static int test_ntfs_fe() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1-NTFS"; char fname[512]; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if (test_dir_open_apis(fs, "/allocated", 30)) { fprintf(stderr, "%s failure\n", tname); return 1; } if (test_walk_apis(fs, 30)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
int test_ntfs_comp() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; char *tname = "ntfs-comp-1"; char fname[512]; snprintf(fname, 512, "%s/ntfs-comp-1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if (testfile(fs, 34)) { fprintf(stderr, "%s error (both)\n", tname); return 1; } if (testfile(fs, 32)) { fprintf(stderr, "%s error (sparse)\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
int test_fat12() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fat12.dd"; char fname[512]; snprintf(fname, 512, "%s/fat12.dd", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (testfile(fs, 33)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
int main(int argc, char **argv1) { TSK_IMG_INFO *img_info; TSK_TCHAR **argv; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif if (argc != 2) { fprintf(stderr, "Missing image name\n"); exit(1); } #if DO_HASHLOOKUP /* Setup hash infrastructure */ if ((hdb_info = tsk_hdb_open(_TSK_T("/XXX/NSRLFile.txt"), TSK_HDB_OPEN_NONE)) == NULL) { tsk_error_print(stderr); exit(1); } if (tsk_hdb_hasindex(hdb_info, TSK_HDB_HTYPE_MD5_ID) == 0) { fprintf(stderr, "Hash database does not have an index (create one using hfind -i nsrl-md5 HASHFILE\n"); exit(1); } #else hdb_info = NULL; #endif img_info = tsk_img_open_sing(argv[1], TSK_IMG_TYPE_DETECT, 0); if (img_info == NULL) { fprintf(stderr, "Error opening file\n"); tsk_error_print(stderr); exit(1); } if (proc_vs(img_info, 0)) { tsk_error_print(stderr); tsk_img_close(img_info); exit(1); } tsk_img_close(img_info); return 0; }
// Find all the harddisk address corresponding to target file // // \param img_path path of target image // \param file_path the target filename // // Return NULL if error, otherwise a UT_array of (start, end) tuple will returned, where start and end are the harddisk byte addrsesses UT_array* tsk_find_haddr_by_filename(const char* img_path, const char* file_path) { TSK_IMG_TYPE_ENUM img_type ; TSK_IMG_INFO *img; TSK_VS_INFO *vs; find_file_data data; UT_array* ret = NULL; img_type = tsk_img_type_toid(QCOW_IMG_TYPE); //XXX([email protected]):need error handling. img = tsk_img_open_sing(img_path, img_type, 0); if(img == NULL) { printf("Image Open Failed!!\n"); return NULL; } vs = tsk_vs_open(img, 0, TSK_VS_TYPE_DETECT); if(vs==NULL) { printf("Volume Open Failed!!\n"); tsk_img_close(img); return NULL; } data.file_found = 0; data.full_path = file_path; utarray_new(data.offsets_in_disk, &ut_tsk_daddr_tuple_icd); tsk_vs_part_walk( vs, // the volume system 0, // start from first partiton vs->part_count - 1, // walk to last partiton TSK_VS_PART_FLAG_ALLOC, // traverse all allocated partiton find_file_in_partiton, // action for each partition &data // argument for action ); if (data.file_found) { ret = data.offsets_in_disk; } else { tsk_vs_close(vs); tsk_img_close(img); return NULL; } tsk_vs_close(vs); tsk_img_close(img); return ret; }
int main(int argc, char **argv1) { TSK_IMG_INFO *img_info; TSK_TCHAR **argv; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif if (argc != 2) { fprintf(stderr, "Missing image name\n"); exit(1); } // open the disk image img_info = tsk_img_open_sing((const TSK_TCHAR *) argv[1], TSK_IMG_TYPE_DETECT, 0); if (img_info == NULL) { fprintf(stderr, "Error opening file\n"); tsk_error_print(stderr); exit(1); } // process the volume starting at sector 0 if (proc_vs(img_info, 0)) { tsk_error_print(stderr); tsk_img_close(img_info); exit(1); } // close the image tsk_img_close(img_info); return 0; }
