Sleuth Kit中文使用教程C Base TSK Library Functions
Functions
tsk_error_errstr2_concat
void tsk_error_errstr2_concat ( const char * format,
...
)
Concatenate a message onto the end of the errstr2.
Parameters
format
Referenced by fatfs_inode_walk(), and ntfs_open().tsk_error_get
const char* tsk_error_get ( )
Return the string with the current error message.
Return a human-readable form of tsk_error_get_errno.
The string does not end with a newline.
Returns
String with error message or NULL if there is no error
Referenced by TskError::get(), ntfs_open(), and tsk_error_print().tsk_error_get_errno
Return the current error number.
Returns
the current error number.
Referenced by TskAuto::registerError(), tsk_error_print(), and tsk_img_open().tsk_error_get_errstr
char* tsk_error_get_errstr ( )
Retrieve the current, basic error string.
Additional information is in errstr2. Use tsk_error_get() to get a fully formatted string.
Returns
the string. This is only valid until the next call to a tsk function.
Referenced by TskAuto::registerError().tsk_error_get_errstr2
char* tsk_error_get_errstr ( )
Retrieve the current, basic error string.
Additional information is in errstr2. Use tsk_error_get() to get a fully formatted string.
Returns
the string. This is only valid until the next call to a tsk function.
Referenced by TskAuto::registerError().tsk_error_print
void tsk_error_print ( FILE * hFile )
Print the current fully formed error message to a file.
Parameters
hFile File to print message to
References tsk_error_get(), tsk_error_get_errno(), and tsk_fprintf().
Referenced by fatfs_inode_walk(), fatfs_istat(), fatxxfs_dent_parse_buf(), TskError::print(), and tsk_fs_dir_get().tsk_error_set_errno
void tsk_error_set_errno ( uint32_t t_errno )
Set the current TSK error number.
Parameters
t_errno the error number.
Referenced by TskAutoDb::addFilesInImgToDb(), TskAutoDb::commitAddImage(), TskAuto::enableImageWriter(), encase_get_entry(), encase_make_index(), fatfs_inode_walk(), fatxxfs_dent_parse_buf(), TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), TskAuto::findFilesInImg(), TskAuto::findFilesInPool(), TskAuto::findFilesInVs(), TskDbSqlite::getFsInfos(), TskDbSqlite::getVsInfos(), TskDbSqlite::getVsPartInfos(), TskAuto::hasPool(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), hdb_binsrch_lookup_bin(), hdb_binsrch_lookup_str(), hk_getentry(), hk_makeindex(), idxonly_open(), md5sum_getentry(), md5sum_makeindex(), TskCaseDb::newDb(), nsrl_getentry(), nsrl_makeindex(), ntfs_dinode_lookup(), ntfs_open(), TskCaseDb::openDb(), TskAutoDb::revertAddImage(), TskAutoDb::startAddImage(), tsk_fs_attr_read(), tsk_fs_attr_walk(), tsk_fs_blkcat(), tsk_fs_block_get_flag(), tsk_fs_block_walk(), tsk_fs_dir_get(), tsk_fs_dir_get_name(), tsk_fs_dir_getsize(), tsk_fs_dir_open(), tsk_fs_dir_open_meta(), tsk_fs_dir_walk(), tsk_fs_file_attr_get_id(), tsk_fs_file_get_owner_sid(), tsk_fs_file_hash_calc(), tsk_fs_file_open(), tsk_fs_file_open_meta(), tsk_fs_file_read(), tsk_fs_file_read_type(), tsk_fs_file_walk(), tsk_fs_file_walk_type(), tsk_fs_ifind_path(), tsk_fs_open_img_decrypt(), tsk_fs_open_vol_decrypt(), tsk_fs_path2inum(), tsk_fs_read_block_decrypt(), tsk_fs_read_decrypt(), tsk_hdb_accepts_updates(), tsk_hdb_add_entry(), tsk_hdb_begin_transaction(), tsk_hdb_close(), tsk_hdb_commit_transaction(), tsk_hdb_create(), tsk_hdb_has_idx(), tsk_hdb_is_idx_only(), tsk_hdb_lookup_raw(), tsk_hdb_lookup_str(), tsk_hdb_make_index(), tsk_hdb_open(), tsk_hdb_rollback_transaction(), tsk_img_open(), tsk_img_open_external(), tsk_img_open_utf8(), tsk_img_read(), tsk_ntfs_usnjentry_walk(), tsk_ntfs_usnjopen(), tsk_parse_offset(), tsk_parse_pnum(), tsk_vs_open(), tsk_vs_part_get(), tsk_vs_part_read_block(), tsk_vs_part_walk(), and tsk_vs_read_block().tsk_error_set_errstr
void tsk_error_set_errstr ( const char * format,
...
