/src/sleuthkit/tsk/fs/fatxxfs.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | ** fatxxfs |
3 | | ** The Sleuth Kit |
4 | | ** |
5 | | ** Content and meta data layer support for the FATXX file system |
6 | | ** |
7 | | ** Brian Carrier [carrier <at> sleuthkit [dot] org] |
8 | | ** Copyright (c) 2006-2013 Brian Carrier, Basis Technology. All Rights reserved |
9 | | ** Copyright (c) 2003-2005 Brian Carrier. All rights reserved |
10 | | ** |
11 | | ** TASK |
12 | | ** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved |
13 | | ** |
14 | | ** |
15 | | ** This software is distributed under the Common Public License 1.0 |
16 | | ** |
17 | | ** Unicode added with support from I.D.E.A.L. Technology Corp (Aug '05) |
18 | | ** |
19 | | */ |
20 | | |
21 | | /** |
22 | | * \file fatxxfs.c |
23 | | * Contains the internal TSK FATXX (FAT12, FAT16, FAT32) file system code to |
24 | | * handle basic file system processing for opening file system, processing |
25 | | * sectors, and directory entries. |
26 | | */ |
27 | | |
28 | | #include "tsk_fatxxfs.h" |
29 | | |
30 | | #include <memory> |
31 | | |
32 | | /* |
33 | | * Implementation NOTES |
34 | | * |
35 | | * TSK_FS_META contains the first cluster. file_walk will return sector |
36 | | * values though because the cluster numbers do not start until after |
37 | | * the FAT. That makes it very hard to address the first few blocks! |
38 | | * |
39 | | * Inodes numbers do not exist in FAT. To make up for this we will count |
40 | | * directory entries as the inodes. As the root directory does not have |
41 | | * any records in FAT, we will give it times of 0 and call it inode 2 to |
42 | | * keep consistent with UNIX. After that, each 32-byte slot is numbered |
43 | | * as though it were a directory entry (even if it is not). Therefore, |
44 | | * when an inode walk is performed, not all inode values will be displayed |
45 | | * even when '-e' is given for ils. |
46 | | * |
47 | | * Progs like 'ils -e' are very slow because we have to look at each |
48 | | * block to see if it is a file system structure. |
49 | | */ |
50 | | |
51 | | /** |
52 | | * Print details about the file system to a file handle. |
53 | | * |
54 | | * @param fs File system to print details on |
55 | | * @param hFile File handle to print text to |
56 | | * |
57 | | * @returns 1 on error and 0 on success |
58 | | */ |
59 | | static uint8_t |
60 | | fatxxfs_fsstat(TSK_FS_INFO * fs, FILE * hFile) |
61 | 0 | { |
62 | 0 | unsigned int i; |
63 | 0 | TSK_DADDR_T next, snext, sstart, send; |
64 | 0 | FATFS_INFO *fatfs = (FATFS_INFO *) fs; |
65 | 0 | FATXXFS_SB *sb = (FATXXFS_SB*)fatfs->boot_sector_buffer; |
66 | 0 | char *data_buf; |
67 | 0 | FATXXFS_DENTRY *vol_label_dentry = NULL; |
68 | 0 | ssize_t cnt; |
69 | | |
70 | | // clean up any error messages that are lying around |
71 | 0 | tsk_error_reset(); |
72 | |
|
73 | 0 | if ((data_buf = (char *) tsk_malloc(fs->block_size)) == NULL) { |
74 | 0 | return 1; |
75 | 0 | } |
76 | | |
77 | | |
78 | | /* Read the root directory sector so that we can get the volume |
79 | | * label from it */ |
80 | 0 | cnt = tsk_fs_read_block(fs, fatfs->rootsect, data_buf, fs->block_size); |
81 | 0 | if (cnt != fs->block_size) { |
82 | 0 | if (cnt >= 0) { |
83 | 0 | tsk_error_reset(); |
84 | 0 | tsk_error_set_errno(TSK_ERR_FS_READ); |
85 | 0 | } |
86 | 0 | tsk_error_set_errstr2("fatxxfs_fsstat: root directory: %" PRIuDADDR, |
87 | 0 | fatfs->rootsect); |
88 | 0 | free(data_buf); |
89 | 0 | return 1; |
90 | 0 | } |
91 | | |
92 | | |
93 | | /* Find the dentry that is set as the volume label */ |
94 | 0 | vol_label_dentry = NULL; |
95 | 0 | if (fatfs->ssize <= fs->block_size) { |
96 | 0 | FATXXFS_DENTRY *current_entry = (FATXXFS_DENTRY *) data_buf; |
97 | 0 | for (i = 0; i < fatfs->ssize; i += sizeof(*current_entry)) { |
98 | 0 | if (current_entry->attrib == FATFS_ATTR_VOLUME) { |
99 | 0 | vol_label_dentry = current_entry; |
100 | 0 | break; |
101 | 0 | } |
102 | 0 | current_entry++; |
103 | 0 | } |
104 | 0 | } |
105 | | |
106 | | |
107 | | /* Print the general file system information */ |
108 | |
|
109 | 0 | tsk_fprintf(hFile, "FILE SYSTEM INFORMATION\n"); |