int test_fat12() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fat12.dd"; char fname[512]; snprintf(fname, 512, "%s/fat12.dd", s_root); if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } // verify the APIs get teh same for file 47 if (test_get_apis(fs, 47, 1)) { fprintf(stderr, "%s failure\n", tname); return 1; } // verify the one attribte is the expected type if (test_get_type(fs, 47, TSK_FS_ATTR_TYPE_DEFAULT)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
int test_ntfs_fe() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1-NTFS"; char fname[512]; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (testfile(fs, 31)) { fprintf(stderr, "%s error (non-resident)\n", tname); return 1; } if (testfile(fs, 32)) { fprintf(stderr, "%s error (resident)\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
VALUE image_open(VALUE self, VALUE filename_location, VALUE disk_type_flag) { char * filename; int dtype; struct tsk4r_img_wrapper * ptr; Data_Get_Struct(self, struct tsk4r_img_wrapper, ptr); VALUE img_size; VALUE img_sector_size; VALUE description = Qnil; VALUE name = Qnil; dtype = FIX2ULONG(disk_type_flag); TSK_IMG_TYPE_ENUM * type_flag_num = get_img_flag(disk_type_flag); if (rb_obj_is_kind_of(filename_location, rb_cString)) { fprintf(stdout, "opening %s. (flag=%d)\n", StringValuePtr(filename_location), dtype); rb_str_modify(filename_location); filename=StringValuePtr(filename_location); ptr->image = tsk_img_open_sing(filename, (TSK_IMG_TYPE_ENUM)type_flag_num, 0); // 0=default sector size if (ptr->image == NULL) rb_warn("unable to open image %s.\n", StringValuePtr(filename_location)); } else if (rb_obj_is_kind_of(filename_location, rb_cArray)) { long i; typedef TSK_TCHAR * split_list; split_list images[255]; // to do: make array length reflect list's length for (i=0; i < RARRAY_LEN(filename_location); i++) { VALUE rstring = rb_ary_entry(filename_location, i); images[i] = StringValuePtr(rstring); } int count = (int)RARRAY_LEN(filename_location); ptr->image = tsk_img_open(count, (const TSK_TCHAR **)images, (TSK_IMG_TYPE_ENUM)type_flag_num, 0); // 0=default sector size VALUE arr_to_s = rb_funcall(filename_location, rb_intern("to_s"), 0, NULL); if (ptr->image == NULL) rb_warn("unable to open images %s.\n", StringValuePtr(arr_to_s)); } else { rb_raise(rb_eArgError, "Arg1 should be String or Array of strings."); } if (ptr->image == NULL) { rb_funcall(self, rb_intern("taint"), 0, NULL); return Qnil; } else { TSK_IMG_INFO *image = ptr->image; img_size = LONG2NUM(image->size); img_sector_size = INT2NUM((int)image->sector_size); TSK_IMG_TYPE_ENUM typenum = image->itype; description = image_type_to_desc(self, INT2NUM(typenum)); name = image_type_to_name(self, INT2NUM(typenum)); rb_iv_set(self, "@size", img_size); rb_iv_set(self, "@sector_size", img_sector_size); rb_iv_set(self, "@type", INT2NUM((int)typenum)); rb_iv_set(self, "@description", description); rb_iv_set(self, "@name", name); return self; } }
static int test_ntfs_fe() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1-NTFS"; char fname[512]; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } // Verify the APIS get the same and that they are the expected type if (test_get_apis(fs, 35, 3)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_SI)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_FNAME)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_DATA)) { fprintf(stderr, "%s failure\n", tname); return 1; } if (test_get_apis(fs, 9, 7)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_SI)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_FNAME)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_DATA)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXROOT)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXALLOC)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_BITMAP)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
