/* * Class: edu_uw_apl_commons_tsk4j_base_Version * Method: getVersion * Signature: ()Ljava/lang/String; */ JNIEXPORT jstring JNICALL Java_edu_uw_apl_commons_tsk4j_base_Version_getVersion (JNIEnv *env, jclass clazz ) { const char* v = tsk_version_get_str(); jstring result = (*env)->NewStringUTF( env, v ); return result; }
/* * Get the current Sleuthkit version number * @return the version string * @param env pointer to java environment this was called from * @param obj the java object this was called from */ JNIEXPORT jstring JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_getVersionNat(JNIEnv * env, jclass obj) { const char *cversion = tsk_version_get_str(); jstring jversion = (*env).NewStringUTF(cversion); return jversion; }
TSKAutoImpl::TSKAutoImpl() : m_db(TskServices::Instance().getImgDB()), m_numFilesSeen(0) { m_curFsId = 0; m_curVsId = 0; m_vsSeen = false; m_startTime = time(NULL); setVolFilterFlags((TSK_VS_PART_FLAG_ENUM)(TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC)); setFileFilterFlags((TSK_FS_DIR_WALK_FLAG_ENUM)(TSK_FS_DIR_WALK_FLAG_ALLOC|TSK_FS_DIR_WALK_FLAG_UNALLOC)); // add the version to the DB m_db.addToolInfo("Sleuth Kit", tsk_version_get_str()); }
void print_version() { printf("SleuthKit Version: %s\n",tsk_version_get_str()); #ifdef HAVE_LIBAFFLIB printf("AFFLIB Version: %s\n",af_version()); #else printf("*** NO AFFLIB SUPPORT ***\n"); #endif #ifdef HAVE_LIBEWF printf("LIBEWF Version: %s\n",libewf_get_version()); #else printf("*** NO LIBEWF SUPPORT ***\n"); #endif }
int main(int argc, char * const *argv1) { int ch; const char *arff_fn = 0; const char *text_fn = 0; string *xml_fn = 0; const char *audit_file = 0; bool opt_x = false; string command_line = xml::make_command_line(argc,argv1); bool opt_zap = false; u_int sector_size=512; // defaults to 512; may be changed by AFF struct timeval tv0; struct timeval tv1; gettimeofday(&tv0,0); TSK_TCHAR * const *argv; #ifdef TSK_WIN32 char *opt_arg = NULL; char *argv_0 = NULL; argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr,"Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR * const*) argv1; #endif while ((ch = GETOPT(argc, argv, _TSK_T("A:a:C:dfG:gmv1IMX:S:T:VZn:c:b:xOzh?"))) > 0 ) { // s: removed switch (ch) { case _TSK_T('1'): opt_sha1 = true;break; case _TSK_T('m'): opt_body_file = 1; opt_sha1 = 0; opt_md5 = 1; t = stdout; break; case _TSK_T('A'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); arff_fn = opt_arg; #else arff_fn = OPTARG; #endif break; case _TSK_T('C'): file_count_max = TATOI(OPTARG);break; case _TSK_T('d'): opt_debug++; break; case _TSK_T('f'): opt_magic = true;break; case _TSK_T('g'): opt_no_data = true; break; case _TSK_T('b'): opt_get_fragments = false; break; case _TSK_T('G'): opt_maxgig = TATOI(OPTARG);break; case _TSK_T('h'): usage(); break; case _TSK_T('I'): opt_ignore_ntfs_system_files=true;break; case _TSK_T('M'): opt_md5 = true; case _TSK_T('O'): opt_allocated_only=true; break; case _TSK_T('S'): opt_sector_hash = true; sectorhash_size = TATOI(OPTARG); break; case _TSK_T('T'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); text_fn = opt_arg; #else text_fn = OPTARG; #endif break; case _TSK_T('V'): print_version();exit(0); case _TSK_T('X'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); xml_fn = new string(opt_arg); #else xml_fn = new string(OPTARG); #endif break; case _TSK_T('x'): opt_x = true;break; case _TSK_T('Z'): opt_zap = true;break; case _TSK_T('a'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); audit_file = opt_arg; #else audit_file = OPTARG; #endif break; case _TSK_T('c'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); config_file = opt_arg; #else config_file = OPTARG; #endif break; case _TSK_T('n'): #ifdef TSK_WIN32 convert(OPTARG, &opt_arg); namelist.push_back(opt_arg); #else namelist.push_back(OPTARG); #endif break; //case 's': save_outdir = optarg; opt_save = true; break; case _TSK_T('v'): tsk_verbose++; break; // sleuthkit option case _TSK_T('z'): opt_sha1=false;opt_md5=false;break; case _TSK_T('?'): usage();break; default: fprintf(stderr, "Invalid argument: %s\n", argv[OPTIND]); usage(); } } if (OPTIND >= argc) usage(); argc -= OPTIND; argv += OPTIND; argv1 += OPTIND; #ifdef TSK_WIN32 convert(argv[0],&argv_0); const char *filename = argv_0; #else const char *filename = argv[0]; #endif opt_parent_tracking = true; if(!filename){ errx(1,"must provide filename"); } if(opt_no_data && (opt_md5 || opt_sha1 || opt_save || opt_magic)) { errx(1, "-g conflicts with options requiring data access (-z may be needed)"); } if(opt_save){ if(access(save_outdir.c_str(),F_OK)){ #ifdef WIN32 if(mkdir(save_outdir.c_str())) { #else if(mkdir(save_outdir.c_str(),0777)){ #endif err(1,"Cannot make directory: %s",save_outdir.c_str()); } } if(access(save_outdir.c_str(),R_OK)){ err(1,"Cannot access directory: %s",save_outdir.c_str()); } } if(text_fn){ if(access(text_fn,F_OK)==0) errx(1,"%s: file exists",text_fn); t = fopen(text_fn,"w"); if(!t) err(1,"%s",text_fn); } if(arff_fn){ if(access(arff_fn,F_OK)==0) errx(1,"%s: file exists",arff_fn); a = new arff("fiwalk"); // the ARFF output object a->set_outfile(arff_fn); } /* XML initialization */ if(opt_x){ x = new xml(); // default to stdout } if(xml_fn){ if(*xml_fn == "0"){ string newfn = filename; *xml_fn = newfn.substr(0,newfn.rfind(".")) + ".xml"; } if(x) errx(1,"Cannot write XML to stdout and file at same time\n"); if(access(xml_fn->c_str(),F_OK)==0){ if(opt_zap){ if(unlink(xml_fn->c_str())){ err(1,"%s: file exists and cannot unlink",xml_fn->c_str()); } } else{ errx(1,"%s: file exists",xml_fn->c_str()); } } x = new xml(*xml_fn,true); // we will make DTD going to a file } /* If no output file has been specified, output text to stdout */ if(a==0 && x==0 && t==0){ t = stdout; } if(strstr(filename,".aff") || strstr(filename,".afd") || strstr(filename,".afm")){ #ifndef HAVE_LIBAFFLIB fprintf(stderr,"ERROR: fiwalk was compiled without AFF support.\n"); exit(0); #else #endif } /* If we are outputing ARFF, create the ARFF object and set the file types for the file system metadata */ if(a){ a->add_attribute("id",arff::NUMERIC); a->add_attribute("partition",arff::NUMERIC); a->add_attribute("filesize",arff::NUMERIC); a->add_attribute("mtime",arff::DATE); a->add_attribute("ctime",arff::DATE); a->add_attribute("atime",arff::DATE); a->add_attribute("fragments",arff::NUMERIC); a->add_attribute("frag1startsector",arff::NUMERIC); a->add_attribute("frag2startsector",arff::NUMERIC); a->add_attribute("filename",arff::STRING); if(opt_md5) a->add_attribute("md5",arff::STRING); if(opt_sha1) a->add_attribute("sha1",arff::STRING); } /* output