int
main(int argc, char **argv1)
{
TSK_IMG_INFO *img_info;
TSK_TCHAR **argv;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
if (argc != 2) {
fprintf(stderr, "Missing image name\n");
exit(1);
}
#if DO_HASHLOOKUP
/* Setup hash infrastructure */
if ((hdb_info =
tsk_hdb_open(_TSK_T("/XXX/NSRLFile.txt"),
TSK_HDB_OPEN_NONE)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if (tsk_hdb_hasindex(hdb_info, TSK_HDB_HTYPE_MD5_ID) == 0) {
fprintf(stderr,
"Hash database does not have an index (create one using hfind -i nsrl-md5 HASHFILE\n");
exit(1);
}
#else
hdb_info = NULL;
#endif
img_info = tsk_img_open_sing(argv[1], TSK_IMG_TYPE_DETECT, 0);
if (img_info == NULL) {
fprintf(stderr, "Error opening file\n");
tsk_error_print(stderr);
exit(1);
}
if (proc_vs(img_info, 0)) {
tsk_error_print(stderr);
tsk_img_close(img_info);
exit(1);
}
tsk_img_close(img_info);
return 0;
}
// Find all the harddisk address corresponding to target file
//
// \param img_path path of target image
// \param file_path the target filename
//
// Return NULL if error, otherwise a UT_array of (start, end) tuple will returned, where start and end are the harddisk byte addrsesses
UT_array* tsk_find_haddr_by_filename(const char* img_path, const char* file_path)
{
TSK_IMG_TYPE_ENUM img_type ;
TSK_IMG_INFO *img;
TSK_VS_INFO *vs;
find_file_data data;
UT_array* ret = NULL;
img_type = tsk_img_type_toid(QCOW_IMG_TYPE);
//XXX([email protected]):need error handling.
img = tsk_img_open_sing(img_path, img_type, 0);
if(img == NULL)
{
printf("Image Open Failed!!\n");
return NULL;
}
vs = tsk_vs_open(img, 0, TSK_VS_TYPE_DETECT);
if(vs==NULL)
{
printf("Volume Open Failed!!\n");
tsk_img_close(img);
return NULL;
}
data.file_found = 0;
data.full_path = file_path;
utarray_new(data.offsets_in_disk, &ut_tsk_daddr_tuple_icd);
tsk_vs_part_walk(
vs, // the volume system
0, // start from first partiton
vs->part_count - 1, // walk to last partiton
TSK_VS_PART_FLAG_ALLOC, // traverse all allocated partiton
find_file_in_partiton, // action for each partition
&data // argument for action
);
if (data.file_found) {
ret = data.offsets_in_disk;
}
else {
tsk_vs_close(vs);
tsk_img_close(img);
return NULL;
}
tsk_vs_close(vs);
tsk_img_close(img);
return ret;
}
/*
* Close the given image
* @param env pointer to java environment this was called from
* @param obj the java object this was called from
* @param a_img_info the pointer to the image object
*/
JNIEXPORT void JNICALL
Java_org_sleuthkit_datamodel_SleuthkitJNI_closeImgNat(JNIEnv * env,
jclass obj, jlong a_img_info)
{
TSK_IMG_INFO *img_info = castImgInfo(env, a_img_info);
tsk_img_close(img_info);
}
int
test_ntfs_comp()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
char *tname = "ntfs-comp-1";
char fname[512];
snprintf(fname, 512, "%s/ntfs-comp-1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if (testfile(fs, 34)) {
fprintf(stderr, "%s error (both)\n", tname);
return 1;
}
if (testfile(fs, 32)) {
fprintf(stderr, "%s error (sparse)\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
static int Img_Info_dest(void *x) {
Img_Info self = (Img_Info)x;
tsk_img_close((TSK_IMG_INFO *)self->img);
return 0;
};
/**
* Called when the filesystem is unmounted, and allows the destruction
* of structures and freeing allocated memory.