)
Set the error string #1.
This should contain the basic message.
Parameters
format the printf-style format string
Referenced by TskAutoDb::addFilesInImgToDb(), TskAutoDb::commitAddImage(), TskAuto::enableImageWriter(), encase_get_entry(), encase_make_index(), fatfs_inode_walk(), fatxxfs_dent_parse_buf(), TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), TskAuto::findFilesInImg(), TskAuto::findFilesInPool(), TskAuto::findFilesInVs(), TskDbSqlite::getFsInfos(), TskDbSqlite::getVsInfos(), TskDbSqlite::getVsPartInfos(), TskAuto::hasPool(), hdb_binsrch_idx_finalize(), hdb_binsrch_idx_initialize(), hdb_binsrch_lookup_bin(), hdb_binsrch_lookup_str(), hk_getentry(), hk_makeindex(), idxonly_open(), md5sum_getentry(), md5sum_makeindex(), TskCaseDb::newDb(), nsrl_getentry(), nsrl_makeindex(), ntfs_dinode_lookup(), ntfs_open(), TskCaseDb::openDb(), TskAutoDb::revertAddImage(), TskAutoDb::startAddImage(), tsk_fs_attr_read(), tsk_fs_attr_walk(), tsk_fs_blkcat(), tsk_fs_block_get_flag(), tsk_fs_block_walk(), tsk_fs_dir_get(), tsk_fs_dir_get_name(), tsk_fs_dir_getsize(), tsk_fs_dir_open(), tsk_fs_dir_open_meta(), tsk_fs_dir_walk(), tsk_fs_file_attr_get_id(), tsk_fs_file_get_owner_sid(), tsk_fs_file_hash_calc(), tsk_fs_file_open(), tsk_fs_file_open_meta(), tsk_fs_file_read(), tsk_fs_file_read_type(), tsk_fs_file_walk(), tsk_fs_file_walk_type(), tsk_fs_ifind_path(), tsk_fs_open_img_decrypt(), tsk_fs_open_vol_decrypt(), tsk_fs_path2inum(), tsk_fs_read_block_decrypt(), tsk_fs_read_decrypt(), tsk_hdb_accepts_updates(), tsk_hdb_add_entry(), tsk_hdb_begin_transaction(), tsk_hdb_close(), tsk_hdb_commit_transaction(), tsk_hdb_create(), tsk_hdb_has_idx(), tsk_hdb_is_idx_only(), tsk_hdb_lookup_raw(), tsk_hdb_lookup_str(), tsk_hdb_make_index(), tsk_hdb_open(), tsk_hdb_rollback_transaction(), tsk_img_open(), tsk_img_open_external(), tsk_img_open_utf8(), tsk_img_read(), tsk_ntfs_usnjentry_walk(), tsk_ntfs_usnjopen(), tsk_parse_offset(), tsk_parse_pnum(), tsk_vs_open(), tsk_vs_part_get(), tsk_vs_part_read_block(), tsk_vs_part_walk(), and tsk_vs_read_block().tsk_error_set_errstr2
void tsk_error_set_errstr2 ( const char * format,
...
)
Set the error string #2.
This is called by methods who encounter the error, but did not set errno.
Parameters
format the printf-style format string
Referenced by encase_make_index(), fatfs_inode_walk(), TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), TskAuto::findFilesInPool(), hdb_binsrch_idx_finalize(), hdb_binsrch_lookup_str(), hk_makeindex(), md5sum_makeindex(), nsrl_getentry(), nsrl_makeindex(), ntfs_dinode_lookup(), ntfs_open(), TskAutoDb::startAddImage(), and tsk_fs_attr_read().tsk_error_vset_errstr
void tsk_error_vset_errstr ( const char * format,
va_list args
)
Set the error string.
Parameters
format the printf-style format string
args the printf-style argstsk_error_vset_errstr2
void tsk_error_vset_errstr2 ( const char * format,
va_list args
)
Set the error string.
Parameters
format the printf-style format string
args the printf-style format args
tsk_fprintf
void tsk_fprintf ( FILE * fd,
const char * msg,
...
)
fprintf wrapper function that takes UTF-8 strings as input (on all platforms) and does what is necessary to output strings in the correct encoding (UTF-8 on Unix and UTF-16 on Windows).
