/** * Process the data as a volume system to find the partitions * and volumes. * File system analysis will be performed on each partition. * * @param img Image file information structure for data to analyze * @param start Byte offset to start analyzing from. * * @return 1 on error and 0 on success */ static uint8_t proc_vs(TSK_IMG_INFO * img_info, TSK_OFF_T start) { TSK_VS_INFO *vs_info; // USE mm_walk to get the volumes if ((vs_info = tsk_vs_open(img_info, start, TSK_VS_TYPE_DETECT)) == NULL) { if (tsk_verbose) fprintf(stderr, "Error determining volume system -- trying file systems\n"); /* There was no volume system, but there could be a file system */ tsk_error_reset(); if (proc_fs(img_info, start)) { return 1; } } else { fprintf(stderr, "Volume system open, examining each\n"); /* Walk the allocated volumes (skip metadata and unallocated volumes) */ if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1, (TSK_VS_PART_FLAG_ENUM) (TSK_VS_PART_FLAG_ALLOC), vs_act, NULL)) { tsk_vs_close(vs_info); return 1; } tsk_vs_close(vs_info); } return 0; }
// Find all the harddisk address corresponding to target file // // \param img_path path of target image // \param file_path the target filename // // Return NULL if error, otherwise a UT_array of (start, end) tuple will returned, where start and end are the harddisk byte addrsesses UT_array* tsk_find_haddr_by_filename(const char* img_path, const char* file_path) { TSK_IMG_TYPE_ENUM img_type ; TSK_IMG_INFO *img; TSK_VS_INFO *vs; find_file_data data; UT_array* ret = NULL; img_type = tsk_img_type_toid(QCOW_IMG_TYPE); //XXX([email protected]):need error handling. img = tsk_img_open_sing(img_path, img_type, 0); if(img == NULL) { printf("Image Open Failed!!\n"); return NULL; } vs = tsk_vs_open(img, 0, TSK_VS_TYPE_DETECT); if(vs==NULL) { printf("Volume Open Failed!!\n"); tsk_img_close(img); return NULL; } data.file_found = 0; data.full_path = file_path; utarray_new(data.offsets_in_disk, &ut_tsk_daddr_tuple_icd); tsk_vs_part_walk( vs, // the volume system 0, // start from first partiton vs->part_count - 1, // walk to last partiton TSK_VS_PART_FLAG_ALLOC, // traverse all allocated partiton find_file_in_partiton, // action for each partition &data // argument for action ); if (data.file_found) { ret = data.offsets_in_disk; } else { tsk_vs_close(vs); tsk_img_close(img); return NULL; } tsk_vs_close(vs); tsk_img_close(img); return ret; }
/** * Starts in a specified byte offset of the opened disk images and looks for a * volume system or file system. Will call processFile() on each file * that is found. * @param a_start Byte offset to start analyzing from. * @param a_vtype Volume system type to analyze * @return 1 on error, 0 on success */ uint8_t TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype) { if (!m_img_info) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN); tsk_error_set_errstr("findFilesInVs\n"); return 1; } TSK_VS_INFO *vs_info; // USE mm_walk to get the volumes if ((vs_info = tsk_vs_open(m_img_info, a_start, a_vtype)) == NULL) { char msg[1024]; snprintf(msg, 1024, "Unable to open volume system at offset %" PRIuOFF " (%s)", a_start, tsk_error_get()); if (tsk_verbose) fprintf(stderr, "%s\n", msg); handleNotification(msg); /* There was no volume system, but there could be a file system */ tsk_error_reset(); if (findFilesInFs(a_start)) { return 1; } } else { TSK_FILTER_ENUM retval = filterVs(vs_info); if (retval == TSK_FILTER_STOP) return TSK_STOP; else if (retval == TSK_FILTER_SKIP) return TSK_OK; /* Walk the allocated volumes (skip metadata and unallocated volumes) */ if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1, m_volFilterFlags, vsWalkCb, this)) { tsk_vs_close(vs_info); return 1; } tsk_vs_close(vs_info); } return 0; }