*/
void cleanup(void)
{
if (input_filename != NULL)
{
g_free(input_filename);
input_filename = NULL;
}
if (fs_info != NULL)
{
tsk_fs_close(fs_info);
}
fs_info = NULL;
if (img_info != NULL)
{
tsk_img_close(img_info);
}
img_info = NULL;
if (mountpoint != NULL)
{
g_free(mountpoint);
}
mountpoint = NULL;
if (inode_buffer != NULL)
{
g_free(inode_buffer);
}
}
static int
test_ntfs_fe()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1-NTFS";
char fname[512];
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if (test_dir_open_apis(fs, "/allocated", 30)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
if (test_walk_apis(fs, 30)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
int
test_fat12()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fat12.dd";
char fname[512];
snprintf(fname, 512, "%s/fat12.dd", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (testfile(fs, 33)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
/**
* Closes the handles to the open disk image. Should be called after
* you have completed analysis of the image.
*/
void
TskAuto::closeImage()
{
if ((m_img_info) && (m_internalOpen)) {
tsk_img_close(m_img_info);
}
m_img_info = NULL;
}
void TskL01Extract::close()
{
if (m_imgInfo)
{
tsk_img_close(m_imgInfo);
m_imgInfo = NULL;
}
m_archivePath.clear();
}
int
main(int argc, char **argv1)
{
TSK_IMG_INFO *img_info;
TSK_TCHAR **argv;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
if (argc != 2) {
fprintf(stderr, "Missing image name\n");
exit(1);
}
// open the disk image
img_info =
tsk_img_open_sing((const TSK_TCHAR *) argv[1],
TSK_IMG_TYPE_DETECT, 0);
if (img_info == NULL) {
fprintf(stderr, "Error opening file\n");
tsk_error_print(stderr);
exit(1);
}
// process the volume starting at sector 0
if (proc_vs(img_info, 0)) {
tsk_error_print(stderr);
tsk_img_close(img_info);
exit(1);
}
// close the image
tsk_img_close(img_info);
return 0;
}
void TskImageFileTsk::close()
{
if (m_img_info) {
tsk_img_close(m_img_info);
m_img_info = NULL;
}
if (m_images_ptrs) {
free(m_images_ptrs);
m_images_ptrs = NULL;
}
m_images.clear();
// Close the handles in m_openFiles and m_openFs
for (uint32_t i = 0; i < m_openFiles.size(); i++)
closeFile(i);
std::for_each(m_openFs.begin(), m_openFs.end(), (&TskImageFileTsk::closeFs));
}
int
test_ntfs_fe()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1-NTFS";
char fname[512];
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (testfile(fs, 31)) {
fprintf(stderr, "%s error (non-resident)\n", tname);
return 1;
}
if (testfile(fs, 32)) {
fprintf(stderr, "%s error (resident)\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
int
test_fat12()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fat12.dd";
char fname[512];
snprintf(fname, 512, "%s/fat12.dd", s_root);
if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
// verify the APIs get teh same for file 47
if (test_get_apis(fs, 47, 1)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
// verify the one attribte is the expected type
if (test_get_type(fs, 47, TSK_FS_ATTR_TYPE_DEFAULT)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
/* This test checks the RECOVER flags
*/
int
test_fat_recover()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1.img-FAT";
char fname[512];
TSK_FS_FILE *file1;
TSK_FS_FILE *file2;
char buf[512];
ssize_t retval;
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs =
tsk_fs_open_img(img, 41126400,
(TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// fragmented.html
const char *fname2 = "fragmented.html";
file1 = tsk_fs_file_open_meta(fs, NULL, 1162);
if (file1 == NULL) {
fprintf(stderr, "Error opening %s (%s)\n", fname2, tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// verify expected size
