void ie_file(TSK_FS_INFO *fs)
{
TSK_INUM_T inode;
void * ptr= NULL;
tsk_fs_path2inum(fs, "/Users", &inode, NULL);
tsk_fs_dir_walk(fs, inode, TSK_FS_DIR_WALK_FLAG_NONE, callback2, ptr);
}
void ntuser_hive(TSK_FS_INFO *fs)
{
TSK_INUM_T inode;
void * ptr= NULL;
// TSK_FS_DIR * dir = tsk_fs_dir_open (fs, "/user");
tsk_fs_path2inum(fs, "/Users", &inode, NULL);
printf("%d\n", (int)inode);
tsk_fs_dir_walk(fs, inode, TSK_FS_DIR_WALK_FLAG_NONE, callback, ptr);
}
/**
* Find the meta data address for a given file TCHAR name
*
* @param fs FS to analyze
* @param tpath Path of file to search for
* @param [out] result Meta data address of file
* @returns -1 on error, 0 if found, and 1 if not found
*/
int8_t
tsk_fs_ifind_path(TSK_FS_INFO * fs, TSK_TCHAR * tpath, TSK_INUM_T * result)
{
#ifdef TSK_WIN32
// Convert the UTF-16 path to UTF-8
{
size_t clen;
UTF8 *ptr8;
UTF16 *ptr16;
int retval;
char *cpath;
clen = TSTRLEN(tpath) * 4;
if ((cpath = (char *) tsk_malloc(clen)) == NULL) {
return -1;
}
ptr8 = (UTF8 *) cpath;
ptr16 = (UTF16 *) tpath;
retval =
tsk_UTF16toUTF8_lclorder((const UTF16 **) &ptr16, (UTF16 *)
& ptr16[TSTRLEN(tpath) + 1], &ptr8,
(UTF8 *) ((uintptr_t) ptr8 + clen), TSKlenientConversion);
if (retval != TSKconversionOK) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNICODE);
tsk_error_set_errstr
("tsk_fs_ifind_path: Error converting path to UTF-8: %d",
retval);
free(cpath);
return -1;
}
return tsk_fs_path2inum(fs, cpath, result, NULL);
}
#else
return tsk_fs_path2inum(fs, (const char *) tpath, result, NULL);
#endif
}
/**
* \ingroup fslib
* Return the handle structure for a specific file, given its full path. Note that
* if you have the metadata address fo the file, then tsk_fs_file_open_meta() is a
* more efficient approach.
*
* @param a_fs File system to analyze
* @param a_fs_file Structure to store file data in or NULL to have one allocated.
* @param a_path Path of file to open
* @returns NULL on error
*/
TSK_FS_FILE *
tsk_fs_file_open(TSK_FS_INFO * a_fs,
TSK_FS_FILE * a_fs_file, const char *a_path)
{
TSK_INUM_T inum;
int8_t retval;
TSK_FS_FILE *fs_file = NULL;
TSK_FS_NAME *fs_name = NULL;
if ((a_fs == NULL) || (a_fs->tag != TSK_FS_INFO_TAG)) {
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr
("tsk_fs_file_open: called with NULL or unallocated structures");
return NULL;
}
// allocate a structure to store the name in
if ((fs_name = tsk_fs_name_alloc(128, 32)) == NULL) {
return NULL;
}
retval = tsk_fs_path2inum(a_fs, a_path, &inum, fs_name);
if (retval == -1) {
tsk_fs_name_free(fs_name);
return NULL;
}
else if (retval == 1) {
tsk_fs_name_free(fs_name);
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr("tsk_fs_file_open: path not found: %s",
a_path);
return NULL;
}
fs_file = tsk_fs_file_open_meta(a_fs, a_fs_file, inum);
if (fs_file) {
// Add the name to the structure
fs_file->name = fs_name;
// path2inum did not put this in there...
fs_name->meta_seq = fs_file->meta->seq;
}
else {
tsk_fs_name_free(fs_name);
}
return fs_file;
}
int carving_hive(TCHAR * path, TSK_FS_INFO *fs, TSK_INUM_T inode)
{
char buf[0x2000];
memset(buf, 0, 0x2000);
WideCharToMultiByte(CP_ACP, 0, path, TSTRLEN(path) , buf, TSTRLEN(path) , NULL, NULL);
if(tsk_fs_path2inum(fs, buf, &inode, NULL)){
tsk_error_print(stderr);
return 0;
}
if(hive_extract(fs, inode, TSK_FS_ATTR_TYPE_DEFAULT, NULL, NULL,NULL, (TSK_FS_FILE_WALK_FLAG_ENUM) 0))
return 0;
return 1;
}
/** \ingroup fslib
* Open a directory (using its path) so that each of the files in it can be accessed.
* @param a_fs File system to analyze
* @param a_dir Path of the directory to open
* @returns NULL on error
*/
TSK_FS_DIR *
tsk_fs_dir_open(TSK_FS_INFO * a_fs, const char *a_dir)
{
TSK_INUM_T inum;
int8_t retval;
TSK_FS_DIR *fs_dir;
TSK_FS_NAME *fs_name;
if ((a_fs == NULL) || (a_fs->tag != TSK_FS_INFO_TAG)) {
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr
("tsk_fs_dir_open: called with NULL or unallocated structures");
return NULL;
}
// allocate a structure to store the name in
if ((fs_name = tsk_fs_name_alloc(128, 32)) == NULL) {
return NULL;
}
retval = tsk_fs_path2inum(a_fs, a_dir, &inum, fs_name);
if (retval == -1) {
tsk_fs_name_free(fs_name);
return NULL;
}
else if (retval == 1) {
tsk_error_set_errno(TSK_ERR_FS_ARG);
tsk_error_set_errstr("tsk_fs_dir_open: path not found: %s", a_dir);
tsk_fs_name_free(fs_name);
return NULL;
}
fs_dir = tsk_fs_dir_open_meta(a_fs, inum);
// add the name structure on to it
if ((fs_dir) && (fs_dir->fs_file))
fs_dir->fs_file->name = fs_name;
return fs_dir;
}