/** * Starts in a specified byte offset of the opened disk images and looks for a * volume system or file system. Will call processFile() on each file * that is found. * @param a_start Byte offset to start analyzing from. * @param a_vtype Volume system type to analyze * @return 1 if an error occured (messages will have been registered) and 0 on success */ uint8_t TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype) { if (!m_img_info) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN); tsk_error_set_errstr("findFilesInVs -- img_info"); registerError(); return 1; } TSK_VS_INFO *vs_info; // USE mm_walk to get the volumes if ((vs_info = tsk_vs_open(m_img_info, a_start, a_vtype)) == NULL) { /* we're going to ignore this error to avoid confusion if the * fs_open passes. */ tsk_error_reset(); if(tsk_verbose) fprintf(stderr, "findFilesInVs: Error opening volume system, trying as a file system\n"); /* There was no volume system, but there could be a file system * Errors will have been registered */ findFilesInFs(a_start); } // process the volume system else { TSK_FILTER_ENUM retval = filterVs(vs_info); if ((retval == TSK_FILTER_STOP) || (retval == TSK_FILTER_SKIP)|| (m_stopAllProcessing)) return m_errors.empty() ? 0 : 1; /* Walk the allocated volumes (skip metadata and unallocated volumes) */ if (tsk_vs_part_walk(vs_info, 0, vs_info->part_count - 1, m_volFilterFlags, vsWalkCb, this)) { registerError(); tsk_vs_close(vs_info); return 1; } tsk_vs_close(vs_info); } return m_errors.empty() ? 0 : 1; }
/** * Process the data as a volume system to find the partitions * and volumes. * File system analysis will be performed on each partition. * * @param img Image file information structure for data to analyze * @param start Byte offset to start analyzing from. * * @return 1 on error and 0 on success */ static uint8_t proc_vs(TSK_IMG_INFO * img_info, TSK_OFF_T start) { TSK_VS_INFO *vs_info; // Open the volume system if ((vs_info = tsk_vs_open(img_info, start, TSK_VS_TYPE_DETECT)) == NULL) { if (tsk_verbose) fprintf(stderr, "Error determining volume system -- trying file systems\n"); /* There was no volume system, but there could be a file system */ tsk_error_reset(); if (proc_fs(img_info, start)) { return 1; } } else { fprintf(stderr, "Volume system open, examining each\n"); // cycle through the partitions for (TSK_PNUM_T i = 0; i < vs_info->part_count; i++) { const TSK_VS_PART_INFO *vs_part; if ((vs_part = tsk_vs_part_get(vs_info, i)) == NULL) { fprintf(stderr, "Error getting volume %" PRIuPNUM "\n", i); continue; } // ignore the metadata partitions if (vs_part->flags & TSK_VS_PART_FLAG_META) continue; // could do something with unallocated volumes else if (vs_part->flags & TSK_VS_PART_FLAG_UNALLOC) { } else { if (proc_fs(img_info, vs_part->start * vs_info->block_size)) { // We could do more fancy error checking here to see the cause // of the error or consider the allocation status of the volume... tsk_error_reset(); } } } tsk_vs_close(vs_info); } return 0; }
VolumeSystem::~VolumeSystem() { tsk_vs_close(VolInfo); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; int ch; TSK_OFF_T imgaddr = 0; TSK_IMG_INFO *img; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) { switch (ch) { case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case 'v': tsk_verbose++; break; case 'V': tsk_version_print(stdout); exit(0); case '?': default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } /* open the image */ if ((img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } /* process the partition tables */ if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); exit(1); } print_stats(vs); tsk_vs_close(vs); tsk_img_close(img); exit(0); }
// Find the filename of the specified harddisk byte offset // // \param imgname path of target image // \param haddr_img_offset the target harddisk byte address // // Return NULL if error, otherwise a UT_array of filename UT_array* tsk_get_filename_by_haddr(const char* imgname, uint64_t haddr_img_offset) { TSK_IMG_INFO *img; TSK_VS_INFO *vs; TSK_FS_INFO *fs; uint8_t id_used = 0, type_used = 0; TSK_DADDR_T partition_offset = 0; TSK_DADDR_T block_img_offset = 0; TSK_DADDR_T part_byte_offset = 0; TSK_DADDR_T part_block_offset = 0; MBA_IFIND_DATA_DATA* ifind_data; TSK_IMG_TYPE_ENUM imgtype; MBA_FFIND_DATA* ffind_data; UT_array* ret = NULL; //open image imgtype = tsk_img_type_toid(QCOW_IMG_TYPE); img = tsk_img_open_sing(imgname, imgtype, 0); if(img == NULL) { printf("Image Open Failed!!\n"); return NULL; } if(haddr_img_offset >= img->size) { printf("Request haddr is larger than image size\n"); tsk_img_close(img); return NULL; } //open volume vs = tsk_vs_open(img, 0 , TSK_VS_TYPE_DETECT); if(vs==NULL) { printf("Volume Open Failed!!\n"); tsk_img_close(img); return NULL; } //calculate block address block_img_offset = haddr_img_offset/img->sector_size; //search the partition contain the target block partition_offset = search_partition(vs, block_img_offset); if(partition_offset == 0) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } //open the partition's file system fs = tsk_fs_open_img(img, partition_offset * img->sector_size, TSK_FS_TYPE_DETECT); if(fs==NULL) { printf("Cannot open file system\n"); tsk_img_close(img); tsk_vs_close(vs); return NULL; } //calculate offset to the current partition part_byte_offset = haddr_img_offset - (partition_offset * img->sector_size); part_block_offset = part_byte_offset/fs->block_size; //find the inode of this block ifind_data = fs_ifind_data(fs, (TSK_FS_IFIND_FLAG_ENUM) 0, part_block_offset); if(ifind_data == NULL) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } if(ifind_data->found!=1) { tsk_img_close(img); tsk_vs_close(vs); return NULL; } //Find the inode's filename //Note: Do Not Know what to fill in variable type_used and id_used ffind_data = fs_ffind(fs, 0, ifind_data->curinode, ifind_data->curtype , type_used, ifind_data->curid , id_used, (TSK_FS_DIR_WALK_FLAG_RECURSE | TSK_FS_DIR_WALK_FLAG_ALLOC | TSK_FS_DIR_WALK_FLAG_UNALLOC)); if(ffind_data==NULL){ printf("Cannot found fdata associate with inode\n"); tsk_img_close(img); tsk_vs_close(vs); return NULL; } //free data //reserve return data first ret = ffind_data->filenames; free(ifind_data); free(ffind_data); tsk_vs_close(vs); tsk_img_close(img); return ret; }
/* * Close the given volume system * @param env pointer to java environment this was called from * @param obj the java object this was called from * @param a_vs_info the pointer to the volume system object */ JNIEXPORT void JNICALL Java_org_sleuthkit_datamodel_SleuthkitJNI_closeVsNat (JNIEnv * env, jclass obj, jlong a_vs_info) { TSK_VS_INFO *vs_info = castVsInfo(env, a_vs_info); tsk_vs_close(vs_info); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; int ch; TSK_OFF_T imgaddr = 0; int flags = 0; TSK_IMG_INFO *img; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; uint8_t hide_meta = 0; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("aAb:Bi:mMo:rt:vV"))) > 0) { switch (ch) { case _TSK_T('a'): flags |= TSK_VS_PART_FLAG_ALLOC; break; case _TSK_T('A'): flags |= TSK_VS_PART_FLAG_UNALLOC; break; case _TSK_T('B'): print_bytes = 1; break; case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('m'): flags |= (TSK_VS_PART_FLAG_META); break; case _TSK_T('M'): // we'll set this after all flags have been set hide_meta = 1; break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('r'): recurse = 1; break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case _TSK_T('v'): tsk_verbose++; break; case _TSK_T('V'): tsk_version_print(stdout); exit(0); case _TSK_T('?'): default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } // if they want to hide metadata volumes, set that now if (hide_meta) { if (flags == 0) flags = (TSK_VS_PART_FLAG_ALLOC | TSK_VS_PART_FLAG_UNALLOC); else flags &= ~TSK_VS_PART_FLAG_META; } else if (flags == 0) { flags = TSK_VS_PART_FLAG_ALL; } /* We need at least one more argument */ if (OPTIND >= argc) { tsk_fprintf(stderr, "Missing image name\n"); usage(); } /* open the image */ img = tsk_img_open(argc - OPTIND, &argv[OPTIND], imgtype, ssize); if (img == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } /* process the partition tables */ vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype); if (vs == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); tsk_img_close(img); exit(1); } print_header(vs); if (tsk_vs_part_walk(vs, 0, vs->part_count - 1, (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) { tsk_error_print(stderr); tsk_vs_close(vs); tsk_img_close(img); exit(1); } tsk_vs_close(vs); if ((recurse) && (vs->vstype == TSK_VS_TYPE_DOS)) { int i; /* disable recursing incase we hit another DOS partition * future versions may support more layers */ recurse = 0; for (i = 0; i < recurse_cnt; i++) { vs = tsk_vs_open(img, recurse_list[i], TSK_VS_TYPE_DETECT); if (vs != NULL) { tsk_printf("\n\n"); print_header(vs); if (tsk_vs_part_walk(vs, 0, vs->part_count - 1, (TSK_VS_PART_FLAG_ENUM) flags, part_act, NULL)) { tsk_error_reset(); } tsk_vs_close(vs); } else { /* Ignore error in this case and reset */ tsk_error_reset(); } } } tsk_img_close(img); exit(0); }
