int main(int argc, char **argv1) { TSK_IMG_INFO *img_info; TSK_TCHAR **argv; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif if (argc != 2) { fprintf(stderr, "Missing image name\n"); exit(1); } #if DO_HASHLOOKUP /* Setup hash infrastructure */ if ((hdb_info = tsk_hdb_open(_TSK_T("/XXX/NSRLFile.txt"), TSK_HDB_OPEN_NONE)) == NULL) { tsk_error_print(stderr); exit(1); } if (tsk_hdb_hasindex(hdb_info, TSK_HDB_HTYPE_MD5_ID) == 0) { fprintf(stderr, "Hash database does not have an index (create one using hfind -i nsrl-md5 HASHFILE\n"); exit(1); } #else hdb_info = NULL; #endif img_info = tsk_img_open_sing(argv[1], TSK_IMG_TYPE_DETECT, 0); if (img_info == NULL) { fprintf(stderr, "Error opening file\n"); tsk_error_print(stderr); exit(1); } if (proc_vs(img_info, 0)) { tsk_error_print(stderr); tsk_img_close(img_info); exit(1); } tsk_img_close(img_info); return 0; }
// Find all the harddisk address corresponding to target file // // \param img_path path of target image // \param file_path the target filename // // Return NULL if error, otherwise a UT_array of (start, end) tuple will returned, where start and end are the harddisk byte addrsesses UT_array* tsk_find_haddr_by_filename(const char* img_path, const char* file_path) { TSK_IMG_TYPE_ENUM img_type ; TSK_IMG_INFO *img; TSK_VS_INFO *vs; find_file_data data; UT_array* ret = NULL; img_type = tsk_img_type_toid(QCOW_IMG_TYPE); //XXX([email protected]):need error handling. img = tsk_img_open_sing(img_path, img_type, 0); if(img == NULL) { printf("Image Open Failed!!\n"); return NULL; } vs = tsk_vs_open(img, 0, TSK_VS_TYPE_DETECT); if(vs==NULL) { printf("Volume Open Failed!!\n"); tsk_img_close(img); return NULL; } data.file_found = 0; data.full_path = file_path; utarray_new(data.offsets_in_disk, &ut_tsk_daddr_tuple_icd); tsk_vs_part_walk( vs, // the volume system 0, // start from first partiton vs->part_count - 1, // walk to last partiton TSK_VS_PART_FLAG_ALLOC, // traverse all allocated partiton find_file_in_partiton, // action for each partition &data // argument for action ); if (data.file_found) { ret = data.offsets_in_disk; } else { tsk_vs_close(vs); tsk_img_close(img); return NULL; } tsk_vs_close(vs); tsk_img_close(img); return ret; }
/* * Close the given image * @param env pointer to java environment this was called from * @param obj the java object this was called from * @param a_img_info the pointer to the image object */ JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closeImgNat(JNIEnv * env, jclass obj, jlong a_img_info) { TSK_IMG_INFO *img_info = castImgInfo(env, a_img_info); tsk_img_close(img_info); }
int test_ntfs_comp() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; char *tname = "ntfs-comp-1"; char fname[512]; snprintf(fname, 512, "%s/ntfs-comp-1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if (testfile(fs, 34)) { fprintf(stderr, "%s error (both)\n", tname); return 1; } if (testfile(fs, 32)) { fprintf(stderr, "%s error (sparse)\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
static int Img_Info_dest(void *x) { Img_Info self = (Img_Info)x; tsk_img_close((TSK_IMG_INFO *)self->img); return 0; };
/** * Called when the filesystem is unmounted, and allows the destruction * of structures and freeing allocated memory. */ void cleanup(void) { if (input_filename != NULL) { g_free(input_filename); input_filename = NULL; } if (fs_info != NULL) { tsk_fs_close(fs_info); } fs_info = NULL; if (img_info != NULL) { tsk_img_close(img_info); } img_info = NULL; if (mountpoint != NULL) { g_free(mountpoint); } mountpoint = NULL; if (inode_buffer != NULL) { g_free(inode_buffer); } }
static int test_ntfs_fe() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1-NTFS"; char fname[512]; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if (test_dir_open_apis(fs, "/allocated", 30)) { fprintf(stderr, "%s failure\n", tname); return 1; } if (test_walk_apis(fs, 30)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
