/usr/include/tsk/auto/tsk_auto.h is in libtsk-dev 4.4.0-5.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 | /*
** The Sleuth Kit
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
** Copyright (c) 2010-2011 Brian Carrier. All Rights reserved
**
** This software is distributed under the Common Public License 1.0
**
*/
/**
* \file tsk_auto.h
* Contains the class definitions for the automated file extraction classes.
* Note that this file is not meant to be directly included.
* It is included by libtsk.h.
*/
/**
* \defgroup autolib File Extraction Automation Functionality
*/
#ifndef _TSK_AUTO_H
#define _TSK_AUTO_H
#ifdef __cplusplus
// Include the other TSK header files
#include "tsk/base/tsk_base.h"
#include "tsk/img/tsk_img.h"
#include "tsk/vs/tsk_vs.h"
#include "tsk/fs/tsk_fs.h"
#include <string>
#include <vector>
#define TSK_AUTO_TAG 0x9191ABAB
typedef enum {
TSK_FILTER_CONT = 0x00, ///< Framework should continue to process this object
TSK_FILTER_STOP = 0x01, ///< Framework should stop processing the image
TSK_FILTER_SKIP = 0x02, ///< Framework should skip this object and go on to the next
} TSK_FILTER_ENUM;
/** \ingroup autolib
* C++ class that automatically analyzes a disk image to extract files from it. This class
* hides many of the details that are required to use lower-level TSK APIs to analyze volume
* and file systems.
*
* The processFile() method must be implemented and it will be called for each file and
* directory that is found.
*
* An image file must be first opened using openImage(). It can then be analyzed using one
* of the findFilesInXXXX() methods. The filterXX() methods can be used to skip volumes
* and file systems.
*
* This class, by default, will not stop if an error occurs. It registers the error into an
* internal list. Those can be retrieved with getErrorList(). If you want to deal with errors
* differently, you must implement handleError().
*/
class TskAuto {
public:
unsigned int m_tag;
TskAuto();
virtual ~ TskAuto();
virtual uint8_t openImage(int, const TSK_TCHAR * const images[],
TSK_IMG_TYPE_ENUM, unsigned int a_ssize);
virtual uint8_t openImageUtf8(int, const char *const images[],
TSK_IMG_TYPE_ENUM, unsigned int a_ssize);
virtual uint8_t openImageHandle(TSK_IMG_INFO *);
virtual void closeImage();
TSK_OFF_T getImageSize() const;
/**
* Returns true if all processing and recursion should stop.
*/
bool getStopProcessing() const;
uint8_t findFilesInImg();
uint8_t findFilesInVs(TSK_OFF_T start);
uint8_t findFilesInVs(TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype);
uint8_t findFilesInFs(TSK_OFF_T start);
uint8_t findFilesInFs(TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype);
uint8_t findFilesInFs(TSK_OFF_T start, TSK_INUM_T inum);
uint8_t findFilesInFs(TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype,
TSK_INUM_T inum);
uint8_t findFilesInFs(TSK_FS_INFO * a_fs_info);
TSK_RETVAL_ENUM findFilesInFsRet(TSK_OFF_T start,
TSK_FS_TYPE_ENUM a_ftype);
void setFileFilterFlags(TSK_FS_DIR_WALK_FLAG_ENUM);
void setVolFilterFlags(TSK_VS_PART_FLAG_ENUM);
/**
* TskAuto calls this method before it processes the volume system that is found in an
* image. You can use this to learn about the volume system before it is processed
* and you can force TskAuto to skip this volume system.
* @param vs_info volume system details
* @returns Value to show if Vs should be processed, skipped, or process should stop.
*/
virtual TSK_FILTER_ENUM filterVs(const TSK_VS_INFO * vs_info);
/**
* TskAuto calls this method before it processes each volume that is found in a
* volume system. You can use this to learn about each volume before it is processed
* and you can force TskAuto to skip this volume. The setvolFilterFlags() method can be
* used to configure if TskAuto should process unallocated space.
*
* @param vs_part Parition details
* @returns Value to show if volume should be processed, skipped, or process should stop.
*/
virtual TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO * vs_part);
/**
* TskAuto calls this method before it processes each file system that is found in a
* volume. You can use this to learn about each file system before it is processed
* and you can force TskAuto to skip this file system.
* @param fs_info file system details
* @returns Value to show if FS should be processed, skipped, or process should stop.
*/
virtual TSK_FILTER_ENUM filterFs(TSK_FS_INFO * fs_info);
/**
* TskAuto calls this method for each file and directory that it finds in an image.
* The setFileFilterFlags() method can be used to set the criteria for what types of
* files this should be called for. There are several methods, such as isDir() that
* can be used by this method to help focus in on the files that you care about.