Parameters
fd File to print to
msg printf message
Referenced by TskAutoDb::commitAddImage(), fatfs_inode_walk(), fatfs_istat(), fatxxfs_dent_parse_buf(), fatxxfs_istat_attr_flags(), hdb_binsrch_idx_finalize(), ntfs_dinode_lookup(), ntfs_open(), TskAutoDb::processFile(), TskAutoDb::revertAddImage(), TskAutoDb::startAddImage(), TskAutoDb::stopAddImage(), tsk_error_print(), tsk_fs_file_walk(), tsk_fs_file_walk_type(), tsk_fs_open_img_decrypt(), tsk_fs_path2inum(), tsk_fs_type_print(), tsk_img_findFiles(), tsk_img_type_print(), tsk_ntfs_usnjopen(), tsk_print_sanitized(), tsk_version_print(), tsk_vs_open(), and tsk_vs_type_print().tsk_list_add
uint8_t tsk_list_add ( TSK_LIST ** a_tsk_list_head,
uint64_t a_key
)
Add an entry to a TSK_LIST (and create one if one does not exist)
Parameters
a_tsk_list_head Pointer to pointer for head of list (can point to NULL if no list exists).
a_key Value to add to list
Returns
1 on error
References TSK_LIST::key, TSK_LIST::len, and TSK_LIST::next.tsk_list_find
uint8_t tsk_list_find ( TSK_LIST * a_tsk_list_head,
uint64_t a_key
)
Search a TSK_LIST for the existence of a value.
Parameters
a_tsk_list_head Head of list to search
a_key Value to search for
Returns
1 if value is found and 0 if not
References TSK_LIST::key, TSK_LIST::len, and TSK_LIST::next.tsk_list_free
void tsk_list_free ( TSK_LIST * a_tsk_list_head )
Free a TSK_LIST.
Parameters
a_tsk_list_head Head of list to free
References TSK_LIST::next.
Referenced by tsk_fs_dir_walk().TSK_MD5_Fina
void TSK_MD5_Final ( unsigned char digest[16],
TSK_MD5_CTX * context
)
Calculate the MD5 hash of the data added to this context.
Context will be zeroed after this call.
Parameters
digest Buffer to store MD5 value in.
context Context that has data added to it.
References TSK_MD5_Update().
Referenced by tsk_fs_file_hash_calc().TSK_MD5_Init
void TSK_MD5_Init ( TSK_MD5_CTX * context )
Initialize a MD5 context structure so that data can be added to it.
Parameters
context Pointer to context to initialize
Referenced by tsk_fs_file_hash_calc().TSK_MD5_Update
void TSK_MD5_Update ( TSK_MD5_CTX * context,
unsigned char * input,
unsigned int inputLen
)
Add data to an initialized MD5 operation.
Parameters
context Initialized context to add data to
input Buffer of data to process
inputLen Number of bytes in input
Referenced by tsk_fs_file_hash_calc_callback(), and TSK_MD5_Final().tsk_parse_offset
TSK_OFF_T tsk_parse_offset ( const TSK_TCHAR * a_offset_str )
Parse a TSK_TCHAR block address string.
Note that the cnt@size format is no longer supported. Set the device sector size in img_open to set the block size.
Parameters
[in] a_offset_str The string version of the offset
Returns
-1 on error or block offset on success
References PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().tsk_parse_pnum
int tsk_parse_pnum ( const TSK_TCHAR * a_pnum_str,
TSK_PNUM_T * a_pnum
)
Parse a TSK_TCHAR string of a partition byte offset and the integer version of it.
Parameters
[in] a_pnum_str The string version of the address
[out] a_pnum The parsed integer version of the address
Returns
1 on error and 0 on success
References PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().tsk_print_sanitized
int tsk_print_sanitized ( FILE * fd,
const char * str
)
Prints the string removing control characters.
Parameters
fd File to print to
str string to be printed
Returns
0 on success and 1 on error
References tsk_fprintf().
tsk_printf
void tsk_printf ( const char * msg,
...
)
printf wrapper function that takes UTF-8 strings as input (on all platforms) and does what is necessary to output strings in the correct encoding (UTF-8 on Unix and UTF-16 on Windows).
Parameters
msg printf message
Referenced by tsk_fs_blkcat().TSK_SHA_Final
void TSK_SHA_Final ( BYTE output[SHS_DIGESTSIZE],
TSK_SHA_CTX * shsInfo
)
Calculate the hash of the data added to the context.
Parameters
output Buffer to store hash value
shsInfo Context that has data added to it.
Referenced by tsk_fs_file_hash_calc().TSK_SHA_Init
Initialize a SHA-1 context so that data can be added to it.
Parameters
shsInfo Pointer to context structure to initialize
Referenced by tsk_fs_file_hash_calc().TSK_SHA_Update
void TSK_SHA_Update ( TSK_SHA_CTX * shsInfo,
BYTE * buffer,
int count
)
Add data to an initialized SHA-1 context.
Parameters
shsInfo Context to add data to
buffer Data to process
count Number of bytes in buffer
Referenced by tsk_fs_file_hash_calc_callback().tsk_stack_create
TSK_STACK* tsk_stack_create ( )
Create a TSK_STACK structure.