int main(int argc, char **argv1) { TSK_VS_INFO *vs; TSK_IMG_TYPE_ENUM imgtype = TSK_IMG_TYPE_DETECT; TSK_VS_TYPE_ENUM vstype = TSK_VS_TYPE_DETECT; int ch; TSK_OFF_T imgaddr = 0; TSK_IMG_INFO *img; TSK_PNUM_T pnum; TSK_DADDR_T addr; const TSK_VS_PART_INFO *vs_part; char *buf; TSK_TCHAR **argv; unsigned int ssize = 0; TSK_TCHAR *cp; #ifdef TSK_WIN32 // On Windows, get the wide arguments (mingw doesn't support wmain) argv = CommandLineToArgvW(GetCommandLineW(), &argc); if (argv == NULL) { fprintf(stderr, "Error getting wide arguments\n"); exit(1); } #else argv = (TSK_TCHAR **) argv1; #endif progname = argv[0]; while ((ch = GETOPT(argc, argv, _TSK_T("b:i:o:t:vV"))) > 0) { switch (ch) { case _TSK_T('b'): ssize = (unsigned int) TSTRTOUL(OPTARG, &cp, 0); if (*cp || *cp == *OPTARG || ssize < 1) { TFPRINTF(stderr, _TSK_T ("invalid argument: sector size must be positive: %s\n"), OPTARG); usage(); } break; case _TSK_T('i'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_img_type_print(stderr); exit(1); } imgtype = tsk_img_type_toid(OPTARG); if (imgtype == TSK_IMG_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported image type: %s\n"), OPTARG); usage(); } break; case _TSK_T('o'): if ((imgaddr = tsk_parse_offset(OPTARG)) == -1) { tsk_error_print(stderr); exit(1); } break; case _TSK_T('t'): if (TSTRCMP(OPTARG, _TSK_T("list")) == 0) { tsk_vs_type_print(stderr); exit(1); } vstype = tsk_vs_type_toid(OPTARG); if (vstype == TSK_VS_TYPE_UNSUPP) { TFPRINTF(stderr, _TSK_T("Unsupported volume system type: %s\n"), OPTARG); usage(); } break; case 'v': tsk_verbose++; break; case 'V': tsk_version_print(stdout); exit(0); case '?': default: tsk_fprintf(stderr, "Unknown argument\n"); usage(); } } /* We need at least two more arguments */ if (OPTIND + 1 >= argc) { tsk_fprintf(stderr, "Missing image name and/or partition number\n"); usage(); } /* open the image */ if ((img = tsk_img_open(argc - OPTIND - 1, &argv[OPTIND], imgtype, ssize)) == NULL) { tsk_error_print(stderr); exit(1); } if ((imgaddr * img->sector_size) >= img->size) { tsk_fprintf(stderr, "Sector offset supplied is larger than disk image (maximum: %" PRIu64 ")\n", img->size / img->sector_size); exit(1); } if (tsk_parse_pnum(argv[argc - 1], &pnum)) { tsk_error_print(stderr); exit(1); } /* process the partition tables */ if ((vs = tsk_vs_open(img, imgaddr * img->sector_size, vstype)) == NULL) { tsk_error_print(stderr); if (tsk_error_get_errno() == TSK_ERR_VS_UNSUPTYPE) tsk_vs_type_print(stderr); exit(1); } if (pnum >= vs->part_count) { tsk_fprintf(stderr, "Partition address is too large (maximum: %" PRIuPNUM ")\n", vs->part_count); exit(1); } vs_part = tsk_vs_part_get(vs, pnum); if (vs_part == NULL) { tsk_fprintf(stderr, "Error looking up partition\n"); exit(1); } buf = (char *) malloc(vs->block_size); if (buf == NULL) { tsk_error_print(stderr); exit(1); } #ifdef TSK_WIN32 char strerror_buffer[1024]; if (-1 == _setmode(_fileno(stdout), _O_BINARY)) { tsk_error_reset(); tsk_error_set_errno(TSK_ERR_FS_WRITE); tsk_error_set_errstr( "mmcat: error setting stdout to binary: %s", strerror_s(strerror_buffer, 1024, errno)); return 1; } #endif for (addr = 0; addr < vs_part->len; addr++) { ssize_t retval; retval = tsk_vs_part_read_block(vs_part, addr, buf, vs->block_size); if (retval == -1) { tsk_error_print(stderr); exit(1); } if ((size_t) retval != fwrite(buf, 1, retval, stdout)) { tsk_fprintf(stderr, "Error writing data to stdout\n"); exit(1); } } tsk_vs_close(vs); tsk_img_close(img); exit(0); }