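/**
 * Records each carved file in the image database and registers it with the file manager.
 *
 * For every entry the byte offset and length within the unallocated-sectors image file
 * are converted to a sector range, mapped to image sectors through the matching
 * UnallocRun, and saved with addCarvedFileInfo(). The carved output file is then added
 * to the file manager and removed from the output folder unless the
 * CARVE_EXTRACT_KEEP_OUTPUT_FILES system property is "TRUE" (compared case-insensitively).
 *
 * @param outputFolderPath Folder that holds the carved output files.
 * @param carvedFiles Descriptions of the carved files (id, name, offset, length).
 * @throws TskException if a sector offset does not fit the int used for the run lookup,
 * no unallocated run is returned, a database call reports failure, or Poco throws.
 */
void TskCarveExtractScalpel::processCarvedFiles(const std::string &outputFolderPath, const std::vector<TskCarveExtractScalpel::CarvedFile> &carvedFiles) const
{
    try
    {
        TskImgDB& imgDB = TskServices::Instance().getImgDB();
        const uint64_t sectorSize = 512;

        for (std::vector<CarvedFile>::const_iterator carved = carvedFiles.begin(); carved != carvedFiles.end(); ++carved)
        {
            // NOTE(review): the name is joined to the output folder and the resulting path is
            // later removed; presumably it is a bare file name from the carving results -
            // confirm it cannot contain path separators or "..".
            std::stringstream filePath;
            filePath << outputFolderPath << Poco::Path::separator() << carved->name;

            // Convert the starting offset (in bytes) of the carved file in the unallocated image file
            // and the length of the carved file (in bytes) into a range of "sectors."
            const uint64_t startSector = carved->offset / sectorSize;
            const uint64_t endSector = (carved->offset + carved->length) / sectorSize;
            int fileStartSectorOffset = static_cast<int>(startSector);
            int fileEndSectorOffset = static_cast<int>(endSector);

            // The lookup below takes an int. A sector number that does not survive the
            // narrowing would silently map the carved file to the wrong image sectors,
            // so reject it instead of recording a bad mapping.
            if (fileStartSectorOffset < 0 || fileEndSectorOffset < 0 ||
                static_cast<uint64_t>(fileStartSectorOffset) != startSector ||
                static_cast<uint64_t>(fileEndSectorOffset) != endSector)
            {
                std::stringstream msg;
                msg << "TskCarveExtractScalpel::processCarvedFiles : sector offset out of range for '" << filePath.str() << "'";
                throw TskException(msg.str());
            }

            // Get the unallocated sectors run corresponding to the unallocated image file and map the file sector offsets to image sector offset and length.
            std::auto_ptr<UnallocRun> run(imgDB.getUnallocRun(carved->id, fileStartSectorOffset));
            if (!run.get())
            {
                // Without a run there is nothing to dereference below.
                std::stringstream msg;
                msg << "TskCarveExtractScalpel::processCarvedFiles : no unallocated sectors run found for '" << filePath.str() << "'";
                throw TskException(msg.str());
            }

            int numberOfRuns = 1;
            uint64_t sectorRunStart[] = { run->getAllocStart() + fileStartSectorOffset - run->getUnallocStart() };
            uint64_t sectorRunLength[] = { run->getAllocStart() + fileEndSectorOffset - run->getUnallocStart() - sectorRunStart[0] };

            // Add the mapping to the image database.
            uint64_t fileId;
            if (imgDB.addCarvedFileInfo(run->getVolId(), const_cast<wchar_t*>(TskUtilities::toUTF16(carved->name).c_str()), carved->length, &sectorRunStart[0], &sectorRunLength[0], numberOfRuns, fileId) == -1)
            {
                std::stringstream msg;
                msg << "TskCarveExtractScalpel::processCarvedFiles : unable to save carved file info for '" << filePath.str() << "'";
                throw TskException(msg.str());
            }

            TskServices::Instance().getFileManager().addFile(fileId, TskUtilities::toUTF16(filePath.str()));

            // Delete output (carved) files by default.
            std::string option = GetSystemProperty("CARVE_EXTRACT_KEEP_OUTPUT_FILES");
            std::transform(option.begin(), option.end(), option.begin(), ::toupper);
            bool deleteOutputFiles = (option != "TRUE");

            if (deleteOutputFiles)
            {
                // Named differently from the loop iterator so the two are not confused.
                Poco::File carvedOutputFile(filePath.str());
                carvedOutputFile.remove();
            }

            // NOTE(review): addCarvedFileInfo() is checked against -1 above while this call
            // is checked against 1 - confirm which value updateFileStatus() uses for failure.
            if (imgDB.updateFileStatus(fileId, TskImgDB::IMGDB_FILES_STATUS_READY_FOR_ANALYSIS) == 1)
            {
                std::stringstream msg;
                msg << "TskCarveExtractScalpel::processCarvedFiles : unable to update file status for '" << filePath.str() << "'";
                throw TskException(msg.str());
            }
        }
    }
    catch (Poco::Exception &ex)
    {
        std::stringstream msg;
        msg << "TskCarveExtractScalpel::processCarvedFiles : Poco exception: " <<  ex.displayText();
        throw TskException(msg.str());
    }
}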
/**
 * Sets the location of the module given an absolute or relative location.
 * For relative paths we look for the
 * module first in PROG_DIR, then MODULE_DIR, then the
 * current directory, and 
 * finally the system path. Will throw an exception if the module cannot 
 * be found.
 * @param location Absolute or relative path string for module.
 */
void TskModule::setPath(const std::string& location)
{
    if (location.empty())
        throw TskException("TskModule::setPath: location is empty or missing.");

    Poco::Path resolvedPath(location);

    if (!resolvedPath.isAbsolute())
    {
        // A relative name is resolved against PROG_DIR, then MODULE_DIR, then the
        // current directory, and only then the "Path" environment variable. The first
        // directory holding a matching file wins, so a caller that needs one specific
        // binary should pass an absolute path.
        std::string searchDirs = GetSystemProperty(TskSystemProperties::PROG_DIR);
        if (!searchDirs.empty())
            searchDirs += Poco::Path::pathSeparator();
        searchDirs += GetSystemProperty(TskSystemProperties::MODULE_DIR);
        if (!searchDirs.empty())
            searchDirs += Poco::Path::pathSeparator();
        searchDirs += ".";

        const bool foundInFrameworkDirs = Poco::Path::find(searchDirs, location, resolvedPath);

        // Fall back to the system path only when the framework directories had no match.
        // NOTE(review): the variable is looked up as "Path"; confirm this is intended on
        // platforms where environment names are case-sensitive.
        if (!foundInFrameworkDirs && Poco::Environment::has("Path"))
        {
            const std::string systemPath = Poco::Environment::get("Path");
            if (!systemPath.empty())
                Poco::Path::find(systemPath, location, resolvedPath);
        }
    }

    // Confirm that something exists at the resolved location before accepting it.
    Poco::File moduleFile(resolvedPath);
    if (!moduleFile.exists())
    {
        std::stringstream notFound;
        notFound << "TskModule::setPath - Module not found: "
                 << resolvedPath.toString().c_str();
        throw TskException(notFound.str());
    }

    std::wstringstream found;
    found << L"TskModule::setPath - Module found at: "
          << resolvedPath.toString().c_str();
    LOGINFO(found.str());

    m_modulePath = resolvedPath.toString();
}
/**
 * Looks up the module's report symbol and calls it.
 *
 * Every exception raised while checking the module or running the report
 * function is logged and turned into TskModule::FAIL; nothing propagates
 * to the caller.
 *
 * @return The status returned by the module's report function, or
 * TskModule::FAIL if the module is not loaded, lacks the symbol, or throws.
 */
TskModule::Status TskReportPluginModule::report()
{
    const std::string MSG_PREFIX = "TskReportPluginModule::report : ";
    try
    {
        if (!isLoaded())
        {
            std::stringstream notLoaded;
            notLoaded << MSG_PREFIX << "'" << getPath() << "' is not loaded";
            throw TskException(notLoaded.str());
        }

        if (!hasSymbol(TskPluginModule::REPORT_SYMBOL))
        {
            std::stringstream noSymbol;
            noSymbol << MSG_PREFIX << "'" << getPath() << "' does not define the '" << TskPluginModule::REPORT_SYMBOL << "' symbol";
            throw TskException(noSymbol.str());
        }

        // The symbol is cast to a no-argument function returning a Status; the
        // module is trusted to export it with exactly that signature.
        typedef TskModule::Status (*ReportFunc)();
        ReportFunc entryPoint = (ReportFunc)getSymbol(TskPluginModule::REPORT_SYMBOL);
        return entryPoint();
    }
    catch (TskException &ex)
    {
        std::stringstream failure;
        failure << MSG_PREFIX << "TskException executing report function of " << getName() << ": " << ex.message();
        LOGERROR(failure.str());
        return TskModule::FAIL;
    }
    catch (Poco::Exception &ex)
    {
        std::stringstream failure;
        failure << MSG_PREFIX <<  "Poco::Exception executing report function of "  << getName() << ": " << ex.displayText();
        LOGERROR(failure.str());
        return TskModule::FAIL;
    }
    catch (std::exception &ex)
    {
        std::stringstream failure;
        failure << MSG_PREFIX <<  "std::exception executing report function of "  << getName() << ": " << ex.what();
        LOGERROR(failure.str());
        return TskModule::FAIL;
    }
    catch (...)
    {
        std::stringstream failure;
        failure << MSG_PREFIX << "unrecognized exception executing report function of "  << getName();
        LOGERROR(failure.str());
        return TskModule::FAIL;
    }
}
/**
 * Reads the carved-files list out of a Scalpel carving results file.
 *
 * Everything up to and including the line containing "Extracted From" is
 * skipped. Each following line is split on tabs and spaces; parsing stops at
 * the first line that does not have exactly five fields.
 *
 * @param unallocImgId Id of the unallocated-sectors image file that was carved.
 * @param resultsFilePath Path of the results file to read.
 * @return One CarvedFile per list line, built from fields 0, 1 and 3.
 * @throws TskException if the file is missing, cannot be opened, or Poco throws.
 */
std::vector<TskCarveExtractScalpel::CarvedFile> TskCarveExtractScalpel::parseCarvingResultsFile(int unallocImgId, const std::string &resultsFilePath) const
{
    try
    {
        Poco::File resultsFile(resultsFilePath);
        if (!resultsFile.exists())
        {
            std::stringstream missing;
            missing << "TskCarveExtractScalpel::parseCarvingResultsFile : could not find Scalpel carving results file for unalloc img id " << unallocImgId;
            throw TskException(missing.str());
        }

        std::ifstream resultsStream(resultsFilePath.c_str());
        if (!resultsStream)
        {
            std::stringstream unreadable;
            unreadable << "TskCarveExtractScalpel::parseCarvingResultsFile : unable to open Scalpel carving results file for unalloc img id " << unallocImgId;
            throw TskException(unreadable.str());
        }

        // Skip ahead until the header of the carved files list has been consumed.
        std::string line;
        while (std::getline(resultsStream, line))
        {
            if (line.find("Extracted From") != std::string::npos)
                break;
        }

        // Collect list entries until a line with a different field count ends the list.
        // NOTE(review): a carved file name containing a space would change the field
        // count and end the list early - confirm the tool never emits such names.
        std::vector<CarvedFile> carvedFiles;
        const std::size_t numberOfFileFields = 5;
        const int tokenizerOptions = Poco::StringTokenizer::TOK_IGNORE_EMPTY | Poco::StringTokenizer::TOK_TRIM;
        while (std::getline(resultsStream, line))
        {
            Poco::StringTokenizer fields(line, "\t ", tokenizerOptions);
            if (fields.count() != numberOfFileFields)
                break;

            carvedFiles.push_back(CarvedFile(unallocImgId, fields[0], fields[1], fields[3]));
        }

        resultsStream.close();

        return carvedFiles;
    }
    catch (Poco::Exception &ex)
    {
        std::stringstream wrapped;
        wrapped << "TskCarveExtractScalpel::parseCarvingResultsFile : Poco exception: " <<  ex.displayText();
        throw TskException(wrapped.str());
    }
}
/**
 * Returns the value of a predefined system property with macros expanded.
 *
 * CURRENT_TIME is formatted from the local clock on every call. For other
 * properties an empty stored value is filled in as follows: PROG_DIR from
 * TskUtilities::getProgDir(), IMAGE_FILE from the first image name in the
 * image database (both are then stored via set()), anything else from
 * predefPropDefaults.
 *
 * @param prop The predefined property to look up.
 * @return The property value after expandMacros().
 * @throws TskException if prop is out of range, or the value is still empty
 * and the property is listed in requiredProps.
 */
std::string TskSystemProperties::get(PredefinedProperty prop) const
{
    assert(prop >= PROG_DIR && prop < END_PROPS);
    if (!(prop >= PROG_DIR && prop < END_PROPS))
    {
        throw TskException("TskSystemProperties::get : passed out of range prop argument");
    }

    // CURRENT_TIME is never stored; it is computed on each request.
    if (prop == CURRENT_TIME)
        return Poco::DateTimeFormatter::format(Poco::LocalDateTime(), "%Y_%m_%d_%H_%M_%S");

    std::string value = getProperty(predefPropNames[prop]);

    if (value.empty())
    {
        switch (prop)
        {
        case PROG_DIR:
            // Fall back to the location of the running program and remember it.
            value = TskUtilities::getProgDir();
            const_cast<TskSystemProperties*>(this)->set(prop, value);
            break;

        case IMAGE_FILE:
        {
            // Fall back to the first image name known to the image database, if any.
            const std::vector<std::string> imgNames = TskServices::Instance().getImgDB().getImageNames();
            if (!imgNames.empty())
            {
                value = imgNames[0];
                const_cast<TskSystemProperties*>(this)->set(prop, value);
            }
            break;
        }

        default:
            // Other properties may have a built-in default.
            value = predefPropDefaults[prop];
            break;
        }
    }

    // Still empty: that is an error only for properties marked as required.
    if (value.empty() && requiredProps.count(prop) != 0)
    {
        std::stringstream unset;
        unset << "TskSystemProperties::get : required predefined system property '" << predefPropNames[prop] << "' is not set";
        throw TskException(unset.str());
    }

    return expandMacros(value);
}
// Throw exception if the module does not have REPORT_SYMBOL
void TskReportPluginModule::checkInterface()
{
    // A module that has not been loaded cannot be inspected for symbols.
    if (!isLoaded())
    {
        throw TskException("Module is not loaded");
    }

    if (hasSymbol(TskPluginModule::REPORT_SYMBOL))
    {
        return;
    }

    // The detailed reason (symbol name and module path) goes to the log;
    // the exception itself carries only a generic message.
    std::wstringstream details;
    details << L"TskReportPluginModule::checkInterface - Module does not contain the \""
            << TskPluginModule::REPORT_SYMBOL.c_str() << L"\" symbol : " << getPath().c_str();
    LOGERROR(details.str());

    throw TskException("Module missing required symbol.");
}
/**
 * Confirm that an executable file exists at location.
 */
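void TskExecutableModule::setPath(const std::string& location)
{
    try
    {
        // Autogenerate filename extension if needed
        Poco::Path tempPath = location;
        if (tempPath.getExtension().empty())
        {
            std::string os = Poco::Environment::osName();
            if (os.find("Windows") != std::string::npos ||
                os.find("CYGWIN")  != std::string::npos ||
                os.find("MINGW")   != std::string::npos )
            {
                tempPath.setExtension("exe");
            }
            // Else we assume the user is on a platform that doesn't use executable extensions.
        }

        // Call our parent to validate the location; it sets m_modulePath on success.
        TskModule::setPath(tempPath.toString());

        m_name = Poco::Path(m_modulePath).getBaseName();

        // Verify that the file is executable.
        Poco::File exeFile(m_modulePath);

        if (!exeFile.canExecute())
        {
            std::wstringstream msg;
            msg << L"TskExecutableModule::setPath - File is not executable: "
                << m_modulePath.c_str();
            LOGERROR(msg.str());
            throw TskException("File is not executable.");
        }
    }
    catch (TskException&)
    {
        // Rethrow the exception in flight. "throw tskEx;" would throw a copy
        // and slice any type derived from TskException.
        throw;
    }
    catch(std::exception& ex)
    {
        // Log a message and throw a framework exception.
        std::wstringstream msg;
        msg << "TskExecutableModule::setPath : " << ex.what();
        LOGERROR(msg.str());

        // Report the requested location: m_modulePath may still hold a previous
        // value if the failure happened before the parent call assigned it.
        throw TskException("Failed to set location: " + location);
    }
}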
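/**
 * Creates unallocated-sectors image files from the sectors of every file in
 * the image database whose name equals fileName.
 *
 * @param fileName Name to match against files.name; must not be empty.
 * @throws TskException if fileName is empty.
 */
void TskCarvePrepSectorConcat::processFiles(const std::string &fileName) const
{
    assert(!fileName.empty());
    if (fileName.empty())
    {
        throw TskException("TskCarvePrepSectorConcat::processFiles : empty file name argument");
    }

    std::string outputFolderPath;
    std::string outputFileName;
    size_t maxOutputFileSize = 0; // initialised in case the set-up call leaves it untouched
    setUpForCarvePrep(outputFolderPath, outputFileName, maxOutputFileSize);

    // The name is embedded in a SQL string literal, so double every single quote.
    // A name such as "it's.doc" would otherwise end the literal early and the rest
    // of the name would be read as SQL.
    // NOTE(review): this is the standard-SQL escape; confirm it matches the quoting
    // rules of the database behind TskImgDB, or use a bound parameter if one exists.
    std::string escapedName;
    escapedName.reserve(fileName.size());
    for (std::string::const_iterator ch = fileName.begin(); ch != fileName.end(); ++ch)
    {
        if (*ch == '\'')
        {
            escapedName += '\'';
        }
        escapedName += *ch;
    }

    // Get the file ids for any files with the specified file name.
    TskImgDB &imgDB = TskServices::Instance().getImgDB();
    std::stringstream condition;
    condition << "WHERE files.name = " << "'" << escapedName << "'";
    std::vector<uint64_t> fileIds = imgDB.getFileIds(condition.str());

    std::auto_ptr<SectorRuns> sectorRuns;
    for (std::vector<uint64_t>::const_iterator it = fileIds.begin(); it != fileIds.end(); ++it)
    {
        // Files for which no sector runs are returned are skipped.
        sectorRuns.reset(imgDB.getFileSectors(*it));
        if (sectorRuns.get())
        {
            createUnallocSectorsImgFiles(outputFolderPath, outputFileName, maxOutputFileSize, *sectorRuns);
        }
    }
}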
/**
 * Looks up the type name registered for an artifact type id.
 *
 * @param artifactTypeID Id to look up in artifact_type_table.
 * @return The typeName stored for that id.
 * @throws TskException if the id is not in the table.
 */
string TskBlackboard::artTypeIDToTypeName(const int artifactTypeID){
    map<int, TskArtifactNames>::iterator entry = artifact_type_table.find(artifactTypeID);
    if (entry != artifact_type_table.end())
    {
        return entry->second.typeName;
    }
    // NOTE(review): the message says "attribute" although this is the artifact table.
    throw TskException("No attribute type with that id");
}
/**
 * Looks up the display name registered for an attribute type id.
 *
 * @param attributeTypeID Id to look up in attribute_type_table.
 * @return The displayName stored for that id.
 * @throws TskException if the id is not in the table.
 */
string TskBlackboard::attrTypeIDToTypeDisplayName(const int attributeTypeID){
    map<int, TskAttributeNames>::iterator entry = attribute_type_table.find(attributeTypeID);
    if (entry != attribute_type_table.end())
    {
        return entry->second.displayName;
    }
    throw TskException("No attribute type with that id");
}
/*
    Traverse the hierarchy inside the container
 */
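void TskL01Extract::traverse(ewf::libewf_file_entry_t *parent)
{
    // Path of the directory currently being visited. It is shared by every level
    // of the recursion, so each push below must be matched by a pop on every exit.
    static Poco::Path currPath;

    TskL01Extract::ArchivedFile fileInfo;
    fileInfo.entry   = parent;
    fileInfo.type    = getFileType(parent);
    fileInfo.size    = getFileSize(parent);
    fileInfo.ctime   = getEntryChangeTime(parent);
    fileInfo.crtime  = getCreationTime(parent);
    fileInfo.atime   = getAccessTime(parent);
    fileInfo.mtime   = getModifiedTime(parent);
    std::string name = getName(parent);

    // NOTE(review): entry names come from the container being examined and are used
    // unchanged as path components; confirm that whatever later writes files under
    // these paths rejects names such as ".." or names containing separators.

    // Directories with an empty name are not recorded and do not extend the path.
    const bool saveDirectory = (fileInfo.type == 'd') && !name.empty();

    if (saveDirectory)
    {
        currPath.pushDirectory(name);
        fileInfo.path = currPath;
        m_archivedFiles.push_back(fileInfo);
    }
    else if (fileInfo.type == 'f')
    {
        Poco::Path tempPath = currPath;
        tempPath.setFileName(name);
        fileInfo.path = tempPath;
        m_archivedFiles.push_back(fileInfo);
    }

    try
    {
        int num = 0;
        ewf::libewf_error_t *ewfError = NULL;
        // A failed count used to be read as "no children", which silently dropped
        // the whole subtree from the listing.
        if (ewf::libewf_file_entry_get_number_of_sub_file_entries(parent, &num, &ewfError) == -1)
        {
            throw TskException("TskL01Extract::traverse - Error with libewf_file_entry_get_number_of_sub_file_entries: ");
        }

        // Recurse into each child entry.
        for (int i = 0; i < num; ++i)
        {
            ewf::libewf_file_entry_t *child = NULL;
            ewfError = NULL;
            if (ewf::libewf_file_entry_get_sub_file_entry(parent, i, &child, &ewfError) == -1)
            {
                throw TskException("TskL01Extract::traverse - Error with libewf_file_entry_get_sub_file_entry: ");
            }

            traverse(child);
        }
    }
    catch (...)
    {
        // Undo this level's push so the static path is not left pointing into a
        // half-visited directory for the next traversal.
        if (saveDirectory)
        {
            currPath.popDirectory();
        }
        throw;
    }

    if (saveDirectory)
    {
        currPath.popDirectory();
    }
}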
/**
 * Finds the id of the artifact type registered under a type name.
 *
 * The table is keyed by id, so the name is found by scanning every entry.
 *
 * @param artifactTypeString Type name to search for.
 * @return The id of the first entry whose typeName matches.
 * @throws TskException if no entry has that name.
 */
int TskBlackboard::artTypeNameToTypeID(const string& artifactTypeString){
    map<int, TskArtifactNames>::iterator entry = artifact_type_table.begin();
    while (entry != artifact_type_table.end())
    {
        if (artifactTypeString == entry->second.typeName)
        {
            return entry->first;
        }
        entry++;
    }
    // NOTE(review): the message says "attribute" although this is the artifact table.
    throw TskException("No attribute type with that name");
}
/**
 * Set the scheduler service. 
 * Throws an exception if one has already been set. 
 */
void TskServices::setScheduler(Scheduler &scheduler)
{
    // The service can be registered once; a second registration is refused.
    if (m_scheduler != NULL)
    {
        LOGERROR(L"TskServices::setScheduler - Scheduler has already been initialized.");
        throw TskException("Scheduler already initialized.");
    }

    // Only the address is kept, so the caller's object must stay alive while it is in use.
    m_scheduler = &scheduler;
}
/**
 * Set the log service. 
 * Throws an exception if one has already been set. 
 */
void TskServices::setLog(Log &log)
{
    // The service can be registered once; a second registration is refused.
    if (m_log != NULL)
    {
        LOGERROR(L"TskServices::setLog - Log has already been initialized.");
        throw TskException("Log already initialized.");
    }

    // Only the address is kept, so the caller's object must stay alive while it is in use.
    m_log = &log;
}
/**
 * Set the file manager service.
 * Throws an exception if one has already been set.
 */
void TskServices::setFileManager(TskFileManager& fileManager)
{
    if (m_fileManager != NULL)
    {
        LOGERROR(L"TskServices::setFileManager - File Manager has already been initialized.");
        throw TskException("FileManager already initialized.");
    }

    // Only the address is kept, so the caller's object must stay alive while it is in use.
    m_fileManager = &fileManager;
}
/**
 * Return the file manager service. If no service was set up, an exception
 * is thrown.
 * @returns file manager reference.
 */
TskFileManager& TskServices::getFileManager()
{
    if (m_fileManager)
    {
        return *m_fileManager;
    }

    LOGERROR(L"TskServices::getFileManager - File Manager has not been initialized.");
    throw TskException("File Manager not initialized.");
}
/** 
 * Return the blackboard service.  If no service was set up, an exception
 * is thrown.
 * @returns blackboard reference. 
 */
TskBlackboard& TskServices::getBlackboard()
{
    if (m_blackboard)
    {
        return *m_blackboard;
    }

    // Nothing registered: log the condition and fail rather than return a null reference.
    LOGERROR(L"TskServices::getBlackboard - Blackboard has not been initialized.");
    throw TskException("Blackboard not initialized.");
}
/**
 * Set the system properties service. 
 * Throws an exception if one has already been set. 
 */
void TskServices::setSystemProperties(TskSystemProperties& systemProperties)
{
    // The service can be registered once; a second registration is refused.
    if (m_systemProperties != NULL)
    {
        LOGERROR(L"TskServices::setSystemProperties - SystemProperties has already been initialized.");
        throw TskException("SystemProperties already initialized.");
    }

    // Only the address is kept, so the caller's object must stay alive while it is in use.
    m_systemProperties = &systemProperties;
}
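/**
 * Returns the type byte libewf reports for a file entry.
 *
 * @param node The libewf file entry to query.
 * @return The value written by libewf_file_entry_get_type().
 * @throws TskException if either libewf call returns -1.
 */
const uint8_t TskL01Extract::getFileType(ewf::libewf_file_entry_t *node)
{
    uint8_t type = 0;
    ewf::libewf_error_t *ewfError = NULL;
    if (ewf::libewf_file_entry_get_type(node, &type, &ewfError) == -1)
    {
        // The message now names the call that actually failed.
        throw TskException("TskL01Extract::getFileType - Error with libewf_file_entry_get_type: ");
    }

    // The flags are not part of the result; the call is kept so that an entry
    // whose flags cannot be read is still rejected here.
    uint32_t flags = 0;
    ewfError = NULL;
    if (ewf::libewf_file_entry_get_flags(node, &flags, &ewfError) == -1)
    {
        throw TskException("TskL01Extract::getFileType - Error with libewf_file_entry_get_flags: ");
    }

    return type;
}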
/**
 * Set the blackboard service. 
 * Throws an exception if one has already been set. 
 */
void TskServices::setBlackboard(TskBlackboard& blackboard)
{
    // The service can be registered once; a second registration is refused.
    if (m_blackboard != NULL)
    {
        LOGERROR(L"TskServices::setBlackboard - Blackboard has already been initialized.");
        throw TskException("Blackboard already initialized.");
    }

    // Only the address is kept, so the caller's object must stay alive while it is in use.
    m_blackboard = &blackboard;
}
/**
 * Set the image file service. 
 * Throws an exception if one has already been set. 
 */
void TskServices::setImageFile(TskImageFile& imageFile)
{
    // The service can be registered once; a second registration is refused.
    if (m_imageFile != NULL)
    {
        LOGERROR(L"TskServices::setImageFile - ImageFile has already been initialized.");
        throw TskException("ImageFile already initialized.");
    }

    // Only the address is kept, so the caller's object must stay alive while it is in use.
    m_imageFile = &imageFile;
}
/**
 * Set the database service. 
 * Throws an exception if one has already been set. 
 */
void TskServices::setImgDB(TskImgDB& imgDB)
{
    // The service can be registered once; a second registration is refused.
    if (m_imgDB != NULL)
    {
        LOGERROR(L"TskServices::setImgDB - ImgDB has already been initialized.");
        throw TskException("ImgDB already initialized.");
    }

    // Only the address is kept, so the caller's object must stay alive while it is in use.
    m_imgDB = &imgDB;
}
/**
 * Registers a new artifact type under the next free id.
 *
 * @param artifactTypeName Type name; must not match any registered typeName.
 * @param displayName Display name stored with the type.
 * @return The id assigned to the new type (the counter value before it is advanced).
 * @throws TskException if an entry with the same type name already exists.
 */
int TskBlackboard::addArtifactType(const string& artifactTypeName, const string& displayName){
    // Refuse duplicates: scan every registered type for the same name.
    map<int, TskArtifactNames>::iterator entry = artifact_type_table.begin();
    while (entry != artifact_type_table.end())
    {
        if (artifactTypeName == entry->second.typeName)
        {
            // NOTE(review): the message says "Attribute" although this is the artifact table.
            throw TskException("Attribute type with that name already exists");
        }
        entry++;
    }

    const TskArtifactNames names(artifactTypeName, displayName);
    artifact_type_table.insert(pair<int, TskArtifactNames>(m_artifactIDcounter, names));

    // Hand out the id just used and advance the counter for the next registration.
    return m_artifactIDcounter++;
}
/** 
 * Return the image file service.  If no service was setup, an exception
 * is thrown.
 * @returns image file reference. 
 */
TskImageFile& TskServices::getImageFile()
{
    if (m_imageFile)
    {
        return *m_imageFile;
    }

    // Nothing registered: log the condition and fail rather than return a null reference.
    LOGERROR(L"TskServices::getImageFile - ImageFile has not been initialized.");
    throw TskException("ImageFile not initialized.");
}
/** 
 * Return the system scheduler service.  If no service was setup, an exception
 * is thrown.
 * @returns scheduler reference. 
 */
Scheduler& TskServices::getScheduler()
{
    if (m_scheduler)
    {
        return *m_scheduler;
    }

    // Nothing registered: log the condition and fail rather than return a null reference.
    LOGERROR(L"TskServices::getScheduler - Scheduler has not been initialized.");
    throw TskException("Scheduler not initialized.");
}
/**
 * Verifies that the module is loaded and defines the report symbol.
 *
 * @throws TskException if the module is not loaded (this case is also logged)
 * or does not define TskPluginModule::REPORT_SYMBOL.
 */
void TskReportPluginModule::checkInterface()
{
    const std::string MSG_PREFIX = "TskReportPluginModule::checkInterface : ";

    if (!isLoaded())
    {
        std::stringstream notLoaded;
        notLoaded << MSG_PREFIX << getPath() << " is not loaded";
        const std::string text = notLoaded.str();
        LOGERROR(text);
        throw TskException(text);
    }

    if (hasSymbol(TskPluginModule::REPORT_SYMBOL))
    {
        return;
    }

    // Unlike the not-loaded case, a missing symbol is reported through the exception only.
    std::stringstream noSymbol;
    noSymbol << MSG_PREFIX << getPath() << " does not define the required '" << TskPluginModule::REPORT_SYMBOL << "' symbol";
    throw TskException(noSymbol.str());
}
/**
 * Sets a predefined system property by forwarding to the name-based overload.
 *
 * @param prop The predefined property to set.
 * @param value The value to store.
 * @throws TskException if prop is outside [PROG_DIR, END_PROPS).
 */
void TskSystemProperties::set(PredefinedProperty prop, const std::string &value)
{
    assert(prop >= PROG_DIR && prop < END_PROPS);

    // The assert disappears in release builds, so the range is checked again
    // before prop is used as an index into predefPropNames.
    const bool inRange = (prop >= PROG_DIR) && (prop < END_PROPS);
    if (!inRange)
    {
        throw TskException("TskSystemProperties::set : passed out of range prop argument");
    }

    set(predefPropNames[prop], value);
}
/** 
 * Return the database service.  If no service was setup, an exception
 * is thrown.
 * @returns database reference. 
 */
TskImgDB& TskServices::getImgDB()
{
    if (m_imgDB)
    {
        return *m_imgDB;
    }

    // Nothing registered: log the condition and fail rather than return a null reference.
    LOGERROR(L"TskServices::getImgDB - ImgDB has not been initialized.");
    throw TskException("ImgDB not initialized.");
}
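/**
 * Loads this file's record from the image database into m_fileRecord.
 *
 * @throws TskException if getFileRecord() reports an error for m_id.
 */
void TskFile::initialize()
{
    // The address of a reference is never null, so no null check is needed here.
    TskImgDB &imgDB = TskServices::Instance().getImgDB();

    if (imgDB.getFileRecord(m_id, m_fileRecord))
    {
        // Build the message with a stream. Writing "literal" + m_id with an integer
        // id is pointer arithmetic on the literal and reads outside it for most ids.
        // NOTE(review): assumes m_id is an integer file id - confirm.
        std::stringstream msg;
        msg << "TskFile::initialize: Error looking up file: " << m_id;
        throw TskException(msg.str());
    }
}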
/**
 * Run the module on the given file.
 */
TskModule::Status TskExecutableModule::run(TskFile* fileToAnalyze)
{
    // A file is required; a null pointer is logged and rejected before execute() is reached.
    if (!fileToAnalyze)
    {
        LOGERROR(L"TskExecutableModule::run - Passed NULL file pointer.");
        throw TskException("Module execution failed.");
    }

    const TskModule::Status result = execute(fileToAnalyze);
    return result;
}