/* Return 0 on success and 1 on error */
uint8_t
fs_ffind(FS_INFO * fs, uint8_t lclflags, INUM_T inode_a, uint32_t type,
uint16_t id, int flags)
{
found = 0;
localflags = lclflags;
inode = inode_a;
/* Since we start the walk on the root inode, then this will not show
** up in the above functions, so do it now
*/
if (inode == fs->root_inum) {
if (flags & FS_FLAG_NAME_ALLOC) {
// printf("/\n");
sprintf(found_path, "/");
found = 1;
if (!(lclflags & FFIND_ALL))
return 0;
}
}
if ((fs->ftype & FSMASK) == NTFS_TYPE) {
if (ntfs_find_file(fs, inode, type, id, flags, find_file_act,
NULL))
return 1;
}
else {
if (fs->dent_walk(fs, fs->root_inum, flags, find_file_act, NULL))
return 1;
}
#if 0
if (found == 0) {
/* With FAT, we can at least give the name of the file and call
* it orphan
*/
if ((fs->ftype & FSMASK) == FATFS_TYPE) {
FS_INODE *fs_inode = fs->inode_lookup(fs, inode);
if ((fs_inode != NULL) && (fs_inode->name != NULL)) {
if (fs_inode->flags & FS_FLAG_NAME_UNALLOC)
printf("* ");
printf("%s/%s\n", ORPHAN_STR, fs_inode->name->name);
}
if (fs_inode)
fs_inode_free(fs_inode);
}
else {
printf("inode not currently used\n");
}
}
#endif
return (found == 0);
}
// XXX([email protected]): had better fix the comment // find file of the given inode // // \param fs filesystem info structure defined in sleuthkit // \param lclflags traverse options defined in sleuthkit // \param a_inode the inode of the file // \param type filesystem type number // \param type_used don't know what it is, just give a 0(XXX) // \param id the id of file attribute that the inode refers // \param id_used don't know what it is, just give a 0(XXX) // \param flags traverse options difned in sleuthkit // // Return 0 if error, otherwise a pointer static MBA_FFIND_DATA* fs_ffind(TSK_FS_INFO * fs, TSK_FS_FFIND_FLAG_ENUM lclflags, TSK_INUM_T a_inode, TSK_FS_ATTR_TYPE_ENUM type, uint8_t type_used, uint16_t id, uint8_t id_used, TSK_FS_DIR_WALK_FLAG_ENUM flags) { MBA_FFIND_DATA* data=(MBA_FFIND_DATA*)malloc(sizeof(MBA_FFIND_DATA)); char* orphan =NULL; int size = 0; if(data == NULL) { printf("Cannot allocate memory\n"); return NULL; } data->found = 0; data->flags = lclflags; data->inode = a_inode; utarray_new(data->filenames, &ut_str_icd); /* Since we start the walk on the root inode, then this will not show ** up in the above functions, so do it now */ if (data->inode == fs->root_inum) { if (flags & TSK_FS_DIR_WALK_FLAG_ALLOC) { //tsk_printf("/\n"); data->found = 1; if (!(lclflags & TSK_FS_FFIND_ALL)) return data; } } if (TSK_FS_TYPE_ISNTFS(fs->ftype)) { if (ntfs_find_file(fs, data->inode, type, type_used, id, id_used, flags, find_file_act, data)) return NULL; } else { if (tsk_fs_dir_walk(fs, fs->root_inum, flags, find_file_act, data)) return NULL; } if (data->found == 0) { /* With FAT, we can at least give the name of the file and call * it orphan */ if (TSK_FS_TYPE_ISFAT(fs->ftype)) { TSK_FS_FILE *fs_file = tsk_fs_file_open_meta(fs, NULL, data->inode); if ((fs_file != NULL) && (fs_file->meta != NULL) && (fs_file->meta->name2 != NULL)) { //if (fs_file->meta->flags & TSK_FS_META_FLAG_UNALLOC) // tsk_printf("* "); //tsk_printf("%s/%s\n", TSK_FS_ORPHAN_STR, // fs_file->meta->name2->name); //Added Ophan file into file list size = strlen(TSK_FS_ORPHAN_STR) + strlen(fs_file->meta->name2->name)+2; orphan = (char*)malloc(size); if(orphan == NULL) { printf("Cannot allocate memory\n"); }else { snprintf(orphan, size, "%s/%s", TSK_FS_ORPHAN_STR,fs_file->meta->name2->name); utarray_push_back(data->filenames, orphan ); } } if (fs_file) tsk_fs_file_close(fs_file); } else { tsk_printf("File name not found for inode\n"); } } return data; }