// Find the filename of the specified harddisk byte offset // // \param imgname path of target image // \param haddr_img_offset the target harddisk byte address // // Return NULL if error, otherwise a UT_array of filename UT_array* tsk_get_filename_by_haddr(const char* imgname, uint64_t haddr_img_offset) { TSK_IMG_INFO *img; TSK_VS_INFO *vs; TSK_FS_INFO *fs; uint8_t id_used = 0, type_used = 0; TSK_DADDR_T partition_offset = 0; TSK_DADDR_T block_img_offset = 0; TSK_DADDR_T part_byte_offset = 0; TSK_DADDR_T part_block_offset = 0; MBA_IFIND_DATA_DATA* ifind_data; TSK_IMG_TYPE_ENUM imgtype; MBA_FFIND_DATA* ffind_data; UT_array* ret = NULL; //open image imgtype = tsk_img_type_toid(QCOW_IMG_TYPE); img = tsk_img_open_sing(imgname, imgtype, 0); if(img == NULL) { printf("Image Open Failed!!\n"); return NULL; } if(haddr_img_offset >= img->size) { printf("Request haddr is larger than image size\n"); tsk_img_close(img); return NULL; } //open volume vs = tsk_vs_open(img, 0 , TSK_VS_TYPE_DETECT); if(vs==NULL) { printf("Volume Open Failed!!\n"); tsk_img_close(img); return NULL; } //calculate block address block_img_offset = haddr_img_offset/img->sector_size; //search the partition contain the target block partition_offset = search_partition(vs, block_img_offset); if(partition_offset == 0) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } //open the partition's file system fs = tsk_fs_open_img(img, partition_offset * img->sector_size, TSK_FS_TYPE_DETECT); if(fs==NULL) { printf("Cannot open file system\n"); tsk_img_close(img); tsk_vs_close(vs); return NULL; } //calculate offset to the current partition part_byte_offset = haddr_img_offset - (partition_offset * img->sector_size); part_block_offset = part_byte_offset/fs->block_size; //find the inode of this block ifind_data = fs_ifind_data(fs, (TSK_FS_IFIND_FLAG_ENUM) 0, part_block_offset); if(ifind_data == NULL) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } if(ifind_data->found!=1) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } //Find the inode's filename //Note: Do Not Know what to fill in variable type_used and id_used ffind_data = fs_ffind(fs, 0, ifind_data->curinode, ifind_data->curtype , type_used, ifind_data->curid , id_used, (TSK_FS_DIR_WALK_FLAG_RECURSE | TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC)); if(ffind_data==NULL){ printf("Cannot found fdata associate with inode\n"); tsk_img_close(img); tsk_vs_close(vs); return NULL; } //free data //reserve return data first ret = ffind_data->filenames; free(ifind_data); free(ffind_data); tsk_vs_close(vs); tsk_img_close(img); return ret; }
/* This test checks the SLACK flags and verifies * that we read data from the slack space */ int test_ntfs_slack_ads() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "ntfs-img-kw"; char fname[512]; TSK_FS_FILE *file1; char buf[512]; ssize_t retval; snprintf(fname, 512, "%s/ntfs-img-kw-1.dd", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // file-n-44.dat file1 = tsk_fs_file_open_meta(fs, NULL, 36); if (file1 == NULL) { fprintf(stderr, "Error opening file-n-4.dat (%s)\n", tname); return 1; } // verify expected size if (file1->meta->size != 2000) { fprintf(stderr, "Error: file-n-4.dat not expected size (%" PRIuOFF ") (%s)\n", file1->meta->size, tname); return 1; } // try to read all of last sector with/out Slack set retval = tsk_fs_file_read(file1, 1536, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading file-n-4.dat to end w/out slack flag (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 464) { fprintf(stderr, "Unexpected return value from reading file-n-4.dat to end w/out slack flag (%s).\n", tname); fprintf(stderr, "Expected: 464. Got: %zd\n", retval); return 1; } retval = tsk_fs_file_read(file1, 1536, buf, 512, TSK_FS_FILE_READ_FLAG_SLACK); if (retval == -1) { fprintf(stderr, "Error reading file-n-4.dat to end w/slack flag (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 512) { fprintf(stderr, "Unexpected return value from reading file-n-4.dat w/slack flag. (%s)\n", tname); fprintf(stderr, "Expected: 512. Got: %zd\n", retval); return 1; } // verify the term in the slack space if (memcmp("n-slack", &buf[485], 7) != 0) { fprintf(stderr, "slack string not found in file-n-4.dat slack space: %c %c %c %c %c %c %c (%s)\n", buf[485], buf[486], buf[487], buf[488], buf[489], buf[490], buf[491], tname); return 1; } // try to read past end of file retval = tsk_fs_file_read(file1, 2001, buf, 32, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval != -1) { fprintf(stderr, "Unexpected return value from reading file-n-4.dat after end of file (%s).