per-run metadata for XML output */ if(x){ /* Output Dublin Core information */ x->push("dfxml", "\n xmlns='http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML'" "\n xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'" "\n xmlns:dc='http://purl.org/dc/elements/1.1/'" "\n version='1.0'" ); x->push("metadata", ""); x->xmlout("dc:type","Disk Image",fw_empty,false); x->pop(); /* Output carver information per photorec standard */ x->add_DFXML_creator("fiwalk",tsk_version_get_str(),command_line); } /* Can't use comment until after here... */ if(config_file){ comment("Reading configuration file %s",config_file); config_read(config_file); /* Read the configuration file */ } /* Check that we have a valid file format */ if(x) x->push("source"); partition_info("image_filename",filename); if(!x){ partition_info("fiwalk_version",tsk_version_get_str()); partition_info("start_time",mytime()); partition_info("tsk_version",tsk_version_get_str()); } if(x) x->pop(); if (opt_debug) printf("calling tsk_img_open(%s)\n",filename); #ifdef SIGINFO signal(SIGINFO,sig_info); #endif #ifdef TSK_WIN32 int count = process_image_file(argc,argv1,audit_file,sector_size); if(count<=0 || sector_size!=512){ comment("Retrying with 512 byte sector size."); count = process_image_file(argc,argv1,audit_file,512); } #else int count = process_image_file(argc,argv,audit_file,sector_size); if(count<=0 || sector_size!=512){ comment("Retrying with 512 byte sector size."); count = process_image_file(argc,argv,audit_file,512); } #endif /* Calculate time elapsed (reported as a comment and with rusage) */ struct timeval tv; char tvbuf[64]; gettimeofday(&tv1,0); tv.tv_sec = tv1.tv_sec - tv0.tv_sec; if(tv1.tv_usec > tv0.tv_usec){ tv.tv_usec = tv1.tv_usec - tv0.tv_usec; } else { tv.tv_sec--; tv.tv_usec = (tv1.tv_usec+1000000) - tv0.tv_usec; } sprintf(tvbuf, "%d.%06d",(int)tv.tv_sec, (int)tv.tv_usec); comment("clock: %s",tvbuf); #ifdef HAVE_SYS_RESOURCE_H #ifdef HAVE_GETRUSAGE /* Print usage information */ struct rusage ru; memset(&ru,0,sizeof(ru)); if(getrusage(RUSAGE_SELF,&ru)==0){ if(x) x->push("rusage"); partition_info("utime",ru.ru_utime); partition_info("stime",ru.ru_stime); partition_info("maxrss",ru.ru_maxrss); partition_info("minflt",ru.ru_minflt); partition_info("majflt",ru.ru_majflt); partition_info("nswap",ru.ru_nswap); partition_info("inblock",ru.ru_inblock); partition_info("oublock",ru.ru_oublock); partition_info("clocktime",tv); comment("stop_time: %s",cstr(mytime())); if(x) x->pop(); } #endif #endif // *** Added <finished time="(time_t)" duration="<seconds>" /> if(a){ a->write(); delete a; } if(t) comment("=EOF="); if(x) { x->pop(); // <dfxml> x->close(); delete(x); } exit(0); }
void printHelp(const po::options_description& desc) { std::cout << "fsrip, Copyright (c) 2010-2012, Lightbox Technologies, Inc." << std::endl; std::cout << "Built " << __DATE__ << std::endl; std::cout << "TSK version is " << tsk_version_get_str() << std::endl; std::cout << desc << std::endl; }