int test_fat12() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fat12.dd"; char fname[512]; snprintf(fname, 512, "%s/fat12.dd", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (testfile(fs, 33)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
/** * Closes the handles to the open disk image. Should be called after * you have completed analysis of the image. */ void TskAuto::closeImage() { if ((m_img_info) && (m_internalOpen)) { tsk_img_close(m_img_info); } m_img_info = NULL; }
void TskL01Extract::close() { if (m_imgInfo) { tsk_img_close(m_imgInfo); m_imgInfo = NULL; } m_archivePath.clear(); }
int main(int argc, char **argv1) { TSK_IMG_INFO *img_info; TSK_TCHAR **argv; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif if (argc != 2) { fprintf(stderr, "Missing image name\n"); exit(1); } // open the disk image img_info = tsk_img_open_sing((const TSK_TCHAR *) argv[1], TSK_IMG_TYPE_DETECT, 0); if (img_info == NULL) { fprintf(stderr, "Error opening file\n"); tsk_error_print(stderr); exit(1); } // process the volume starting at sector 0 if (proc_vs(img_info, 0)) { tsk_error_print(stderr); tsk_img_close(img_info); exit(1); } // close the image tsk_img_close(img_info); return 0; }
void TskImageFileTsk::close() { if (m_img_info) { tsk_img_close(m_img_info); m_img_info = NULL; } if (m_images_ptrs) { free(m_images_ptrs); m_images_ptrs = NULL; } m_images.clear(); // Close the handles in m_openFiles and m_openFs for (uint32_t i = 0; i < m_openFiles.size(); i++) closeFile(i); std::for_each(m_openFs.begin(), m_openFs.end(), (&TskImageFileTsk::closeFs)); }
int test_ntfs_fe() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1-NTFS"; char fname[512]; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (testfile(fs, 31)) { fprintf(stderr, "%s error (non-resident)\n", tname); return 1; } if (testfile(fs, 32)) { fprintf(stderr, "%s error (resident)\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
int test_fat12() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fat12.dd"; char fname[512]; snprintf(fname, 512, "%s/fat12.dd", s_root); if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } // verify the APIs get teh same for file 47 if (test_get_apis(fs, 47, 1)) { fprintf(stderr, "%s failure\n", tname); return 1; } // verify the one attribte is the expected type if (test_get_type(fs, 47, TSK_FS_ATTR_TYPE_DEFAULT)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
/* This test checks the RECOVER flags */ int test_fat_recover() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1.img-FAT"; char fname[512]; TSK_FS_FILE *file1; TSK_FS_FILE *file2; char buf[512]; ssize_t retval; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 41126400, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // fragmented.html const char *fname2 = "fragmented.html"; file1 = tsk_fs_file_open_meta(fs, NULL, 1162); if (file1 == NULL) { fprintf(stderr, "Error opening %s (%s)\n", fname2, tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // verify expected size if (file1->meta->size != 5905) { fprintf(stderr, "Error: %s not expected size (%" PRIuOFF ") (%s)\n", fname2, file1->meta->size, tname); return 1; } // verify we can open it via name as well file2 = tsk_fs_file_open(fs, NULL, "/deleted/fragmented.html"); if (file2 == NULL) { fprintf(stderr, "Error opening /deleted/fragmented.html via path name (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (file2->name == NULL) { fprintf(stderr, "Opening /deleted/fragmented.html via path name did not have name set(%s)\n", tname); return 1; } if (strcmp(file2->name->name, fname2) != 0) { fprintf(stderr, "Opening /deleted/fragmented.html via path had incorrect name set (%s) (%s)\n", file2->name->name, tname); return 1; } if ((file2->name->meta_addr != file2->meta->addr) || (file2->meta->addr != file1->meta->addr)) { fprintf(stderr, "Opening /deleted/fragmented.html via path had incorrect meta addresses (%" PRIuINUM " %" PRIuINUM " %" PRIuINUM " (%s)\n", file2->name->meta_addr, file2->meta->addr, file1->meta->addr, tname); return 1; } tsk_fs_file_close(file2); file2 = NULL; // try to read past end of first 2048-byte cluster retval = tsk_fs_file_read(file1, 2048, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading %s past end w/out Recover flag\n", fname2); tsk_error_print(stderr); tsk_error_reset(); return 1; } // current behavior is to return 0s in "unitialized" space //if (retval != 0) { if (retval != 512) { fprintf(stderr, "Unexpected return value from reading %s past end w/out Recover flag.\n", fname2); fprintf(stderr, "Expected: 0. Got: %zd\n", retval); return 1; } retval = tsk_fs_file_read(file1, 2048, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading %s past end w/Recover flag\n", fname2); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 512) { fprintf(stderr, "Unexpected return value from %s past end w/Recover flag.\n", fname2); fprintf(stderr, "Expected: 512. Got: %zd\n", retval); return 1; } // verify the term in the slack space if (memcmp("appear", buf, 6) != 0) { fprintf(stderr, "expected string not found in %s recovery: %c %c %c %c %c %c\n", fname2, buf[0], buf[1], buf[2], buf[3], buf[4], buf[5]); return 1; } tsk_fs_file_close(file1); tsk_fs_close(fs); tsk_img_close(img); return 0; }
Image::~Image() { if (ShouldClose) { tsk_img_close(Img); } }
/* This test checks the SLACK flags and verifies * that we read data from the slack space */ int test_ntfs_slack_ads() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "ntfs-img-kw"; char fname[512]; TSK_FS_FILE *file1; char buf[512]; ssize_t retval; snprintf(fname, 512, "%s/ntfs-img-kw-1.dd", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // file-n-44.dat file1 = tsk_fs_file_open_meta(fs, NULL, 36); if (file1 == NULL) { fprintf(stderr, "Error opening file-n-4.dat (%s)\n", tname); return 1; } // verify expected size if (file1->meta->size != 2000) { fprintf(stderr, "Error: file-n-4.dat not expected size (%" PRIuOFF ") (%s)\n", file1->meta->size, tname); return 1; } // try to read all of last sector with/out Slack set retval = tsk_fs_file_read(file1, 1536, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading file-n-4.dat to end w/out slack flag (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 464) { fprintf(stderr, "Unexpected return value from reading file-n-4.dat to end w/out slack flag (%s).\n", tname); fprintf(stderr, "Expected: 464. Got: %zd\n", retval); return 1; } retval = tsk_fs_file_read(file1, 1536, buf, 512, TSK_FS_FILE_READ_FLAG_SLACK); if (retval == -1) { fprintf(stderr, "Error reading file-n-4.dat to end w/slack flag (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 512) { fprintf(stderr, "Unexpected return value from reading file-n-4.dat w/slack flag. (%s)\n", tname); fprintf(stderr, "Expected: 512. Got: %zd\n", retval); return 1; } // verify the term in the slack space if (memcmp("n-slack", &buf[485], 7) != 0) { fprintf(stderr, "slack string not found in file-n-4.dat slack space: %c %c %c %c %c %c %c (%s)\n", buf[485], buf[486], buf[487], buf[488], buf[489], buf[490], buf[491], tname); return 1; } // try to read past end of file retval = tsk_fs_file_read(file1, 2001, buf, 32, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval != -1) { fprintf(stderr, "Unexpected return value from reading file-n-4.dat after end of file (%s).