _TSK_T('-'))) == NULL) { /* Check if is a single number */ istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { /* Single address set end addr to start */ ilast = istart; set_range = 0; image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind - 1, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } } else { /* We have a dash, but it could be part of the file name */ *dash = '\0'; istart = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { /* Not a number - consider it a file name */ *dash = _TSK_T('-'); image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { dash++; ilast = TSTRTOULL(dash, &cp, 0); if (*cp || *cp == *dash) { /* Not a number - consider it a file name */ dash--; *dash = '-'; image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { set_range = 0; /* It was a block range, so do not include it in the open */ image = argv[optind]; if ((img = tsk_img_open(imgtype, argc - optind - 1, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } } } if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_print_types(stderr); img->close(img); exit(1); } /* do we need to set the range or just check them? */ if (set_range) { istart = fs->first_inum; ilast = fs->last_inum; } else { if (istart < fs->first_inum) istart = fs->first_inum; if (ilast > fs->last_inum) ilast = fs->last_inum; } /* NTFS uses alloc and link different than UNIX so change * the default behavior * * The link value can be > 0 on deleted files (even when closed) */ /* NTFS and FAT have no notion of deleted but still open */ if ((argflags & TSK_FS_ILS_OPEN) && (((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) == TSK_FS_INFO_TYPE_NTFS_TYPE) || ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) == TSK_FS_INFO_TYPE_FAT_TYPE))) { fprintf(stderr, "Error: '-O' argument does not work with NTFS and FAT images\n"); exit(1); } if (tsk_fs_ils(fs, argflags, istart, ilast, flags, sec_skew, image)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int MAIN(int argc, TSK_TCHAR ** argv) { TSK_FS_INFO *fs; TSK_IMG_INFO *img; TSK_TCHAR *fstype = NULL; TSK_TCHAR *imgtype = NULL; int ch; uint8_t type = 0; SSIZE_T imgoff = 0; progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = getopt(argc, argv, _TSK_T("f:i:o:tvV"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[optind]); usage(); case _TSK_T('f'): fstype = optarg; if (TSTRCMP(fstype, _TSK_T("list")) == 0) { tsk_fs_print_types(stderr); exit(1); } break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('o'): if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): type = 1; break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_print_version(stdout); exit(0); } } /* We need at least one more argument */ if (optind >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_print_types(stderr); img->close(img); exit(1); } if (type) { char *str = tsk_fs_get_type(fs->ftype); tsk_printf("%s\n", str); } else { if (fs->fsstat(fs, stdout)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; TSK_DADDR_T addr = 0; TSK_TCHAR *cp; TSK_DADDR_T read_num_units; /* Number of data units */ int usize = 0; /* Length of each data unit */ int ch; char format = 0; extern int OPTIND; TSK_TCHAR **argv; unsigned int ssize = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = GETOPT(argc, argv, _TSK_T("ab:f:hi:o:su:vVw"))) > 0) { switch (ch) { case _TSK_T('a'): format |= TSK_FS_BLKCAT_ASCII; break; case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, BLKLS_TYPE) == 0) { fstype = TSK_FS_TYPE_RAW; } else if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fprintf(stderr, "\t%" PRIttocTSK " (Unallocated Space)\n", BLKLS_TYPE); tsk_fs_type_print(stderr); exit(1); } else { fstype = tsk_fs_type_toid(OPTARG); } if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('h'): format |= TSK_FS_BLKCAT_HEX; break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('s'): format |= TSK_FS_BLKCAT_STAT; break; case _TSK_T('u'): usize = TSTRTOUL(OPTARG, &cp, 0); if (*cp || cp == OPTARG) { TFPRINTF(stderr, _TSK_T("Invalid block size: %s\n"), OPTARG); usage(); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); break; case _TSK_T('w'): format |= TSK_FS_BLKCAT_HTML; break; case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); } } if (format & TSK_FS_BLKCAT_STAT) { if (OPTIND == argc) usage(); if (format & (TSK_FS_BLKCAT_HTML | TSK_FS_BLKCAT_ASCII | TSK_FS_BLKCAT_HEX)) { tsk_fprintf(stderr, "NOTE: Additional flags will be ignored\n"); } } /* We need at least two more arguments */ else if (OPTIND + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or address\n"); usage(); } if ((format & TSK_FS_BLKCAT_ASCII) && (format & TSK_FS_BLKCAT_HEX)) { tsk_fprintf(stderr, "Ascii and Hex flags can not be used together\n"); usage(); } /* We need to figure out if there is a length argument... */ /* Check out the second argument from the end */ /* default number of units is 1 */ read_num_units = 1; /* Get the block address */ if (format & TSK_FS_BLKCAT_STAT) { if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { addr = TSTRTOULL(argv[argc - 2], &cp, 0); if (*cp || *cp == *argv[argc - 2]) { /* Not a number, so it is the image name and we do not have a length */ addr = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"), argv[argc - 1]); usage(); } if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } else { /* We got a number, so take the length as well while we are at it */ read_num_units = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { TFPRINTF(stderr, _TSK_T("Invalid size: %s\n"), argv[argc - 1]); usage(); } else if (read_num_units <= 0) { tsk_fprintf(stderr, "Invalid size: %" PRIuDADDR "\n", read_num_units); usage(); } if ((img = tsk_img_open(argc - OPTIND - 2, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } } } /* open the file */ if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } /* Set the default size if given */ if ((usize != 0) && (TSK_FS_TYPE_ISRAW(fs->ftype) || TSK_FS_TYPE_ISSWAP(fs->ftype))) { TSK_DADDR_T sectors; int orig_dsize, new_dsize; if (usize % 512) { tsk_fprintf(stderr, "New data unit size not a multiple of 512 (%d)\n", usize); usage(); } /* We need to do some math to update the block_count value */ /* Get the original number of sectors */ orig_dsize = fs->block_size / 512; sectors = fs->block_count * orig_dsize; /* Convert that to the new size */ new_dsize = usize / 512; fs->block_count = sectors / new_dsize; if (sectors % new_dsize) fs->block_count++; fs->last_block = fs->block_count - 1; fs->block_size = usize; } if (addr > fs->last_block) { tsk_fprintf(stderr, "Data unit address too large for image (%" PRIuDADDR ")\n", fs->last_block); fs->close(fs); img->close(img); exit(1); } if (addr < fs->first_block) { tsk_fprintf(stderr, "Data unit address too small for image (%" PRIuDADDR ")\n", fs->first_block); fs->close(fs); img->close(img); exit(1); } if (tsk_fs_blkcat(fs, (TSK_FS_BLKCAT_FLAG_ENUM) format, addr, read_num_units)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; TSK_INUM_T inum; int ch; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = GETOPT(argc, argv, _TSK_T("b:f:i:o:vV"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); } } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name and/or address\n"); usage(); } /* open image - there is an optional inode address at the end of args * * Check the final argument and see if it is a number */ if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) { /* Not an inode at the end */ if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } inum = fs->journ_inum; } else { if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } } if (fs->jopen == NULL) { tsk_fprintf(stderr, "Journal support does not exist for this file system\n"); fs->close(fs); img->close(img); exit(1); } if (inum > fs->last_inum) { tsk_fprintf(stderr, "Inode value is too large for image (%" PRIuINUM ")\n", fs->last_inum); fs->close(fs); img->close(img); exit(1); } if (inum < fs->first_inum) { tsk_fprintf(stderr, "Inode value is too small for image (%" PRIuINUM ")\n", fs->first_inum); fs->close(fs); img->close(img); exit(1); } if (fs->jopen(fs, inum)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } if (fs->jentry_walk(fs, 0, 