// The initialization method for this module void Init_tsk4r() { rb_mtsk4r = rb_define_module("Sleuthkit"); rb_mtsk4r_v = rb_define_module_under(rb_mtsk4r, "Volume"); rb_mtsk4r_fs = rb_define_module_under(rb_mtsk4r, "FileSystem"); rb_const_set(rb_mtsk4r, rb_intern("TSK_VERSION"), rb_str_new2(tsk_version_get_str())); // class definitions rb_cTSKImage = rb_define_class_under(rb_mtsk4r, "Image", rb_cObject); rb_cTSKVolumeSystem = rb_define_class_under(rb_mtsk4r_v, "System", rb_cObject); rb_cTSKVolumePart = rb_define_class_under(rb_mtsk4r_v, "Partition", rb_cObject); rb_cTSKFileSystem = rb_define_class_under(rb_mtsk4r_fs, "System", rb_cObject); rb_cTSKFileSystemDir = rb_define_class_under(rb_mtsk4r_fs, "Directory", rb_cObject); rb_cTSKFileSystemFileData = rb_define_class_under(rb_mtsk4r_fs, "FileData", rb_cObject); rb_cTSKFileSystemFileMeta = rb_define_class_under(rb_mtsk4r_fs, "FileMeta", rb_cObject); rb_cTSKFileSystemFileName = rb_define_class_under(rb_mtsk4r_fs, "FileName", rb_cObject); rb_cTSKFileSystemAttr = rb_define_class_under(rb_mtsk4r_fs, "Attribute", rb_cObject); rb_cTSKFileSystemBlock = rb_define_class_under(rb_mtsk4r_fs, "Block", rb_cObject); // allocation functions rb_define_alloc_func(rb_cTSKImage, allocate_image); rb_define_alloc_func(rb_cTSKVolumeSystem, allocate_volume_system); rb_define_alloc_func(rb_cTSKVolumePart, allocate_volume_part); rb_define_alloc_func(rb_cTSKFileSystem, allocate_filesystem); rb_define_alloc_func(rb_cTSKFileSystemDir, allocate_fs_dir); rb_define_alloc_func(rb_cTSKFileSystemFileData, allocate_fs_file); rb_define_alloc_func(rb_cTSKFileSystemFileMeta, allocate_fs_meta); rb_define_alloc_func(rb_cTSKFileSystemFileName, allocate_fs_name); rb_define_alloc_func(rb_cTSKFileSystemAttr, allocate_fs_attr); rb_define_alloc_func(rb_cTSKFileSystemBlock, allocate_fs_block); // sub classes //rb_cTSKFileSystem = rb_define_class_under(rb_cTSKVolume, "ThirdClass", rb_cObject); /* Sleuthkit::Image */ // some method templates // object methods for Sleuthkit::Image objects rb_define_method(rb_cTSKImage, "initialize", initialize_disk_image, -1); rb_define_method(rb_cTSKImage, "image_open", image_open, 2); rb_define_module_function(rb_cTSKImage, "image_type_to_description", image_type_to_desc, 1); rb_define_module_function(rb_cTSKImage, "image_type_to_name", image_type_to_name, 1); rb_define_module_function(rb_cTSKImage, "return_tsk_img_type_supported", return_tsk_img_type_supported, 0); rb_define_module_function(rb_cTSKImage, "return_type_list", return_tsk_img_type_list, -1); // attributes (read only) rb_define_attr(rb_cTSKImage, "auto_detect", 1, 0); rb_define_attr(rb_cTSKImage, "description", 1, 0); rb_define_attr(rb_cTSKImage, "name", 1, 0); rb_define_attr(rb_cTSKImage, "path", 1, 0); rb_define_attr(rb_cTSKImage, "sector_size", 1, 0); rb_define_attr(rb_cTSKImage, "size", 1, 0); rb_define_attr(rb_cTSKImage, "type", 1, 0); // attributes for linking RubyTSK objects rb_define_attr(rb_cTSKImage, "volumes", 1, 1); rb_define_attr(rb_cTSKImage, "filesystems", 1, 1); /* Sleuthkit::Volume::System */ // object methods for VolumeSystem objects rb_define_method(rb_cTSKVolumeSystem, "initialize", initialize_volume_system, -1); rb_define_method(rb_cTSKVolumeSystem, "open", open_volume_system, 2); // change arg1 to klass? rb_define_method(rb_cTSKVolumeSystem, "close", close_volume_system, 1); rb_define_method(rb_cTSKVolumeSystem, "read_block", read_volume_block, 3); //read block