Returns
Pointer to structure or NULL on error
References TSK_STACK::len, TSK_STACK::top, and TSK_STACK::vals.
Referenced by tsk_fs_dir_walk().tsk_stack_find
uint8_t tsk_stack_find ( TSK_STACK * a_tsk_stack,
uint64_t a_val
)
Search a TSK_STACK for a given value.
Parameters
a_tsk_stack Stack to search
a_val Value to search for
Returns
1 if found and 0 if not
References TSK_STACK::top, and TSK_STACK::vals.tsk_stack_free
void tsk_stack_free ( TSK_STACK * a_tsk_stack )
Free an allocated TSK_STACK structure.
Parameters
a_tsk_stack Stack to free
References TSK_STACK::vals.
Referenced by tsk_fs_dir_walk().tsk_stack_pop
void tsk_stack_pop ( TSK_STACK * a_tsk_stack )
Pop a value from the top of the stack.
Parameters
a_tsk_stack Stack to pop from
References TSK_STACK::top.tsk_stack_push
uint8_t tsk_stack_push ( TSK_STACK * a_tsk_stack,
uint64_t a_val
)
Push a value to the top of TSK_STACK.
Parameters
a_tsk_stack Pointer to stack to push onto
a_val Value to push on
Returns
1 on error
References TSK_STACK::len, TSK_STACK::top, and TSK_STACK::vals.tsk_UTF16toUTF8
TSKConversionResult tsk_UTF16toUTF8 ( TSK_ENDIAN_ENUM endian,
const UTF16 ** sourceStart,
const UTF16 * sourceEnd,
UTF8 ** targetStart,
UTF8 * targetEnd,
TSKConversionFlags flags
)
Convert a UTF-16 string to UTF-8.
Parameters
endian Endian ordering flag of UTF-16 text
sourceStart Pointer to pointer to start of UTF-16 string. Will be updated to last char processed.
sourceEnd Pointer to one entry past end of UTF-16 string
targetStart Pointer to pointer to place where UTF-8 string should be written. Will be updated to next place to write to.
targetEnd Pointer to end of UTF-8 buffer
flags Flags used during conversion
Returns
error code
References TSKconversionOK, TSKsourceExhausted, TSKsourceIllegal, TSKstrictConversion, and TSKtargetExhausted.
Referenced by fatxxfs_dent_parse_buf().tsk_UTF16toUTF8_lclorder
TSKConversionResult tsk_UTF16toUTF8_lclorder ( const UTF16 ** sourceStart,
const UTF16 * sourceEnd,
UTF8 ** targetStart,
UTF8 * targetEnd,
TSKConversionFlags flags
)
Convert a UTF-16 string in local endian ordering to UTF-8.
Parameters
sourceStart Pointer to pointer to start of UTF-16 string. Will be updated to last char processed.
sourceEnd Pointer to one entry past end of UTF-16 string
targetStart Pointer to pointer to place where UTF-8 string should be written. Will be updated to next place to write to.
targetEnd Pointer to end of UTF-8 buffer
flags Flags used during conversion
Returns
error code
References TSKconversionOK, TSKsourceExhausted, TSKsourceIllegal, TSKstrictConversion, and TSKtargetExhausted.
Referenced by tsk_fs_ifind_path().tsk_UTF8toUTF16
TSKConversionResult tsk_UTF8toUTF16 ( const UTF8 ** sourceStart,
const UTF8 * sourceEnd,
UTF16 ** targetStart,
UTF16 * targetEnd,
TSKConversionFlags flags
)
Convert a UTF-8 string to UTF-16 (in local endian ordering).
Parameters
sourceStart Pointer to pointer to start of UTF-8 string. Will be updated to last char processed.
sourceEnd Pointer to one entry past end of UTF-8 string
targetStart Pointer to pointer to place where UTF-16 string should be written. Will be updated to next place to write to.
targetEnd Pointer to end of UTF-16 buffer
flags Flags used during conversion
Returns
error code
References TSKconversionOK, TSKsourceExhausted, TSKsourceIllegal, TSKstrictConversion, and TSKtargetExhausted.
Referenced by TskAuto::enableImageWriter(), and tsk_img_open_utf8().tsk_version_get_str
const char* tsk_version_get_str ( )
Return the library version as a string.
Returns
String version of version (1.00 for example)
References TSK_VERSION_STR.tsk_version_print
void tsk_version_print ( FILE * hFile )
Print the library name and version to a handle (such as "The Sleuth Kit ver 1.00").
Parameters
hFile Handle to print to
References tsk_fprintf(), and TSK_VERSION_STR.