if (file1->meta->size != 5905) {
fprintf(stderr,
"Error: %s not expected size (%" PRIuOFF ") (%s)\n", fname2,
file1->meta->size, tname);
return 1;
}
// verify we can open it via name as well
file2 = tsk_fs_file_open(fs, NULL, "/deleted/fragmented.html");
if (file2 == NULL) {
fprintf(stderr,
"Error opening /deleted/fragmented.html via path name (%s)\n",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (file2->name == NULL) {
fprintf(stderr,
"Opening /deleted/fragmented.html via path name did not have name set(%s)\n",
tname);
return 1;
}
if (strcmp(file2->name->name, fname2) != 0) {
fprintf(stderr,
"Opening /deleted/fragmented.html via path had incorrect name set (%s) (%s)\n",
file2->name->name, tname);
return 1;
}
if ((file2->name->meta_addr != file2->meta->addr)
|| (file2->meta->addr != file1->meta->addr)) {
fprintf(stderr,
"Opening /deleted/fragmented.html via path had incorrect meta addresses (%"
PRIuINUM " %" PRIuINUM " %" PRIuINUM " (%s)\n",
file2->name->meta_addr, file2->meta->addr, file1->meta->addr,
tname);
return 1;
}
tsk_fs_file_close(file2);
file2 = NULL;
// try to read past end of first 2048-byte cluster
retval =
tsk_fs_file_read(file1, 2048, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr, "Error reading %s past end w/out Recover flag\n",
fname2);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// current behavior is to return 0s in "unitialized" space
//if (retval != 0) {
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from reading %s past end w/out Recover flag.\n",
fname2);
fprintf(stderr, "Expected: 0. Got: %zd\n", retval);
return 1;
}
retval =
tsk_fs_file_read(file1, 2048, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr, "Error reading %s past end w/Recover flag\n",
fname2);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from %s past end w/Recover flag.\n",
fname2);
fprintf(stderr, "Expected: 512. Got: %zd\n", retval);
return 1;
}
// verify the term in the slack space
if (memcmp("appear", buf, 6) != 0) {
fprintf(stderr,
"expected string not found in %s recovery: %c %c %c %c %c %c\n",
fname2, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5]);
return 1;
}
tsk_fs_file_close(file1);
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
Image::~Image() {
if (ShouldClose) {
tsk_img_close(Img);
}
}
/* This test checks the SLACK flags and verifies
* that we read data from the slack space
*/
int
test_ntfs_slack_ads()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "ntfs-img-kw";
char fname[512];
TSK_FS_FILE *file1;
char buf[512];
ssize_t retval;
snprintf(fname, 512, "%s/ntfs-img-kw-1.dd", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// file-n-44.dat
file1 = tsk_fs_file_open_meta(fs, NULL, 36);
if (file1 == NULL) {
fprintf(stderr, "Error opening file-n-4.dat (%s)\n", tname);
return 1;
}
// verify expected size
if (file1->meta->size != 2000) {
fprintf(stderr,
"Error: file-n-4.dat not expected size (%" PRIuOFF ") (%s)\n",
file1->meta->size, tname);
return 1;
}
// try to read all of last sector with/out Slack set
retval =
tsk_fs_file_read(file1, 1536, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr,
"Error reading file-n-4.dat to end w/out slack flag (%s)\n",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 464) {
fprintf(stderr,
"Unexpected return value from reading file-n-4.dat to end w/out slack flag (%s).\n",
tname);
fprintf(stderr, "Expected: 464. Got: %zd\n", retval);
return 1;
}
retval =
tsk_fs_file_read(file1, 1536, buf, 512,
TSK_FS_FILE_READ_FLAG_SLACK);
if (retval == -1) {
fprintf(stderr,
"Error reading file-n-4.dat to end w/slack flag (%s)\n",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from reading file-n-4.dat w/slack flag. (%s)\n",
tname);