given start and no. of blocks rb_define_method(rb_cTSKVolumeSystem, "walk", walk_volume, 1); rb_define_method(rb_cTSKVolumeSystem, "expose_part_at", volume_expose_part_by_idx, 1); rb_define_private_method(rb_cTSKVolumeSystem, "get_partitions", volume_get_partitions, 1); rb_define_module_function(rb_mtsk4r_v, "return_type_list", return_tsk_vol_type_list, -1); // attributes rb_define_attr(rb_cTSKVolumeSystem, "block_size", 1, 0); rb_define_attr(rb_cTSKVolumeSystem, "description", 1, 0); rb_define_attr(rb_cTSKVolumeSystem, "endian", 1, 0); rb_define_attr(rb_cTSKVolumeSystem, "offset", 1, 0); rb_define_attr(rb_cTSKVolumeSystem, "parent", 1, 0); rb_define_attr(rb_cTSKVolumeSystem, "partition_count", 1, 0); rb_define_attr(rb_cTSKVolumeSystem, "parts", 1, 0); rb_define_attr(rb_cTSKVolumeSystem, "volume_system_type", 1, 0); /* Sleuthkit::Volume::Partition */ // object methods for VolumePart objects rb_define_method(rb_cTSKVolumePart, "initialize", initialize_volume_part, -1); rb_define_method(rb_cTSKVolumePart, "open", open_volume_part, -1); // change arg1 to klass? // rb_define_method(rb_cTSKVolumePart, "read_block", read_volume_part_block, 3); //read block given start and no. of blocks // rb_define_method(rb_cTSKVolumePart, "walk", walk_volume_part, 1); // attributes rb_define_attr(rb_cTSKVolumePart, "address", 1, 0); rb_define_attr(rb_cTSKVolumePart, "description", 1, 0); rb_define_attr(rb_cTSKVolumePart, "flags", 1, 0); rb_define_attr(rb_cTSKVolumePart, "length", 1, 0); rb_define_attr(rb_cTSKVolumePart, "next", 1, 0); rb_define_attr(rb_cTSKVolumePart, "parent", 1, 0); rb_define_attr(rb_cTSKVolumePart, "prev", 1, 0); rb_define_attr(rb_cTSKVolumePart, "slot_number", 1, 0); rb_define_attr(rb_cTSKVolumePart, "start", 1, 0); rb_define_attr(rb_cTSKVolumePart, "table_number", 1, 0); /* Sleuthkit::FileSystem */ // object methods for FileSystem objects rb_define_method(rb_cTSKFileSystem, "initialize", initialize_filesystem, -1); rb_define_method(rb_cTSKFileSystem, "open", open_filesystem, -1); // change arg1 to klass? rb_define_method(rb_cTSKFileSystem, "system_name", get_filesystem_type, 0); rb_define_method(rb_cTSKFileSystem, "call_tsk_fsstat", call_tsk_fsstat, 1); rb_define_method(rb_cTSKFileSystem, "call_tsk_istat", call_tsk_istat, -1); rb_define_method(rb_cTSKFileSystem, "open_directory_by_name", open_directory_by_name, -1); rb_define_method(rb_cTSKFileSystem, "open_directory_by_inum", open_directory_by_inum, -1); rb_define_method(rb_cTSKFileSystem, "open_file_by_name", open_file_by_name, -1); rb_define_method(rb_cTSKFileSystem, "open_file_by_inum", open_file_by_inum, -1); rb_define_module_function(rb_mtsk4r_fs, "return_type_list", return_tsk_fs_type_list, -1); // attributes based on TSK struct int i; for (i = 0; i < TSK4R_FS_ATTRS_COUNT; i++) { rb_define_attr(rb_cTSKFileSystem, TSK4R_FS_ATTRS_NAMES[i], 1, 0); } // extra attributes rb_define_attr(rb_cTSKFileSystem, "name", 1, 0); rb_define_attr(rb_cTSKFileSystem, "description", 1, 0); rb_define_attr(rb_cTSKFileSystem, "parent", 1, 0); #ifdef TSK4R_DEPRECATED_TSK4_FEATURE rb_define_attr(rb_cTSKFileSystem, "isOrphanHunting", 1, 0); #endif /* Sleuthkit::FileSystemDirectory */ // object methods for FileSystemDirectory objects