110 | 0 | tsk_fprintf(hFile, "--------------------------------------------\n"); |
111 | |
|
112 | 0 | tsk_fprintf(hFile, "File System Type: FAT"); |
113 | 0 | if (fs->ftype == TSK_FS_TYPE_FAT12) |
114 | 0 | tsk_fprintf(hFile, "12\n"); |
115 | 0 | else if (fs->ftype == TSK_FS_TYPE_FAT16) |
116 | 0 | tsk_fprintf(hFile, "16\n"); |
117 | 0 | else if (fs->ftype == TSK_FS_TYPE_FAT32) |
118 | 0 | tsk_fprintf(hFile, "32\n"); |
119 | 0 | else |
120 | 0 | tsk_fprintf(hFile, "\n"); |
121 | |
|
122 | 0 | tsk_fprintf(hFile, "\nOEM Name: %c%c%c%c%c%c%c%c\n", sb->oemname[0], |
123 | 0 | sb->oemname[1], sb->oemname[2], sb->oemname[3], sb->oemname[4], |
124 | 0 | sb->oemname[5], sb->oemname[6], sb->oemname[7]); |
125 | | |
126 | |
|
127 | 0 | if (fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) { |
128 | 0 | tsk_fprintf(hFile, "Volume ID: 0x%" PRIx32 "\n", |
129 | 0 | tsk_getu32(fs->endian, sb->a.f16.vol_id)); |
130 | |
|
131 | 0 | tsk_fprintf(hFile, |
132 | 0 | "Volume Label (Boot Sector): %c%c%c%c%c%c%c%c%c%c%c\n", |
133 | 0 | sb->a.f16.vol_lab[0], sb->a.f16.vol_lab[1], |
134 | 0 | sb->a.f16.vol_lab[2], sb->a.f16.vol_lab[3], |
135 | 0 | sb->a.f16.vol_lab[4], sb->a.f16.vol_lab[5], |
136 | 0 | sb->a.f16.vol_lab[6], sb->a.f16.vol_lab[7], |
137 | 0 | sb->a.f16.vol_lab[8], sb->a.f16.vol_lab[9], |
138 | 0 | sb->a.f16.vol_lab[10]); |
139 | |
|
140 | 0 | if ((vol_label_dentry) && (vol_label_dentry->name[0])) { |
141 | 0 | tsk_fprintf(hFile, |
142 | 0 | "Volume Label (Root Directory): %c%c%c%c%c%c%c%c%c%c%c\n", |
143 | 0 | vol_label_dentry->name[0], vol_label_dentry->name[1], vol_label_dentry->name[2], vol_label_dentry->name[3], |
144 | 0 | vol_label_dentry->name[4], vol_label_dentry->name[5], vol_label_dentry->name[6], vol_label_dentry->name[7], |
145 | 0 | vol_label_dentry->ext[0], vol_label_dentry->ext[1], vol_label_dentry->ext[2]); |
146 | 0 | } |
147 | 0 | else { |
148 | 0 | tsk_fprintf(hFile, "Volume Label (Root Directory):\n"); |
149 | 0 | } |
150 | |
|
151 | 0 | tsk_fprintf(hFile, "File System Type Label: %c%c%c%c%c%c%c%c\n", |
152 | 0 | sb->a.f16.fs_type[0], sb->a.f16.fs_type[1], |
153 | 0 | sb->a.f16.fs_type[2], sb->a.f16.fs_type[3], |
154 | 0 | sb->a.f16.fs_type[4], sb->a.f16.fs_type[5], |
155 | 0 | sb->a.f16.fs_type[6], sb->a.f16.fs_type[7]); |
156 | 0 | } |
157 | 0 | else { |
158 | |
|
159 | 0 | char *fat_fsinfo_buf; |
160 | |
|
161 | 0 | if ((fat_fsinfo_buf = (char *) |
162 | 0 | tsk_malloc(sizeof(FATXXFS_FSINFO))) == NULL) { |
163 | 0 | free(data_buf); |
164 | 0 | return 1; |
165 | 0 | } |
166 | | |
167 | 0 | tsk_fprintf(hFile, "Volume ID: 0x%" PRIx32 "\n", |
168 | 0 | tsk_getu32(fs->endian, sb->a.f32.vol_id)); |
169 | |
|
170 | 0 | tsk_fprintf(hFile, |
171 | 0 | "Volume Label (Boot Sector): %c%c%c%c%c%c%c%c%c%c%c\n", |
172 | 0 | sb->a.f32.vol_lab[0], sb->a.f32.vol_lab[1], |
173 | 0 | sb->a.f32.vol_lab[2], sb->a.f32.vol_lab[3], |
174 | 0 | sb->a.f32.vol_lab[4], sb->a.f32.vol_lab[5], |
175 | 0 | sb->a.f32.vol_lab[6], sb->a.f32.vol_lab[7], |
176 | 0 | sb->a.f32.vol_lab[8], sb->a.f32.vol_lab[9], |
177 | 0 | sb->a.f32.vol_lab[10]); |
178 | |
|
179 | 0 | if ((vol_label_dentry) && (vol_label_dentry->name[0])) { |
180 | 0 | tsk_fprintf(hFile, |
181 | 0 | "Volume Label (Root Directory): %c%c%c%c%c%c%c%c%c%c%c\n", |
182 | 0 | vol_label_dentry->name[0], vol_label_dentry->name[1], vol_label_dentry->name[2], vol_label_dentry->name[3], |
183 | 0 | vol_label_dentry->name[4], vol_label_dentry->name[5], vol_label_dentry->name[6], vol_label_dentry->name[7], |
184 | 0 | vol_label_dentry->ext[0], vol_label_dentry->ext[1], vol_label_dentry->ext[2]); |
185 | 0 | } |
186 | 0 | else { |
187 | 0 | tsk_fprintf(hFile, "Volume Label (Root Directory):\n"); |
188 | 0 | } |
189 | |
|
190 | 0 | tsk_fprintf(hFile, "File System Type Label: %c%c%c%c%c%c%c%c\n", |
191 | 0 | sb->a.f32.fs_type[0], sb->a.f32.fs_type[1], |
192 | 0 | sb->a.f32.fs_type[2], sb->a.f32.fs_type[3], |
193 | 0 | sb->a.f32.fs_type[4], sb->a.f32.fs_type[5], |
194 | 0 | sb->a.f32.fs_type[6], sb->a.f32.fs_type[7]); |
195 | | |
196 | | |
197 | | /* Process the FS info */ |
198 | 0 | if (tsk_getu16(fs->endian, sb->a.f32.fsinfo)) { |