\n", tname); fprintf(stderr, "Expected: -1. Got: %zd\n", retval); return 1; } tsk_fs_file_close(file1); // file-n-5.dat file1 = tsk_fs_file_open_meta(fs, NULL, 37); if (file1 == NULL) { fprintf(stderr, "Error opening file-n-5.dat (%s)\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // check the default size to make sure it is the default $Data if (file1->meta->size != 1300) { fprintf(stderr, "file-n-5.dat size is not 1300 (%" PRIuOFF ") (%s)", file1->meta->size, tname); return 1; } // test the getsize API for both attributes const TSK_FS_ATTR *fs_attr = tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 3, 1); if (!fs_attr) { fprintf(stderr, "Error getting data attribute 3 in file-n-5.dat (%s)", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (fs_attr->size != 1300) { fprintf(stderr, "file-n-5.dat size (via getsize) is not 1300 (%" PRIuOFF ") (%s)", fs_attr->size, tname); return 1; } fs_attr = tsk_fs_file_attr_get_type(file1, TSK_FS_ATTR_TYPE_NTFS_DATA, 5, 1); if (!fs_attr) { fprintf(stderr, "Error getting size of attribute 5 in file-n-5.dat (%s)", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (fs_attr->size != 2000) { fprintf(stderr, "file-n-5.dat:here size (via getsize) is not 2000 (%" PRIuOFF ") (%s)", fs_attr->size, tname); return 1; } tsk_fs_file_close(file1); tsk_fs_close(fs); tsk_img_close(img); return 0; }
int main(int argc, char** argv1) { TSK_TCHAR **argv; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; TSK_FS_TYPE_ENUM fstype = TSK_FS_TYPE_DETECT; TSK_OFF_T imgaddr = 0; int ch; while ((ch = GETOPT(argc, argv, _TSK_T("f:o:v"))) != -1) { switch (ch) { case _TSK_T('f'): fstype = tsk_fs_type_toid(OPTARG); if (fstype == TSK_FS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported file system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('v'): tsk_verbose = 1; break; default: usage(); break; } } if (argc - OPTIND != 3) { usage(); } const TSK_TCHAR* image = argv[OPTIND]; size_t nthreads = (size_t) TSTRTOUL(argv[OPTIND + 1], &cp, 0); if (nthreads == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } size_t niters = (size_t) TSTRTOUL(argv[OPTIND + 2], &cp, 0); if (niters == 0) { fprintf(stderr, "invalid nthreads\n"); exit(1); } TSK_IMG_INFO* img = tsk_img_open_sing(image, TSK_IMG_TYPE_DETECT, 0); if (img == 0) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } TSK_FS_INFO* fs = tsk_fs_open_img(img, imgaddr * img->sector_size, fstype); if (fs == 0) { tsk_img_close(img); tsk_error_print(stderr); exit(1); } TskThread** threads = new TskThread*[nthreads]; for (size_t i = 0; i < nthreads; ++i) { threads[i] = new MyThread(i, fs, niters); } TskThread::run(threads, nthreads); for (size_t i = 0; i < nthreads; ++i) { delete threads[i]; } delete[] threads; tsk_fs_close(fs); tsk_img_close(img); exit(0); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; int ch; TSK_OFF_T imgaddr = 0; int flags = 0; TSK_IMG_INFO *img; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; uint8_t hide_meta = 0; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("aAb:Bi:mMo:rt:vV"))) > 0) { switch (ch) { case _TSK_T('a'): flags |= TSK_VS_PART_FLAG_ALLOC; break; case _TSK_T('A'): flags |= TSK_VS_PART_FLAG_UNALLOC; break; case _TSK_T('B'): print_bytes = 1; break; case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('m'): flags |= (TSK_VS_PART_FLAG_META); break; case _TSK_T('M'): // we'll set this after all flags have been set hide_meta = 1; break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('r'): recurse = 1; break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); case _TSK_T('?'): default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } // if they want to hide metadata volumes, set that now if (hide_meta) { if (flags == 0) flags = (TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC); else flags &= ~TSK_VS_PART_FLAG_META; } else if (flags == 0) { flags = TSK_VS_PART_FLAG_ALL; } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } /* open the image */ img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize); if (img == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } /* process the partition tables */ vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype); if (vs == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); tsk_img_close(img); exit(1); } print_header(vs); if (tsk_vs_part_walk(vs, 0, vs->part_count - 