rb_define_method(rb_cTSKFileSystemDir, "initialize", initialize_fs_dir, -1); rb_define_private_method(rb_cTSKFileSystemDir, "open_fs_directory", open_fs_directory, 3); // attributes rb_define_attr(rb_cTSKFileSystemDir, "parent", 1, 0); // rb_define_attr(rb_cTSKFileSystemDir, "inum", 1, 0); rb_define_attr(rb_cTSKFileSystemDir, "names_used", 1, 0); rb_define_attr(rb_cTSKFileSystemDir, "names_alloc", 1, 0); rb_define_attr(rb_cTSKFileSystemDir, "names", 1, 0); rb_define_attr(rb_cTSKFileSystemDir, "file", 1, 0); /* Sleuthkit::FileSystemFileData */ // object methods for FileSystemFileData objects rb_define_method(rb_cTSKFileSystemFileData, "initialize", initialize_fs_file, -1); rb_define_method(rb_cTSKFileSystemFileData, "open_fs_file", open_fs_file, -1); rb_define_method(rb_cTSKFileSystemFileData, "get_number_of_attributes", get_number_of_attributes, 0); // attributes rb_define_attr(rb_cTSKFileSystemFileData, "address", 1, 0); rb_define_attr(rb_cTSKFileSystemFileData, "content_len", 1, 0); rb_define_attr(rb_cTSKFileSystemFileData, "parent", 1, 0); rb_define_attr(rb_cTSKFileSystemFileData, "meta", 1, 0); rb_define_attr(rb_cTSKFileSystemFileData, "name", 1, 0); rb_define_attr(rb_cTSKFileSystemFileData, "uid", 1, 0); /* Sleuthkit::FileSystemFileMeta */ // object methods for FileSystemFileMeta objects rb_define_method(rb_cTSKFileSystemFileMeta, "initialize", initialize_fs_meta, -1); rb_define_private_method(rb_cTSKFileSystemFileMeta, "get_meta_from_inum", get_meta_from_inum, 2); rb_define_private_method(rb_cTSKFileSystemFileMeta, "get_meta_from_file", get_meta_from_file, 1); rb_define_private_method(rb_cTSKFileSystemFileMeta, "get_meta_from_dir", get_meta_from_dir, 1); // attributes rb_define_attr(rb_cTSKFileSystemFileMeta, "parent", 1, 0); rb_define_attr(rb_cTSKFileSystemFileMeta, "addr", 1, 0); /* Sleuthkit::FileSystemFileName */ // object methods for FileSystemFileName objects rb_define_method(rb_cTSKFileSystemFileName, "initialize", initialize_fs_name, -1); // attributes (see lib/sleuthkit/file_system.rb for more) rb_define_attr(rb_cTSKFileSystemFileName, "parent", 1, 0); /* Sleuthkit::FileSystem:Attr */ rb_define_method(rb_cTSKFileSystemAttr, "initialize", initialize_fs_attr, -1); rb_define_method(rb_cTSKFileSystemAttr, "fetch", fetch_attr, -1); rb_define_method(rb_cTSKFileSystemAttr, "fetch_default_attribute", fetch_attr, -1); rb_define_method(rb_cTSKFileSystemAttr, "fetch_attribute_by_index", fetch_attr, -1); rb_define_attr(rb_cTSKFileSystemAttr, "file", 1, 0); rb_define_attr(rb_cTSKFileSystemAttr, "flags", 1, 0); rb_define_attr(rb_cTSKFileSystemAttr, "id", 1, 0); rb_define_attr(rb_cTSKFileSystemAttr, "name", 1, 0); rb_define_attr(rb_cTSKFileSystemAttr, "name_size", 1, 0); rb_define_attr(rb_cTSKFileSystemAttr, "size", 1, 0); rb_define_attr(rb_cTSKFileSystemAttr, "type", 1, 0); /* Sleuthkit::FileSystem::Block */ rb_define_method(rb_cTSKFileSystemBlock, "initialize", initialize_fs_block, -1); rb_define_method(rb_cTSKFileSystemBlock, "fetch", fetch_block, 2); // attributes rb_define_attr(rb_cTSKFileSystemBlock, "address", 1, 0); rb_define_attr(rb_cTSKFileSystemBlock, "buffer", 1, 0); rb_define_attr(rb_cTSKFileSystemBlock, "filesystem", 1, 0); rb_define_attr(rb_cTSKFileSystemBlock, "flags", 1, 0); rb_define_attr(rb_cTSKFileSystemBlock, "tag", 1, 0); }