/*
* Clear set lookup databases.
* @param images Path to index.
*/
void
TskCaseDb::clearLookupDatabases() {
if (m_NSRLDb != NULL) {
tsk_hdb_close(m_NSRLDb);
m_NSRLDb = NULL;
}
if (m_knownBadDb != NULL) {
tsk_hdb_close(m_knownBadDb);
m_knownBadDb = NULL;
}
}
JNIEXPORT void JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_closeDbLookupsNat(JNIEnv * env,
jclass obj) {
if (m_NSRLDb != NULL) {
tsk_hdb_close(m_NSRLDb);
m_NSRLDb = NULL;
}
if (m_knownBadDb != NULL) {
tsk_hdb_close(m_knownBadDb);
m_knownBadDb = NULL;
}
}
/*
* Create an index for the given database path
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param dbPathJ path for the database
*/
JNIEXPORT void JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_createLookupIndexNat (JNIEnv * env,
jclass obj, jstring dbPathJ)
{
TSK_TCHAR dbPathT[1024];
toTCHAR(env, dbPathT, 1024, dbPathJ);
TSK_HDB_OPEN_ENUM flags = TSK_HDB_OPEN_NONE;
TSK_HDB_INFO * temp = tsk_hdb_open(dbPathT, flags);
if (temp == NULL) {
throwTskError(env);
return;
}
TSK_TCHAR dbType[1024];
if(temp->db_type == TSK_HDB_DBTYPE_MD5SUM_ID) {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_MD5SUM_STR);
}
else if(temp->db_type == TSK_HDB_DBTYPE_HK_ID) {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_HK_STR);
}
else {
TSNPRINTF(dbType, 1024, _TSK_T("%") PRIcTSK, TSK_HDB_DBTYPE_NSRL_MD5_STR);
}
if (tsk_hdb_makeindex(temp, dbType)) {
throwTskError(env);
}
tsk_hdb_close(temp);
}
TskCaseDb::~TskCaseDb()
{
if (m_db != NULL) {
delete m_db;
m_db = NULL;
}
if (m_NSRLDb != NULL) {
tsk_hdb_close(m_NSRLDb);
m_NSRLDb = NULL;
}
if (m_knownBadDb != NULL) {
tsk_hdb_close(m_knownBadDb);
m_knownBadDb = NULL;
}
}
/*
* Specify an index for determining "known bad" files.
* @param images Path to index.
* @returns 1 on error and 0 on success
*/
uint8_t
TskCaseDb::setKnownBadHashDb(TSK_TCHAR * const indexFile) {
if (m_knownBadDb != NULL) {
tsk_hdb_close(m_knownBadDb);
m_knownBadDb = NULL;
}
TSK_HDB_OPEN_ENUM flags = TSK_HDB_OPEN_IDXONLY;
m_knownBadDb = tsk_hdb_open(indexFile, flags);
return m_knownBadDb != NULL;
}
/*
* Set the "known bad" database to use for hash lookups.
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param caseHandle the pointer to the case
*/
JNIEXPORT void JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_setDbKnownBadNat(JNIEnv * env,
jclass obj, jstring pathJ) {
if (m_knownBadDb != NULL) {
tsk_hdb_close(m_knownBadDb);
m_knownBadDb = NULL;
}
TSK_TCHAR pathT[1024];
toTCHAR(env, pathT, 1024, pathJ);
TSK_HDB_OPEN_ENUM flags = TSK_HDB_OPEN_IDXONLY;
m_knownBadDb = tsk_hdb_open(pathT, flags);
}
/*
* Check if an index exists for the given database path.