\n", tname); fprintf(stderr, "Expected: -1. Got: %zd\n", retval); return 1; } tsk_fs_file_close(file1); // file-n-5.dat file1 = tsk_fs_file_open_meta(fs, NULL, 37); if (file1 == NULL) { fprintf(stderr, "Error opening file-n-5.dat (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // check the default size to make sure it is the default $Data if (file1->meta->size != 1300) { fprintf(stderr, "file-n-5.dat size is not 1300 (%" PRIuOFF ") (%s)", file1->meta->size, tname); return 1; } // test the getsize API for both attributes const TSK_FS_ATTR *fs_attr = tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 3, 1); if (!fs_attr) { fprintf(stderr, "Error getting data attribute 3 in file-n-5.dat (%s)", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (fs_attr->size != 1300) { fprintf(stderr, "file-n-5.dat size (via getsize) is not 1300 (%" PRIuOFF ") (%s)", fs_attr->size, tname); return 1; } fs_attr = tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 5, 1); if (!fs_attr) { fprintf(stderr, "Error getting size of attribute 5 in file-n-5.dat (%s)", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (fs_attr->size != 2000) { fprintf(stderr, "file-n-5.dat:here size (via getsize) is not 2000 (%" PRIuOFF ") (%s)", fs_attr->size, tname); return 1; } tsk_fs_file_close(file1); tsk_fs_close(fs); tsk_img_close(img); return 0; }
/* This test checks the RECOVER flags */ int test_fat_recover() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1.img-FAT"; char fname[512]; TSK_FS_FILE *file1; TSK_FS_FILE *file2; char buf[512]; ssize_t retval; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 41126400, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // fragmented.html const char *fname2 = "fragmented.html"; file1 = tsk_fs_file_open_meta(fs, NULL, 1162); if (file1 == NULL) { fprintf(stderr, "Error opening %s (%s)\n", fname2, tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // verify expected size if (file1->meta->size != 5905) { fprintf(stderr, "Error: %s not expected size (%" PRIuOFF ") (%s)\n", fname2, file1->meta->size, tname); return 1; } // verify we can open it via name as well file2 = tsk_fs_file_open(fs, NULL, "/deleted/fragmented.html"); if (file2 == NULL) { fprintf(stderr, "Error opening /deleted/fragmented.html via path name (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (file2->name == NULL) { fprintf(stderr, "Opening /deleted/fragmented.html via path name did not have name set(%s)\n", tname); return 1; } if (strcmp(file2->name->name, fname2) != 0) { fprintf(stderr, "Opening /deleted/fragmented.html via path had incorrect name set (%s) (%s)\n", file2->name->name, tname); return 1; } if ((file2->name->meta_addr != file2->meta->addr) || (file2->meta->addr != file1->meta->addr)) { fprintf(stderr, "Opening /deleted/fragmented.html via path had incorrect meta addresses (%" PRIuINUM " %" PRIuINUM " %" PRIuINUM " (%s)\n", file2->name->meta_addr, file2->meta->addr, file1->meta->addr, tname); return 1; } tsk_fs_file_close(file2); file2 = NULL; // try to read past end of first 2048-byte cluster retval = tsk_fs_file_read(file1, 2048, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading %s past end w/out Recover flag\n", fname2); tsk_error_print(stderr); tsk_error_reset(); return 1; } // current behavior is to return 0s in "unitialized" space //if (retval != 0) { if (retval != 512) { fprintf(stderr, "Unexpected return value from reading %s past end w/out Recover flag.\n", fname2); fprintf(stderr, "Expected: 0. Got: %zd\n", retval); return 1; } retval = tsk_fs_file_read(file1, 2048, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading %s past end w/Recover flag\n", fname2); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 512) { fprintf(stderr, "Unexpected return value from %s past end w/Recover flag.\n", fname2); fprintf(stderr, "Expected: 512. Got: %zd\n", retval); return 1; } // verify the term in the slack space if (memcmp("appear", buf, 6) != 0) { fprintf(stderr, "expected string not found in %s recovery: %c %c %c %c %c %c\n", fname2, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5]); return 1; } tsk_fs_file_close(file1); tsk_fs_close(fs); tsk_img_close(img); return 0; }
