Exemplo n.º 1
/**
 * Starts in a specified byte offset of the opened disk images and looks for a
 * volume system or file system. Will call processFile() on each file
 * that is found.
 * @param a_start Byte offset to start analyzing from.
 * @param a_vtype Volume system type to analyze
 * @return 1 on error, 0 on success
 */
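uint8_t
TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype)
{
    // Nothing can be analyzed until an image has been opened.
    if (!m_img_info) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
        tsk_error_set_errstr("findFilesInVs\n");
        return 1;
    }

    // Try to interpret the data at a_start as a volume system.
    TSK_VS_INFO *vs_info = tsk_vs_open(m_img_info, a_start, a_vtype);
    if (vs_info == NULL) {
        char msg[1024];
        // sizeof keeps the bound tied to the buffer if its size ever changes.
        snprintf(msg, sizeof(msg),
            "Unable to open volume system at offset %" PRIuOFF " (%s)",
            a_start, tsk_error_get());

        if (tsk_verbose)
            fprintf(stderr, "%s\n", msg);
        handleNotification(msg);

        /* There was no volume system, but there could be a file system */
        tsk_error_reset();
        if (findFilesInFs(a_start)) {
            return 1;
        }
    }
    else {
        // Let the subclass decide whether this volume system is processed.
        // vs_info is owned by this function from here on, so every exit
        // path below has to close it; the early returns used to leak it.
        TSK_FILTER_ENUM retval = filterVs(vs_info);
        if (retval == TSK_FILTER_STOP) {
            tsk_vs_close(vs_info);
            // NOTE(review): the header comment documents 0/1 only, but this
            // path returns TSK_STOP -- confirm what callers expect here.
            return TSK_STOP;
        }
        else if (retval == TSK_FILTER_SKIP) {
            tsk_vs_close(vs_info);
            return TSK_OK;
        }

        /* Walk the allocated volumes (skip metadata and unallocated volumes) */
        // NOTE(review): part_count comes from the parsed image; if it is 0,
        // part_count - 1 presumably wraps and tsk_vs_part_walk is relied on
        // to reject the range -- confirm.
        if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1,
                m_volFilterFlags, vsWalkCb, this)) {
            tsk_vs_close(vs_info);
            return 1;
        }
        tsk_vs_close(vs_info);
    }
    return 0;
}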
Exemplo n.º 2
/**
 * Starts in a specified byte offset of the opened disk images and looks for a
 * volume system or file system. Will call processFile() on each file
 * that is found.
 * @param a_start Byte offset to start analyzing from.
 * @param a_vtype Volume system type to analyze
 * @return 1 if an error occurred (messages will have been registered) and 0 on success
 */
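uint8_t
TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype)
{
    // Nothing can be analyzed until an image has been opened.
    if (!m_img_info) {
        tsk_error_reset();
        tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
        tsk_error_set_errstr("findFilesInVs -- img_info");
        registerError();
        return 1;
    }

    // Try to interpret the data at a_start as a volume system.
    TSK_VS_INFO *vs_info = tsk_vs_open(m_img_info, a_start, a_vtype);
    if (vs_info == NULL) {
        /* we're going to ignore this error to avoid confusion if the
         * fs_open passes. */
        tsk_error_reset();

        if(tsk_verbose)
            fprintf(stderr, "findFilesInVs: Error opening volume system, trying as a file system\n");

        /* There was no volume system, but there could be a file system 
         * Errors will have been registered */
        findFilesInFs(a_start);
    }
    // process the volume system
    else {
        // vs_info is owned by this function from here on, so every exit
        // path below has to close it; the early return used to leak it.
        TSK_FILTER_ENUM retval = filterVs(vs_info);
        if ((retval == TSK_FILTER_STOP) || (retval == TSK_FILTER_SKIP)|| (m_stopAllProcessing)) {
            tsk_vs_close(vs_info);
            return m_errors.empty() ? 0 : 1;
        }

        /* Walk the allocated volumes (skip metadata and unallocated volumes) */
        // NOTE(review): part_count comes from the parsed image; if it is 0,
        // part_count - 1 presumably wraps and tsk_vs_part_walk is relied on
        // to reject the range -- confirm.
        if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1,
                m_volFilterFlags, vsWalkCb, this)) {
            registerError();
            tsk_vs_close(vs_info);
            return 1;
        }
        tsk_vs_close(vs_info);
    }
    // Success means that no error was registered anywhere along the way.
    return m_errors.empty() ? 0 : 1;
}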
Exemplo n.º 3
/**
 * Starts in a specified byte offset of the opened disk images and looks for a
 * file system. Will call processFile() on each file
 * that is found.
 *
 * @param a_start Byte offset of file system starting location.
 *
 * @returns 1 if an error occurred (messages will have been registered) and 0 on success
 */
uint8_t
TskAuto::findFilesInFs(TSK_OFF_T a_start)
{
    // Forward to the two-argument overload, passing TSK_FS_TYPE_DETECT as the
    // file system type, and hand its status back unchanged.
    const uint8_t status = findFilesInFs(a_start, TSK_FS_TYPE_DETECT);
    return status;
}
Exemplo n.º 4
/**
* Scan the image for file systems creating allocated volumes for file systems found
* and unallocated volumes for areas in the image that do not contain file systems.
* Will initially look for file system in first sect_count sectors. If a file system
* is found then it will continue to process the remainder of the image for other
* file systems.
* 
* @param sect_start Start looking for file systems starting at this sector.
* @param sect_count The initial number of sectors to scan for file systems.
* @return 0 on success, 1 on failure 
*/
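uint8_t TSKAutoImpl::scanImgForFs(const uint64_t sect_start, const uint64_t sect_count)
{
    if (m_img_info == NULL)
    {
        LOGERROR(L"TSKAutoImpl::scanImgForFs - Image not open.");
        return 1;
    }

    // Every offset below is derived from the sector size: a value of zero
    // would stall the scan loop and divide by zero in the volume arithmetic.
    if (m_img_info->sector_size == 0)
    {
        LOGERROR(L"TSKAutoImpl::scanImgForFs - Image reports a sector size of zero.");
        return 1;
    }

    LOGINFO(L"TSKAutoImpl::scanImgForFs - Starting file system scan.");

    // Initialize current offset to our starting byte location.
    // NOTE(review): these products are not checked for overflow; callers are
    // presumably expected to pass sector values inside the image -- confirm.
    TSK_OFF_T current_offset = sect_start * m_img_info->sector_size;

    TSK_OFF_T end_offset = current_offset + (sect_count * m_img_info->sector_size);

    // Last offset keeps track of byte location where we last saw file system
    // data. It gets initialized to our starting location.
    TSK_OFF_T last_offset = current_offset;

    while (current_offset < end_offset)
    {
        TSK_FS_INFO * fs_info = tsk_fs_open_img(m_img_info,
                                                current_offset,
                                                TSK_FS_TYPE_DETECT);

        if (fs_info == NULL)
        {
            // We didn't find a file system so we move on to the next sector.
            current_offset += m_img_info->sector_size;
            continue;
        }

        // We found a file system so we will continue to search for file
        // systems beyond the initial sectors.
        end_offset = m_img_info->size;

        // If there is a gap between the location of this file system and
        // where we last saw file system data, an unallocated volume entry
        // needs to be created for the gap.
        if (fs_info->offset > last_offset)
        {
            createDummyVolume(last_offset / m_img_info->sector_size,
                              (fs_info->offset - last_offset) / m_img_info->sector_size,
                              "Dummy volume for carving purposes",
                              TSK_VS_PART_FLAG_UNALLOC);
        }

        // The call to findFilesInFs will take care of creating a
        // dummy volume for the file system.
        if (findFilesInFs(fs_info) == TSK_ERR)
        {
            std::wstringstream msg;
            msg << L"TSKAutoImpl::scanImgForFs - Error finding files: "
                << tsk_error_get();
            tsk_error_reset();
            LOGERROR(msg.str());
        }

        // Move the current offset past the file system we just found.
        // block_count and block_size are read from the image being examined,
        // so they are not trusted: a zero or wrapping product would leave
        // current_offset where it is (or move it backwards) and the loop
        // would reopen the same file system forever.
        const uint64_t fs_blocks = static_cast<uint64_t>(fs_info->block_count) + 1;
        const uint64_t fs_block_size = fs_info->block_size;
        const uint64_t bytes_left = (m_img_info->size > current_offset)
            ? static_cast<uint64_t>(m_img_info->size - current_offset)
            : 0;

        if (fs_blocks == 0 || fs_block_size == 0)
        {
            // Implausible geometry: step one sector so the scan always
            // makes forward progress.
            LOGERROR(L"TSKAutoImpl::scanImgForFs - File system reports an empty extent; advancing one sector.");
            current_offset += m_img_info->sector_size;
        }
        else if (fs_blocks > bytes_left / fs_block_size)
        {
            // The claimed extent runs past the end of the image (or the
            // product would overflow). Stop at the end of the image, which
            // ends the loop exactly as an overshoot did before.
            if (m_img_info->size > current_offset)
                current_offset = m_img_info->size;
        }
        else
        {
            current_offset += static_cast<TSK_OFF_T>(fs_blocks * fs_block_size);
        }

        // Update the last location we saw file system data.
        last_offset = current_offset;

        tsk_fs_close(fs_info);
    }

    // Finally, create a dummy unallocated volume for the area between the
    // last offset and the end of the image.
    if (last_offset < m_img_info->size)
    {
        createDummyVolume(last_offset / m_img_info->sector_size,
            (m_img_info->size - last_offset) / m_img_info->sector_size,
            "Dummy volume for carving purposes",
            TSK_VS_PART_FLAG_UNALLOC);
    }

    LOGINFO(L"TSKAutoImpl::scanImgForFs - File system scan complete.");

    return 0;
}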