0, NULL)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int MAIN(int argc, TSK_TCHAR ** argv) { TSK_TCHAR *imgtype = NULL; TSK_TCHAR *fstype = NULL; TSK_FS_INFO *fs; TSK_IMG_INFO *img; int ch; TSK_TCHAR *cp; extern int optind; DADDR_T block = 0; /* the block to find */ INUM_T parinode = 0; TSK_TCHAR *path = NULL; SSIZE_T imgoff = 0; progname = argv[0]; setlocale(LC_ALL, ""); localflags = 0; while ((ch = getopt(argc, argv, _TSK_T("ad:f:i:ln:o:p:vVz:"))) > 0) { switch (ch) { case _TSK_T('a'): localflags |= TSK_FS_IFIND_ALL; break; case _TSK_T('d'): if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_PATH)) { tsk_fprintf(stderr, "error: only one address type can be given\n"); usage(); } localflags |= TSK_FS_IFIND_DATA; block = TSTRTOULL(optarg, &cp, 0); if (*cp || *cp == *optarg) { TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"), optarg); usage(); } break; case _TSK_T('f'): fstype = optarg; if (TSTRCMP(fstype, _TSK_T("list")) == 0) { tsk_fs_print_types(stderr); exit(1); } break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('l'): localflags |= TSK_FS_IFIND_PAR_LONG; break; case _TSK_T('n'): { size_t len; if (localflags & (TSK_FS_IFIND_PAR | TSK_FS_IFIND_DATA)) { tsk_fprintf(stderr, "error: only one address type can be given\n"); usage(); } localflags |= TSK_FS_IFIND_PATH; len = (TSTRLEN(optarg) + 1) * sizeof(TSK_TCHAR); if ((path = (TSK_TCHAR *) tsk_malloc(len)) == NULL) { tsk_error_print(stderr); exit(1); } TSTRNCPY(path, optarg, TSTRLEN(optarg) + 1); break; } case 'o': if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case 'p': if (localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA)) { tsk_fprintf(stderr, "error: only one address type can be given\n"); usage(); } localflags |= TSK_FS_IFIND_PAR; if (tsk_parse_inum(optarg, &parinode, NULL, NULL, NULL)) { TFPRINTF(stderr, _TSK_T("Invalid inode address: %s\n"), optarg); usage(); } break; case 'v': tsk_verbose++; break; case 'V': tsk_print_version(stdout); exit(0); case 'z': { TSK_TCHAR envstr[32]; TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), optarg); if (0 != PUTENV(envstr)) { tsk_fprintf(stderr, "error setting environment"); exit(1); } /* we should be checking this somehow */ TZSET(); break; } case '?': default: tsk_fprintf(stderr, "Invalid argument: %s\n", argv[optind]); usage(); } } /* We need at least one more argument */ if (optind >= argc) { tsk_fprintf(stderr, "Missing image name\n"); if (path) free(path); usage(); } if (0 == (localflags & (TSK_FS_IFIND_PATH | TSK_FS_IFIND_DATA | TSK_FS_IFIND_PAR))) { tsk_fprintf(stderr, "-d, -n, or -p must be given\n"); usage(); } if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); if (path) free(path); exit(1); } if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_print_types(stderr); img->close(img); if (path) free(path); exit(1); } if (localflags & TSK_FS_IFIND_DATA) { if (block > fs->last_block) { tsk_fprintf(stderr, "Block %" PRIuDADDR " is larger than last block in image (%" PRIuDADDR ")\n", block, fs->last_block); fs->close(fs); img->close(img); exit(1); } else if (block == 0) { tsk_printf("Inode not found\n"); fs->close(fs); img->close(img); exit(1); } if (tsk_fs_ifind_data(fs, localflags, block)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } } else if (localflags & TSK_FS_IFIND_PAR) { if ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) != TSK_FS_INFO_TYPE_NTFS_TYPE) { tsk_fprintf(stderr, "-p works only with NTFS file systems\n"); fs->close(fs); img->close(img); exit(1); } else if (parinode > fs->last_inum) { tsk_fprintf(stderr, "Meta data %" PRIuINUM " is larger than last MFT entry in image (%" PRIuINUM ")\n", parinode, fs->last_inum); fs->close(fs); img->close(img); exit(1); } if (tsk_fs_ifind_par(fs, localflags, parinode)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } } else if (localflags & TSK_FS_IFIND_PATH) { int retval; INUM_T inum; if (-1 == (retval = tsk_fs_ifind_path(fs, localflags, path, &inum))) { tsk_error_print(stderr); fs->close(fs); img->close(img); free(path); exit(1); } free(path); if (retval == 1) tsk_printf("File not