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param dbPathJ path for the database
*/
JNIEXPORT jboolean JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_lookupIndexExistsNat
(JNIEnv * env, jclass obj, jstring dbPathJ) {
TSK_TCHAR dbPathT[1024];
toTCHAR(env, dbPathT, 1024, dbPathJ);
TSK_HDB_OPEN_ENUM flags = TSK_HDB_OPEN_IDXONLY;
TSK_HDB_INFO * temp = tsk_hdb_open(dbPathT, flags);
if (temp == NULL) {
return (jboolean) false;
}
uint8_t retval = tsk_hdb_hasindex(temp, TSK_HDB_HTYPE_MD5_ID);
tsk_hdb_close(temp);
return (jboolean) retval == 1;
}
int
main(int argc, char ** argv1)
{
int ch;
TSK_TCHAR *idx_type = NULL;
TSK_TCHAR *db_file = NULL, *lookup_file = NULL;
unsigned int flags = 0;
TSK_HDB_INFO *hdb_info;
TSK_TCHAR **argv;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if( argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **)argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("ef:i:qV"))) > 0) {
switch (ch) {
case _TSK_T('e'):
flags |= TSK_HDB_FLAG_EXT;
break;
case _TSK_T('f'):
lookup_file = OPTARG;
break;
case _TSK_T('i'):
idx_type = OPTARG;
break;
case _TSK_T('q'):
flags |= TSK_HDB_FLAG_QUICK;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
default:
usage();
}
}
if (OPTIND + 1 > argc) {
tsk_fprintf(stderr,
"Error: You must provide the source hash database location\n");
usage();
}
db_file = argv[OPTIND++];
if ((hdb_info = tsk_hdb_open(db_file, TSK_HDB_OPEN_NONE)) == NULL) {
tsk_error_print(stderr);
return 1;
}
/* What mode are we going to run in
*
* Are we going to make an index? */
if (idx_type != NULL) {
/* Get the flags right */
if (lookup_file != NULL) {
fprintf(stderr, "'-f' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_QUICK) {
fprintf(stderr, "'-q' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_EXT) {
fprintf(stderr, "'-e' flag can't be used with '-i'\n");
usage();
}
if (tsk_hdb_makeindex(hdb_info, idx_type)) {
tsk_error_print(stderr);
tsk_hdb_close(hdb_info);
return 1;
}
printf("Index Created\n");
tsk_hdb_close(hdb_info);
return 0;
}
/* Do some hash lookups
*
* Check if the values were passed on the command line or via a file */
if (OPTIND < argc) {
if ((OPTIND + 1 < argc) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr,
"Error: Only one hash can be given with quick option\n");
usage();
}
if ((flags & TSK_HDB_FLAG_EXT) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr, "'-e' flag can't be used with '-q'\n");
usage();
}
if (lookup_file != NULL) {
fprintf(stderr,
"Error: -f can't be used when hashes are also given\n");
usage();
}
/* Loop through all provided hash values
*/
while (OPTIND < argc) {
char htmp[128];
int i;
int retval;
// convert to char -- lazy way to deal with WCHARs..
for (i = 0; i < 127 && argv[OPTIND][i] != '\0'; i++) {
htmp[i] = (char) argv[OPTIND][i];
}
htmp[i] = '\0';
/* Perform lookup */
retval =
tsk_hdb_lookup_str(hdb_info, (const char *)htmp,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
}
else if (retval == 0) {
print_notfound(htmp);
}
OPTIND++;
}
}
/* Hash were given from stdin or a file */
else {
char buf[100];
/* If the file was specified, use that - otherwise stdin */
#ifdef TSK_WIN32
HANDLE handle = NULL;
if (lookup_file != NULL) {
if ((handle = CreateFile(lookup_file, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
0)) == INVALID_HANDLE_VALUE) {
TFPRINTF(stderr, _TSK_T("Error opening hash file: %s\n"),
lookup_file);
exit(1);
}
}
else {
handle = GetStdHandle(STD_INPUT_HANDLE);
}
#else
FILE *handle = NULL;
if (lookup_file != NULL) {
handle = fopen(lookup_file, "r");
if (!handle) {
fprintf(stderr, "Error opening hash file: %s\n",
lookup_file);
exit(1);
}
}
else {
handle = stdin;
}
#endif
while (1) {
int retval;
memset(buf, 0, 100);
#ifdef TSK_WIN32
int done = 0;
// win32 doesn't have a fgets equivalent, so we make an equivalent one
