// utility functions
VALUE get_filesystem_type(VALUE self) {
const char * mytype;
struct tsk4r_fs_wrapper * fs_ptr;
Data_Get_Struct(self, struct tsk4r_fs_wrapper, fs_ptr);
mytype = tsk_fs_type_toname(fs_ptr->filesystem->ftype);
rb_iv_set(self, "@name", rb_str_new2(mytype));
return rb_str_new2(mytype);
}
/** \internal
* Print details about the file system to a file handle.
*
* @param a_fs File system to print details on
* @param hFile File handle to print text to
*
* @returns 1 on error and 0 on success
*/
uint8_t
tsk_fs_nofs_fsstat(TSK_FS_INFO * a_fs, FILE * hFile)
{
tsk_fprintf(hFile, "%s Data\n", tsk_fs_type_toname(a_fs->ftype));
tsk_fprintf(hFile, "Block Size: %d\n", a_fs->block_size);
tsk_fprintf(hFile, "Block Range: 0 - %" PRIuDADDR "\n",
a_fs->last_block);
return 0;
}
/** \internal
*/
uint8_t
tsk_fs_nofs_jopen(TSK_FS_INFO * a_fs, TSK_INUM_T inum)
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC);
tsk_error_set_errstr("Illegal analysis method for %s data ",
tsk_fs_type_toname(a_fs->ftype));
return 1;
}
/** \internal
*/
uint8_t
tsk_fs_nofs_make_data_run(TSK_FS_FILE * a_fs_file)
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC);
tsk_error_set_errstr("Illegal analysis method for %s data ",
(a_fs_file->fs_info) ? tsk_fs_type_toname(a_fs_file->fs_info->
ftype) : "");
return 1;
}
/** \internal
*/
uint8_t
tsk_fs_nofs_jblk_walk(TSK_FS_INFO * a_fs, TSK_INUM_T start, TSK_INUM_T end,
int a_flags, TSK_FS_JBLK_WALK_CB a_action, void *a_ptr)
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC);
tsk_error_set_errstr("Illegal analysis method for %s data ",
tsk_fs_type_toname(a_fs->ftype));
return 1;
}
/** \internal
*/
TSK_RETVAL_ENUM
tsk_fs_nofs_dir_open_meta(TSK_FS_INFO * a_fs, TSK_FS_DIR ** a_fs_dir,
TSK_INUM_T a_addr)
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC);
tsk_error_set_errstr("Illegal analysis method for %s data ",
tsk_fs_type_toname(a_fs->ftype));
return TSK_ERR;
}
/** \internal
*/
uint8_t
tsk_fs_nofs_istat(TSK_FS_INFO * a_fs, FILE * hFile, TSK_INUM_T inum,
TSK_DADDR_T numblock, int32_t sec_skew)
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC);
tsk_error_set_errstr("Illegal analysis method for %s data ",
tsk_fs_type_toname(a_fs->ftype));
return 1;
}
/** \internal
*/
uint8_t
tsk_fs_nofs_inode_walk(TSK_FS_INFO * a_fs, TSK_INUM_T a_start_inum,
TSK_INUM_T a_end_inum, TSK_FS_META_FLAG_ENUM a_flags,
TSK_FS_META_WALK_CB a_action, void *a_ptr)
{
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_UNSUPFUNC);
tsk_error_set_errstr("Illegal analysis method for %s data ",
tsk_fs_type_toname(a_fs->ftype));
return 1;
}
TSK_FILTER_ENUM TSKAutoImpl::filterFs(TSK_FS_INFO * a_fsInfo)
{
// add a volume entry if there is no file system
if (m_vsSeen == false)
{
TSK_DADDR_T start_sect = a_fsInfo->offset / a_fsInfo->img_info->sector_size;
TSK_DADDR_T end_sect = start_sect +
((a_fsInfo->block_count * a_fsInfo->block_size) / a_fsInfo->img_info->sector_size);
createDummyVolume(start_sect, (end_sect - start_sect) + 1,
"Dummy volume for file system",
TSK_VS_PART_FLAG_ALLOC);
}
m_curFsId++;
m_db.addFsInfo(m_curVsId, m_curFsId, a_fsInfo);
/* Process the root directory so that its contents are added to
* the DB. We won't see it during the dir_walk. */
TSK_FS_FILE *fs_file = tsk_fs_file_open(a_fsInfo, NULL, "/");
if (fs_file != NULL)
{
processFile(fs_file, "\\");
}
// make sure that flags are set to get all files -- we need this to
// find parent directory
setFileFilterFlags((TSK_FS_DIR_WALK_FLAG_ENUM)
(TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC));
std::wstringstream msg;
msg << L"TSKAutoImpl::filterFs - Discovered " << tsk_fs_type_toname(a_fsInfo->ftype)
<< L" file system at offset " << a_fsInfo->offset << L" with Id : " << m_curFsId;
LOGINFO(msg.str());
return TSK_FILTER_CONT;
}
std::string Filesystem::fsName() const {
return std::string(tsk_fs_type_toname(Fs->ftype));
}
/**
* Parses the file and populates the structures used by this FUSE driver.