* When errors are encountered, send them to registerError().
*
* @param fs_file file details
* @param path full path of parent directory
* @returns STOP or OK. All error must have been registered.
*/
virtual TSK_RETVAL_ENUM processFile(TSK_FS_FILE * fs_file,
const char *path) = 0;
/**
* Internal method that TskAuto calls when it encounters issues while processing an image.
* It will add the error to an internal list and then call handleError() to allow the
* sub-class to decide what to do with the error.
* The tsk global error values must be set before this is called (tsk_error_set_errno, etc.).
* This method will reset the error values before it returns.
*
* @returns 1 if the caller should stop processing (registerError() implementation should
* also call setStopProcessing() to ensure all processes stop) or 0 if they should continue.
*/
uint8_t registerError();
struct error_record {
int code;
std::string msg1;
std::string msg2;
};
/**
* Get the list of errors that were added to
* the internal list. This list could be empty
* if the implementing class already acted on
* the errors or never called addToErrorList().
* @returns list of errors.
*/
const std::vector<error_record> getErrorList();
/**
* Remove the errors on the internal list.
*/
void resetErrorList();
static std::string errorRecordToString(error_record &rec);
/**
* Override this method to get called for each error that
* is registered. This method allows you to log the message
* or stop processing. Use setStopProcessing() to do that.
*
* @return 1 to stop the processing flow and 0 to continue.
*/
virtual uint8_t handleError();
/**
* get volume description of the lastly processed volume
* @return volume description string of the lastly processed volume
*/
std::string getCurVsPartDescr() const;
/**
* get volume flags of the lastly processed volume.
* @return flags for lastly processed volume.
*/
TSK_VS_PART_FLAG_ENUM getCurVsPartFlag() const;
/**
* Determine if we are inside of a volume system and
* therefore we can trust the results of getCurVsPartFlag/Desc.
*/
bool isCurVsValid() const;
private:
TSK_VS_PART_FLAG_ENUM m_volFilterFlags;
TSK_FS_DIR_WALK_FLAG_ENUM m_fileFilterFlags;
std::vector<error_record> m_errors;
// prevent copying until we add proper logic to handle it
TskAuto(const TskAuto&);
TskAuto & operator=(const TskAuto&);
static TSK_WALK_RET_ENUM dirWalkCb(TSK_FS_FILE * fs_file,
const char *path, void *ptr);
static TSK_WALK_RET_ENUM vsWalkCb(TSK_VS_INFO * vs_info,
const TSK_VS_PART_INFO * vs_part, void *ptr);
TSK_RETVAL_ENUM findFilesInFsInt(TSK_FS_INFO *, TSK_INUM_T inum);
std::string m_curVsPartDescr; ///< description string of the current volume being processed
TSK_VS_PART_FLAG_ENUM m_curVsPartFlag; ///< Flag of the current volume being processed
bool m_curVsPartValid; ///< True if we are inside of a volume system (and therefore m_CurVs are valid)
void setCurVsPart(const TSK_VS_PART_INFO *);
protected:
TSK_IMG_INFO * m_img_info;
bool m_internalOpen; ///< True if m_img_info was opened in TskAuto and false if passed in
bool m_stopAllProcessing; ///< True if no further processing should occur
uint8_t isNtfsSystemFiles(TSK_FS_FILE * fs_file, const char *path);
uint8_t isFATSystemFiles(TSK_FS_FILE * fs_file);
uint8_t isDotDir(TSK_FS_FILE * fs_file);
uint8_t isDir(TSK_FS_FILE * fs_file);
uint8_t isFile(TSK_FS_FILE * fs_file);
uint8_t isDefaultType(TSK_FS_FILE * fs_file,
const TSK_FS_ATTR * fs_attr);
uint8_t isNonResident(const TSK_FS_ATTR * fs_attr);
TSK_RETVAL_ENUM processAttributes(TSK_FS_FILE * fs_file,
const char *path);
/**
* Method that is called from processAttributes() for each attribute that a file
* has. processAttributes() is not called by default. It exists so that implementations
* of processFile() can choose to call it if they want to look at all of the attributes.
* You must implement this method to see each attribute and modify processFile() so that
* it calls processAttributes().
*
* @param fs_file File being analyzed.
* @param fs_attr Attribute of the file.
* @param path full path of parent directory
* @returns STOP or OK. All error must have been registered.
*/
virtual TSK_RETVAL_ENUM processAttribute(TSK_FS_FILE * fs_file,
const TSK_FS_ATTR * fs_attr, const char *path);
/**
* When called, will cause TskAuto to not continue to recurse into directories and volumes.
*/
void setStopProcessing();
};
#endif
#endif
|