/* This test checks the SLACK flags and verifies * that we read data from the slack space */ int test_fat_slack() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fat-img-kw"; char fname[512]; TSK_FS_FILE *file1; char buf[512]; ssize_t retval; snprintf(fname, 512, "%s/fat-img-kw.dd", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // file4.dat file1 = tsk_fs_file_open_meta(fs, NULL, 10); if (file1 == NULL) { fprintf(stderr, "Error opening file4.dat (%s)\n", tname); return 1; } // verify expected size if (file1->meta->size != 631) { fprintf(stderr, "Error: file4.dat not expected size (%" PRIuOFF ") (%s)\n", file1->meta->size, tname); return 1; } // try to read all of last sector with/out Slack set retval = tsk_fs_file_read(file1, 512, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading file4.dat to end w/out slack flag\n"); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 119) { fprintf(stderr, "Unexpected return value from reading file4.dat to end w/out slack flag.\n"); fprintf(stderr, "Expected: 119. Got: %zd\n", retval); return 1; } retval = tsk_fs_file_read(file1, 512, buf, 512, TSK_FS_FILE_READ_FLAG_SLACK); if (retval == -1) { fprintf(stderr, "Error reading file4.dat to end w/slack flag\n"); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 512) { fprintf(stderr, "Unexpected return value from reading file4.dat w/slack flag.\n"); fprintf(stderr, "Expected: 512. Got: %zd\n", retval); return 1; } // verify the term in the slack space if (memcmp("3slack3", &buf[385], 7) != 0) { fprintf(stderr, "slack string not found in file4.dat slack space: %x %x %x %x %x %x %x\n", buf[385], buf[386], buf[387], buf[388], buf[389], buf[390], buf[391]); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
int main(int argc, char** argv1) { TSK_TCHAR **argv; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_OFF_T imgaddr = 0; int ch; while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) { switch (ch) { case _TSK_T('f'): fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('v'): tsk_verbose = 1; break; default: usage(); break; } } if (argc - OPTIND != 3) { usage(); } const TSK_TCHAR* image = argv[OPTIND]; size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0); if (nthreads == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0); if (niters == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0); if (img == 0) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype); if (fs == 0) { tsk_img_close(img); tsk_error_print(stderr); exit(1); } TskThread** threads = new TskThread*[nthreads]; for (size_t i = 0; i < nthreads; ++i) { threads[i] = new MyThread(i, fs, niters); } TskThread::run(threads, nthreads); for (size_t i = 0; i < nthreads; ++i) { delete threads[i]; } delete[] threads; tsk_fs_close(fs); tsk_img_close(img); exit(0); }
/** * Parses the file and populates the structures used by this FUSE driver. * * \param filename The filename to parse * \param r The result structure to populate (or NULL if not needed) * \returns 0 if successful, -1 if not. */ static int process_file(const char *filename, result_t new_result) { img_info = tsk_img_open_sing(filename, TSK_IMG_TYPE_DETECT, 0); if (img_info == NULL) { info_log("Failed to open image: %s", filename); return -1; } fs_info = tsk_fs_open_img(img_info, 0, TSK_FS_TYPE_DETECT); if (fs_info == NULL) { info_log("Failed to open filesystem: %s", filename); return -1; } const char *fsname = tsk_fs_type_toname(fs_info->ftype); result_set_brief_data_description(new_result, fsname); mountpoint = g_strdup_printf("%s:mnt-%s", filename, fsname); char *description = g_strdup_printf("%" PRIdDADDR " bytes (%" PRIdDADDR " %ss of %u size)", fs_info->block_count * fs_info->block_size, fs_info->block_count, fs_info->duname, fs_info->block_size); result_set_data_description(new_result, description); g_free(description); result_set_confidence(new_result, 100); block_start(absolute_offset); TSK_FS_DIR_WALK_FLAG_ENUM name_flags = (TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC | TSK_FS_DIR_WALK_FLAG_RECURSE); if (tsk_fs_dir_walk(fs_info, fs_info->root_inum, name_flags, examine_dirent, new_result) != 0) { // Why does this occur? Is it because it's an invalid filesystem structure, or the // structure is damaged? I'm going to assume the structure is damaged, but partially available. warning_log("Warning, unable to fully walk fs! Probably truncated or not a real FS header."); } unsigned int size; block_range_t *ranges = block_end(&size); if (ranges != NULL) { result_set_block_ranges(new_result, ranges, size); for (int i = 0; i < size; i++) { block_range_close(ranges[i]); } g_free(ranges); } if (inode_lookup != NULL) { g_tree_destroy(inode_lookup); inode_lookup = NULL; } unsigned int num_contracts; result_get_new_contracts(new_result, &num_contracts); if (num_contracts > 0) { // Ready to mount! int ret = do_mount(mountpoint); if (ret != 0) { error_log("Failed to mount filesystem!"); } } remove_all_files(); return 0; }
void tsk_get_file(const char* imgname,uint64_t haddr_img_offset, const char* file_path, const char* destination, uint64_t start_offset, int read_file_len ) { TSK_IMG_INFO *img; TSK_VS_INFO *vs; TSK_FS_INFO *fs; uint8_t id_used = 0, type_used = 0; TSK_DADDR_T partition_offset = 0; TSK_DADDR_T block_img_offset = 0; TSK_DADDR_T part_byte_offset = 0; TSK_DADDR_T part_block_offset = 0; MBA_IFIND_DATA_DATA* ifind_data; TSK_IMG_TYPE_ENUM imgtype; MBA_FFIND_DATA* ffind_data; TSK_FS_FILE *file; FILE* writeHive; char *temp; //open image imgtype = tsk_img_type_toid(QCOW_IMG_TYPE); img = tsk_img_open_sing(imgname, imgtype, 0); if(img == NULL) { printf("Image Open Failed!!\n"); return; } if(haddr_img_offset >= img->size) { printf("Request haddr is larger than image size\n"); return; } //open volume vs = tsk_vs_open(img, 0 , TSK_VS_TYPE_DETECT); if(vs==NULL) { printf("Volume Open Failed!!\n"); return; } //calculate block address block_img_offset = haddr_img_offset/img->sector_size; //search the partition contain the target block partition_offset = search_partition(vs, block_img_offset); if(partition_offset == 0) { printf("Cannot found partition contains the target haddr\n"); return; } //open the partition's file system fs = tsk_fs_open_img(img, partition_offset * img->sector_size, TSK_FS_TYPE_DETECT); if(fs==NULL) { printf("Cannot open file system\n"); return; } //calculate offset to the current partition part_byte_offset = haddr_img_offset - (partition_offset * img->sector_size); part_block_offset = part_byte_offset/fs->block_size; file = tsk_fs_file_open( fs, NULL, file_path); if ( OPEN_FAIL(file) ) printf("open file fail\n\n"); temp = calloc( read_file_len, sizeof(char)); int size = tsk_fs_file_read( file, start_offset, temp, read_file_len, TSK_FS_FILE_READ_FLAG_NONE ); tsk_fs_file_close(file); writeHive = fopen( destination, "w" ); if ( writeHive == NULL ) printf("Open fail"); else { fwrite( temp, size, sizeof(char), writeHive ); fclose(writeHive); } // else free(temp); //find the inode of this block ifind_data = fs_ifind_data(fs, (TSK_FS_IFIND_FLAG_ENUM) 0, part_block_offset); if(ifind_data == NULL) { return; } if(ifind_data->found!=1) { printf("Inode not found\n"); return; } //Find the inode's filename //Note: Do Not Know what to fill in variable type_used and id_used ffind_data = fs_ffind(fs, 0, ifind_data->curinode, ifind_data->curtype , type_used, ifind_data->curid , id_used, (TSK_FS_DIR_WALK_FLAG_RECURSE | TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC)); if(ffind_data==NULL){ printf("Cannot found fdata associate with inode\n"); return; } free(ifind_data); return; }