199 | 0 | FATXXFS_FSINFO *fat_info; |
200 | 0 | cnt = |
201 | 0 | tsk_fs_read(fs, |
202 | 0 | (TSK_DADDR_T) tsk_getu16(fs->endian, sb->a.f32.fsinfo) * fs->block_size, |
203 | 0 | fat_fsinfo_buf, sizeof(FATXXFS_FSINFO)); |
204 | |
|
205 | 0 | if (cnt != sizeof(FATXXFS_FSINFO)) { |
206 | 0 | if (cnt >= 0) { |
207 | 0 | tsk_error_reset(); |
208 | 0 | tsk_error_set_errno(TSK_ERR_FS_READ); |
209 | 0 | } |
210 | 0 | tsk_error_set_errstr2 |
211 | 0 | ("fatxxfs_fsstat: TSK_FS_TYPE_FAT32 FSINFO block: %" |
212 | 0 | PRIuDADDR, (TSK_DADDR_T) tsk_getu16(fs->endian, |
213 | 0 | sb->a.f32.fsinfo)); |
214 | 0 | free(data_buf); |
215 | 0 | free(fat_fsinfo_buf); |
216 | 0 | return 1; |
217 | 0 | } |
218 | | |
219 | | |
220 | 0 | fat_info = (FATXXFS_FSINFO *) fat_fsinfo_buf; |
221 | 0 | tsk_fprintf(hFile, |
222 | 0 | "Next Free Sector (FS Info): %" PRIuDADDR "\n", |
223 | 0 | FATFS_CLUST_2_SECT(fatfs, tsk_getu32(fs->endian, |
224 | 0 | fat_info->nextfree))); |
225 | |
|
226 | 0 | tsk_fprintf(hFile, |
227 | 0 | "Free Sector Count (FS Info): %" PRIu32 "\n", |
228 | 0 | (tsk_getu32(fs->endian, |
229 | 0 | fat_info->freecnt) * fatfs->csize)); |
230 | |
|
231 | 0 | free(fat_fsinfo_buf); |
232 | 0 | } |
233 | 0 | } |
234 | | |
235 | 0 | free(data_buf); |
236 | |
|
237 | 0 | tsk_fprintf(hFile, "\nSectors before file system: %" PRIu32 "\n", |
238 | 0 | tsk_getu32(fs->endian, sb->prevsect)); |
239 | |
|
240 | 0 | tsk_fprintf(hFile, "\nFile System Layout (in sectors)\n"); |
241 | |
|
242 | 0 | tsk_fprintf(hFile, "Total Range: %" PRIuDADDR " - %" PRIuDADDR "\n", |
243 | 0 | fs->first_block, fs->last_block); |
244 | |
|
245 | 0 | if (fs->last_block != fs->last_block_act) |
246 | 0 | tsk_fprintf(hFile, |
247 | 0 | "Total Range in Image: %" PRIuDADDR " - %" PRIuDADDR "\n", |
248 | 0 | fs->first_block, fs->last_block_act); |
249 | |
|
250 | 0 | tsk_fprintf(hFile, "* Reserved: 0 - %" PRIuDADDR "\n", |
251 | 0 | fatfs->firstfatsect - 1); |
252 | |
|
253 | 0 | tsk_fprintf(hFile, "** Boot Sector: 0\n"); |
254 | |
|
255 | 0 | if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) { |
256 | 0 | tsk_fprintf(hFile, "** FS Info Sector: %" PRIu16 "\n", |
257 | 0 | tsk_getu16(fs->endian, sb->a.f32.fsinfo)); |
258 | |
|
259 | 0 | tsk_fprintf(hFile, "** Backup Boot Sector: %" PRIu16 "\n", |
260 | 0 | tsk_getu16(fs->endian, sb->a.f32.bs_backup)); |
261 | 0 | } |
262 | |
|
263 | 0 | for (i = 0; i < fatfs->numfat; i++) { |
264 | 0 | TSK_DADDR_T base = fatfs->firstfatsect + i * (fatfs->sectperfat); |
265 | |
|
266 | 0 | tsk_fprintf(hFile, "* FAT %d: %" PRIuDADDR " - %" PRIuDADDR "\n", |
267 | 0 | i, base, (base + fatfs->sectperfat - 1)); |
268 | 0 | } |
269 | |
|
270 | 0 | tsk_fprintf(hFile, "* Data Area: %" PRIuDADDR " - %" PRIuDADDR "\n", |
271 | 0 | fatfs->firstdatasect, fs->last_block); |
272 | |
|
273 | 0 | if (fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) { |
274 | 0 | TSK_DADDR_T x = fatfs->csize * fatfs->clustcnt; |
275 | |
|
276 | 0 | tsk_fprintf(hFile, |
277 | 0 | "** Root Directory: %" PRIuDADDR " - %" PRIuDADDR "\n", |
278 | 0 | fatfs->firstdatasect, fatfs->firstclustsect - 1); |
279 | |
|
280 | 0 | tsk_fprintf(hFile, |
281 | 0 | "** Cluster Area: %" PRIuDADDR " - %" PRIuDADDR "\n", |
282 | 0 | fatfs->firstclustsect, (fatfs->firstclustsect + x - 1)); |
283 | |
|
284 | 0 | if ((fatfs->firstclustsect + x - 1) != fs->last_block) { |
285 | 0 | tsk_fprintf(hFile, |
286 | 0 | "** Non-clustered: %" PRIuDADDR " - %" PRIuDADDR "\n", |
287 | 0 | (fatfs->firstclustsect + x), fs->last_block); |
288 | 0 | } |
289 | 0 | } |
290 | 0 | else { |
291 | 0 | TSK_LIST *list_seen = NULL; |
292 | 0 | TSK_DADDR_T x = fatfs->csize * (fatfs->lastclust - 1); |
293 | 0 | TSK_DADDR_T clust, clust_p; |
294 | |
|
295 | 0 | tsk_fprintf(hFile, |
296 | 0 | "** Cluster Area: %" PRIuDADDR " - %" PRIuDADDR "\n", |
297 | 0 | fatfs->firstclustsect, (fatfs->firstclustsect + x - 1)); |
298 | | |
299 | |
|
300 | 0 | clust_p = fatfs->rootsect; |
301 | 0 | clust = FATFS_SECT_2_CLUST(fatfs, fatfs->rootsect); |
302 | 0 | while ((clust) && (0 == FATFS_ISEOF(clust, FATFS_32_MASK))) { |
303 | 0 | TSK_DADDR_T nxt; |
304 | 0 | clust_p = clust; |