found\n"); else tsk_printf("%" PRIuINUM "\n", inum); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; int ch; TSK_OFF_T imgaddr = 0; TSK_IMG_INFO *img; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) { switch (ch) { case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case 'v': tsk_verbose++; break; case 'V': tsk_version_print(stdout); exit(0); case '?': default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } /* open the image */ if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } /* process the partition tables */ if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); exit(1); } print_stats(vs); tsk_vs_close(vs); tsk_img_close(img); exit(0); }
int MAIN(int argc, TSK_TCHAR ** argv) { TSK_TCHAR *imgtype = NULL; TSK_TCHAR *fstype = NULL; TSK_IMG_INFO *img; TSK_FS_INFO *fs; INUM_T inum; int ch; TSK_TCHAR *cp; int32_t sec_skew = 0; SSIZE_T imgoff = 0; /* When > 0 this is the number of blocks to print, used for -b arg */ DADDR_T numblock = 0; progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = getopt(argc, argv, _TSK_T("b:f:i:o:s:vVz:"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[optind]); usage(); case _TSK_T('b'): numblock = TSTRTOULL(optarg, &cp, 0); if (*cp || *cp == *optarg || numblock < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: block count must be positive: %s\n"), optarg); usage(); } break; case _TSK_T('f'): fstype = optarg; if (TSTRCMP(fstype, _TSK_T("list")) == 0) { tsk_fs_print_types(stderr); exit(1); } break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('o'): if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('s'): sec_skew = TATOI(optarg); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_print_version(stdout); exit(0); case _TSK_T('z'): { TSK_TCHAR envstr[32]; TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), optarg); if (0 != PUTENV(envstr)) { tsk_fprintf(stderr, "error setting environment"); exit(1); } TZSET(); } break; } } /* We need at least two more argument */ if (optind + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or address\n"); usage(); } /* if we are given the inode in the inode-type-id form, then ignore * the other stuff w/out giving an error * * This will make scripting easier */ if (tsk_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL)) { TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"), argv[argc - 1]); usage(); } /* * Open the file system. */ if ((img = tsk_img_open(imgtype, argc - optind - 1, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_print_types(stderr); img->close(img); exit(1); } if (inum > fs->last_inum) { tsk_fprintf(stderr, "Metadata address is too large for image (%" PRIuINUM ")\n", fs->last_inum); fs->close(fs); img->close(img); exit(1); } if (inum < fs->first_inum) { tsk_fprintf(stderr, "Metadata address is too small for image (%" PRIuINUM ")\n", fs->first_inum); fs->close(fs); img->close(img); exit(1); } if (fs->istat(fs, stdout, inum, numblock, sec_skew)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; int ch; TSK_OFF_T imgaddr = 0; int flags = 0; TSK_IMG_INFO *img; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; uint8_t hide_meta = 0; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("aAb:Bi:mMo:rt:vV"))) > 0) { switch (ch) { case _TSK_T('a'): flags |= TSK_VS_PART_FLAG_ALLOC; break; case _TSK_T('A'): flags |= TSK_VS_PART_FLAG_UNALLOC; break; case _TSK_T('B'): print_bytes = 1; break; case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('m'): flags |= (TSK_VS_PART_FLAG_META); break; case _TSK_T('M'): // we'll set this after all flags have been set hide_meta = 1; break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('r'): recurse = 1; break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); case _TSK_T('?'): default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } // if they want to hide metadata volumes, set that now if (hide_meta) { if (flags == 0) flags = (TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC); else flags &= ~TSK_VS_PART_FLAG_META; } else if (flags == 0) { flags = TSK_VS_PART_FLAG_ALL; } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } /* open