C File System Functions
Functions
tsk_fs_attr_read
ssize_t tsk_fs_attr_read ( const TSK_FS_ATTR * a_fs_attr,
TSK_OFF_T a_offset,
char * a_buf,
size_t a_len,
TSK_FS_FILE_READ_FLAG_ENUM a_flags
)
Read the contents of a given attribute using a typical read() type interface.
0s are returned for missing runs.
Parameters
a_fs_attr The attribute to read.
a_offset The byte offset to start reading from.
a_buf The buffer to read the data into.
a_len The number of bytes to read from the file.
a_flags Flags to use while reading
Returns
The number of bytes read or -1 on error (incl if offset is past end of file).
References TSK_FS_ATTR_RUN::addr, TSK_FS_ATTR::allocsize, TSK_FS_INFO::block_size, TSK_FS_ATTR::buf, TSK_FS_ATTR_RUN::crypto_id, TSK_FS_ATTR_RUN::flags, TSK_FS_ATTR::flags, TSK_FS_ATTR::fs_file, TSK_FS_FILE::fs_info, TSK_FS_ATTR::initsize, TSK_FS_ATTR_RUN::len, TSK_FS_FILE::meta, TSK_FS_ATTR_RUN::next, TSK_FS_ATTR::nrd, TSK_FS_ATTR_RUN::offset, PRIuSIZE, TSK_FS_ATTR::rd, TSK_FS_ATTR::run, TSK_FS_ATTR::size, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_FS_ATTR_COMP, TSK_FS_ATTR_NONRES, TSK_FS_ATTR_RES, TSK_FS_ATTR_RUN_FLAG_FILLER, TSK_FS_ATTR_RUN_FLAG_SPARSE, tsk_fs_read_decrypt(), and tsk_verbose.
Referenced by TskFsAttribute::read(), tsk_fs_file_read(), and tsk_fs_file_read_type().
tsk_fs_attr_walk
uint8_t tsk_fs_attr_walk ( const TSK_FS_ATTR * a_fs_attr,
TSK_FS_FILE_WALK_FLAG_ENUM a_flags,
TSK_FS_FILE_WALK_CB a_action,
void * a_ptr
)
Process an attribute and call a callback function with its contents.
The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse attributes, the address may be zero.
Parameters
a_fs_attr Attribute to process
a_flags Flags to use while processing attribute
a_action Callback action to call with content
a_ptr Pointer that will be passed to callback
Returns
1 on error and 0 on success.
References TSK_FS_ATTR::flags, TSK_FS_ATTR::fs_file, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_ATTR_COMP, TSK_FS_ATTR_NONRES, and TSK_FS_ATTR_RES.
Referenced by tsk_fs_file_walk(), tsk_fs_file_walk_type(), and TskFsAttribute::walk().
tsk_fs_block_free
void tsk_fs_block_free ( TSK_FS_BLOCK * a_fs_block )
Free the memory associated with the TSK_FS_BLOCK structure.
Parameters
a_fs_block Block to free
References TSK_FS_BLOCK::buf.
Referenced by TskFsBlock::~TskFsBlock().
tsk_fs_block_get_flag
TSK_FS_BLOCK* tsk_fs_block_get_flag ( TSK_FS_INFO * a_fs,
TSK_FS_BLOCK * a_fs_block,
TSK_DADDR_T a_addr,
TSK_FS_BLOCK_FLAG_ENUM a_flags
)
Get the contents and flags of a specific file system block.
Note that if the block contains compressed data, then this function will return the compressed data with the RAW flag set. The uncompressed data can be obtained only from the file-level functions.
Parameters
a_fs The file system to read the block from.
a_fs_block The structure to write the block data into or NULL to have one created.
a_addr The file system address to read.
a_flags Flag to assign to the returned TSK_FS_BLOCK (use if you already have it as part of a block_walk-type scenario)
Returns
The TSK_FS_BLOCK with the data or NULL on error. (If a_fs_block was not NULL, this will be the same structure).
References TSK_FS_BLOCK::addr, TSK_FS_INFO::block_size, TSK_FS_BLOCK::buf, TSK_FS_BLOCK::fs_info, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_BLOCK_FLAG_RAW, and tsk_img_read().
tsk_fs_block_walk
uint8_t tsk_fs_block_walk ( TSK_FS_INFO * a_fs,
TSK_DADDR_T a_start_blk,
TSK_DADDR_T a_end_blk,
TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags,
TSK_FS_BLOCK_WALK_CB a_action,
void * a_ptr
)
Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each.
Parameters
a_fs File system to analyze
a_start_blk Block address to start walking from
a_end_blk Block address to walk to
a_flags Flags used during walk to determine which blocks to call callback with
a_action Callback function
a_ptr Pointer that will be passed to callback
Returns
1 on error and 0 on success
References TSK_FS_INFO::block_walk, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().
Referenced by TskFsInfo::blockWalk().
tsk_fs_close
void tsk_fs_close ( TSK_FS_INFO * a_fs )
Close an open file system.
Parameters
a_fs File system to close.
References TSK_FS_INFO::close.
Referenced by TskFsInfo::close(), TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), and TskAuto::findFilesInPool().
tsk_fs_dir_close
void tsk_fs_dir_close ( TSK_FS_DIR * a_fs_dir )
Close the directory that was opened with tsk_fs_dir_open()
Parameters
a_fs_dir Directory to close
References TSK_FS_DIR::fs_file, TSK_FS_DIR::names, TSK_FS_DIR::names_used, and tsk_fs_file_close().
Referenced by tsk_fs_dir_open_meta(), and tsk_fs_path2inum().
tsk_fs_dir_get
TSK_FS_FILE* tsk_fs_dir_get ( const TSK_FS_DIR * a_fs_dir,
size_t a_idx
)
Return a specific file or subdirectory from an open directory.
Parameters
a_fs_dir Directory to analyze
a_idx Index of file in directory to open (0-based)
Returns
NULL on error
References TSK_FS_NAME::flags, TSK_FS_DIR::fs_info, TSK_FS_FILE::meta, TSK_FS_NAME::meta_addr, TSK_FS_NAME::meta_seq, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_DIR::names, TSK_FS_DIR::names_used, PRIuSIZE, TSK_FS_META::seq, TSK_FS_NAME::shrt_name, tsk_error_print(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_NAME_FLAG_ALLOC, and tsk_verbose.
Referenced by tsk_fs_path2inum().
tsk_fs_dir_get_name
const TSK_FS_NAME* tsk_fs_dir_get_name ( const TSK_FS_DIR * a_fs_dir,
size_t a_idx
)
Return only the name for a file or subdirectory from an open directory.
Useful when wanting to find files of a given name and you don’t need the additional metadata.
Parameters
a_fs_dir Directory to analyze
a_idx Index of file in directory to open (0-based)
Returns
NULL on error
References TSK_FS_DIR::fs_info, TSK_FS_DIR::names, TSK_FS_DIR::names_used, PRIuSIZE, tsk_error_set_errno(), and tsk_error_set_errstr().
tsk_fs_dir_getsize
size_t tsk_fs_dir_getsize ( const TSK_FS_DIR * a_fs_dir )
Returns the number of files and subdirectories in a directory.
Parameters
a_fs_dir Directory to get information about
Returns
Number of files and subdirectories (or 0 on error)
References TSK_FS_DIR::names_used, tsk_error_set_errno(), and tsk_error_set_errstr().
Referenced by tsk_fs_path2inum().
tsk_fs_dir_open
TSK_FS_DIR* tsk_fs_dir_open ( TSK_FS_INFO * a_fs,
const char * a_dir
)
Open a directory (using its path) so that each of the files in it can be accessed.
Parameters
a_fs File system to analyze
a_dir Path of the directory to open
Returns
NULL on error
References TSK_FS_DIR::fs_file, TSK_FS_FILE::name, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_dir_open_meta(), and tsk_fs_path2inum().
tsk_fs_dir_open_meta
TSK_FS_DIR* tsk_fs_dir_open_meta ( TSK_FS_INFO * a_fs,
TSK_INUM_T a_addr
)
Open a directory (using its metadata addr) so that each of the files in it can be accessed.
Parameters
a_fs File system to analyze
a_addr Metadata address of the directory to open
Returns
NULL on error
References tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_dir_close(), and TSK_OK.
Referenced by tsk_fs_dir_open(), and tsk_fs_path2inum().
tsk_fs_dir_walk
uint8_t tsk_fs_dir_walk ( TSK_FS_INFO * a_fs,
TSK_INUM_T a_addr,
TSK_FS_DIR_WALK_FLAG_ENUM a_flags,
TSK_FS_DIR_WALK_CB a_action,
void * a_ptr
)
Walk the file names in a directory and obtain the details of the files via a callback.
Parameters
a_fs File system to analyze
a_addr Metadata address of the directory to analyze
a_flags Flags used during analysis
a_action Callback function that is called for each file name
a_ptr Pointer to data that is passed to the callback function each time
Returns
1 on error and 0 on success
References TSK_FS_INFO::list_inum_named, TSK_FS_INFO::root_inum, tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_DIR_WALK_FLAG_ALLOC, TSK_FS_DIR_WALK_FLAG_UNALLOC, tsk_list_free(), tsk_stack_create(), tsk_stack_free(), TSK_WALK_CONT, and TSK_WALK_ERROR.
Referenced by fatfs_inode_walk(), and fatxxfs_dent_parse_buf().
tsk_fs_file_attr_get
const TSK_FS_ATTR* tsk_fs_file_attr_get ( TSK_FS_FILE * a_fs_file )
Return the default attribute for the file.
Parameters
a_fs_file File to get data from
Returns
NULL on error
References TSK_FS_META::attr, TSK_FS_FILE::fs_info, and TSK_FS_FILE::meta.
Referenced by tsk_fs_file_read(), and tsk_fs_file_walk().
tsk_fs_file_attr_get_id
const TSK_FS_ATTR* tsk_fs_file_attr_get_id ( TSK_FS_FILE * a_fs_file,
uint16_t a_id
)
Return a specific attribute by its ID for the file.
Parameters
a_fs_file File to get data from
a_id Id of attribute to load
Returns
NULL on error
References TSK_FS_ATTR::id, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_attr_get_idx(), and tsk_fs_file_attr_getsize().
tsk_fs_file_attr_get_idx
const TSK_FS_ATTR* tsk_fs_file_attr_get_idx ( TSK_FS_FILE * a_fs_file,
int a_idx
)
Get a file’s attribute based on the 0-based index in the list (and not type, id pair).
Parameters
a_fs_file File to get attributes from.
a_idx 0-based index of attribute to return.
Returns
Pointer to attribute or NULL on error
References TSK_FS_META::attr, and TSK_FS_FILE::meta.
Referenced by TskAuto::processAttributes(), tsk_fs_file_attr_get_id(), and tsk_fs_path2inum().
tsk_fs_file_attr_get_type
const TSK_FS_ATTR* tsk_fs_file_attr_get_type ( TSK_FS_FILE * a_fs_file,
TSK_FS_ATTR_TYPE_ENUM a_type,
uint16_t a_id,
uint8_t a_id_used
)
Return a specific type and id attribute for the file.
Parameters
a_fs_file File to get data from
a_type Type of attribute to load
a_id Id of attribute to load
a_id_used Set to 1 if ID is actually set or 0 to use default
Returns
NULL on error
References TSK_FS_META::attr, and TSK_FS_FILE::meta.
Referenced by fatfs_istat(), tsk_fs_file_read_type(), and tsk_fs_file_walk_type().
tsk_fs_file_attr_getsize
int tsk_fs_file_attr_getsize ( TSK_FS_FILE * a_fs_file )
Return the number of attributes in the file.
Parameters
a_fs_file File to return attribute count for
Returns
number of attributes in file
References TSK_FS_META::attr, TSK_FS_FILE::meta, and tsk_error_reset().
Referenced by TskAuto::processAttributes(), TskAutoDb::processFile(), tsk_fs_file_attr_get_id(), and tsk_fs_path2inum().
tsk_fs_file_close
void tsk_fs_file_close ( TSK_FS_FILE * a_fs_file )
Close an open file.
Parameters
a_fs_file Pointer to open file
References TSK_FS_FILE::meta, and TSK_FS_FILE::name.
Referenced by TskFsFile::close(), fatfs_inode_walk(), fatfs_istat(), TskAutoDb::filterFs(), tsk_fs_dir_close(), tsk_fs_file_open_meta(), tsk_fs_path2inum(), and tsk_ntfs_usnjentry_walk().
tsk_fs_file_open
TSK_FS_FILE* tsk_fs_file_open ( TSK_FS_INFO * a_fs,
TSK_FS_FILE * a_fs_file,
const char * a_path
)
Return the handle structure for a specific file, given its full path.
Note that if you have the metadata address of the file, then tsk_fs_file_open_meta() is a more efficient approach.
Parameters
a_fs File system to analyze
a_fs_file Structure to store file data in or NULL to have one allocated.
a_path Path of file to open
Returns
NULL on error
References TSK_FS_FILE::meta, TSK_FS_NAME::meta_seq, TSK_FS_FILE::name, TSK_FS_META::seq, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_file_open_meta(), and tsk_fs_path2inum().
Referenced by TskAutoDb::filterFs(), and TskFsFile::open().
tsk_fs_file_open_meta
TSK_FS_FILE* tsk_fs_file_open_meta ( TSK_FS_INFO * a_fs,
TSK_FS_FILE * a_fs_file,
TSK_INUM_T a_addr
)
Open a file given its metadata address.
This function loads the metadata and returns a handle that can be used to read and process the file. Note that the returned TSK_FS_FILE structure will not have the file name set because it was not used to load the file and this function does not search the directory structure to find the name that points to the address. In general, if you know the metadata address of a file, this function is more efficient than tsk_fs_file_open(), which first maps a file name to the metadata address and then opens the file using this function.
Parameters
a_fs File system to analyze
a_fs_file Structure to store file data in or NULL to have one allocated.
a_addr Metadata address of file to lookup
Returns
NULL on error
References TSK_FS_FILE::name, tsk_error_set_errno(), tsk_error_set_errstr(), and tsk_fs_file_close().
Referenced by fatfs_istat(), ntfs_open(), TskFsFile::open(), tsk_fs_file_open(), and tsk_ntfs_usnjopen().
tsk_fs_file_read
ssize_t tsk_fs_file_read ( TSK_FS_FILE * a_fs_file,
TSK_OFF_T a_offset,
char * a_buf,
size_t a_len,
TSK_FS_FILE_READ_FLAG_ENUM a_flags
)
Read the contents of a specific attribute of a file using a typical read() type interface.
0s are returned for missing runs of files.
Parameters
a_fs_file The inode structure of the file to read.
a_offset The byte offset to start reading from.
a_buf The buffer to read the data into.
a_len The number of bytes to read from the file.
a_flags Flags to use while reading
Returns
The number of bytes read or -1 on error (incl if offset is past EOF).
References TSK_FS_FILE::fs_info, tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_attr_read(), and tsk_fs_file_attr_get().
Referenced by TskFsFile::read().
tsk_fs_file_read_type
ssize_t tsk_fs_file_read_type ( TSK_FS_FILE * a_fs_file,
TSK_FS_ATTR_TYPE_ENUM a_type,
uint16_t a_id,
TSK_OFF_T a_offset,
char * a_buf,
size_t a_len,
TSK_FS_FILE_READ_FLAG_ENUM a_flags
)
Read the contents of a specific attribute of a file using a typical read() type interface and be able to specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS).
0s are returned for missing runs of files.
Parameters
a_fs_file The file to read from
a_type The type of attribute to load
a_id The id of attribute to load (use 0 and set a_flags if you do not care)
a_offset The byte offset to start reading from.
a_buf The buffer to read the data into.
a_len The number of bytes to read from the file.
a_flags Flags to use while reading
Returns
The number of bytes read or -1 on error (incl if offset is past EOF).
References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_attr_read(), tsk_fs_file_attr_get_type(), and TSK_FS_FILE_READ_FLAG_NOID.
Referenced by TskFsFile::read().
tsk_fs_file_walk
uint8_t tsk_fs_file_walk ( TSK_FS_FILE * a_fs_file,
TSK_FS_FILE_WALK_FLAG_ENUM a_flags,
TSK_FS_FILE_WALK_CB a_action,
void * a_ptr
)
Process a file and call a callback function with the file contents.
The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse files, the address may be zero. If a file has multiple attributes, such as NTFS files, this function uses the default one ($DATA for files, $IDX_ROOT for directories). Use tsk_fs_file_walk_type to specify an attribute.
Parameters
a_fs_file File to process
a_flags Flags to use while processing file
a_action Callback action to call with content
a_ptr Pointer that will be passed to callback
Returns
1 on error and 0 on success.
References TSK_FS_META::addr, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_attr_walk(), tsk_fs_file_attr_get(), and tsk_verbose.
Referenced by fatfs_inode_walk(), fatfs_istat(), tsk_fs_file_hash_calc(), and TskFsFile::walk().
tsk_fs_file_walk_type
uint8_t tsk_fs_file_walk_type ( TSK_FS_FILE * a_fs_file,
TSK_FS_ATTR_TYPE_ENUM a_type,
uint16_t a_id,
TSK_FS_FILE_WALK_FLAG_ENUM a_flags,
TSK_FS_FILE_WALK_CB a_action,
void * a_ptr
)
Process a specific attribute in a file and call a callback function with the file contents.
The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse files, the address may be zero. If the file system you are analyzing does not have multiple attributes per file, then you can use tsk_fs_file_walk(). For incomplete or corrupt files, some missing runs will be identified as SPARSE and zeros will be returned in the content.
Parameters
a_fs_file File to process
a_type Attribute type to process
a_id Id of attribute to process
a_flags Flags to use while processing file
a_action Callback action to call with content
a_ptr Pointer that will be passed to callback
Returns
1 on error and 0 on success.
References TSK_FS_META::addr, TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_attr_walk(), tsk_fs_file_attr_get_type(), TSK_FS_FILE_WALK_FLAG_NOID, and tsk_verbose.
Referenced by TskFsFile::walk().
tsk_fs_meta_make_ls
uint8_t tsk_fs_meta_make_ls ( const TSK_FS_META * a_fs_meta,
char * a_buf,
size_t a_len
)
Makes the “ls -l” permissions string for a file.
Parameters
a_fs_meta File to be processed
a_buf [out] Buffer to write results to (must be 12 bytes or longer)
a_len Length of buffer
References TSK_FS_META::mode, TSK_FS_META_MODE_IRGRP, TSK_FS_META_MODE_IROTH, TSK_FS_META_MODE_IRUSR, TSK_FS_META_MODE_ISGID, TSK_FS_META_MODE_ISUID, TSK_FS_META_MODE_ISVTX, TSK_FS_META_MODE_IWGRP, TSK_FS_META_MODE_IWOTH, TSK_FS_META_MODE_IWUSR, TSK_FS_META_MODE_IXGRP, TSK_FS_META_MODE_IXOTH, TSK_FS_META_MODE_IXUSR, tsk_fs_meta_type_str, TSK_FS_META_TYPE_STR_MAX, and TSK_FS_META::type.
Referenced by TskFsMeta::getLs().
tsk_fs_meta_walk
uint8_t tsk_fs_meta_walk ( TSK_FS_INFO * a_fs,
TSK_INUM_T a_start,
TSK_INUM_T a_end,
TSK_FS_META_FLAG_ENUM a_flags,
TSK_FS_META_WALK_CB a_cb,
void * a_ptr
)
Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.
For example, it can call the callback on only allocated or unallocated entries.
Parameters
a_fs File system to process
a_start Metadata address to start walking from
a_end Metadata address to walk to
a_flags Flags that specify the desired metadata features
a_cb Callback function to call
a_ptr Pointer to pass to the callback
Returns
1 on error and 0 on success
References TSK_FS_INFO::inode_walk.
Referenced by TskFsInfo::metaWalk().
tsk_fs_open_img
TSK_FS_INFO* tsk_fs_open_img ( TSK_IMG_INFO * a_img_info,
TSK_OFF_T a_offset,
TSK_FS_TYPE_ENUM a_ftype
)
Tries to process data in a disk image at a given offset as a file system.
Returns a structure that can be used for analysis and reporting.
Parameters
a_img_info Disk image to analyze
a_offset Byte offset to start analyzing from
a_ftype Type of file system (or autodetect)
Returns
NULL on error
References tsk_fs_open_img_decrypt().
Referenced by TskAuto::findFilesInFs(), TskAuto::findFilesInFsRet(), and TskFsInfo::open().
tsk_fs_open_img_decrypt
TSK_FS_INFO* tsk_fs_open_img_decrypt ( TSK_IMG_INFO * a_img_info,
TSK_OFF_T a_offset,
TSK_FS_TYPE_ENUM a_ftype,
const char * a_pass
)
Tries to process data in a disk image at a given offset as a file system.
Allows for providing an optional password for decryption. Returns a structure that can be used for analysis and reporting.
Parameters
a_img_info Disk image to analyze
a_offset Byte offset to start analyzing from
a_ftype Type of file system (or autodetect)
a_pass Password to decrypt filesystem. Currently only used if type is specified.
Returns
NULL on error
References TSK_FS_INFO::close, ntfs_open(), tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), TSK_FS_TYPE_APFS_DETECT, TSK_FS_TYPE_DETECT, TSK_FS_TYPE_EXT_DETECT, TSK_FS_TYPE_FAT_DETECT, TSK_FS_TYPE_FFS_DETECT, TSK_FS_TYPE_HFS_DETECT, TSK_FS_TYPE_ISAPFS, TSK_FS_TYPE_ISEXT, TSK_FS_TYPE_ISFAT, TSK_FS_TYPE_ISFFS, TSK_FS_TYPE_ISHFS, TSK_FS_TYPE_ISISO9660, TSK_FS_TYPE_ISNTFS, TSK_FS_TYPE_ISO9660_DETECT, TSK_FS_TYPE_ISRAW, TSK_FS_TYPE_ISSWAP, TSK_FS_TYPE_ISYAFFS2, TSK_FS_TYPE_NTFS_DETECT, TSK_FS_TYPE_YAFFS2_DETECT, and tsk_verbose.
Referenced by tsk_fs_open_img(), and tsk_fs_open_vol_decrypt().
tsk_fs_open_vol
TSK_FS_INFO* tsk_fs_open_vol ( const TSK_VS_PART_INFO * a_part_info,
TSK_FS_TYPE_ENUM a_ftype
)
Tries to process data in a volume as a file system.
Returns a structure that can be used for analysis and reporting.
Parameters
a_part_info Open volume to read from and analyze
a_ftype Type of file system (or autodetect)
Returns
NULL on error
References tsk_fs_open_vol_decrypt().
Referenced by TskFsInfo::open().
tsk_fs_open_vol_decrypt
TSK_FS_INFO* tsk_fs_open_vol_decrypt ( const TSK_VS_PART_INFO * a_part_info,
TSK_FS_TYPE_ENUM a_ftype,
const char * a_pass
)
Tries to process data in a volume as a file system.
Allows for providing an optional password for decryption. Returns a structure that can be used for analysis and reporting.
Parameters
a_part_info Open volume to read from and analyze
a_ftype Type of file system (or autodetect)
a_pass Password to decrypt filesystem
Returns
NULL on error
References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, TSK_VS_PART_INFO::start, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fs_open_img_decrypt(), and TSK_VS_PART_INFO::vs.
Referenced by tsk_fs_open_vol().
tsk_fs_parse_inum
int tsk_fs_parse_inum ( const TSK_TCHAR * str,
TSK_INUM_T * inum,
TSK_FS_ATTR_TYPE_ENUM * type,
uint8_t * type_used,
uint16_t * id,
uint8_t * id_used
)
Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there).
This assumes the string is either: INUM, INUM-TYPE, or INUM-TYPE-ID. Return the values in integer form.
Parameters
[in] str Input string to parse
[out] inum Pointer to location where inode can be stored.
[out] type Pointer to location where type can be stored (or NULL)
[out] type_used Pointer to location where the value can be set to 1 if the type was set (to differentiate between meanings of 0) (or NULL).
[out] id Pointer to location where id can be stored (or NULL)
[out] id_used Pointer to location where the value can be set to 1 if the id was set (to differentiate between meanings of 0) (or NULL).
Returns
1 on error or if not an inode and 0 on success
References TSK_FS_ATTR_ID_DEFAULT.
Referenced by TskFsInfo::parseINum().
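The INUM, INUM-TYPE and INUM-TYPE-ID forms described above, parsed strictly, as an added example that is not The Sleuth Kit's implementation. `parse_inum_spec` and `parse_field` are hypothetical names; the example takes a plain `char` string rather than `TSK_TCHAR`, assumes decimal fields and a 64-bit inode number, and reports absent parts as 0 with the matching `*_used` flag cleared.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one unsigned decimal field starting at s.
 * The field must start with a digit (so "", "-5", "+5" and " 5" are rejected,
 * which strtoull alone would accept), must not exceed max, and must be
 * followed by '\0' or, unless it is the last field, by '-'.
 * Returns a pointer to the terminator, or NULL on any violation. */
static const char *parse_field(const char *s, uint64_t max, int last,
                               uint64_t *out)
{
    char *end;
    unsigned long long v;

    if (*s < '0' || *s > '9')
        return NULL;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || v > max)
        return NULL;
    if (*end != '\0' && (last || *end != '-'))
        return NULL;
    *out = (uint64_t)v;
    return end;
}

/* Hypothetical stand-in for the documented contract: returns 0 on success and
 * 1 on error; type, type_used, id and id_used may be NULL. Outputs are written
 * only on success, so a rejected string never leaves half-parsed values. */
int parse_inum_spec(const char *str, uint64_t *inum,
                    uint32_t *type, uint8_t *type_used,
                    uint16_t *id, uint8_t *id_used)
{
    uint64_t v_inum = 0, v_type = 0, v_id = 0;
    uint8_t have_type = 0, have_id = 0;
    const char *p;

    if (str == NULL || inum == NULL)
        return 1;

    p = parse_field(str, UINT64_MAX, 0, &v_inum);        /* INUM */
    if (p != NULL && *p == '-') {
        p = parse_field(p + 1, UINT32_MAX, 0, &v_type);  /* TYPE */
        have_type = 1;
    }
    if (p != NULL && *p == '-') {
        /* ID is bounded by the uint16_t output and must end the string. */
        p = parse_field(p + 1, UINT16_MAX, 1, &v_id);
        have_id = 1;
    }
    if (p == NULL)
        return 1;

    /* Commit: every field validated, nothing truncated by the casts. */
    *inum = v_inum;
    if (type) *type = (uint32_t)v_type;
    if (type_used) *type_used = have_type;
    if (id) *id = (uint16_t)v_id;
    if (id_used) *id_used = have_id;
    return 0;
}

int main(void)
{
    /* Constructed inputs: three valid forms followed by malformed ones. */
    const char *samples[] = { "5", "64-128", "64-128-3", "64-128-70000",
                              "5-", "-5", "0x10", "64-128-3-1" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t inum = 0;
        uint32_t type = 0;
        uint16_t id = 0;
        uint8_t type_used = 0, id_used = 0;

        if (parse_inum_spec(samples[i], &inum, &type, &type_used,
                            &id, &id_used)) {
            printf("%-14s rejected\n", samples[i]);
            continue;
        }
        printf("%-14s inum=%llu type=%u (used=%u) id=%u (used=%u)\n",
               samples[i], (unsigned long long)inum, (unsigned)type,
               (unsigned)type_used, (unsigned)id, (unsigned)id_used);
    }
    return 0;
}
```

Rejecting the out-of-range ID instead of casting it matters because a silently truncated 70000 would select attribute id 4464, a different attribute from the one the caller named.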
tsk_fs_path2inum
int8_t tsk_fs_path2inum ( TSK_FS_INFO * a_fs,
const char * a_path,
TSK_INUM_T * a_result,
TSK_FS_NAME * a_fs_name
)
Find the meta data address for a given file name (UTF-8).
The basic idea of the function is to break the given name into its subdirectories and start looking for each (starting in the root directory).
Parameters
a_fs FS to analyze
a_path UTF-8 path of file to search for
[out] a_result Meta data address of file
[out] a_fs_name Copy of name details (or NULL if details not wanted)
Returns
-1 on (system) error, 0 if found, and 1 if not found
References TSK_FS_NAME::flags, TSK_FS_DIR::fs_file, TSK_FS_INFO::ftype, TSK_FS_FILE::meta, TSK_FS_NAME::meta_addr, TSK_FS_ATTR::name, TSK_FS_NAME::name, TSK_FS_FILE::name, TSK_FS_INFO::root_inum, TSK_FS_NAME::shrt_name, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), tsk_fs_dir_close(), tsk_fs_dir_get(), tsk_fs_dir_getsize(), tsk_fs_dir_open_meta(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_getsize(), tsk_fs_file_close(), TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_TYPE_DIR, TSK_FS_TYPE_ISNTFS, tsk_verbose, TSK_FS_META::type, and TSK_FS_NAME::type.
Referenced by TskFsInfo::path2INum(), tsk_fs_dir_open(), tsk_fs_file_open(), and tsk_fs_ifind_path().
tsk_fs_read
ssize_t tsk_fs_read ( TSK_FS_INFO * a_fs,
TSK_OFF_T a_off,
char * a_buf,
size_t a_len
)
Read arbitrary data from inside of the file system.
Parameters
a_fs The file system handle.
a_off The byte offset to start reading from (relative to start of file system)
a_buf The buffer to store the block in.
a_len The number of bytes to read
Returns
The number of bytes read or -1 on error.
References tsk_fs_read_decrypt().
Referenced by ntfs_dinode_lookup(), ntfs_open(), and TskFsInfo::read().
tsk_fs_read_block
ssize_t tsk_fs_read_block ( TSK_FS_INFO * a_fs,
TSK_DADDR_T a_addr,
char * a_buf,
size_t a_len
)
Read a file system block into a char* buffer.
This is actually a wrapper around the fs_read_random function, but it allows the starting location to be specified as a block address.
Parameters
a_fs The file system structure.
a_addr The starting block file system address.
a_buf The char * buffer to store the block data in.
a_len The number of bytes to read (must be a multiple of the block size)
Returns
The number of bytes read or -1 on error.
References tsk_fs_read_block_decrypt().
Referenced by fatfs_inode_walk(), TskFsInfo::readBlock(), and tsk_fs_blkcat().
tsk_fs_read_block_decrypt
ssize_t tsk_fs_read_block_decrypt ( TSK_FS_INFO * a_fs,
TSK_DADDR_T a_addr,
char * a_buf,
size_t a_len,
TSK_DADDR_T crypto_id
)
Read a file system block into a char* buffer.
This is actually a wrapper around the fs_read_random function, but it allows the starting location to be specified as a block address.
Parameters
a_fs The file system structure.
a_addr The starting block file system address.
a_buf The char * buffer to store the block data in.
a_len The number of bytes to read (must be a multiple of the block size)
crypto_id Starting block number needed for the XTS IV
Returns
The number of bytes read or -1 on error.
References TSK_FS_INFO::block_post_size, TSK_FS_INFO::block_pre_size, TSK_FS_INFO::block_size, TSK_FS_INFO::flags, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, PRIuSIZE, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_INFO_FLAG_ENCRYPTED, and tsk_img_read().
Referenced by tsk_fs_read_block(), and tsk_fs_read_decrypt().
tsk_fs_read_decrypt
ssize_t tsk_fs_read_decrypt ( TSK_FS_INFO * a_fs,
TSK_OFF_T a_off,
char * a_buf,
size_t a_len,
TSK_DADDR_T crypto_id
)
Read arbitrary data from inside of the file system.
Parameters
a_fs The file system handle.
a_off The byte offset to start reading from (relative to start of file system)
a_buf The buffer to store the block in.
a_len The number of bytes to read
crypto_id Starting block number needed for the XTS IV
Returns
The number of bytes read or -1 on error.
References TSK_FS_INFO::block_post_size, TSK_FS_INFO::block_pre_size, TSK_FS_INFO::block_size, TSK_FS_INFO::flags, TSK_FS_INFO::img_info, TSK_FS_INFO::last_block, TSK_FS_INFO::last_block_act, TSK_FS_INFO::offset, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_FS_INFO_FLAG_ENCRYPTED, tsk_fs_read_block_decrypt(), and tsk_img_read().
Referenced by tsk_fs_attr_read(), and tsk_fs_read().
tsk_fs_time_to_str
char* tsk_fs_time_to_str ( time_t time,
char buf[128]
)
Converts a time value to a string representation.
Prints all zero values instead of 1970 if time is 0.
Parameters
time Time to be displayed.
buf Buffer to print into (must be 128 bytes or larger)
Returns
Pointer to buffer that was passed in.
Referenced by fatfs_istat().
tsk_fs_time_to_str_subsecs
char* tsk_fs_time_to_str_subsecs ( time_t time,
unsigned int subsecs,
char buf[128]
)
Converts a time value to a string representation.
Prints all zero values instead of 1970 if time is 0.
Parameters
time Time to be displayed.
buf Buffer to print into (must be 64 bytes or larger)
subsecs Subseconds to be printed
Returns
Pointer to buffer that was passed in.
tsk_fs_type_print
void tsk_fs_type_print ( FILE * hFile )
Print the supported file system types to a file handle.
Parameters
hFile File handle to print to
References tsk_fprintf().
Referenced by TskFsInfo::typePrint().
tsk_fs_type_supported
TSK_FS_TYPE_ENUM tsk_fs_type_supported ( )
Return the supported file system types.
Returns
The bit in the return value is 1 if the type is supported.
Referenced by TskFsInfo::typeSupported().
tsk_fs_type_toid
TSK_FS_TYPE_ENUM tsk_fs_type_toid ( const TSK_TCHAR * str )
Parse a string with the file system type and return its internal ID.
Parameters
str String to parse.
Returns
ID of string (or unsupported if the name is unknown)
References tsk_fs_type_toid_utf8().
Referenced by TskFsInfo::typeToId().
tsk_fs_type_toid_utf8
TSK_FS_TYPE_ENUM tsk_fs_type_toid_utf8 ( const char * str )
Parse a string with the file system type and return its internal ID.
Parameters
str String to parse, always UTF-8.
Returns
ID of string (or unsupported if the name is unknown)
References TSK_FS_TYPE_UNSUPP.
Referenced by tsk_fs_type_toid().
tsk_fs_type_toname
const char* tsk_fs_type_toname ( TSK_FS_TYPE_ENUM ftype )
Return the string name of a file system type id.
Parameters
ftype File system type id
Returns
Name or NULL on error
Referenced by TskFsInfo::typeToName().
Generic File System Handle Data Structure
TSK_FS_TYPE_ISAPFS
#define TSK_FS_TYPE_ISAPFS ( ftype ) (((ftype) & TSK_FS_TYPE_APFS_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for an APFS “file system”.
Referenced by tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISEXT
#define TSK_FS_TYPE_ISEXT ( ftype ) (((ftype) & TSK_FS_TYPE_EXT_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for an ExtX file system.
Referenced by tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISFAT
#define TSK_FS_TYPE_ISFAT ( ftype ) (((ftype) & TSK_FS_TYPE_FAT_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for a FAT file system.
Referenced by TskAutoDb::filterFs(), TskAuto::isFATSystemFiles(), and tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISFFS
#define TSK_FS_TYPE_ISFFS ( ftype ) (((ftype) & TSK_FS_TYPE_FFS_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for an FFS file system.
Referenced by tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISHFS
#define TSK_FS_TYPE_ISHFS ( ftype ) (((ftype) & TSK_FS_TYPE_HFS_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for an HFS file system.
Referenced by tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISISO9660
#define TSK_FS_TYPE_ISISO9660 ( ftype ) (((ftype) & TSK_FS_TYPE_ISO9660_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for an ISO9660 file system.
Referenced by tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISNTFS
#define TSK_FS_TYPE_ISNTFS ( ftype ) (((ftype) & TSK_FS_TYPE_NTFS_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for an NTFS file system.
Referenced by TskAuto::isNtfsSystemFiles(), ntfs_open(), tsk_fs_open_img_decrypt(), and tsk_fs_path2inum().
TSK_FS_TYPE_ISRAW
#define TSK_FS_TYPE_ISRAW ( ftype ) (((ftype) & TSK_FS_TYPE_RAW_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for a raw “file system”.
Referenced by tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISSWAP
#define TSK_FS_TYPE_ISSWAP ( ftype ) (((ftype) & TSK_FS_TYPE_SWAP_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for a swap “file system”.
Referenced by tsk_fs_open_img_decrypt().
TSK_FS_TYPE_ISYAFFS2
#define TSK_FS_TYPE_ISYAFFS2 ( ftype ) (((ftype) & TSK_FS_TYPE_YAFFS2_DETECT)?1:0)
Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.
Referenced by tsk_fs_open_img_decrypt().
Enumeration Type Documentation
enum TSK_FS_INFO_FLAG_ENUM
Flags for the FS_INFO structure.
Enumerator
TSK_FS_INFO_FLAG_NONE No Flags.
TSK_FS_INFO_FLAG_HAVE_SEQ File system has sequence numbers in the inode addresses.
TSK_FS_INFO_FLAG_HAVE_NANOSEC Nano second field in times will be set.
TSK_FS_INFO_FLAG_ENCRYPTED File system is encrypted.
enum TSK_FS_TYPE_ENUM
Values for the file system type.
Each bit corresponds to a file system. The “[fs]_DETECT” value (such as TSK_FS_TYPE_NTFS_DETECT) is the OR of all of the subtypes that it could detect. If there is only one type of that file system, the [fs]_DETECT value will be the same as the type.
The _DETECT values should not be stored in TSK_FS_INFO. Once tsk_fs_open() has detected the type, it should assign the specific version in TSK_FS_INFO.
Enumerator
TSK_FS_TYPE_DETECT Use autodetection methods.
TSK_FS_TYPE_NTFS NTFS file system.
TSK_FS_TYPE_NTFS_DETECT NTFS auto detection.
TSK_FS_TYPE_FAT12 FAT12 file system.
TSK_FS_TYPE_FAT16 FAT16 file system.
TSK_FS_TYPE_FAT32 FAT32 file system.
TSK_FS_TYPE_EXFAT exFAT file system.
TSK_FS_TYPE_FAT_DETECT FAT auto detection.
TSK_FS_TYPE_FFS1 UFS1 (FreeBSD, OpenBSD, BSDI …)
TSK_FS_TYPE_FFS1B UFS1b (Solaris - has no type)
TSK_FS_TYPE_FFS2 UFS2 - FreeBSD, NetBSD.
TSK_FS_TYPE_FFS_DETECT UFS auto detection.
TSK_FS_TYPE_EXT2 Ext2 file system.
TSK_FS_TYPE_EXT3 Ext3 file system.
TSK_FS_TYPE_EXT_DETECT ExtX auto detection.
TSK_FS_TYPE_SWAP SWAP file system.
TSK_FS_TYPE_SWAP_DETECT SWAP auto detection.
TSK_FS_TYPE_RAW RAW file system.
TSK_FS_TYPE_RAW_DETECT RAW auto detection.
TSK_FS_TYPE_ISO9660 ISO9660 file system.
TSK_FS_TYPE_ISO9660_DETECT ISO9660 auto detection.
TSK_FS_TYPE_HFS HFS+/HFSX file system.
TSK_FS_TYPE_HFS_DETECT HFS auto detection.
TSK_FS_TYPE_EXT4 Ext4 file system.
TSK_FS_TYPE_YAFFS2 YAFFS2 file system.
TSK_FS_TYPE_YAFFS2_DETECT YAFFS2 auto detection.
TSK_FS_TYPE_HFS_LEGACY HFS file system.
TSK_FS_TYPE_APFS APFS file system.
TSK_FS_TYPE_APFS_DETECT APFS auto detection.
TSK_FS_TYPE_UNSUPP Unsupported file system.