/**
* Analyze the volume starting at byte offset 'start'
* and walk each file that can be found.
*
* @param img Disk image to be analyzed.
* @param start Byte offset of volume starting location.
*
* @return 1 on error and 0 on success
*/
static uint8_t
proc_fs(TSK_IMG_INFO * img_info, TSK_OFF_T start)
{
TSK_FS_INFO *fs_info;
/* Try it as a file system */
if ((fs_info =
tsk_fs_open_img(img_info, start, TSK_FS_TYPE_DETECT)) == NULL)
{
tsk_error_print(stderr);
/* We could do some carving on the volume data at this point */
return 1;
}
/* Walk the files, starting at the root directory */
if (tsk_fs_dir_walk(fs_info, fs_info->root_inum,
(TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_RECURSE),
dir_act, NULL)) {
tsk_error_print(stderr);
tsk_fs_close(fs_info);
return 1;
}
/* We could do some analysis of unallocated blocks at this point... */
tsk_fs_close(fs_info);
return 0;
}
/**
* Starts in a specified byte offset of the opened disk images and looks for a
* file system. Will start processing the file system at a specified
* file system. Will call processFile() on each file
* that is found in that directory.
*
* @param a_start Byte offset of file system starting location.
* @param a_ftype Type of file system that will be analyzed.
* @param a_inum inum to start walking files system at.
*
* @returns 1 if an error occured (messages will have been registered) and 0 on success
*/
uint8_t
TskAuto::findFilesInFs(TSK_OFF_T a_start, TSK_FS_TYPE_ENUM a_ftype,
TSK_INUM_T a_inum)
{
if (!m_img_info) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
tsk_error_set_errstr("findFilesInFs -- img_info ");
registerError();
return 1;
}
TSK_FS_INFO *fs_info;
if ((fs_info = tsk_fs_open_img(m_img_info, a_start, a_ftype)) == NULL) {
if (getCurVsPartFlag() & TSK_VS_PART_FLAG_ALLOC) {
tsk_error_set_errstr2(
"Sector offset: %" PRIuOFF ", Partition Type: %s",
a_start / 512, getCurVsPartDescr().c_str());
registerError();
return 1;
}
else {
tsk_error_reset();
return 0;
}
}
findFilesInFsInt(fs_info, a_inum);
tsk_fs_close(fs_info);
return m_errors.empty() ? 0 : 1;
}
static int
test_ntfs_fe()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1-NTFS";
char fname[512];
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if (test_dir_open_apis(fs, "/allocated", 30)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
if (test_walk_apis(fs, 30)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
/**
* Called when the filesystem is unmounted, and allows the destruction
* of structures and freeing allocated memory.
*/
void cleanup(void)
{
if (input_filename != NULL)
{
g_free(input_filename);
input_filename = NULL;
}
if (fs_info != NULL)
{
tsk_fs_close(fs_info);
}
fs_info = NULL;
if (img_info != NULL)
{
tsk_img_close(img_info);
}
img_info = NULL;
if (mountpoint != NULL)
{
g_free(mountpoint);
}
mountpoint = NULL;
if (inode_buffer != NULL)
{
g_free(inode_buffer);
}
}
int
test_ntfs_comp()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
char *tname = "ntfs-comp-1";
char fname[512];
snprintf(fname, 512, "%s/ntfs-comp-1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if (testfile(fs, 34)) {
fprintf(stderr, "%s error (both)\n", tname);
return 1;
}
if (testfile(fs, 32)) {
fprintf(stderr, "%s error (sparse)\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
int
test_fat12()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fat12.dd";
char fname[512];
snprintf(fname, 512, "%s/fat12.dd", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (testfile(fs, 33)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
/**
* Starts in a specified byte offset of the opened disk images and looks for a
* file system. Will start processing the file system at a specified
* file system. Will call processFile() on each file
* that is found in that directory.
*
* @param a_start Byte offset of file system starting location.
* @param a_ftype Type of file system that will be analyzed.
* @param a_inum inum to start walking files system at.