the image */ img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize); if (img == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } /* process the partition tables */ vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype); if (vs == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); tsk_img_close(img); exit(1); } print_header(vs); if (tsk_vs_part_walk(vs, 0, vs->part_count - 1, (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) { tsk_error_print(stderr); tsk_vs_close(vs); tsk_img_close(img); exit(1); } tsk_vs_close(vs); if ((recurse) && (vs->vstype == TSK_VS_TYPE_DOS)) { int i; /* disable recursing incase we hit another DOS partition * future versions may support more layers */ recurse = 0; for (i = 0; i < recurse_cnt; i++) { vs = tsk_vs_open(img, recurse_list[i], TSK_VS_TYPE_DETECT); if (vs != NULL) { tsk_printf("\n\n"); print_header(vs); if (tsk_vs_part_walk(vs, 0, vs->part_count - 1, (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) { tsk_error_reset(); } tsk_vs_close(vs); } else { /* Ignore error in this case and reset */ tsk_error_reset(); } } } tsk_img_close(img); exit(0); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; int ch; TSK_OFF_T imgaddr = 0; TSK_IMG_INFO *img; TSK_PNUM_T pnum; TSK_DADDR_T addr; const TSK_VS_PART_INFO *vs_part; char *buf; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) { switch (ch) { case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case 'v': tsk_verbose++; break; case 'V': tsk_version_print(stdout); exit(0); case '?': default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } /* We need at least two more arguments */ if (OPTIND + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or partition number\n"); usage(); } /* open the image */ if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if (tsk_parse_pnum(argv[argc - 1], &pnum)) { tsk_error_print(stderr); exit(1); } /* process the partition tables */ if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); exit(1); } if (pnum >= vs->part_count) { tsk_fprintf(stderr, "Partition address is too large (maximum: %" PRIuPNUM ")\n", vs->part_count); exit(1); } vs_part = tsk_vs_part_get(vs, pnum); if (vs_part == NULL) { tsk_fprintf(stderr, "Error looking up partition\n"); exit(1); } buf = (char *) malloc(vs->block_size); if (buf == NULL) { tsk_error_print(stderr); exit(1); } #ifdef TSK_WIN32 char strerror_buffer[1024]; if (-1 == _setmode(_fileno(stdout), _O_BINARY)) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_WRITE); tsk_error_set_errstr( "mmcat: error setting stdout to binary: %s", strerror_s(strerror_buffer, 1024, errno)); return 1; } #endif for (addr = 0; addr < vs_part->len; addr++) { ssize_t retval; retval = tsk_vs_part_read_block(vs_part, addr, buf, vs->block_size); if (retval == -1) { tsk_error_print(stderr); exit(1); } if ((size_t) retval != fwrite(buf, 1, retval, stdout)) { tsk_fprintf(stderr, "Error writing data to stdout\n"); exit(1); } } tsk_vs_close(vs); tsk_img_close(img); exit(0); }
int MAIN(int argc, TSK_TCHAR ** argv) { TSK_FS_INFO *fs = NULL; TSK_IMG_INFO *img; DADDR_T addr = 0; TSK_TCHAR *fstype = NULL; TSK_TCHAR *cp, *imgtype = NULL; DADDR_T read_num_units; /* Number of data units */ int usize = 0; /* Length of each data unit */ int ch; char format = 0; extern int optind; SSIZE_T imgoff = 0; progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = getopt(argc, argv, _TSK_T("af:hi:o:su:vVw"))) > 0) { switch (ch) { case _TSK_T('a'): format |= TSK_FS_DCAT_ASCII; break; case _TSK_T('f'): fstype = optarg; if (TSTRCMP(fstype, _TSK_T(DLS_TYPE)) == 0) fstype = _TSK_T(RAW_STR); if (TSTRCMP(fstype, _TSK_T("list")) == 0) { tsk_fprintf(stderr, "\t%s (Unallocated Space)\n", DLS_TYPE); tsk_fs_print_types(stderr); exit(1); } break; case _TSK_T('h'): format |= TSK_FS_DCAT_HEX; break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('o'): if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('s'): format |= TSK_FS_DCAT_STAT; break; case _TSK_T('u'): usize = TSTRTOUL(optarg, &cp, 0); if (*cp || cp == optarg) { TFPRINTF(stderr, _TSK_T("Invalid