305 | | |
306 | | /* Make sure we do not get into an infinite loop */ |
307 | 0 | if (tsk_list_find(list_seen, clust)) { |
308 | 0 | if (tsk_verbose) |
309 | 0 | tsk_fprintf(stderr, |
310 | 0 | "Loop found while determining root directory size\n"); |
311 | 0 | break; |
312 | 0 | } |
313 | 0 | if (tsk_list_add(&list_seen, clust)) { |
314 | 0 | tsk_list_free(list_seen); |
315 | 0 | list_seen = NULL; |
316 | 0 | return 1; |
317 | 0 | } |
318 | | |
319 | 0 | if (fatfs_getFAT(fatfs, clust, &nxt)) |
320 | 0 | break; |
321 | 0 | clust = nxt; |
322 | 0 | } |
323 | 0 | tsk_list_free(list_seen); |
324 | 0 | list_seen = NULL; |
325 | |
|
326 | 0 | tsk_fprintf(hFile, |
327 | 0 | "*** Root Directory: %" PRIuDADDR " - %" PRIuDADDR "\n", |
328 | 0 | fatfs->rootsect, (FATFS_CLUST_2_SECT(fatfs, clust_p + 1) - 1)); |
329 | |
|
330 | 0 | if ((fatfs->firstclustsect + x - 1) != fs->last_block) { |
331 | 0 | tsk_fprintf(hFile, |
332 | 0 | "** Non-clustered: %" PRIuDADDR " - %" PRIuDADDR "\n", |
333 | 0 | (fatfs->firstclustsect + x), fs->last_block); |
334 | 0 | } |
335 | 0 | } |
336 | | |
337 | | |
338 | 0 | tsk_fprintf(hFile, "\nMETADATA INFORMATION\n"); |
339 | 0 | tsk_fprintf(hFile, "--------------------------------------------\n"); |
340 | |
|
341 | 0 | tsk_fprintf(hFile, "Range: %" PRIuINUM " - %" PRIuINUM "\n", |
342 | 0 | fs->first_inum, fs->last_inum); |
343 | 0 | tsk_fprintf(hFile, "Root Directory: %" PRIuINUM "\n", fs->root_inum); |
344 | | |
345 | |
|
346 | 0 | tsk_fprintf(hFile, "\nCONTENT INFORMATION\n"); |
347 | 0 | tsk_fprintf(hFile, "--------------------------------------------\n"); |
348 | 0 | tsk_fprintf(hFile, "Sector Size: %" PRIu16 "\n", fatfs->ssize); |
349 | 0 | tsk_fprintf(hFile, "Cluster Size: %" PRIu32 "\n", |
350 | 0 | (uint32_t) fatfs->csize << fatfs->ssize_sh); |
351 | |
|
352 | 0 | tsk_fprintf(hFile, "Total Cluster Range: 2 - %" PRIuDADDR "\n", |
353 | 0 | fatfs->lastclust); |
354 | | |
355 | | |
356 | | /* cycle via cluster and look at each cluster in the FAT |
357 | | * for clusters marked as bad */ |
358 | 0 | cnt = 0; |
359 | 0 | for (i = 2; i <= fatfs->lastclust; i++) { |
360 | 0 | TSK_DADDR_T entry; |
361 | 0 | TSK_DADDR_T sect; |
362 | 0 | unsigned int a; |
363 | | |
364 | | /* Get the FAT table entry */ |
365 | 0 | if (fatfs_getFAT(fatfs, i, &entry)) |
366 | 0 | break; |
367 | | |
368 | 0 | if (FATFS_ISBAD(entry, fatfs->mask) == 0) { |
369 | 0 | continue; |
370 | 0 | } |
371 | | |
372 | 0 | if (cnt == 0) |
373 | 0 | tsk_fprintf(hFile, "Bad Sectors: "); |
374 | |
|
375 | 0 | sect = FATFS_CLUST_2_SECT(fatfs, i); |
376 | 0 | for (a = 0; a < fatfs->csize; a++) { |
377 | 0 | tsk_fprintf(hFile, "%" PRIuDADDR " ", sect + a); |
378 | 0 | if ((++cnt % 8) == 0) |
379 | 0 | tsk_fprintf(hFile, "\n"); |
380 | 0 | } |
381 | 0 | } |
382 | 0 | if ((cnt > 0) && ((cnt % 8) != 0)) |
383 | 0 | tsk_fprintf(hFile, "\n"); |
384 | | |
385 | | /* Display the FAT Table */ |
386 | 0 | tsk_fprintf(hFile, "\nFAT CONTENTS (in sectors)\n"); |
387 | 0 | tsk_fprintf(hFile, "--------------------------------------------\n"); |
388 | | |
389 | | /* 'sstart' marks the first sector of the current run to print */ |
390 | 0 | sstart = fatfs->firstclustsect; |
391 | | |
392 | | /* cycle via cluster and look at each cluster in the FAT to make runs */ |
393 | 0 | for (i = 2; i <= fatfs->lastclust; i++) { |
394 | | |
395 | | /* 'send' marks the end sector of the current run, which will extend |
396 | | * when the current cluster continues to the next |
397 | | */ |
398 | 0 | send = FATFS_CLUST_2_SECT(fatfs, i + 1) - 1; |
399 | | |
400 | | /* get the next cluster */ |
401 | 0 | if (fatfs_getFAT(fatfs, i, &next)) |
402 | 0 | break; |
403 | | |
404 | 0 | snext = FATFS_CLUST_2_SECT(fatfs, next); |
405 | | |
406 | | /* we are also using the next sector (clust) */ |
407 | 0 | if ((next & fatfs->mask) == (i + 1)) { |
408 | 0 | continue; |
409 | 0 | } |
410 | | |
411 | | /* The next clust is either further away or the clust is available, |
412 | | * print it if is further away |
413 | | */ |
414 | 0 | else if ((next & fatfs->mask)) { |
415 | 0 | if (FATFS_ISEOF(next, fatfs->mask)) |