1, (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) { tsk_error_print(stderr); tsk_vs_close(vs); tsk_img_close(img); exit(1); } tsk_vs_close(vs); if ((recurse) && (vs->vstype == TSK_VS_TYPE_DOS)) { int i; /* disable recursing incase we hit another DOS partition * future versions may support more layers */ recurse = 0; for (i = 0; i < recurse_cnt; i++) { vs = tsk_vs_open(img, recurse_list[i], TSK_VS_TYPE_DETECT); if (vs != NULL) { tsk_printf("\n\n"); print_header(vs); if (tsk_vs_part_walk(vs, 0, vs->part_count - 1, (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) { tsk_error_reset(); } tsk_vs_close(vs); } else { /* Ignore error in this case and reset */ tsk_error_reset(); } } } tsk_img_close(img); exit(0); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; int ch; TSK_OFF_T imgaddr = 0; TSK_IMG_INFO *img; TSK_PNUM_T pnum; TSK_DADDR_T addr; const TSK_VS_PART_INFO *vs_part; char *buf; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) { switch (ch) { case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case 'v': tsk_verbose++; break; case 'V': tsk_version_print(stdout); exit(0); case '?': default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } /* We need at least two more arguments */ if (OPTIND + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or partition number\n"); usage(); } /* open the image */ if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if (tsk_parse_pnum(argv[argc - 1], &pnum)) { tsk_error_print(stderr); exit(1); } /* process the partition tables */ if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); exit(1); } if (pnum >= vs->part_count) { tsk_fprintf(stderr, "Partition address is too large (maximum: %" PRIuPNUM ")\n", vs->part_count); exit(1); } vs_part = tsk_vs_part_get(vs, pnum); if (vs_part == NULL) { tsk_fprintf(stderr, "Error looking up partition\n"); exit(1); } buf = (char *) malloc(vs->block_size); if (buf == NULL) { tsk_error_print(stderr); exit(1); } #ifdef TSK_WIN32 char strerror_buffer[1024]; if (-1 == _setmode(_fileno(stdout), _O_BINARY)) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_WRITE); tsk_error_set_errstr( "mmcat: error setting stdout to binary: %s", strerror_s(strerror_buffer, 1024, errno)); return 1; } #endif for (addr = 0; addr < vs_part->len; addr++) { ssize_t retval; retval = tsk_vs_part_read_block(vs_part, addr, buf, vs->block_size); if (retval == -1) { tsk_error_print(stderr); exit(1); } if ((size_t) retval != fwrite(buf, 1, retval, stdout)) { tsk_fprintf(stderr, "Error writing data to stdout\n"); exit(1); } } tsk_vs_close(vs); tsk_img_close(img); exit(0); }
int main(int argc, char **argv1) { TSK_IMG_INFO *img; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; int ch; TSK_OFF_T start_sector = 0; TSK_OFF_T end_sector = 0; ssize_t cnt; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:vVs:e:"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('s'): start_sector = TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || start_sector < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: start sector must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('e'): end_sector = TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || end_sector < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: end sector must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); } } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } #ifdef TSK_WIN32 if (-1 == _setmode(_fileno(stdout), _O_BINARY)) { fprintf(stderr, "error setting stdout to binary: %s", strerror(errno)); exit(1); } #endif TSK_OFF_T start_byte = 0; if (start_sector) start_byte = start_sector * img->sector_size; TSK_OFF_T end_byte = 0; if (end_sector) end_byte = (end_sector + 1) * img->sector_size; else end_byte = img->size; for (TSK_OFF_T done = start_byte; done < end_byte; done += cnt) { char buf[16 * 1024]; size_t len; if (done + (TSK_OFF_T) sizeof(buf) > end_byte) { len = (size_t) (end_byte - done); } else { len = sizeof(buf); } cnt = tsk_img_read(img, done, buf, len); if (cnt != (ssize_t) len) { if (cnt >= 0) { tsk_fprintf(stderr, "img_cat: Error reading image file at offset: %" PRIuOFF ", len: %" PRIuOFF ", return: %" PRIuOFF "\n", done, len, cnt); } else { tsk_error_print(stderr); } tsk_img_close(img); exit(1); } if (fwrite(buf, cnt, 1, stdout) != 1) { fprintf(stderr, "img_cat: Error writing to stdout: %s", strerror(errno)); tsk_img_close(img); exit(1); } } tsk_img_close(img); exit(0); }