fprintf(stderr, "Expected: 512. Got: %zd\n", retval);
return 1;
}
// verify the term in the slack space
if (memcmp("n-slack", &buf[485], 7) != 0) {
fprintf(stderr,
"slack string not found in file-n-4.dat slack space: %c %c %c %c %c %c %c (%s)\n",
buf[485], buf[486], buf[487], buf[488], buf[489], buf[490],
buf[491], tname);
return 1;
}
// try to read past end of file
retval =
tsk_fs_file_read(file1, 2001, buf, 32,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval != -1) {
fprintf(stderr,
"Unexpected return value from reading file-n-4.dat after end of file (%s).\n",
tname);
fprintf(stderr, "Expected: -1. Got: %zd\n", retval);
return 1;
}
tsk_fs_file_close(file1);
// file-n-5.dat
file1 = tsk_fs_file_open_meta(fs, NULL, 37);
if (file1 == NULL) {
fprintf(stderr, "Error opening file-n-5.dat (%s)\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// check the default size to make sure it is the default $Data
if (file1->meta->size != 1300) {
fprintf(stderr,
"file-n-5.dat size is not 1300 (%" PRIuOFF ") (%s)",
file1->meta->size, tname);
return 1;
}
// test the getsize API for both attributes
const TSK_FS_ATTR *fs_attr =
tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 3, 1);
if (!fs_attr) {
fprintf(stderr,
"Error getting data attribute 3 in file-n-5.dat (%s)", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (fs_attr->size != 1300) {
fprintf(stderr,
"file-n-5.dat size (via getsize) is not 1300 (%" PRIuOFF
") (%s)", fs_attr->size, tname);
return 1;
}
fs_attr =
tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 5, 1);
if (!fs_attr) {
fprintf(stderr,
"Error getting size of attribute 5 in file-n-5.dat (%s)",
tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (fs_attr->size != 2000) {
fprintf(stderr,
"file-n-5.dat:here size (via getsize) is not 2000 (%" PRIuOFF
") (%s)", fs_attr->size, tname);
return 1;
}
tsk_fs_file_close(file1);
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
int
main(int argc, char** argv1)
{
TSK_TCHAR **argv;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT;
TSK_OFF_T imgaddr = 0;
int ch;
while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) {
switch (ch) {
case _TSK_T('f'):
fstype = tsk_fs_type_toid(OPTARG);
if (fstype == TSK_FS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported file system type: %s\n"), OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('v'):
tsk_verbose = 1;
break;
default:
usage();
break;
}
}
if (argc - OPTIND != 3) {
usage();
}
const TSK_TCHAR* image = argv[OPTIND];
size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0);
if (nthreads == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0);
if (niters == 0) {
fprintf(stderr, "invalid nthreads\n");
exit(1);
}
TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0);
if (img == 0) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype);
if (fs == 0) {
tsk_img_close(img);
tsk_error_print(stderr);
exit(1);
}
TskThread** threads = new TskThread*[nthreads];
for (size_t i = 0; i < nthreads; ++i) {
threads[i] = new MyThread(i, fs, niters);
}
TskThread::run(threads, nthreads);
for (size_t i = 0; i < nthreads; ++i) {
delete threads[i];
}
delete[] threads;
tsk_fs_close(fs);
tsk_img_close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_VS_INFO *vs;
int ch;
TSK_OFF_T imgaddr = 0;
int flags = 0;
TSK_IMG_INFO *img;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
uint8_t hide_meta = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("aAb:Bi:mMo:rt:vV"))) > 0) {
switch (ch) {
case _TSK_T('a'):
flags |= TSK_VS_PART_FLAG_ALLOC;
break;
case _TSK_T('A'):
flags |= TSK_VS_PART_FLAG_UNALLOC;
break;
case _TSK_T('B'):
print_bytes = 1;
break;
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('m'):
flags |= (TSK_VS_PART_FLAG_META);
break;