416 | 0 | tsk_fprintf(hFile, |
417 | 0 | "%" PRIuDADDR "-%" PRIuDADDR " (%" PRIuDADDR |
418 | 0 | ") -> EOF\n", sstart, send, send - sstart + 1); |
419 | 0 | else if (FATFS_ISBAD(next, fatfs->mask)) |
420 | 0 | tsk_fprintf(hFile, |
421 | 0 | "%" PRIuDADDR "-%" PRIuDADDR " (%" PRIuDADDR |
422 | 0 | ") -> BAD\n", sstart, send, send - sstart + 1); |
423 | 0 | else |
424 | 0 | tsk_fprintf(hFile, |
425 | 0 | "%" PRIuDADDR "-%" PRIuDADDR " (%" PRIuDADDR |
426 | 0 | ") -> %" PRIuDADDR "\n", sstart, send, |
427 | 0 | send - sstart + 1, snext); |
428 | 0 | } |
429 | | |
430 | | /* reset the starting counter */ |
431 | 0 | sstart = send + 1; |
432 | 0 | } |
433 | |
|
434 | 0 | return 0; |
435 | 0 | } |
436 | | |
437 | | uint8_t |
438 | | fatxxfs_open(FATFS_INFO *fatfs) |
439 | 0 | { |
440 | 0 | const char *func_name = "fatxxfs_open"; |
441 | 0 | TSK_FS_INFO *fs = &(fatfs->fs_info); |
442 | 0 | FATXXFS_SB *fatsb = (FATXXFS_SB*)(&fatfs->boot_sector_buffer); |
443 | 0 | int i = 0; |
444 | 0 | TSK_DADDR_T sectors = 0; |
445 | | |
446 | | // clean up any error messages that are lying around |
447 | 0 | tsk_error_reset(); |
448 | | |
449 | | /* Calculate block sizes and layout info */ |
450 | | // sector size |
451 | 0 | fatfs->ssize = tsk_getu16(fs->endian, fatsb->ssize); |
452 | 0 | if (fatfs->ssize == 512) { |
453 | 0 | fatfs->ssize_sh = 9; |
454 | 0 | } |
455 | 0 | else if (fatfs->ssize == 1024) { |
456 | 0 | fatfs->ssize_sh = 10; |
457 | 0 | } |
458 | 0 | else if (fatfs->ssize == 2048) { |
459 | 0 | fatfs->ssize_sh = 11; |
460 | 0 | } |
461 | 0 | else if (fatfs->ssize == 4096) { |
462 | 0 | fatfs->ssize_sh = 12; |
463 | 0 | } |
464 | 0 | else { |
465 | 0 | tsk_error_reset(); |
466 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
467 | 0 | tsk_error_set_errstr |
468 | 0 | ("Error: sector size (%d) is not a multiple of device size (%d)\nDo you have a disk image instead of a partition image?", |
469 | 0 | fatfs->ssize, fs->dev_bsize); |
470 | 0 | if (tsk_verbose) |
471 | 0 | fprintf(stderr, "%s: Invalid sector size (%d)\n", |
472 | 0 | func_name, fatfs->ssize); |
473 | 0 | return 1; |
474 | 0 | } |
475 | | |
476 | | // cluster size |
477 | 0 | fatfs->csize = fatsb->csize; |
478 | 0 | if ((fatfs->csize != 0x01) && |
479 | 0 | (fatfs->csize != 0x02) && |
480 | 0 | (fatfs->csize != 0x04) && |
481 | 0 | (fatfs->csize != 0x08) && |
482 | 0 | (fatfs->csize != 0x10) && |
483 | 0 | (fatfs->csize != 0x20) && |
484 | 0 | (fatfs->csize != 0x40) && (fatfs->csize != 0x80)) { |
485 | 0 | if (tsk_verbose) |
486 | 0 | fprintf(stderr, "%s: Invalid cluster size (%d)\n", |
487 | 0 | func_name, fatfs->csize); |
488 | 0 | tsk_error_reset(); |
489 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
490 | 0 | tsk_error_set_errstr("Not a FATXX file system (cluster size)"); |
491 | 0 | return 1; |
492 | 0 | } |
493 | | |
494 | | // number of FAT tables |
495 | 0 | fatfs->numfat = fatsb->numfat; |
496 | 0 | if ((fatfs->numfat == 0) || (fatfs->numfat > 8)) { |
497 | 0 | if (tsk_verbose) |
498 | 0 | fprintf(stderr, "%s: Invalid number of FATS (%d)\n", |
499 | 0 | func_name, fatfs->numfat); |
500 | 0 | tsk_error_reset(); |
501 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
502 | 0 | tsk_error_set_errstr("Not a FATXX file system (number of FATs)"); |
503 | 0 | return 1; |
504 | 0 | } |
505 | | |
506 | | /* We can't do a sanity check on this b.c. TSK_FS_TYPE_FAT32 has a value of 0 */ |
507 | | /* num of root entries */ |
508 | 0 | fatfs->numroot = tsk_getu16(fs->endian, fatsb->numroot); |
509 | | |
510 | | /* if sectors16 is 0, then the number of sectors is stored in sectors32 */ |
511 | 0 | if (0 == (sectors = tsk_getu16(fs->endian, fatsb->sectors16))) |
512 | 0 | sectors = tsk_getu32(fs->endian, fatsb->sectors32); |
513 | | |
514 | | /* if secperfat16 is 0, then read sectperfat32 */ |
515 | 0 | if (0 == (fatfs->sectperfat = |
516 | 0 | tsk_getu16(fs->endian, fatsb->sectperfat16))) |
517 | 0 | fatfs->sectperfat = |
518 | 0 | tsk_getu32(fs->endian, fatsb->a.f32.sectperfat32); |
519 | |
|
520 | 0 | if (fatfs->sectperfat == 0) { |
521 | 0 | if (tsk_verbose) |
522 | 0 | fprintf(stderr, |
523 | 0 | "%s: Invalid number of sectors per FAT (%d)\n", |