void deallocate_image(struct tsk4r_img_wrapper * ptr){ TSK_IMG_INFO *image = ptr->image; tsk_img_close(image); xfree(ptr); }
// Find the filename of the specified harddisk byte offset // // \param imgname path of target image // \param haddr_img_offset the target harddisk byte address // // Return NULL if error, otherwise a UT_array of filename UT_array* tsk_get_filename_by_haddr(const char* imgname, uint64_t haddr_img_offset) { TSK_IMG_INFO *img; TSK_VS_INFO *vs; TSK_FS_INFO *fs; uint8_t id_used = 0, type_used = 0; TSK_DADDR_T partition_offset = 0; TSK_DADDR_T block_img_offset = 0; TSK_DADDR_T part_byte_offset = 0; TSK_DADDR_T part_block_offset = 0; MBA_IFIND_DATA_DATA* ifind_data; TSK_IMG_TYPE_ENUM imgtype; MBA_FFIND_DATA* ffind_data; UT_array* ret = NULL; //open image imgtype = tsk_img_type_toid(QCOW_IMG_TYPE); img = tsk_img_open_sing(imgname, imgtype, 0); if(img == NULL) { printf("Image Open Failed!!\n"); return NULL; } if(haddr_img_offset >= img->size) { printf("Request haddr is larger than image size\n"); tsk_img_close(img); return NULL; } //open volume vs = tsk_vs_open(img, 0 , TSK_VS_TYPE_DETECT); if(vs==NULL) { printf("Volume Open Failed!!\n"); tsk_img_close(img); return NULL; } //calculate block address block_img_offset = haddr_img_offset/img->sector_size; //search the partition contain the target block partition_offset = search_partition(vs, block_img_offset); if(partition_offset == 0) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } //open the partition's file system fs = tsk_fs_open_img(img, partition_offset * img->sector_size, TSK_FS_TYPE_DETECT); if(fs==NULL) { printf("Cannot open file system\n"); tsk_img_close(img); tsk_vs_close(vs); return NULL; } //calculate offset to the current partition part_byte_offset = haddr_img_offset - (partition_offset * img->sector_size); part_block_offset = part_byte_offset/fs->block_size; //find the inode of this block ifind_data = fs_ifind_data(fs, (TSK_FS_IFIND_FLAG_ENUM) 0, part_block_offset); if(ifind_data == NULL) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } if(ifind_data->found!=1) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } //Find the inode's filename //Note: Do Not Know what to fill in variable type_used and id_used ffind_data = fs_ffind(fs, 0, ifind_data->curinode, ifind_data->curtype , type_used, ifind_data->curid , id_used, (TSK_FS_DIR_WALK_FLAG_RECURSE | TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC)); if(ffind_data==NULL){ printf("Cannot found fdata associate with inode\n"); tsk_img_close(img); tsk_vs_close(vs); return NULL; } //free data //reserve return data first ret = ffind_data->filenames; free(ifind_data); free(ffind_data); tsk_vs_close(vs); tsk_img_close(img); return ret; }
int main(int argc, char **argv1) { TSK_IMG_INFO *img; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; int ch; uint8_t type = 0; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:tvV"))) > 0) { switch (ch) { case _TSK_T('?'): default: TFPRINTF(stderr, _TSK_T("Invalid argument: %s\n"), argv[OPTIND]); usage(); case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('t'): type = 1; break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); } } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if (type) { const char *str = tsk_img_type_toname(img->itype); tsk_printf("%s\n", str); } else { img->imgstat(img, stdout); } tsk_img_close(img); exit(0); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; int