*
* @returns 1 on error and 0 on success
*/
uint8_t
TskAuto::findFilesInFs(TSK_OFF_T a_start, TSK_FS_TYPE_ENUM a_ftype,
TSK_INUM_T a_inum)
{
if (!m_img_info) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
tsk_error_set_errstr("findFilesInFs\n");
return 1;
}
TSK_FS_INFO *fs_info;
/* Try it as a file system */
if ((fs_info = tsk_fs_open_img(m_img_info, a_start, a_ftype)) == NULL) {
char msg[1024];
snprintf(msg, 1024,
"Unable to open file system at offset %" PRIuOFF " (%s)",
+a_start, tsk_error_get());
if (tsk_verbose)
fprintf(stderr, "%s\n", msg);
handleNotification(msg);
/* We could do some carving on the volume data at this point */
return 1;
}
TSK_RETVAL_ENUM retval = findFilesInFsInt(fs_info, a_inum);
tsk_fs_close(fs_info);
if (retval == TSK_ERR)
return 1;
else
return 0;
}
/**
* Starts in a specified byte offset of the opened disk images and looks for a
* file system. Will call processFile() on each file
* that is found. Same as findFilesInFs, but gives more detailed return values.
* @param a_start Byte offset to start analyzing from.
* @param a_ftype File system type.
* @returns Error (messages will have been registered), OK, or STOP.
*/
TSK_RETVAL_ENUM
TskAuto::findFilesInFsRet(TSK_OFF_T a_start, TSK_FS_TYPE_ENUM a_ftype)
{
if (!m_img_info) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
tsk_error_set_errstr("findFilesInFsRet -- img_info");
registerError();
return TSK_ERR;
}
TSK_FS_INFO *fs_info;
if ((fs_info = tsk_fs_open_img(m_img_info, a_start, a_ftype)) == NULL) {
if (getCurVsPartFlag() & TSK_VS_PART_FLAG_ALLOC) {
tsk_error_set_errstr2 ("Sector offset: %" PRIuOFF ", Partition Type: %s",
a_start/512, getCurVsPartDescr().c_str() );
registerError();
return TSK_ERR;
}
else {
tsk_error_reset();
return TSK_OK;
}
}
TSK_RETVAL_ENUM retval = findFilesInFsInt(fs_info, fs_info->root_inum);
tsk_fs_close(fs_info);
if (m_errors.empty() == false)
return TSK_ERR;
else
return retval;
}
/*
* Class: edu_uw_apl_commons_tsk4j_filesys_FileSystem
* Method: close
* Signature: (J)V
*/
JNIEXPORT void JNICALL
Java_edu_uw_apl_commons_tsk4j_filesys_FileSystem_close
(JNIEnv * env, jobject thiz, jlong nativePtr ) {
TSK_FS_INFO* info = (TSK_FS_INFO*)nativePtr;
tsk_fs_close( info );
}
/**
* Analyze the volume starting at byte offset 'start' and look
* for a file system. When found, the files will be analyzed.
*
* @param img Disk image to be analyzed.
* @param start Byte offset of volume starting location.
*
* @return 1 on error and 0 on success
*/
static uint8_t
proc_fs(TSK_IMG_INFO * img_info, TSK_OFF_T start)
{
TSK_FS_INFO *fs_info;
TSK_STACK *stack;
/* Try it as a file system */
if ((fs_info =
tsk_fs_open_img(img_info, start, TSK_FS_TYPE_DETECT)) == NULL)
{
fprintf(stderr,
"Error opening file system in partition at offset %" PRIuOFF
"\n", start);
tsk_error_print(stderr);
/* We could do some carving on the volume data at this point */
return 1;
}
// create a stack to prevent infinite loops
stack = tsk_stack_create();
// Process the directories
if (proc_dir(fs_info, stack, fs_info->root_inum, "")) {
fprintf(stderr,
"Error processing file system in partition at offset %" PRIuOFF
"\n", start);
tsk_fs_close(fs_info);
return 1;
}
tsk_stack_free(stack);
/* We could do some analysis of unallocated blocks at this point... */
tsk_fs_close(fs_info);
return 0;
}
static TSK_WALK_RET_ENUM find_file_in_partiton(
TSK_VS_INFO * vs, const TSK_VS_PART_INFO * part, void *ptr){
find_file_data *data = (find_file_data*)ptr;
const char *file_path = data->full_path;
TSK_FS_INFO *filesystem;
TSK_FS_FILE *file;
filesystem = tsk_fs_open_vol(part, TSK_FS_TYPE_DETECT);
if (OPEN_FAIL(filesystem))
return TSK_WALK_CONT;
file = tsk_fs_file_open(filesystem, NULL, file_path);
if (OPEN_FAIL(file))
return TSK_WALK_CONT;
data->file_found_in_partiton = 0;
utarray_new(data->offsets_in_filesystem, &ut_tsk_daddr_tuple_icd);
log_file_offsets_in_filesystem(data, file);
if (data->file_found_in_partiton) {
TSK_DADDR_T *p;
for (p=(TSK_DADDR_T*)utarray_front(data->offsets_in_filesystem);
p != NULL;
p=(TSK_DADDR_T*)utarray_next(data->offsets_in_filesystem, p)) {
TSK_DADDR_T offset_start_and_last[2] = {
p[0] + part->start*vs->img_info->sector_size,
p[1] + part->start*vs->img_info->sector_size
};