block size: %s\n"), optarg); usage(); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_print_version(stdout); exit(0); break; case _TSK_T('w'): format |= TSK_FS_DCAT_HTML; break; case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[optind]); usage(); } } if (format & TSK_FS_DCAT_STAT) { if (optind == argc) usage(); if (format & (TSK_FS_DCAT_HTML | TSK_FS_DCAT_ASCII | TSK_FS_DCAT_HEX)) { tsk_fprintf(stderr, "NOTE: Additional flags will be ignored\n"); } } /* We need at least two more arguments */ else if (optind + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or address\n"); usage(); } if ((format & TSK_FS_DCAT_ASCII) && (format & TSK_FS_DCAT_HEX)) { tsk_fprintf(stderr, "Ascii and Hex flags can not be used together\n"); usage(); } /* We need to figure out if there is a length argument... */ /* Check out the second argument from the end */ /* default number of units is 1 */ read_num_units = 1; /* Get the block address */ if (format & TSK_FS_DCAT_STAT) { if ((img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { addr = TSTRTOULL(argv[argc - 2], &cp, 0); if (*cp || *cp == *argv[argc - 2]) { /* Not a number, so it is the image name and we do not have a length */ addr = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { TFPRINTF(stderr, _TSK_T("Invalid block address: %s\n"), argv[argc - 1]); usage(); } if ((img = tsk_img_open(imgtype, argc - optind - 1, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } else { /* We got a number, so take the length as well while we are at it */ read_num_units = TSTRTOULL(argv[argc - 1], &cp, 0); if (*cp || *cp == *argv[argc - 1]) { TFPRINTF(stderr, _TSK_T("Invalid size: %s\n"), argv[argc - 1]); usage(); } else if (read_num_units <= 0) { tsk_fprintf(stderr, "Invalid size: %" PRIuDADDR "\n", read_num_units); usage(); } if ((img = tsk_img_open(imgtype, argc - optind - 2, (const TSK_TCHAR **) &argv[optind])) == NULL) { tsk_error_print(stderr); exit(1); } } } /* open the file */ if ((fs = tsk_fs_open(img, imgoff, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_fs_print_types(stderr); img->close(img); exit(1); } /* Set the default size if given */ if ((usize != 0) && (((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) == TSK_FS_INFO_TYPE_RAW_TYPE) || ((fs->ftype & TSK_FS_INFO_TYPE_FS_MASK) == TSK_FS_INFO_TYPE_SWAP_TYPE))) { DADDR_T sectors; int orig_dsize, new_dsize; if (usize % 512) { tsk_fprintf(stderr, "New data unit size not a multiple of 512 (%d)\n", usize); usage(); } /* We need to do some math to update the block_count value */ /* Get the original number of sectors */ orig_dsize = fs->block_size / 512; sectors = fs->block_count * orig_dsize; /* Convert that to the new size */ new_dsize = usize / 512; fs->block_count = sectors / new_dsize; if (sectors % new_dsize) fs->block_count++; fs->last_block = fs->block_count - 1; fs->block_size = usize; } if (addr > fs->last_block) { tsk_fprintf(stderr, "Data unit address too large for image (%" PRIuDADDR ")\n", fs->last_block); fs->close(fs); img->close(img); exit(1); } if (addr < fs->first_block) { tsk_fprintf(stderr, "Data unit address too small for image (%" PRIuDADDR ")\n", fs->first_block); fs->close(fs); img->close(img); exit(1); } if (tsk_fs_dcat(fs, format, addr, read_num_units)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; int ch; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, "b:f:i:o:vV")) > 0) { switch (ch) { case '?': default: fprintf(stderr, "Invalid argument: %s\n", argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case 'f': if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case 'i': if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case 'o': if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case 'v': verbose++; break; case 'V': print_version(stdout); exit(0); } } /* We need at least one more argument */ if (OPTIND >= argc) { fprintf(stderr, "Missing image name\n"); usage(); } img = img_open(imgoff, argc - OPTIND, (const char **) &argv[OPTIND], imgtype, ssize); if (img == NULL) { tsk_error_print(stderr); exit(1); } if (fs = fs_open(img, fstype)) { if (tsk_errno == TSK_ERR_FS_UNSUPTYPE) tsk_print_types(stderr); tsk_error_print(stderr); img->close(img); exit(1); } if (fs->fscheck(fs, stdout)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; TSK_INUM_T inum; int ch; TSK_TCHAR *cp; int32_t sec_skew = 0; /* When > 0 this is the number of blocks to print, used for -B arg */ TSK_DADDR_T numblock = 0; TSK_TCHAR **argv; unsigned int ssize = 0; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = GETOPT(argc, argv, _TSK_T("b:B:f:i:o:s:vVz:"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('B'): numblock = TSTRTOULL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || numblock < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: block count must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('s'): sec_skew = TATOI(OPTARG); break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); case _TSK_T('z'): { TSK_TCHAR envstr[32]; TSNPRINTF(envstr, 32, _TSK_T("TZ=%s"), OPTARG); if (0 != TPUTENV(envstr)) { tsk_fprintf(stderr, "error setting environment"); exit(1); } TZSET(); } break; } } /* We need at least two more argument */ if (OPTIND + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or address\n"); usage(); } /* if we are given the inode in the inode-type-id form, then ignore * the other stuff w/out giving an error * * This will make scripting easier */ if (tsk_fs_parse_inum(argv[argc - 1], &inum, NULL, NULL, NULL, NULL)) { TFPRINTF(stderr, _TSK_T("Invalid inode number: %s"), argv[argc - 1]); usage(); } /* * Open the file system. */ if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } if (inum > fs->last_inum) { tsk_fprintf(stderr, "Metadata address is too large for image (%" PRIuINUM ")\n", fs->last_inum); fs->close(fs); img->close(img); exit(1); } if (inum < fs->first_inum) { tsk_fprintf(stderr, "Metadata address is too small for image (%" PRIuINUM ")\n", fs->first_inum); fs->close(fs); img->close(img); exit(1); } if (fs->istat(fs, stdout, inum, numblock, sec_skew)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } fs->close(fs); img->close(img); exit(0); }
int MAIN(int argc, TSK_TCHAR ** argv) { TSK_MM_INFO *mm; TSK_TCHAR *mmtype = NULL; int ch; SSIZE_T imgoff = 0; uint8_t flags = 0; TSK_TCHAR *imgtype = NULL; TSK_IMG_INFO *img; progname = argv[0]; while ((ch = getopt(argc, argv, _TSK_T("bi:o:rt:vV"))) > 0) { switch (ch) { case _TSK_T('b'): print_bytes = 1; break; case _TSK_T('i'): imgtype = optarg; if (TSTRCMP(imgtype, _TSK_T("list")) == 0) { tsk_img_print_types(stderr); exit(1); } break; case _TSK_T('o'): if ((imgoff = tsk_parse_offset(optarg)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('r'): recurse = 1; break; case _TSK_T('t'): mmtype = optarg; if (TSTRCMP(mmtype, _TSK_T("list")) == 0) { tsk_mm_print_types(stderr); exit(1); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_print_version(stdout); exit(0); case _TSK_T('?'): default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } /* We need at least one more argument */ if (optind >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } /* open the image */ img = tsk_img_open(imgtype, argc - optind, (const TSK_TCHAR **) &argv[optind]); if (img == NULL) { tsk_error_print(stderr); exit(1); } /* process the partition tables */ mm = tsk_mm_open(img, (OFF_T) imgoff, mmtype); if (mm == NULL) { tsk_error_print(stderr); if (tsk_errno == TSK_ERR_MM_UNSUPTYPE) tsk_mm_print_types(stderr); exit(1); } print_header(mm); if (mm->part_walk(mm, mm->first_part, mm->last_part, flags, part_act, NULL)) { tsk_error_print(stderr); mm->close(mm); exit(1); } mm->close(mm); if ((recurse) && (mm->mmtype == TSK_MM_INFO_TYPE_DOS)) { int i; /* disable recursing incase we hit another DOS partition * future versions may support more layers */ recurse = 0; for (i = 0; i < recurse_cnt; i++) { mm = tsk_mm_open(img, recurse_list[i], NULL); if (mm != NULL) { tsk_printf("\n\n"); print_header(mm); if (mm->part_walk(mm, mm->first_part, mm->last_part, flags, part_act, NULL)) { tsk_error_reset(); } mm->close(mm); } else { /* Ignore error in this case and reset */ tsk_error_reset(); } } } img->close(img); exit(0); }