ch; TSK_OFF_T imgaddr = 0; TSK_IMG_INFO *img; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) { switch (ch) { case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case 'v': tsk_verbose++; break; case 'V': tsk_version_print(stdout); exit(0); case '?': default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } /* open the image */ if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } /* process the partition tables */ if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); exit(1); } print_stats(vs); tsk_vs_close(vs); tsk_img_close(img); exit(0); }
static int test_ntfs_fe() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fe_test_1-NTFS"; char fname[512]; snprintf(fname, 512, "%s/fe_test_1.img", s_root); if ((img = tsk_img_open_sing((const TSK_TCHAR *)fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } if ((fs = tsk_fs_open_img(img, 32256, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); return 1; } // Verify the APIS get the same and that they are the expected type if (test_get_apis(fs, 35, 3)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_SI)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_FNAME)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 35, TSK_FS_ATTR_TYPE_NTFS_DATA)) { fprintf(stderr, "%s failure\n", tname); return 1; } if (test_get_apis(fs, 9, 7)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_SI)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_FNAME)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_DATA)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXROOT)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_IDXALLOC)) { fprintf(stderr, "%s failure\n", tname); return 1; } else if (test_get_type(fs, 9, TSK_FS_ATTR_TYPE_NTFS_BITMAP)) { fprintf(stderr, "%s failure\n", tname); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }
/* This test checks the SLACK flags and verifies * that we read data from the slack space */ int test_fat_slack() { TSK_FS_INFO *fs; TSK_IMG_INFO *img; const char *tname = "fat-img-kw"; char fname[512]; TSK_FS_FILE *file1; char buf[512]; ssize_t retval; snprintf(fname, 512, "%s/fat-img-kw.dd", s_root); if ((img = tsk_img_open_sing(fname, (TSK_IMG_TYPE_ENUM) 0, 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } if ((fs = tsk_fs_open_img(img, 0, (TSK_FS_TYPE_ENUM) 0)) == NULL) { fprintf(stderr, "Error opening %s image\n", tname); tsk_error_print(stderr); tsk_error_reset(); return 1; } // file4.dat file1 = tsk_fs_file_open_meta(fs, NULL, 10); if (file1 == NULL) { fprintf(stderr, "Error opening file4.dat (%s)\n", tname); return 1; } // verify expected size if (file1->meta->size != 631) { fprintf(stderr, "Error: file4.dat not expected size (%" PRIuOFF ") (%s)\n", file1->meta->size, tname); return 1; } // try to read all of last sector with/out Slack set retval = tsk_fs_file_read(file1, 512, buf, 512, (TSK_FS_FILE_READ_FLAG_ENUM) 0); if (retval == -1) { fprintf(stderr, "Error reading file4.dat to end w/out slack flag\n"); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 119) { fprintf(stderr, "Unexpected return value from reading file4.dat to end w/out slack flag.\n"); fprintf(stderr, "Expected: 119. Got: %zd\n", retval); return 1; } retval = tsk_fs_file_read(file1, 512, buf, 512, TSK_FS_FILE_READ_FLAG_SLACK); if (retval == -1) { fprintf(stderr, "Error reading file4.dat to end w/slack flag\n"); tsk_error_print(stderr); tsk_error_reset(); return 1; } if (retval != 512) { fprintf(stderr, "Unexpected return value from reading file4.dat w/slack flag.\n"); fprintf(stderr, "Expected: 512. Got: %zd\n", retval); return 1; } // verify the term in the slack space if (memcmp("3slack3", &buf[385], 7) != 0) { fprintf(stderr, "slack string not found in file4.dat slack space: %x %x %x %x %x %x %x\n", buf[385], buf[386], buf[387], buf[388], buf[389], buf[390], buf[391]); return 1; } tsk_fs_close(fs); tsk_img_close(img); return 0; }