utarray_push_back(data->offsets_in_disk, &offset_start_and_last);
}
data->file_found = 1;
}
utarray_free(data->offsets_in_filesystem);
tsk_fs_file_close(file);
tsk_fs_close(filesystem);
return TSK_WALK_CONT;
}
int
test_ntfs_fe()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1-NTFS";
char fname[512];
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (testfile(fs, 31)) {
fprintf(stderr, "%s error (non-resident)\n", tname);
return 1;
}
if (testfile(fs, 32)) {
fprintf(stderr, "%s error (resident)\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
int
test_fat12()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fat12.dd";
char fname[512];
snprintf(fname, 512, "%s/fat12.dd", s_root);
if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
// verify the APIs get teh same for file 47
if (test_get_apis(fs, 47, 1)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
// verify the one attribte is the expected type
if (test_get_type(fs, 47, TSK_FS_ATTR_TYPE_DEFAULT)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
Filesystem::~Filesystem() {
tsk_fs_close(Fs);
}
/* This test checks the SLACK flags and verifies
* that we read data from the slack space
*/
int
test_fat_slack()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fat-img-kw";
char fname[512];
TSK_FS_FILE *file1;
char buf[512];
ssize_t retval;
snprintf(fname, 512, "%s/fat-img-kw.dd", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// file4.dat
file1 = tsk_fs_file_open_meta(fs, NULL, 10);
if (file1 == NULL) {
fprintf(stderr, "Error opening file4.dat (%s)\n", tname);
return 1;
}
// verify expected size
if (file1->meta->size != 631) {
fprintf(stderr,
"Error: file4.dat not expected size (%" PRIuOFF ") (%s)\n",
file1->meta->size, tname);
return 1;
}
// try to read all of last sector with/out Slack set
retval =
tsk_fs_file_read(file1, 512, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr,
"Error reading file4.dat to end w/out slack flag\n");
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 119) {
fprintf(stderr,
"Unexpected return value from reading file4.dat to end w/out slack flag.\n");
fprintf(stderr, "Expected: 119. Got: %zd\n", retval);
return 1;
}
retval =
tsk_fs_file_read(file1, 512, buf, 512,
TSK_FS_FILE_READ_FLAG_SLACK);
if (retval == -1) {
fprintf(stderr, "Error reading file4.dat to end w/slack flag\n");
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from reading file4.dat w/slack flag.\n");
fprintf(stderr, "Expected: 512. Got: %zd\n", retval);
return 1;
}
// verify the term in the slack space
if (memcmp("3slack3", &buf[385], 7) != 0) {
fprintf(stderr,
"slack string not found in file4.dat slack space: %x %x %x %x %x %x %x\n",
buf[385], buf[386], buf[387], buf[388], buf[389], buf[390],
buf[391]);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
int
main(int argc, char** argv1)
{
TSK_TCHAR **argv;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_OFF_T imgaddr = 0;
int ch;
while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) {
switch (ch) {
case _TSK_T('f'):
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('v'):
tsk_verbose = 1;
break;
default:
usage();
break;
}
}
if (argc - OPTIND != 3) {
usage();
}
const TSK_TCHAR* image = argv[OPTIND];
size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0);
if (nthreads == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0);
if (niters == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0);
if (img == 0) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype);
if (fs == 0) {
tsk_img_close(img);
tsk_error_print(stderr);
exit(1);
}
TskThread** threads = new TskThread*[nthreads];
for (size_t i = 0; i < nthreads; ++i) {
threads[i] = new MyThread(i, fs, niters);
}
TskThread::run(threads, nthreads);
for (size_t i = 0; i < nthreads; ++i) {
delete threads[i];
}
delete[] threads;
tsk_fs_close(fs);
tsk_img_close(img);
exit(0);
}
TSK_WALK_RET_ENUM part_act(
TSK_VS_INFO* pVsInfo,
const TSK_VS_PART_INFO* pPartInfo,
void* pData)
{
TSK_FS_INFO* lFsInfo = NULL;
OS_FH_TYPE lOut = (OS_FH_TYPE)pData;
unsigned long long lCnt = 0;
char lBuf[32768] = { 0 };
unsigned long long lOffsetBlock = 0;
/* open file system */
if ((lFsInfo = tsk_fs_open_vol(
pPartInfo, /* partition to open */