for (int i = 0; i < 100; i++) {
DWORD nread;
if (FALSE == ReadFile(handle, &buf[i], (DWORD) 1, &nread, NULL)) {
done = 1;
break;
}
// skip the windows CR
else if (buf[i] == '\r') {
buf[i] = '\0';
i--;
continue;
}
else if (buf[i] == '\n') {
break;
}
}
if (done)
break;
#else
if (NULL == fgets(buf, 100, handle)) {
break;
}
#endif
/* Remove the newline */
buf[strlen(buf) - 1] = '\0';
retval =
tsk_hdb_lookup_str(hdb_info, (const char *)buf,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
break;
}
else if (retval == 0) {
print_notfound(buf);
}
}
#ifdef TSK_WIN32
if (lookup_file != NULL)
CloseHandle(handle);
#else
if (lookup_file != NULL)
fclose(handle);
#endif
}
tsk_hdb_close(hdb_info);
return 0;
}
int
main(int argc, char ** argv1)
{
int ch;
TSK_TCHAR *idx_type = NULL;
TSK_TCHAR *db_file = NULL;
TSK_TCHAR *lookup_file = NULL;
unsigned int flags = 0;
TSK_HDB_INFO *hdb_info;
TSK_TCHAR **argv;
bool create = false;
bool addHash = false;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if( argv == NULL) {
tsk_fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **)argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("cef:i:aqV"))) > 0) {
switch (ch) {
case _TSK_T('e'):
flags |= TSK_HDB_FLAG_EXT;
break;
case _TSK_T('f'):
lookup_file = OPTARG;
break;
case _TSK_T('i'):
idx_type = OPTARG;
break;
case _TSK_T('c'):
create = true;
break;
case _TSK_T('a'):
addHash = true;
break;
case _TSK_T('q'):
flags |= TSK_HDB_FLAG_QUICK;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
default:
usage();
}
}
if ((addHash) && ((idx_type != NULL) || (create))) {
tsk_fprintf(stderr, "-a cannot be specified with -c or -i\n");
usage();
}
if (OPTIND + 1 > argc) {
tsk_fprintf(stderr,
"Error: You must provide the source hash database location\n");
usage();
}
db_file = argv[OPTIND++];
// Running in create mode (-c option). Make a new hash database and exit.
if (create) {
if (idx_type != NULL) {
tsk_fprintf(stderr, "-c and -i cannot be specified at same time\n");
usage();
}
TSK_TCHAR *ext = TSTRRCHR(db_file, _TSK_T('.'));
if ((NULL != ext) && (TSTRLEN(ext) >= 4) && (TSTRCMP(ext, _TSK_T(".kdb")) == 0)) {
if (0 == tsk_hdb_create(db_file)) {
tsk_fprintf(stdout, "New database %" PRIttocTSK" created\n", db_file);
return 0;
}
else {
tsk_fprintf(stderr, "Failed to create new database %" PRIttocTSK"\n", db_file);
return 1;
}
}
else {
tsk_fprintf(stderr, "New database path must end in .kdb extension\n");
return 1;
}
}
// Opening an existing database.
if ((hdb_info = tsk_hdb_open(db_file, TSK_HDB_OPEN_NONE)) == NULL) {
tsk_error_print(stderr);
return 1;
}
// Now that the database is open and its type is known, if running in add hashes mode (-a option)
// see if it takes updates.
if (addHash && !tsk_hdb_accepts_updates(hdb_info)) {
tsk_fprintf(stderr, "-a option specified, but the specified database does not allow hashes to be added\n");
usage();
}
// Running in indexing mode (-i option). Create an index file and exit.
if (idx_type != NULL) {
if (lookup_file != NULL) {
tsk_fprintf(stderr, "'-f' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_QUICK) {
tsk_fprintf(stderr, "'-q' flag can't be used with '-i'\n");
usage();
}
if (flags & TSK_HDB_FLAG_EXT) {
tsk_fprintf(stderr, "'-e' flag can't be used with '-i'\n");
usage();
}
if (!tsk_hdb_uses_external_indexes(hdb_info)) {
tsk_fprintf(stderr, "Database does not use external indexes, can't be used with '-i'\n");
}
if (tsk_hdb_is_idx_only(hdb_info)) {
tsk_fprintf(stderr, "Database is index only, can be used for look ups, but can't be used with '-i'\n");
}
if (tsk_hdb_make_index(hdb_info, idx_type)) {
tsk_error_print(stderr);
tsk_hdb_close(hdb_info);
return 1;
}
tsk_fprintf(stdout, "Index created\n");
tsk_hdb_close(hdb_info);
return 0;
}
/* Either lookup hash values or add them to DB.