524 | 0 | func_name, fatfs->sectperfat); |
525 | 0 | tsk_error_reset(); |
526 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
527 | 0 | tsk_error_set_errstr |
528 | 0 | ("Not a FATXX file system (invalid sectors per FAT)"); |
529 | 0 | return 1; |
530 | 0 | } |
531 | | |
532 | 0 | fatfs->firstfatsect = tsk_getu16(fs->endian, fatsb->reserved); |
533 | 0 | if ((fatfs->firstfatsect == 0) || (fatfs->firstfatsect > sectors)) { |
534 | 0 | tsk_error_reset(); |
535 | 0 | tsk_error_set_errno(TSK_ERR_FS_WALK_RNG); |
536 | 0 | tsk_error_set_errstr |
537 | 0 | ("Not a FATXX file system (invalid first FAT sector %" |
538 | 0 | PRIuDADDR ")", fatfs->firstfatsect); |
539 | 0 | if (tsk_verbose) |
540 | 0 | fprintf(stderr, |
541 | 0 | "%s: Invalid first FAT (%" PRIuDADDR ")\n", |
542 | 0 | func_name, fatfs->firstfatsect); |
543 | 0 | return 1; |
544 | 0 | } |
545 | | |
546 | | /* Calculate the block info |
547 | | * |
548 | | * The sector of the beginning of the data area - which is |
549 | | * after all of the FATs |
550 | | * |
551 | | * For TSK_FS_TYPE_FAT12 and TSK_FS_TYPE_FAT16, the data area starts with the root |
552 | | * directory entries and then the first cluster. For TSK_FS_TYPE_FAT32, |
553 | | * the data area starts with clusters and the root directory |
554 | | * is somewhere in the data area |
555 | | */ |
556 | 0 | fatfs->firstdatasect = fatfs->firstfatsect + |
557 | 0 | fatfs->sectperfat * fatfs->numfat; |
558 | | |
559 | | /* The sector where the first cluster is located. It will be used |
560 | | * to translate cluster addresses to sector addresses |
561 | | * |
562 | | * For TSK_FS_TYPE_FAT32, the first cluster is the start of the data area and |
563 | | * it is after the root directory for TSK_FS_TYPE_FAT12 and TSK_FS_TYPE_FAT16. At this |
564 | | * point in the program, numroot is set to 0 for TSK_FS_TYPE_FAT32 |
565 | | */ |
566 | 0 | fatfs->firstclustsect = fatfs->firstdatasect + |
567 | 0 | ((fatfs->numroot * 32 + fatfs->ssize - 1) / fatfs->ssize); |
568 | | |
569 | | /* total number of clusters */ |
570 | 0 | fatfs->clustcnt = (sectors - fatfs->firstclustsect) / fatfs->csize; |
571 | | |
572 | | /* the first cluster is #2, so the final cluster is: */ |
573 | 0 | fatfs->lastclust = 1 + fatfs->clustcnt; |
574 | | |
575 | | |
576 | | /* identify the FAT type by the total number of data clusters |
577 | | * this calculation is from the MS FAT Overview Doc |
578 | | * |
579 | | * A FAT file system made by another OS could use different values |
580 | | */ |
581 | 0 | if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT_DETECT) { |
582 | |
|
583 | 0 | if (fatfs->clustcnt < 4085) { |
584 | 0 | fatfs->fs_info.ftype = TSK_FS_TYPE_FAT12; |
585 | 0 | } |
586 | 0 | else if (fatfs->clustcnt < 65525) { |
587 | 0 | fatfs->fs_info.ftype = TSK_FS_TYPE_FAT16; |
588 | 0 | } |
589 | 0 | else { |
590 | 0 | fatfs->fs_info.ftype = TSK_FS_TYPE_FAT32; |
591 | 0 | } |
592 | |
|
593 | 0 | fatfs->fs_info.ftype = fatfs->fs_info.ftype; |
594 | 0 | } |
595 | | |
596 | | /* Some sanity checks */ |
597 | 0 | else { |
598 | 0 | if ((fatfs->fs_info.ftype == TSK_FS_TYPE_FAT12) |
599 | 0 | && (fatfs->clustcnt >= 4085)) { |
600 | 0 | tsk_error_reset(); |
601 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
602 | 0 | tsk_error_set_errstr |
603 | 0 | ("Too many sectors for TSK_FS_TYPE_FAT12: try auto-detect mode"); |
604 | 0 | if (tsk_verbose) |
605 | 0 | fprintf(stderr, |
606 | 0 | "%s: Too many sectors for FAT12\n", func_name); |
607 | 0 | return 1; |
608 | 0 | } |
609 | 0 | } |
610 | | |
611 | 0 | if ((fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) && (fatfs->numroot != 0)) { |
612 | 0 | tsk_error_reset(); |
613 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
614 | 0 | tsk_error_set_errstr |
615 | 0 | ("Invalid TSK_FS_TYPE_FAT32 image (numroot != 0)"); |
616 | 0 | if (tsk_verbose) |
617 | 0 | fprintf(stderr, "%s: numroom != 0 for FAT32\n", func_name); |
618 | 0 | return 1; |
619 | 0 | } |
620 | | |
621 | 0 | if ((fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) && (fatfs->numroot == 0)) { |
622 | 0 | tsk_error_reset(); |