case _TSK_T('M'):
// we'll set this after all flags have been set
hide_meta = 1;
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('r'):
recurse = 1;
break;
case _TSK_T('t'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_vs_type_print(stderr);
exit(1);
}
vstype = tsk_vs_type_toid(OPTARG);
if (vstype == TSK_VS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported volume system type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
case _TSK_T('?'):
default:
tsk_fprintf(stderr, "Unknown argument\n");
usage();
}
}
// if they want to hide metadata volumes, set that now
if (hide_meta) {
if (flags == 0)
flags = (TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC);
else
flags &= ~TSK_VS_PART_FLAG_META;
}
else if (flags == 0) {
flags = TSK_VS_PART_FLAG_ALL;
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
/* open the image */
img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize);
if (img == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
/* process the partition tables */
vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype);
if (vs == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
tsk_vs_type_print(stderr);
tsk_img_close(img);
exit(1);
}
print_header(vs);
if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
(TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
tsk_error_print(stderr);
tsk_vs_close(vs);
tsk_img_close(img);
exit(1);
}
tsk_vs_close(vs);
if ((recurse) && (vs->vstype == TSK_VS_TYPE_DOS)) {
int i;
/* disable recursing incase we hit another DOS partition
* future versions may support more layers */
recurse = 0;
for (i = 0; i < recurse_cnt; i++) {
vs = tsk_vs_open(img, recurse_list[i], TSK_VS_TYPE_DETECT);
if (vs != NULL) {
tsk_printf("\n\n");
print_header(vs);
if (tsk_vs_part_walk(vs, 0, vs->part_count - 1,
(TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) {
tsk_error_reset();
}
tsk_vs_close(vs);
}
else {
/* Ignore error in this case and reset */
tsk_error_reset();
}
}
}
tsk_img_close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_VS_INFO *vs;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
int ch;
TSK_OFF_T imgaddr = 0;
TSK_IMG_INFO *img;
TSK_PNUM_T pnum;
TSK_DADDR_T addr;
const TSK_VS_PART_INFO *vs_part;
char *buf;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) {
switch (ch) {
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('t'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_vs_type_print(stderr);
exit(1);
}
vstype = tsk_vs_type_toid(OPTARG);
if (vstype == TSK_VS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported volume system type: %s\n"),
OPTARG);
usage();
}
break;
case 'v':
tsk_verbose++;
break;
case 'V':
tsk_version_print(stdout);
exit(0);
case '?':
default:
tsk_fprintf(stderr, "Unknown argument\n");
usage();
}
}
/* We need at least two more arguments */
if (OPTIND + 1 >= argc) {
tsk_fprintf(stderr,
"Missing image name and/or partition number\n");
usage();
}
/* open the image */
if ((img =
tsk_img_open(argc - OPTIND - 1, &argv[OPTIND],
imgtype, ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
if (tsk_parse_pnum(argv[argc - 1], &pnum)) {
tsk_error_print(stderr);
exit(1);
}
/* process the partition tables */
if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
tsk_vs_type_print(stderr);
exit(1);
}
if (pnum >= vs->part_count) {
tsk_fprintf(stderr,
"Partition address is too large (maximum: %"
PRIuPNUM ")\n", vs->part_count);
exit(1);
}
vs_part = tsk_vs_part_get(vs, pnum);
if (vs_part == NULL) {
tsk_fprintf(stderr, "Error looking up partition\n");
exit(1);
}
buf = (char *) malloc(vs->block_size);
if (buf == NULL) {
tsk_error_print(stderr);
exit(1);
}
#ifdef TSK_WIN32
char strerror_buffer[1024];