TSK_FS_TYPE_DETECT /* auto-detect mode on */
)) != NULL)
{
/* known file-system */
/* iterate over unallocated blocks of fs */
tsk_fs_block_walk(
lFsInfo, /* file-system info */
0, /* start */
lFsInfo->block_count - 1, /* end */
TSK_FS_BLOCK_WALK_FLAG_UNALLOC, /* only unallocated blocks */
block_act, /* callback */
pData /* file-handle */
);
/* close fs */
tsk_fs_close(lFsInfo);
}
else
{
/* unknown file-system */
/* iterate through all blocks of this volume regardless of their state */
for (lCnt = 0; lCnt < pPartInfo->len; lCnt++)
{
lOffsetBlock = (pPartInfo->start + lCnt) * pPartInfo->vs->block_size;
LOGGING_DEBUG(
"Block in unknown partition (Len: %lu blocks). "
"Size: %u, Absolute address (Bytes): %lld\n",
pPartInfo->len,
pPartInfo->vs->block_size,
lOffsetBlock);
/* use the following function so that forensic images are supported */
/* HINT: this is not the case with fopen/fseek/fread/fclose functions */
tsk_vs_part_read_block(
pPartInfo,
lCnt, /* start address (blocks) relative to start of volume */
lBuf, /* buffer to store data in */
pPartInfo->vs->block_size /* amount of data to read */
);
data_act(lBuf,
pPartInfo->vs->block_size,
lOffsetBlock,
lOut);
}
}
return TSK_WALK_CONT;
}
void deallocate_filesystem(struct tsk4r_fs_wrapper * ptr){
TSK_FS_INFO *filesystem = ptr->filesystem;
tsk_fs_close(filesystem);
xfree(ptr);
}
/* This test checks the RECOVER flags
*/
int
test_fat_recover()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1.img-FAT";
char fname[512];
TSK_FS_FILE *file1;
TSK_FS_FILE *file2;
char buf[512];
ssize_t retval;
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs =
tsk_fs_open_img(img, 41126400,
(TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// fragmented.html
const char *fname2 = "fragmented.html";
file1 = tsk_fs_file_open_meta(fs, NULL, 1162);
if (file1 == NULL) {
fprintf(stderr, "Error opening %s (%s)\n", fname2, tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// verify expected size
if (file1->meta->size != 5905) {
fprintf(stderr,
"Error: %s not expected size (%" PRIuOFF ") (%s)\n", fname2,
file1->meta->size, tname);
return 1;
}
// verify we can open it via name as well
file2 = tsk_fs_file_open(fs, NULL, "/deleted/fragmented.html");
if (file2 == NULL) {
fprintf(stderr,
"Error opening /deleted/fragmented.html via path name (%s)\n",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (file2->name == NULL) {
fprintf(stderr,
"Opening /deleted/fragmented.html via path name did not have name set(%s)\n",
tname);
return 1;
}
if (strcmp(file2->name->name, fname2) != 0) {
fprintf(stderr,
"Opening /deleted/fragmented.html via path had incorrect name set (%s) (%s)\n",
file2->name->name, tname);
return 1;
}
if ((file2->name->meta_addr != file2->meta->addr)
|| (file2->meta->addr != file1->meta->addr)) {
fprintf(stderr,
"Opening /deleted/fragmented.html via path had incorrect meta addresses (%"
PRIuINUM " %" PRIuINUM " %" PRIuINUM " (%s)\n",
file2->name->meta_addr, file2->meta->addr, file1->meta->addr,
tname);
return 1;
}
tsk_fs_file_close(file2);
file2 = NULL;
// try to read past end of first 2048-byte cluster
retval =
tsk_fs_file_read(file1, 2048, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr, "Error reading %s past end w/out Recover flag\n",
fname2);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// current behavior is to return 0s in "unitialized" space
//if (retval != 0) {
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from reading %s past end w/out Recover flag.\n",
fname2);
fprintf(stderr, "Expected: 0. Got: %zd\n", retval);
return 1;
}
retval =
tsk_fs_file_read(file1, 2048, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr, "Error reading %s past end w/Recover flag\n",
fname2);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from %s past end w/Recover flag.\n",
fname2);
fprintf(stderr, "Expected: 512. Got: %zd\n", retval);
return 1;
}
// verify the term in the slack space
if (memcmp("appear", buf, 6) != 0) {
fprintf(stderr,
"expected string not found in %s recovery: %c %c %c %c %c %c\n",
fname2, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5]);
return 1;
}
tsk_fs_file_close(file1);
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
/**
* Utility function to close file system handles.