623 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
624 | 0 | tsk_error_set_errstr |
625 | 0 | ("Invalid FAT image (numroot == 0, and not TSK_FS_TYPE_FAT32)"); |
626 | 0 | if (tsk_verbose) |
627 | 0 | fprintf(stderr, "%s: numroom == 0 and not FAT32\n", func_name); |
628 | 0 | return 1; |
629 | 0 | } |
630 | | |
631 | | /* additional sanity checks if we think we are using the backup boot sector. |
632 | | * The scenario to prevent here is if fat_open is called 6 sectors before the real start |
633 | | * of the file system, then we want to detect that it was not a backup that we saw. |
634 | | */ |
635 | 0 | if (fatfs->using_backup_boot_sector) { |
636 | | // only FAT32 has backup boot sectors.. |
637 | 0 | if (fatfs->fs_info.ftype != TSK_FS_TYPE_FAT32) { |
638 | 0 | tsk_error_reset(); |
639 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
640 | 0 | tsk_error_set_errstr |
641 | 0 | ("Invalid FAT image (Used what we thought was a backup boot sector, but it is not TSK_FS_TYPE_FAT32)"); |
642 | 0 | if (tsk_verbose) |
643 | 0 | fprintf(stderr, |
644 | 0 | "%s: Had to use backup boot sector, but this isn't FAT32\n", func_name); |
645 | 0 | return 1; |
646 | 0 | } |
647 | 0 | if (fatfs->numroot > 1) { |
648 | 0 | uint8_t buf1[512]; |
649 | 0 | uint8_t buf2[512]; |
650 | 0 | int i2; |
651 | 0 | int numDiffs; |
652 | 0 | ssize_t cnt = 0; |
653 | |
|
654 | 0 | cnt = |
655 | 0 | tsk_fs_read(fs, fatfs->firstfatsect * fatfs->ssize, |
656 | 0 | (char *) buf1, 512); |
657 | 0 | if (cnt != 512) { |
658 | 0 | if (cnt >= 0) { |
659 | 0 | tsk_error_reset(); |
660 | 0 | tsk_error_set_errno(TSK_ERR_FS_READ); |
661 | 0 | } |
662 | 0 | tsk_error_set_errstr2("%s: FAT1", func_name); |
663 | 0 | fs->tag = 0; |
664 | 0 | return 1; |
665 | 0 | } |
666 | | |
667 | 0 | cnt = |
668 | 0 | tsk_fs_read(fs, |
669 | 0 | (fatfs->firstfatsect + fatfs->sectperfat) * fatfs->ssize, |
670 | 0 | (char *) buf2, 512); |
671 | 0 | if (cnt != 512) { |
672 | 0 | if (cnt >= 0) { |
673 | 0 | tsk_error_reset(); |
674 | 0 | tsk_error_set_errno(TSK_ERR_FS_READ); |
675 | 0 | } |
676 | 0 | tsk_error_set_errstr2("%s: FAT2", func_name); |
677 | 0 | fs->tag = 0; |
678 | 0 | return 1; |
679 | 0 | } |
680 | | |
681 | 0 | numDiffs = 0; |
682 | 0 | for (i2 = 0; i2 < 512; i2++) { |
683 | 0 | if (buf1[i2] != buf2[i2]) { |
684 | 0 | numDiffs++; |
685 | 0 | } |
686 | 0 | } |
687 | 0 | if (numDiffs > 25) { |
688 | 0 | tsk_error_reset(); |
689 | 0 | tsk_error_set_errno(TSK_ERR_FS_MAGIC); |
690 | 0 | tsk_error_set_errstr |
691 | 0 | ("Invalid FAT image (Too many differences between FATS from guessing (%d diffs))", |
692 | 0 | numDiffs); |
693 | 0 | if (tsk_verbose) |
694 | 0 | fprintf(stderr, |
695 | 0 | "%s: Too many differences in FAT from guessing (%d diffs)\n", |
696 | 0 | func_name, numDiffs); |
697 | 0 | return 1; |
698 | 0 | } |
699 | 0 | } |
700 | 0 | } |
701 | | |
702 | | /* Set the mask to use on the cluster values */ |
703 | 0 | if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT12) { |
704 | 0 | fatfs->mask = FATFS_12_MASK; |
705 | 0 | } |
706 | 0 | else if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT16) { |
707 | 0 | fatfs->mask = FATFS_16_MASK; |
708 | 0 | } |
709 | 0 | else if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) { |
710 | 0 | fatfs->mask = FATFS_32_MASK; |
711 | 0 | } |
712 | 0 | else { |
713 | 0 | tsk_error_reset(); |
714 | 0 | tsk_error_set_errno(TSK_ERR_FS_ARG); |
715 | 0 | tsk_error_set_errstr("Unknown FAT type in %s: %d\n", |
716 | 0 | func_name, fatfs->fs_info.ftype); |
717 | 0 | return 1; |
718 | 0 | } |
719 | 0 | fs->duname = "Sector"; |
720 | | |
721 | | /* the root directories are always after the FAT for TSK_FS_TYPE_FAT12 and TSK_FS_TYPE_FAT16, |
722 | | * but are dynamically located for TSK_FS_TYPE_FAT32 |
723 | | */ |
724 | 0 | if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) |
725 | 0 | fatfs->rootsect = FATFS_CLUST_2_SECT(fatfs, |
726 | 0 | tsk_getu32(fs->endian, fatsb->a.f32.rootclust)); |
727 | 0 | else |
728 | 0 | fatfs->rootsect = fatfs->firstdatasect; |
729 | |
|
730 | 0 | for (i = 0; i < FATFS_FAT_CACHE_N; i++) { |
731 | 0 | fatfs->fatc_addr[i] = 0; |