if (-1 == _setmode(_fileno(stdout), _O_BINARY)) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_FS_WRITE);
tsk_error_set_errstr(
"mmcat: error setting stdout to binary: %s",
strerror_s(strerror_buffer, 1024, errno));
return 1;
}
#endif
for (addr = 0; addr < vs_part->len; addr++) {
ssize_t retval;
retval =
tsk_vs_part_read_block(vs_part, addr, buf, vs->block_size);
if (retval == -1) {
tsk_error_print(stderr);
exit(1);
}
if ((size_t) retval != fwrite(buf, 1, retval, stdout)) {
tsk_fprintf(stderr, "Error writing data to stdout\n");
exit(1);
}
}
tsk_vs_close(vs);
tsk_img_close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_IMG_INFO *img;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
int ch;
TSK_OFF_T start_sector = 0;
TSK_OFF_T end_sector = 0;
ssize_t cnt;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:vVs:e:"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('s'):
start_sector = TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || start_sector < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: start sector must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('e'):
end_sector = TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || end_sector < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: end sector must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
#ifdef TSK_WIN32
if (-1 == _setmode(_fileno(stdout), _O_BINARY)) {
fprintf(stderr,
"error setting stdout to binary: %s", strerror(errno));
exit(1);
}
#endif
TSK_OFF_T start_byte = 0;
if (start_sector)
start_byte = start_sector * img->sector_size;
TSK_OFF_T end_byte = 0;
if (end_sector)
end_byte = (end_sector + 1) * img->sector_size;
else
end_byte = img->size;
for (TSK_OFF_T done = start_byte; done < end_byte; done += cnt) {
char buf[16 * 1024];
size_t len;
if (done + (TSK_OFF_T) sizeof(buf) > end_byte) {
len = (size_t) (end_byte - done);
}
else {
len = sizeof(buf);
}
cnt = tsk_img_read(img, done, buf, len);
if (cnt != (ssize_t) len) {
if (cnt >= 0) {
tsk_fprintf(stderr,
"img_cat: Error reading image file at offset: %"
PRIuOFF ", len: %" PRIuOFF ", return: %" PRIuOFF "\n",
done, len, cnt);
}
else {
tsk_error_print(stderr);
}
tsk_img_close(img);
exit(1);
}
if (fwrite(buf, cnt, 1, stdout) != 1) {
fprintf(stderr,
"img_cat: Error writing to stdout: %s", strerror(errno));
tsk_img_close(img);
exit(1);
}
}
tsk_img_close(img);
exit(0);
}
void deallocate_image(struct tsk4r_img_wrapper * ptr){
TSK_IMG_INFO *image = ptr->image;
tsk_img_close(image);
xfree(ptr);
}
// Find the filename of the specified harddisk byte offset
//
// \param imgname path of target image
// \param haddr_img_offset the target harddisk byte address
//
// Return NULL if error, otherwise a UT_array of filename
UT_array* tsk_get_filename_by_haddr(const char* imgname, uint64_t haddr_img_offset)
{
TSK_IMG_INFO *img;
TSK_VS_INFO *vs;
TSK_FS_INFO *fs;
uint8_t id_used = 0, type_used = 0;
TSK_DADDR_T partition_offset = 0;
TSK_DADDR_T block_img_offset = 0;
TSK_DADDR_T part_byte_offset = 0;
TSK_DADDR_T part_block_offset = 0;
MBA_IFIND_DATA_DATA* ifind_data;
TSK_IMG_TYPE_ENUM imgtype;
MBA_FFIND_DATA* ffind_data;
UT_array* ret = NULL;
//open image
imgtype = tsk_img_type_toid(QCOW_IMG_TYPE);
img = tsk_img_open_sing(imgname, imgtype, 0);
if(img == NULL)
{
printf("Image Open Failed!!\n");
return NULL;
}
if(haddr_img_offset >= img->size)
{
printf("Request haddr is larger than image size\n");
tsk_img_close(img);
return NULL;
}
//open volume
vs = tsk_vs_open(img, 0 , TSK_VS_TYPE_DETECT);
if(vs==NULL)
{
printf("Volume Open Failed!!\n");
tsk_img_close(img);
return NULL;
}
//calculate block address
block_img_offset = haddr_img_offset/img->sector_size;
//search the partition contain the target block
partition_offset = search_partition(vs, block_img_offset);