*
* \param filename The filename to parse
* \param r The result structure to populate (or NULL if not needed)
* \returns 0 if successful, -1 if not.
*/
static int process_file(const char *filename, result_t new_result)
{
img_info = tsk_img_open_sing(filename, TSK_IMG_TYPE_DETECT, 0);
if (img_info == NULL)
{
info_log("Failed to open image: %s", filename);
return -1;
}
fs_info = tsk_fs_open_img(img_info, 0, TSK_FS_TYPE_DETECT);
if (fs_info == NULL)
{
info_log("Failed to open filesystem: %s", filename);
return -1;
}
const char *fsname = tsk_fs_type_toname(fs_info->ftype);
result_set_brief_data_description(new_result, fsname);
mountpoint = g_strdup_printf("%s:mnt-%s", filename, fsname);
char *description = g_strdup_printf("%" PRIdDADDR " bytes (%" PRIdDADDR " %ss of %u size)", fs_info->block_count * fs_info->block_size, fs_info->block_count, fs_info->duname, fs_info->block_size);
result_set_data_description(new_result, description);
g_free(description);
result_set_confidence(new_result, 100);
block_start(absolute_offset);
TSK_FS_DIR_WALK_FLAG_ENUM name_flags = (TSK_FS_DIR_WALK_FLAG_ENUM) (TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC | TSK_FS_DIR_WALK_FLAG_RECURSE);
if (tsk_fs_dir_walk(fs_info, fs_info->root_inum, name_flags, examine_dirent, new_result) != 0)
{
// Why does this occur? Is it because it's an invalid filesystem structure, or the
// structure is damaged? I'm going to assume the structure is damaged, but partially available.
warning_log("Warning, unable to fully walk fs! Probably truncated or not a real FS header.");
}
unsigned int size;
block_range_t *ranges = block_end(&size);
if (ranges != NULL)
{
result_set_block_ranges(new_result, ranges, size);
for (int i = 0; i < size; i++)
{
block_range_close(ranges[i]);
}
g_free(ranges);
}
if (inode_lookup != NULL)
{
g_tree_destroy(inode_lookup);
inode_lookup = NULL;
}
unsigned int num_contracts;
result_get_new_contracts(new_result, &num_contracts);
if (num_contracts > 0)
{
// Ready to mount!
int ret = do_mount(mountpoint);
if (ret != 0)
{
error_log("Failed to mount filesystem!");
}
}
remove_all_files();
return 0;
}
int
main(int argc, char **argv1)
{
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_IMG_INFO *img;
TSK_OFF_T imgaddr = 0;
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_FS_INFO *fs;
int ch;
uint8_t type = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
setlocale(LC_ALL, "");
while ((ch = GETOPT(argc, argv, _TSK_T("b:f:i:o:tvV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('f'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_fs_type_print(stderr);
exit(1);
}
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('t'):
type = 1;
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if ((fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_FS_UNSUPTYPE)
tsk_fs_type_print(stderr);
img->close(img);
exit(1);
}
if (type) {
tsk_printf("%s\n", tsk_fs_type_toname(fs->ftype));
}
else {
if (fs->fsstat(fs, stdout)) {
tsk_error_print(stderr);
fs->close(fs);
img->close(img);
exit(1);
}
}
fs->close(fs);
img->close(img);
exit(0);
}
