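// Runs excludeFile() on every non-directory entry directly under `path` whose
// name is matched by the Win32 pattern "*<fn_contains>*".
//
// Returns false if the directory could not be enumerated or if excludeFile()
// returned false for any entry; true otherwise. Subdirectories are skipped,
// and "." / ".." entries are ignored.
bool FSNTFSWIN::excludeFiles( const std::string& path, const std::string& fn_contains )
{
	std::wstring tpath = Server->ConvertToWchar(path);

	// Strip one trailing backslash so the pattern below does not become "dir\\*".
	// The erase position must come from tpath itself: path.size() is the length of
	// the narrow string, which may differ from the wide length for non-ASCII names,
	// and a position past the end makes std::wstring::erase throw std::out_of_range.
	if (!tpath.empty() && tpath[tpath.size() - 1] == L'\\')
	{
		tpath.erase(tpath.size() - 1, 1);
	}

	// fn_contains is spliced into a Win32 wildcard pattern, so any '*' or '?' it
	// contains widens the match instead of being matched literally; the per-entry
	// check below does not re-verify the substring.
	const std::wstring pattern = tpath + L"\\*" + Server->ConvertToWchar(fn_contains) + L"*";

	WIN32_FIND_DATAW wfd;
	HANDLE fHandle = FindFirstFileW(pattern.c_str(), &wfd);
	if (fHandle == INVALID_HANDLE_VALUE)
	{
		// Read the error code before anything else can overwrite it.
		const DWORD err = GetLastError();
		Server->Log("Error opening find handle to " + path + " err: " + convert(static_cast<int>(err)), LL_DEBUG);
		return false;
	}

	bool ret = true;
	do
	{
		std::string name = Server->ConvertFromWchar(wfd.cFileName);
		if (name == "." || name == "..")
		{
			continue;
		}

		if (!(wfd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY))
		{
			if (!excludeFile(Server->ConvertFromWchar(tpath + L"\\" + wfd.cFileName)))
			{
				ret = false;
			}
		}
	} while (FindNextFileW(fHandle, &wfd));

	FindClose(fHandle);
	return ret;
}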
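// Runs every module in the pipeline over `file`, recording each module's
// status in the image DB and updating the file's analysis status.
//
// The file is marked ANALYSIS_SKIPPED when excludeFile() rejects it, and the
// function returns without changes when the file is not READY_FOR_ANALYSIS.
// If the file has no on-disk copy, one is created for the module run and
// removed afterwards - including when a module throws. On exception the file
// is marked ANALYSIS_FAILED and the exception is rethrown.
//
// Throws TskNullPointerException if `file` is NULL.
void TskFileAnalysisPipeline::run(TskFile* file)
{
    if (file == NULL)
    {
        LOGERROR(L"TskFileAnalysisPipeline::run - Passed NULL file pointer.");
        throw TskNullPointerException();
    }

    TskImgDB& imgDB = TskServices::Instance().getImgDB();

    // Lives outside the try so the catch block can remove the on-disk copy
    // created below; otherwise a throwing module leaves it behind.
    bool bCreated = false;

    try
    {
        // If this is an excluded file or the file is not ready for analysis
        // we return without processing.
        if (excludeFile(file))
        {
            file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_SKIPPED);
            return;
        }

        if (file->status() != TskImgDB::IMGDB_FILES_STATUS_READY_FOR_ANALYSIS)
            return;

        // Update status to indicate analysis is in progress.
        file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS);

        // Modules (an executable module in particular) may need the file on
        // disk, so make sure it exists; remember that we created it.
        if (!file->exists())
        {
            TskFileManagerImpl::instance().saveFile(file);
            bCreated = true;
        }

        for (size_t i = 0; i < m_modules.size(); i++)
        {
            TskModule::Status status = m_modules[i]->run(file);
            imgDB.setModuleStatus(file->id(), m_modules[i]->getModuleId(), static_cast<int>(status));

            // Stop processing the file when a module tells us to.
            if (status == TskModule::STOP)
                break;
        }

        // Delete the file if we created it above.
        if (bCreated)
        {
            TskFileManagerImpl::instance().deleteFile(file);
            bCreated = false;
        }

        // We allow modules to set status on the file so we only update it
        // if the modules haven't.
        if (file->status() == TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS)
            file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_COMPLETE);
    }
    catch (std::exception& ex)
    {
        std::wstringstream msg;
        msg << L"TskFileAnalysisPipeline::run - Error while processing file id (" << file->id() << L") : " << ex.what();
        LOGERROR(msg.str());

        // Best effort: remove the on-disk copy we created so a failing module
        // does not leave extracted content behind. A failure here is only
        // logged; the original exception is still the one rethrown.
        if (bCreated)
        {
            try
            {
                TskFileManagerImpl::instance().deleteFile(file);
            }
            catch (std::exception& delEx)
            {
                std::wstringstream delMsg;
                delMsg << L"TskFileAnalysisPipeline::run - Could not delete on-disk copy of file id (" << file->id() << L") : " << delEx.what();
                LOGERROR(delMsg.str());
            }
        }

        imgDB.updateFileStatus(file->id(), TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_FAILED);

        // Rethrow the exception
        throw;
    }
}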
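// Removes the on-disk copy of `file` if one exists. Carved and derived files
// are left alone since their content is typically created by external tools.
static void removeTransientFileCopy(TskFile* file)
{
    if (file->getTypeId() != TskImgDB::IMGDB_FILES_TYPE_CARVED &&
        file->getTypeId() != TskImgDB::IMGDB_FILES_TYPE_DERIVED &&
        file->exists())
    {
        TskFileManagerImpl::instance().deleteFile(file);
    }
}

// Runs every module in the pipeline over `file`.
//
// Does nothing if the pipeline has no modules. Marks the file ANALYSIS_SKIPPED
// when excludeFile() rejects it and returns early if it is not
// READY_FOR_ANALYSIS. Otherwise each module is run in turn (the file is
// re-opened and rewound before each), its status and execution time are
// recorded, and the file ends up ANALYSIS_COMPLETE or - if any module returned
// FAIL - ANALYSIS_FAILED, unless a module set a status of its own. The on-disk
// copy (except for carved/derived files) is removed afterwards, including when
// a module throws; in that case the file is marked ANALYSIS_FAILED and the
// exception is rethrown.
//
// Throws TskNullPointerException if `file` is NULL.
void TskFileAnalysisPipeline::run(TskFile* file)
{
    const std::string MSG_PREFIX = "TskFileAnalysisPipeline::run : ";

    if (m_modules.size() == 0)
        return;

    if (file == NULL)
    {
        LOGERROR(MSG_PREFIX + "passed NULL file pointer");
        throw TskNullPointerException();
    }

    TskImgDB& imgDB = TskServices::Instance().getImgDB();

    try
    {
        // NOTE(review): getName() comes from the image under analysis and is
        // logged verbatim below; if the log sink does not escape control
        // characters, an embedded newline can forge a log line - confirm.

        // If this is an excluded file or the file is not ready for analysis
        // we return without processing.
        if (excludeFile(file))
        {
            std::stringstream msg;
            msg << MSG_PREFIX << "skipping file (excluded) " << file->getName() << "(" << file->getId() << ")";
            LOGINFO(msg.str());
            file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_SKIPPED);
            return;
        }

        if (file->getStatus() != TskImgDB::IMGDB_FILES_STATUS_READY_FOR_ANALYSIS)
        {
            std::stringstream msg;
            msg << MSG_PREFIX << "skipping file (not ready) " << file->getName() << "(" << file->getId() << ")";
            LOGINFO(msg.str());
            return;
        }

        // Update status to indicate analysis is in progress.
        file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS);

        std::stringstream msg;
        msg << MSG_PREFIX << "analyzing " << file->getName() << "(" << file->getId() << ")";
        LOGINFO(msg.str());

        // If there is an Executable module in the pipeline we must
        // ensure that the file exists on disk.
        if (m_hasExeModule && !file->exists())
        {
            TskFileManagerImpl::instance().saveFile(file);
        }

        bool bModuleFailed = false;
        Poco::Stopwatch stopWatch;

        for (size_t i = 0; i < m_modules.size(); i++)
        {
            // We have no way of knowing if the file was closed by a module,
            // so always make sure it is open.
            file->open();

            // Reset the file offset to the beginning of the file.
            file->seek(0);

            stopWatch.restart();
            TskModule::Status status = m_modules[i]->run(file);
            stopWatch.stop();

            updateModuleExecutionTime(m_modules[i]->getModuleId(), stopWatch.elapsed());
            imgDB.setModuleStatus(file->getId(), m_modules[i]->getModuleId(), static_cast<int>(status));

            // If any module encounters a failure while processing a file
            // we will set the file status to failed once the pipeline is complete.
            if (status == TskModule::FAIL)
                bModuleFailed = true;
            // Stop processing the file when a module tells us to.
            else if (status == TskModule::STOP)
                break;
        }

        // Delete the on-disk copy if it exists. It may have been created by us
        // above or by a module that required the file to exist on disk.
        removeTransientFileCopy(file);

        // We allow modules to set status on the file so we only update it
        // if the modules haven't.
        if (file->getStatus() == TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS)
        {
            if (bModuleFailed)
            {
                file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_FAILED);
            }
            else
            {
                file->setStatus(TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_COMPLETE);
            }
        }
    }
    catch (std::exception& ex)
    {
        std::stringstream msg;
        msg << MSG_PREFIX << "error while processing file id (" << file->getId() << ") : " << ex.what();
        LOGERROR(msg.str());

        // Best effort: do not leave the extracted on-disk copy behind just
        // because a module threw. A failure here is only logged; the original
        // exception is still the one rethrown.
        try
        {
            removeTransientFileCopy(file);
        }
        catch (std::exception& delEx)
        {
            std::stringstream delMsg;
            delMsg << MSG_PREFIX << "could not delete on-disk copy of file id (" << file->getId() << ") : " << delEx.what();
            LOGERROR(delMsg.str());
        }

        imgDB.updateFileStatus(file->getId(), TskImgDB::IMGDB_FILES_STATUS_ANALYSIS_FAILED);

        // Rethrow the exception
        throw;
    }
}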