if(partition_offset == 0)
{
tsk_img_close(img);
tsk_vs_close(vs);
return NULL;
}
//open the partition's file system
fs = tsk_fs_open_img(img, partition_offset * img->sector_size, TSK_FS_TYPE_DETECT);
if(fs==NULL)
{
printf("Cannot open file system\n");
tsk_img_close(img);
tsk_vs_close(vs);
return NULL;
}
//calculate offset to the current partition
part_byte_offset = haddr_img_offset - (partition_offset * img->sector_size);
part_block_offset = part_byte_offset/fs->block_size;
//find the inode of this block
ifind_data = fs_ifind_data(fs, (TSK_FS_IFIND_FLAG_ENUM) 0, part_block_offset);
if(ifind_data == NULL)
{
tsk_img_close(img);
tsk_vs_close(vs);
return NULL;
}
if(ifind_data->found!=1)
{
tsk_img_close(img);
tsk_vs_close(vs);
return NULL;
}
//Find the inode's filename
//Note: Do Not Know what to fill in variable type_used and id_used
ffind_data = fs_ffind(fs, 0, ifind_data->curinode, ifind_data->curtype ,
type_used, ifind_data->curid , id_used,
(TSK_FS_DIR_WALK_FLAG_RECURSE | TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC));
if(ffind_data==NULL){
printf("Cannot found fdata associate with inode\n");
tsk_img_close(img);
tsk_vs_close(vs);
return NULL;
}
//free data
//reserve return data first
ret = ffind_data->filenames;
free(ifind_data);
free(ffind_data);
tsk_vs_close(vs);
tsk_img_close(img);
return ret;
}
int
main(int argc, char **argv1)
{
TSK_IMG_INFO *img;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
int ch;
uint8_t type = 0;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:tvV"))) > 0) {
switch (ch) {
case _TSK_T('?'):
default:
TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"),
argv[OPTIND]);
usage();
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('t'):
type = 1;
break;
case _TSK_T('v'):
tsk_verbose++;
break;
case _TSK_T('V'):
tsk_version_print(stdout);
exit(0);
}
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if (type) {
const char *str = tsk_img_type_toname(img->itype);
tsk_printf("%s\n", str);
}
else {
img->imgstat(img, stdout);
}
tsk_img_close(img);
exit(0);
}
int
main(int argc, char **argv1)
{
TSK_VS_INFO *vs;
TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT;
TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT;
int ch;
TSK_OFF_T imgaddr = 0;
TSK_IMG_INFO *img;
TSK_TCHAR **argv;
unsigned int ssize = 0;
TSK_TCHAR *cp;
#ifdef TSK_WIN32
// On Windows, get the wide arguments (mingw doesn't support wmain)
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if (argv == NULL) {
fprintf(stderr, "Error getting wide arguments\n");
exit(1);
}
#else
argv = (TSK_TCHAR **) argv1;
#endif
progname = argv[0];
while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) {
switch (ch) {
case _TSK_T('b'):
ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0);
if (*cp || *cp == *OPTARG || ssize < 1) {
TFPRINTF(stderr,
_TSK_T
("invalid argument: sector size must be positive: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('i'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_img_type_print(stderr);
exit(1);
}
imgtype = tsk_img_type_toid(OPTARG);
if (imgtype == TSK_IMG_TYPE_UNSUPP) {
TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"),
OPTARG);
usage();
}
break;
case _TSK_T('o'):
if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) {
tsk_error_print(stderr);
exit(1);
}
break;
case _TSK_T('t'):
if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) {
tsk_vs_type_print(stderr);
exit(1);
}
vstype = tsk_vs_type_toid(OPTARG);
if (vstype == TSK_VS_TYPE_UNSUPP) {
TFPRINTF(stderr,
_TSK_T("Unsupported volume system type: %s\n"),
OPTARG);
usage();
}
break;
case 'v':
tsk_verbose++;
break;
case 'V':
tsk_version_print(stdout);
exit(0);
case '?':
default:
tsk_fprintf(stderr, "Unknown argument\n");