* @param pair An element from the file system map.
*/
void TskImageFileTsk::closeFs(std::pair<uint64_t, TSK_FS_INFO*> pair)
{
tsk_fs_close(pair.second);
}
/* This test checks the SLACK flags and verifies
* that we read data from the slack space
*/
int
test_ntfs_slack_ads()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "ntfs-img-kw";
char fname[512];
TSK_FS_FILE *file1;
char buf[512];
ssize_t retval;
snprintf(fname, 512, "%s/ntfs-img-kw-1.dd", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// file-n-44.dat
file1 = tsk_fs_file_open_meta(fs, NULL, 36);
if (file1 == NULL) {
fprintf(stderr, "Error opening file-n-4.dat (%s)\n", tname);
return 1;
}
// verify expected size
if (file1->meta->size != 2000) {
fprintf(stderr,
"Error: file-n-4.dat not expected size (%" PRIuOFF ") (%s)\n",
file1->meta->size, tname);
return 1;
}
// try to read all of last sector with/out Slack set
retval =
tsk_fs_file_read(file1, 1536, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr,
"Error reading file-n-4.dat to end w/out slack flag (%s)\n",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 464) {
fprintf(stderr,
"Unexpected return value from reading file-n-4.dat to end w/out slack flag (%s).\n",
tname);
fprintf(stderr, "Expected: 464. Got: %zd\n", retval);
return 1;
}
retval =
tsk_fs_file_read(file1, 1536, buf, 512,
TSK_FS_FILE_READ_FLAG_SLACK);
if (retval == -1) {
fprintf(stderr,
"Error reading file-n-4.dat to end w/slack flag (%s)\n",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from reading file-n-4.dat w/slack flag. (%s)\n",
tname);
fprintf(stderr, "Expected: 512. Got: %zd\n", retval);
return 1;
}
// verify the term in the slack space
if (memcmp("n-slack", &buf[485], 7) != 0) {
fprintf(stderr,
"slack string not found in file-n-4.dat slack space: %c %c %c %c %c %c %c (%s)\n",
buf[485], buf[486], buf[487], buf[488], buf[489], buf[490],
buf[491], tname);
return 1;
}
// try to read past end of file
retval =
tsk_fs_file_read(file1, 2001, buf, 32,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval != -1) {
fprintf(stderr,
"Unexpected return value from reading file-n-4.dat after end of file (%s).\n",
tname);
fprintf(stderr, "Expected: -1. Got: %zd\n", retval);
return 1;
}
tsk_fs_file_close(file1);
// file-n-5.dat
file1 = tsk_fs_file_open_meta(fs, NULL, 37);
if (file1 == NULL) {
fprintf(stderr, "Error opening file-n-5.dat (%s)\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// check the default size to make sure it is the default $Data
if (file1->meta->size != 1300) {
fprintf(stderr,
"file-n-5.dat size is not 1300 (%" PRIuOFF ") (%s)",
file1->meta->size, tname);
return 1;
}
// test the getsize API for both attributes
const TSK_FS_ATTR *fs_attr =
tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 3, 1);
if (!fs_attr) {
fprintf(stderr,
"Error getting data attribute 3 in file-n-5.dat (%s)", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (fs_attr->size != 1300) {
fprintf(stderr,
"file-n-5.dat size (via getsize) is not 1300 (%" PRIuOFF
") (%s)", fs_attr->size, tname);
return 1;
}
fs_attr =
tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 5, 1);
if (!fs_attr) {
fprintf(stderr,
"Error getting size of attribute 5 in file-n-5.dat (%s)",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (fs_attr->size != 2000) {
fprintf(stderr,
"file-n-5.dat:here size (via getsize) is not 2000 (%" PRIuOFF
") (%s)", fs_attr->size, tname);
return 1;
}
tsk_fs_file_close(file1);
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
static int
test_ntfs_fe()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1-NTFS";
char fname[512];
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
// Verify the APIS get the same and that they are the expected type
if (test_get_apis(fs, 35, 3)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_SI)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_FNAME)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_DATA)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
if (test_get_apis(fs, 9, 7)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_SI)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_FNAME)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_DATA)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXROOT)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXALLOC)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_BITMAP)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
/**
* Scan the image for file systems creating allocated volumes for file systems found
* and unallocated volumes for areas in the image that do not contain file systems.