* Check if the values were passed on the command line or via a file
*/
if (OPTIND < argc) {
if ((OPTIND + 1 < argc) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr,
"Error: Only one hash can be given with quick option\n");
usage();
}
if ((flags & TSK_HDB_FLAG_EXT) && (flags & TSK_HDB_FLAG_QUICK)) {
fprintf(stderr, "'-e' flag can't be used with '-q'\n");
usage();
}
if (lookup_file != NULL) {
fprintf(stderr,
"Error: -f can't be used when hashes are also given\n");
usage();
}
/* Loop through all provided hash values
*/
while (OPTIND < argc) {
char htmp[128];
int i;
int retval;
// convert to char -- lazy way to deal with WCHARs..
for (i = 0; i < 127 && argv[OPTIND][i] != '\0'; i++) {
htmp[i] = (char) argv[OPTIND][i];
}
htmp[i] = '\0';
if (addHash) {
// Write a new hash to the database/index, if it's updateable
//@todo support sha1 and sha2-256
retval = tsk_hdb_add_entry(hdb_info, NULL, (const char *)htmp, NULL, NULL, NULL);
if (retval == 1) {
printf("There was an error adding the hash.\n");
tsk_error_print(stderr);
return 1;
}
else if (retval == 0) {
printf("Hash %s added.\n", htmp);
}
}
else {
/* Perform lookup */
retval = tsk_hdb_lookup_str(hdb_info, (const char *)htmp,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
}
else if (retval == 0) {
print_notfound(htmp);
}
}
OPTIND++;
}
}
/* Hash were given from stdin or a file */
else {
char buf[100];
/* If the file was specified, use that - otherwise stdin */
#ifdef TSK_WIN32
HANDLE handle = NULL;
if (lookup_file != NULL) {
if ((handle = CreateFile(lookup_file, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
0)) == INVALID_HANDLE_VALUE) {
TFPRINTF(stderr, _TSK_T("Error opening hash file: %s\n"),
lookup_file);
exit(1);
}
}
else {
handle = GetStdHandle(STD_INPUT_HANDLE);
}
#else
FILE *handle = NULL;
if (lookup_file != NULL) {
handle = fopen(lookup_file, "r");
if (!handle) {
fprintf(stderr, "Error opening hash file: %s\n",
lookup_file);
exit(1);
}
}
else {
handle = stdin;
}
#endif
while (1) {
int retval;
memset(buf, 0, 100);
#ifdef TSK_WIN32
int done = 0;
// win32 doesn't have a fgets equivalent, so we make an equivalent one
for (int i = 0; i < 100; i++) {
DWORD nread;
if (FALSE == ReadFile(handle, &buf[i], (DWORD) 1, &nread, NULL)) {
done = 1;
break;
}
// skip the windows CR
else if (buf[i] == '\r') {
buf[i] = '\0';
i--;
continue;
}
else if (buf[i] == '\n') {
break;
}
}
if (done)
break;
#else
if (NULL == fgets(buf, 100, handle)) {
break;
}
#endif
/* Remove the newline */
buf[strlen(buf) - 1] = '\0';
retval =
tsk_hdb_lookup_str(hdb_info, (const char *)buf,
(TSK_HDB_FLAG_ENUM)flags, lookup_act, NULL);
if (retval == -1) {
tsk_error_print(stderr);
return 1;
}
if (flags & TSK_HDB_FLAG_QUICK) {
printf("%d\n", retval);
break;
}
else if (retval == 0) {
print_notfound(buf);
}
}
#ifdef TSK_WIN32
if (lookup_file != NULL)
CloseHandle(handle);
#else
if (lookup_file != NULL)
fclose(handle);
#endif
}
tsk_hdb_close(hdb_info);
return 0;
}