usage();
}
}
/* We need at least one more argument */
if (OPTIND >= argc) {
tsk_fprintf(stderr, "Missing image name\n");
usage();
}
/* open the image */
if ((img =
tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype,
ssize)) == NULL) {
tsk_error_print(stderr);
exit(1);
}
if ((imgaddr * img->sector_size) >= img->size) {
tsk_fprintf(stderr,
"Sector offset supplied is larger than disk image (maximum: %"
PRIu64 ")\n", img->size / img->sector_size);
exit(1);
}
/* process the partition tables */
if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) {
tsk_error_print(stderr);
if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE)
tsk_vs_type_print(stderr);
exit(1);
}
print_stats(vs);
tsk_vs_close(vs);
tsk_img_close(img);
exit(0);
}
static int
test_ntfs_fe()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fe_test_1-NTFS";
char fname[512];
snprintf(fname, 512, "%s/fe_test_1.img", s_root);
if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
return 1;
}
// Verify the APIS get the same and that they are the expected type
if (test_get_apis(fs, 35, 3)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_SI)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_FNAME)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_DATA)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
if (test_get_apis(fs, 9, 7)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_SI)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_FNAME)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_DATA)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXROOT)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXALLOC)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_BITMAP)) {
fprintf(stderr, "%s failure\n", tname);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
/* This test checks the SLACK flags and verifies
* that we read data from the slack space
*/
int
test_fat_slack()
{
TSK_FS_INFO *fs;
TSK_IMG_INFO *img;
const char *tname = "fat-img-kw";
char fname[512];
TSK_FS_FILE *file1;
char buf[512];
ssize_t retval;
snprintf(fname, 512, "%s/fat-img-kw.dd", s_root);
if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) {
fprintf(stderr, "Error opening %s image\n", tname);
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
// file4.dat
file1 = tsk_fs_file_open_meta(fs, NULL, 10);
if (file1 == NULL) {
fprintf(stderr, "Error opening file4.dat (%s)\n", tname);
return 1;
}
// verify expected size
if (file1->meta->size != 631) {
fprintf(stderr,
"Error: file4.dat not expected size (%" PRIuOFF ") (%s)\n",
file1->meta->size, tname);
return 1;
}
// try to read all of last sector with/out Slack set
retval =
tsk_fs_file_read(file1, 512, buf, 512,
(TSK_FS_FILE_READ_FLAG_ENUM) 0);
if (retval == -1) {
fprintf(stderr,
"Error reading file4.dat to end w/out slack flag\n");
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 119) {
fprintf(stderr,
"Unexpected return value from reading file4.dat to end w/out slack flag.\n");
fprintf(stderr, "Expected: 119. Got: %zd\n", retval);
return 1;
}
retval =
tsk_fs_file_read(file1, 512, buf, 512,
TSK_FS_FILE_READ_FLAG_SLACK);
if (retval == -1) {
fprintf(stderr, "Error reading file4.dat to end w/slack flag\n");
tsk_error_print(stderr);
tsk_error_reset();
return 1;
}
if (retval != 512) {
fprintf(stderr,
"Unexpected return value from reading file4.dat w/slack flag.\n");
fprintf(stderr, "Expected: 512. Got: %zd\n", retval);
return 1;
}
// verify the term in the slack space
if (memcmp("3slack3", &buf[385], 7) != 0) {
fprintf(stderr,
"slack string not found in file4.dat slack space: %x %x %x %x %x %x %x\n",
buf[385], buf[386], buf[387], buf[388], buf[389], buf[390],
buf[391]);
return 1;
}
tsk_fs_close(fs);
tsk_img_close(img);
return 0;
}
