// utility functions VALUE get_filesystem_type(VALUE self) { const char * mytype; struct tsk4r_fs_wrapper * fs_ptr; Data_Get_Struct(self, struct tsk4r_fs_wrapper, fs_ptr); mytype = tsk_fs_type_toname(fs_ptr->filesystem->ftype); rb_iv_set(self, "@name", rb_str_new2(mytype)); return rb_str_new2(mytype); }
/** \internal * Print details about the file system to a file handle. * * @param a_fs File system to print details on * @param hFile File handle to print text to * * @returns 1 on error and 0 on success */ uint8_t tsk_fs_nofs_fsstat(TSK_FS_INFO * a_fs, FILE * hFile) { tsk_fprintf(hFile, "%s Data\n", tsk_fs_type_toname(a_fs->ftype)); tsk_fprintf(hFile, "Block Size: %d\n", a_fs->block_size); tsk_fprintf(hFile, "Block Range: 0 - %" PRIuDADDR "\n", a_fs->last_block); return 0; }
/** \internal */ uint8_t tsk_fs_nofs_jopen(TSK_FS_INFO * a_fs, TSK_INUM_T inum) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC); tsk_error_set_errstr("Illegal analysis method for %s data ", tsk_fs_type_toname(a_fs->ftype)); return 1; }
/** \internal */ uint8_t tsk_fs_nofs_make_data_run(TSK_FS_FILE * a_fs_file) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC); tsk_error_set_errstr("Illegal analysis method for %s data ", (a_fs_file->fs_info) ? tsk_fs_type_toname(a_fs_file->fs_info-> ftype) : ""); return 1; }
/** \internal */ uint8_t tsk_fs_nofs_jblk_walk(TSK_FS_INFO * a_fs, TSK_INUM_T start, TSK_INUM_T end, int a_flags, TSK_FS_JBLK_WALK_CB a_action, void *a_ptr) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC); tsk_error_set_errstr("Illegal analysis method for %s data ", tsk_fs_type_toname(a_fs->ftype)); return 1; }
/** \internal */ TSK_RETVAL_ENUM tsk_fs_nofs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir, TSK_INUM_T a_addr) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC); tsk_error_set_errstr("Illegal analysis method for %s data ", tsk_fs_type_toname(a_fs->ftype)); return TSK_ERR; }
/** \internal */ uint8_t tsk_fs_nofs_istat(TSK_FS_INFO * a_fs, FILE * hFile, TSK_INUM_T inum, TSK_DADDR_T numblock, int32_t sec_skew) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC); tsk_error_set_errstr("Illegal analysis method for %s data ", tsk_fs_type_toname(a_fs->ftype)); return 1; }
/** \internal */ uint8_t tsk_fs_nofs_inode_walk(TSK_FS_INFO * a_fs, TSK_INUM_T a_start_inum, TSK_INUM_T a_end_inum, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_action, void *a_ptr) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC); tsk_error_set_errstr("Illegal analysis method for %s data ", tsk_fs_type_toname(a_fs->ftype)); return 1; }
TSK_FILTER_ENUM TSKAutoImpl::filterFs(TSK_FS_INFO * a_fsInfo) { // add a volume entry if there is no file system if (m_vsSeen == false) { TSK_DADDR_T start_sect = a_fsInfo->offset / a_fsInfo->img_info->sector_size; TSK_DADDR_T end_sect = start_sect + ((a_fsInfo->block_count * a_fsInfo->block_size) / a_fsInfo->img_info->sector_size); createDummyVolume(start_sect, (end_sect - start_sect) + 1, "Dummy volume for file system", TSK_VS_PART_FLAG_ALLOC); } m_curFsId++; m_db.addFsInfo(m_curVsId, m_curFsId, a_fsInfo); /* Process the root directory so that its contents are added to * the DB. We won't see it during the dir_walk. */ TSK_FS_FILE *fs_file = tsk_fs_file_open(a_fsInfo, NULL, "/"); if (fs_file != NULL) { processFile(fs_file, "\\"); } // make sure that flags are set to get all files -- we need this to // find parent directory setFileFilterFlags((TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC)); std::wstringstream msg; msg << L"TSKAutoImpl::filterFs - Discovered " << tsk_fs_type_toname(a_fsInfo->ftype) << L" file system at offset " << a_fsInfo->offset << L" with Id : " << m_curFsId; LOGINFO(msg.str()); return TSK_FILTER_CONT; }
std::string Filesystem::fsName() const { return std::string(tsk_fs_type_toname(Fs->ftype)); }
/** * Parses the file and populates the structures used by this FUSE driver. * * \param filename The filename to parse * \param r The result structure to populate (or NULL if not needed) * \returns 0 if successful, -1 if not. */ static int process_file(const char *filename, result_t new_result) { img_info = tsk_img_open_sing(filename, TSK_IMG_TYPE_DETECT, 0); if (img_info == NULL) { info_log("Failed to open image: %s", filename); return -1; } fs_info = tsk_fs_open_img(img_info, 0, TSK_FS_TYPE_DETECT); if (fs_info == NULL) { info_log("Failed to open filesystem: %s", filename); return -1; } const char *fsname = tsk_fs_type_toname(fs_info->ftype); result_set_brief_data_description(new_result, fsname); mountpoint = g_strdup_printf("%s:mnt-%s", filename, fsname); char *description = g_strdup_printf("%" PRIdDADDR " bytes (%" PRIdDADDR " %ss of %u size)", fs_info->block_count * fs_info->block_size, fs_info->block_count, fs_info->duname, fs_info->block_size); result_set_data_description(new_result, description); g_free(description); result_set_confidence(new_result, 100); block_start(absolute_offset); TSK_FS_DIR_WALK_FLAG_ENUM name_flags = (TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC | TSK_FS_DIR_WALK_FLAG_RECURSE); if (tsk_fs_dir_walk(fs_info, fs_info->root_inum, name_flags, examine_dirent, new_result) != 0) { // Why does this occur? Is it because it's an invalid filesystem structure, or the // structure is damaged? I'm going to assume the structure is damaged, but partially available. warning_log("Warning, unable to fully walk fs! Probably truncated or not a real FS header."); } unsigned int size; block_range_t *ranges = block_end(&size); if (ranges != NULL) { result_set_block_ranges(new_result, ranges, size); for (int i = 0; i < size; i++) { block_range_close(ranges[i]); } g_free(ranges); } if (inode_lookup != NULL) { g_tree_destroy(inode_lookup); inode_lookup = NULL; } unsigned int num_contracts; result_get_new_contracts(new_result, &num_contracts); if (num_contracts > 0) { // Ready to mount! int ret = do_mount(mountpoint); if (ret != 0) { error_log("Failed to mount filesystem!"); } } remove_all_files(); return 0; }
int main(int argc, char **argv1) { TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_IMG_INFO *img; TSK_OFF_T imgaddr = 0; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_FS_INFO *fs; int ch; uint8_t type = 0; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; setlocale(LC_ALL, ""); while ((ch = GETOPT(argc, argv, _TSK_T("b:f:i:o:tvV"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('f'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_fs_type_print(stderr); exit(1); } fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): type = 1; break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); } } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE) tsk_fs_type_print(stderr); img->close(img); exit(1); } if (type) { tsk_printf("%s\n", tsk_fs_type_toname(fs->ftype)); } else { if (fs->fsstat(fs, stdout)) { tsk_error_print(stderr); fs->close(fs); img->close(img); exit(1); } } fs->close(fs); img->close(img); exit(0); }