Sleuth Kit中文使用教程C++ Volume System Classes
TskVsInfo類參考
Public Member Functions
close
void TskVsInfo::close()
inline
Closes an open volume system.
See for tsk_vs_close() details.
References tsk_vs_close().getBlockSize
unsigned int TskVsInfo::getBlockSize() const
Return size of volume system blocks in bytes.
Returns
size of a block in bytes
References TSK_VS_INFO::block_size.getImgInfo
const TskImgInfo* TskVsInfo::getImgInfo ( ) const
Get a reference to the parent image object.
Returns
Pointer to object or NULL on error. Caller is responsible for freeing object.
References TSK_VS_INFO::img_info.getOffset
const TskImgInfo* TskVsInfo::getImgInfo ( ) const
Get a reference to the parent image object.
Returns
Pointer to object or NULL on error. Caller is responsible for freeing object.
References TSK_VS_INFO::img_infogetPart
const TskVsPartInfo* TskVsInfo::getPart ( TSK_PNUM_T a_idx) const
Get reference to a volume in the volume system.
See tsk_vs_part_get() for details.
Parameters
a_idx Index for volume to return (0-based)
Returns
Pointer to partition or NULL on error. Caller is responsible for freeing object.
References tsk_vs_part_get().getPartCount
TSK_PNUM_T TskVsInfo::getPartCount()const
inline
Return number of partitions.
Returns
number of partitions
References TSK_VS_INFO::part_count.getVsType
TSK_VS_TYPE_ENUM TskVsInfo::getVsType()const
inline
Return type of volume system / media management.
Returns
type of volume system / media management
References TSK_VS_INFO::vstype.open
uint8_t TskVsInfo::open(TskImgInfo * a_imgInfo,TSK_DADDR_T a_offset,TSK_VS_TYPE_ENUM a_type
)
Open a disk image and process the media management system data.
See tsk_vs_open() for details.
Parameters
a_imgInfo The opened disk image.
a_offset Byte offset in the disk image to start analyzing from.
a_type Type of volume system (including auto detect)
Returns
1 on error and 0 on success.
References tsk_vs_open().readBlock
ssize_t TskVsInfo::readBlock (TSK_DADDR_T a_addr,char * a_buf,size_t a_len)
Reads one or more blocks of data with an address relative to the start of the volume system.
See tsk_vs_read_block() for details.
Parameters
a_addr Sector address to read from, relative to start of VOLUME SYSTEM.
a_buf Buffer to store data in
a_len Amount of data to read (in bytes - must be a multiple of block_size)
Returns
Number of bytes read or -1 on error
References tsk_vs_read_block().vsPartWalk
uint8_t TskVsInfo::vsPartWalk ( TSK_PNUM_T a_start,TSK_PNUM_T a_last,TSK_VS_PART_FLAG_ENUM a_flags,TSK_VS_PART_WALK_CPP_CB a_action,void * a_ptr)
Walk a range of partitions and pass the data to a callback function.
See tsk_vs_part_walk() for details.
Parameters
a_start Address of first partition to walk from.
a_last Address of last partition to walk to.
a_flags Flags that are used to identify which of the partitions in the range should be returned (if 0, all partitions will be returned).
a_action Callback action to call for each partition.
a_ptr Pointer to data that will be passed to callback.
Returns
1 on error and 0 on success
References tsk_vs_part_walk().
Static Public Member Functions
typePrint
static void TskVsInfo::typePrint(FILE * a_hFile )
Print the supported volume system type names to an open handle.
See tsk_vs_type_print() for details.
Parameters
a_hFile Handle to print to.
References tsk_vs_type_print().typeSupported
static TSK_VS_TYPE_ENUM TskVsInfo::typeSupported ( )
inlinestatic
Return the supported volume system types.
See tsk_vs_type_supported() for details.
Returns
The bit in the return value is 1 if the type is supported.
References tsk_vs_type_supported().typeToDesc
static const char* TskVsInfo::typeToDesc ( TSK_VS_TYPE_ENUM a_type )
inlinestatic
Return the string description of a partition type ID.
See tsk_vs_type_todesc() for details.
Parameters
a_type Volume system type
Returns
description of type or NULL on error
References tsk_vs_type_todesc().typeToId
static TSK_VS_TYPE_ENUM TskVsInfo::typeToId (const TSK_TCHAR *a_str* )
Parse a string with the volume system type and return its internal ID.
See tsk_vs_type_toid().
Parameters
a_str String to parse.
Returns
ID of string (or unsupported if the name is unknown)
References tsk_vs_type_toid().typeToName
static const char* TskVsInfo::typeToName(TSK_VS_TYPE_ENUM *a_type*)
Return the string name of a partition type ID.
See tsk_vs_type_toname() for details.
Parameters
a_type Volume system type
Returns
name of type or NULL on error
References tsk_vs_type_toname().TskVsPartInfo類參考
Public Member Functions
getAddr
TSK_PNUM_T TskVsPartInfo::getAddr ( ) const
Return address of this partition.
Returns
address of this partition
References TSK_VS_PART_INFO::addr.
getDesc
const char* TskVsPartInfo::getDesc ( ) const
inline
Return UTF-8 description of partition (volume system type-specific)
Returns
description of partition
References TSK_VS_PART_INFO::desc.getFlags
TSK_VS_PART_FLAG_ENUM TskVsPartInfo::getFlags ( ) const
inline
Return flags for partition.
Returns
flags for partition
References TSK_VS_PART_INFO::flags.vgetLen
TSK_DADDR_T TskVsPartInfo::getLen ( ) const
inline
Return number of sectors in partition.
Returns
number of sectors in partition
References TSK_VS_PART_INFO::len.getSlotNum
int8_t TskVsPartInfo::getSlotNum ( ) const
inline
Return entry in the table that describes this partition.
Returns
entry in the table that describes this partition
References TSK_VS_PART_INFO::slot_num.getStart
TSK_DADDR_T TskVsPartInfo::getStart ( ) const
inline
Return sector offset of start of partition.
Returns
sector offset of start of partition
References TSK_VS_PART_INFO::start.getTableNum
8_t TskVsPartInfo::getTableNum ( ) const
inline
Return table address that describes this partition.
Returns
table address that describes this partition
References TSK_VS_PART_INFO::table_num.read
ssize_t TskVsPartInfo::read ( TSK_OFF_T a_off,
char * a_buf,
size_t a_len
)
inline
Reads data starting at a byte address relative to the start of a VOLUME in a volume system.
See tsk_vs_part_read() for details.
Parameters
a_off Byte offset to read from, relative to start of VOLUME in volume system.
a_buf Buffer to store data in
a_len Amount of data to read (in bytes)
Returns
Number of bytes read or -1 on error
References tsk_vs_part_read().readBlock
ssize_t TskVsPartInfo::readBlock ( TSK_DADDR_T a_addr,
char * a_buf,
size_t a_len
)
inline
Reads one or more blocks of data with an address relative to the start of a VOLUME in a volume system.
See tsk_vs_part_read_block() for details.
Parameters
a_addr Block address to start reading from, relative to start of VOLUME in volume system.
a_buf Buffer to store data in
a_len Amount of data to read (in bytes - must be a multiple of block_size)
Returns
Number of bytes read or -1 on error
References tsk_vs_part_read_block().TskVsPartInfo
TskVsPartInfo::TskVsPartInfo ( TSK_VS_PART_INFO * a_vsPartInfo )
inline
Create an object from its C struct.
Parameters
a_vsPartInfo Pointer to C struct for partition. If NULL, the remaining getX() methods will be undefined.
推薦文章: