/*
 * Wrapper that prints one directory entry in the output format selected
 * by the runtime flags in fls_data.
 *
 * fs_attr should be set to NULL for all non-NTFS file systems.
 *
 * Everything is written to stdout.  In this version the MAC and long
 * branches emit no newline of their own; only the default (short) branch
 * follows the entry with "\n".
 */
static void
printit(TSK_FS_FILE * fs_file, const char *a_path,
    const TSK_FS_ATTR * fs_attr, const FLS_DATA * fls_data)
{
    const int full_path = (fls_data->flags & TSK_FS_FLS_FULL) ? 1 : 0;

    /* When full paths are not requested, show the nesting depth instead:
     * one '+' per directory separator, then a single space. */
    if (!full_path && a_path != NULL) {
        uint8_t marked = 0;
        const char *cur;

        /* a '/' in the very first position is not counted as a level */
        for (cur = a_path; *cur != '\0'; cur++) {
            if (*cur == '/' && cur != a_path) {
                tsk_fprintf(stdout, "+");
                marked = 1;
            }
        }

        if (marked)
            tsk_fprintf(stdout, " ");
    }

    /* MAC (time machine) format takes precedence over the long format */
    if (fls_data->flags & TSK_FS_FLS_MAC) {
        tsk_fs_name_print_mac(stdout, fs_file, a_path, fs_attr,
            fls_data->macpre, fls_data->sec_skew);
        return;
    }

    if (fls_data->flags & TSK_FS_FLS_LONG) {
        tsk_fs_name_print_long(stdout, fs_file, a_path, fs_file->fs_info,
            fs_attr, full_path, fls_data->sec_skew);
        return;
    }

    /* default: short listing, terminated here */
    tsk_fs_name_print(stdout, fs_file, a_path, fs_file->fs_info,
        fs_attr, full_path);
    tsk_printf("\n");
}
/*
 * Wrapper that prints one directory entry in the output format selected
 * by the runtime flags in fls_data.
 *
 * fs_attr should be set to NULL for all non-NTFS file systems.
 *
 * Everything is written to stdout and every format is followed by "\n".
 *
 * When both TSK_FS_FLS_MAC and TSK_FS_FLS_HASH are set, the MD5 of the
 * file content is computed and printed with the entry.  If the hash
 * calculation fails, a digest of 16 zero bytes is printed in its place
 * and this function reports nothing further.
 * NOTE(review): readers of that output cannot tell "hash failed" from a
 * real digest except by the all-zero value - confirm consumers treat an
 * all-zero MD5 as "not computed".
 */
static void
printit(TSK_FS_FILE * fs_file, const char *a_path,
    const TSK_FS_ATTR * fs_attr, const FLS_DATA * fls_data)
{
    const int full_path = (fls_data->flags & TSK_FS_FLS_FULL) ? 1 : 0;

    /* When full paths are not requested, show the nesting depth instead:
     * one '+' per directory separator, then a single space. */
    if (!full_path && a_path != NULL) {
        uint8_t marked = 0;
        const char *cur;

        /* a '/' in the very first position is not counted as a level */
        for (cur = a_path; *cur != '\0'; cur++) {
            if (*cur == '/' && cur != a_path) {
                tsk_fprintf(stdout, "+");
                marked = 1;
            }
        }

        if (marked)
            tsk_fprintf(stdout, " ");
    }

    if (fls_data->flags & TSK_FS_FLS_MAC) {
        if (fls_data->flags & TSK_FS_FLS_HASH) {
            TSK_FS_HASH_RESULTS hash_results;
            unsigned char null_buf[16];
            unsigned char *digest = hash_results.md5_digest;

            /* A non-zero return means the hash could not be computed;
             * substitute a buffer of zero bytes for the digest. */
            if (tsk_fs_file_hash_calc(fs_file, &hash_results,
                    TSK_BASE_HASH_MD5) != 0) {
                memset(null_buf, 0, sizeof(null_buf));
                digest = null_buf;
            }

            tsk_fs_name_print_mac_md5(stdout, fs_file, a_path, fs_attr,
                fls_data->macpre, fls_data->sec_skew, digest);
        }
        else {
            tsk_fs_name_print_mac(stdout, fs_file, a_path, fs_attr,
                fls_data->macpre, fls_data->sec_skew);
        }
    }
    else if (fls_data->flags & TSK_FS_FLS_LONG) {
        tsk_fs_name_print_long(stdout, fs_file, a_path, fs_file->fs_info,
            fs_attr, full_path, fls_data->sec_skew);
    }
    else {
        tsk_fs_name_print(stdout, fs_file, a_path, fs_file->fs_info,
            fs_attr, full_path);
    }

    /* every format is terminated by exactly one newline */
    tsk_printf("\n");
}
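/* Print the name currently attached to fs_file for one attribute (or for
 * no attribute when fs_attr is NULL), in the long format when
 * TSK_FS_IFIND_PAR_LONG is set and the short format otherwise, followed
 * by a newline. */
static void
ifind_par_print_entry(TSK_FS_FILE * fs_file, const TSK_FS_ATTR * fs_attr,
    const IFIND_PAR_DATA * data)
{
    if (data->flags & TSK_FS_IFIND_PAR_LONG) {
        tsk_fs_name_print_long(stdout, fs_file, NULL, fs_file->fs_info,
            fs_attr, 0, 0);
    }
    else {
        tsk_fs_name_print(stdout, fs_file, NULL, fs_file->fs_info,
            fs_attr, 0);
    }
    tsk_printf("\n");
}

/*
 * Inode walk callback for tsk_fs_ifind_par: finds unallocated files based
 * on their parent directory.
 *
 * Every file name attribute of fs_file whose parent inode equals
 * data->parinode is printed to stdout, once per $Data / $IDXROOT
 * attribute, or once without an attribute when none of those exist.
 * data->found is set to 1 when at least one match was printed.
 *
 * ptr must point to an IFIND_PAR_DATA.
 *
 * Returns TSK_WALK_CONT to continue the walk, or TSK_WALK_ERROR when the
 * temporary name structure cannot be allocated.
 */
static TSK_WALK_RET_ENUM
ifind_par_act(TSK_FS_FILE * fs_file, void *ptr)
{
    IFIND_PAR_DATA *data = (IFIND_PAR_DATA *) ptr;
    TSK_FS_META_NAME_LIST *fs_name_list;

    /* go through each file name attribute for this file */
    for (fs_name_list = fs_file->meta->name2; fs_name_list != NULL;
        fs_name_list = fs_name_list->next) {
        int i, cnt;
        uint8_t printed = 0;
        TSK_FS_NAME *fs_name;
        TSK_FS_NAME *saved_name;

        if (fs_name_list->par_inode != data->parinode)
            continue;

        /* We found a file that has the target parent directory.
         * Make a FS_NAME structure and print it. */
        if ((fs_name = tsk_fs_name_alloc(256, 0)) == NULL)
            return TSK_WALK_ERROR;

        /* Fill in the basics of the fs_name entry
         * so we can print in the fls formats */
        fs_name->meta_addr = fs_file->meta->addr;
        fs_name->flags = TSK_FS_NAME_FLAG_UNALLOC;
        /* NOTE(review): the name comes from the file system being
         * analysed, and strncpy leaves the destination unterminated when
         * the source holds name_size bytes or more.  This presumably
         * relies on tsk_fs_name_alloc providing a zeroed byte beyond
         * name_size - confirm against the allocator. */
        strncpy(fs_name->name, fs_name_list->name, fs_name->name_size);

        /* Attach the temporary name only while printing.  The previous
         * value is remembered so that fs_file is not left pointing at
         * freed memory once fs_name is released below. */
        saved_name = fs_file->name;
        fs_file->name = fs_name;

        /* now look for the $Data and $IDXROOT attributes */
        cnt = tsk_fs_file_attr_getsize(fs_file);
        for (i = 0; i < cnt; i++) {
            const TSK_FS_ATTR *fs_attr =
                tsk_fs_file_attr_get_idx(fs_file, i);

            if (!fs_attr)
                continue;

            if ((fs_attr->type == TSK_FS_ATTR_TYPE_NTFS_DATA)
                || (fs_attr->type == TSK_FS_ATTR_TYPE_NTFS_IDXROOT)) {
                ifind_par_print_entry(fs_file, fs_attr, data);
                printed = 1;
            }
        }

        /* if there were no attributes, print what we got */
        if (printed == 0)
            ifind_par_print_entry(fs_file, NULL, data);

        /* detach before freeing so no dangling pointer survives */
        fs_file->name = saved_name;
        tsk_fs_name_free(fs_name);
        data->found = 1;
    }

    return TSK_WALK_CONT;
}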