* Will initially look for file system in first sect_count sectors. If a file system
* is found then it will continue to process the remainder of the image for other
* file systems.
*
* @param sect_start Start looking for file systems starting at this sector.
* @param sect_count The initial number of sectors to scan for file systems.
* @return 0 on success, 1 on failure
*/
uint8_t TSKAutoImpl::scanImgForFs(const uint64_t sect_start, const uint64_t sect_count)
{
if (m_img_info == NULL)
{
LOGERROR(L"TSKAutoImpl::scanImgForFs - Image not open.");
return 1;
}
LOGINFO(L"TSKAutoImpl::scanImgForFs - Starting file system scan.");
// Initialize current offset to our starting byte location.
TSK_OFF_T current_offset = sect_start * m_img_info->sector_size;
TSK_OFF_T end_offset = current_offset + (sect_count * m_img_info->sector_size);
// Last offset keeps track of byte location where we last saw file system
// data. It gets initialized to our starting location.
TSK_OFF_T last_offset = current_offset;
while (current_offset < end_offset)
{
TSK_FS_INFO * fs_info;
if ((fs_info = tsk_fs_open_img(m_img_info,
current_offset,
TSK_FS_TYPE_DETECT)) == NULL)
{
// We didn't find a file system so we move on to the next sector.
current_offset += m_img_info->sector_size;
}
else
{
// We found a file system so we will continue to search for file
// systems beyond the initial sectors.
end_offset = m_img_info->size;
// If there is a gap between the location of this file system and
// where we last saw file system data, an unallocated volume entry
// needs to be created for the gap.
if (fs_info->offset > last_offset)
{
createDummyVolume(last_offset / m_img_info->sector_size,
(fs_info->offset - last_offset) / m_img_info->sector_size,
"Dummy volume for carving purposes",
TSK_VS_PART_FLAG_UNALLOC);
}
// The call to findFilesInFs will take care of creating a
// dummy volume for the file system.
if (findFilesInFs(fs_info) == TSK_ERR)
{
std::wstringstream msg;
msg << L"TSKAutoImpl::scanImgForFs - Error finding files: "
<< tsk_error_get();
tsk_error_reset();
LOGERROR(msg.str());
}
// Move the current offset past the file system we just found.
current_offset += ((fs_info->block_count + 1) * fs_info->block_size);
// Update the last location we saw file system data.
last_offset = current_offset;
tsk_fs_close(fs_info);
}
}
// Finally, create a dummy unallocated volume for the area between the
// last offset and the end of the image.
if (last_offset < m_img_info->size)
{
createDummyVolume(last_offset / m_img_info->sector_size,
(m_img_info->size - last_offset) / m_img_info->sector_size,
"Dummy volume for carving purposes",
TSK_VS_PART_FLAG_UNALLOC);
}
LOGINFO(L"TSKAutoImpl::scanImgForFs - File system scan complete.");
return 0;
}
/*
* Close the given volume system
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_fs_info the pointer to the file system object
*/
JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closeFsNat
(JNIEnv * env, jclass obj, jlong a_fs_info) {
TSK_FS_INFO *fs_info = castFsInfo(env, a_fs_info);
tsk_fs_close(fs_info);
}