732 | 0 | fatfs->fatc_ttl[i] = 0; |
733 | 0 | } |
734 | | |
735 | | /* |
736 | | * block calculations : although there are no blocks in fat, we will |
737 | | * use these fields for sector calculations |
738 | | */ |
739 | 0 | fs->first_block = 0; |
740 | 0 | fs->block_count = sectors; |
741 | 0 | fs->last_block = fs->last_block_act = fs->block_count - 1; |
742 | 0 | fs->block_size = fatfs->ssize; |
743 | | |
744 | | // determine the last block we have in this image |
745 | 0 | if ((TSK_DADDR_T) ((fatfs->fs_info.img_info->size - fatfs->fs_info.offset) / fs->block_size) < |
746 | 0 | fs->block_count) |
747 | 0 | fs->last_block_act = |
748 | 0 | (fatfs->fs_info.img_info->size - fatfs->fs_info.offset) / fs->block_size - 1; |
749 | | |
750 | | /* |
751 | | * inode calculations |
752 | | */ |
753 | | |
754 | | /* maximum number of dentries in a sector & cluster */ |
755 | 0 | fatfs->dentry_cnt_se = fatfs->ssize / sizeof(FATXXFS_DENTRY); |
756 | 0 | fatfs->dentry_cnt_cl = fatfs->dentry_cnt_se * fatfs->csize; |
757 | |
|
758 | 0 | fs->root_inum = FATFS_ROOTINO; |
759 | 0 | fs->first_inum = FATFS_FIRSTINO; |
760 | | |
761 | | /* Calculate inode addresses for the virtual files (MBR, one or two FATS) |
762 | | * and the virtual orphan files directory. */ |
763 | 0 | fs->last_inum = (FATFS_SECT_2_INODE(fatfs, fs->last_block_act + 1) - 1) + FATFS_NUM_VIRT_FILES(fatfs); |
764 | 0 | fatfs->mbr_virt_inum = fs->last_inum - FATFS_NUM_VIRT_FILES(fatfs) + 1; |
765 | 0 | fatfs->fat1_virt_inum = fatfs->mbr_virt_inum + 1; |
766 | 0 | if (fatfs->numfat == 2) { |
767 | 0 | fatfs->fat2_virt_inum = fatfs->fat1_virt_inum + 1; |
768 | 0 | } |
769 | 0 | else { |
770 | 0 | fatfs->fat2_virt_inum = fatfs->fat1_virt_inum; |
771 | 0 | } |
772 | | |
773 | | /* Calculate the total number of inodes. */ |
774 | 0 | fs->inum_count = fs->last_inum - fs->first_inum + 1; |
775 | | |
776 | | /* Volume ID */ |
777 | 0 | for (fs->fs_id_used = 0; fs->fs_id_used < 4; fs->fs_id_used++) { |
778 | 0 | if (fatfs->fs_info.ftype == TSK_FS_TYPE_FAT32) |
779 | 0 | fs->fs_id[fs->fs_id_used] = |
780 | 0 | fatsb->a.f32.vol_id[fs->fs_id_used]; |
781 | 0 | else |
782 | 0 | fs->fs_id[fs->fs_id_used] = |
783 | 0 | fatsb->a.f16.vol_id[fs->fs_id_used]; |
784 | 0 | } |
785 | | |
786 | | /* |
787 | | * Set the function pointers |
788 | | */ |
789 | |
|
790 | 0 | fs->block_walk = fatfs_block_walk; |
791 | 0 | fs->block_getflags = fatfs_block_getflags; |
792 | |
|
793 | 0 | fs->inode_walk = fatfs_inode_walk; |
794 | 0 | fs->istat = fatfs_istat; |
795 | 0 | fs->file_add_meta = fatfs_inode_lookup; |
796 | |
|
797 | 0 | fs->get_default_attr_type = fatfs_get_default_attr_type; |
798 | 0 | fs->load_attrs = fatfs_make_data_runs; |
799 | |
|
800 | 0 | fs->dir_open_meta = fatfs_dir_open_meta; |
801 | 0 | fs->name_cmp = fatfs_name_cmp; |
802 | |
|
803 | 0 | fs->fsstat = fatxxfs_fsstat; |
804 | 0 | fs->fscheck = fatfs_fscheck; |
805 | |
|
806 | 0 | fs->close = fatfs_close; |
807 | |
|
808 | 0 | fs->jblk_walk = fatfs_jblk_walk; |
809 | 0 | fs->jentry_walk = fatfs_jentry_walk; |
810 | 0 | fs->jopen = fatfs_jopen; |
811 | |
|
812 | 0 | fatfs->is_cluster_alloc = fatxxfs_is_cluster_alloc; |
813 | 0 | fatfs->is_dentry = fatxxfs_is_dentry; |
814 | 0 | fatfs->dinode_copy = fatxxfs_dinode_copy; |
815 | 0 | fatfs->inode_lookup = fatxxfs_inode_lookup; |
816 | 0 | fatfs->inode_walk_should_skip_dentry = fatxxfs_inode_walk_should_skip_dentry; |
817 | 0 | fatfs->istat_attr_flags = fatxxfs_istat_attr_flags; |
818 | 0 | fatfs->dent_parse_buf = fatxxfs_dent_parse_buf; |
819 | | |
820 | | // initialize the caches |
821 | 0 | tsk_init_lock(&fatfs->cache_lock); |
822 | 0 | tsk_init_lock(&fatfs->dir_lock); |
823 | 0 | fatfs->inum2par = NULL; |
824 | | |
825 | | // Test to see if this is the odd Android case where the FAT entries have no short name |
826 | | // |
827 | | // If there are no entries found with the normal short name |
828 | | // and we find more entries by removing the short name test for allocated directories, then assume |
829 | | // this is the case where we have no short names |
830 | 0 | fatfs->subtype = TSK_FATFS_SUBTYPE_SPEC; |
831 | | |
832 | | // Directories used to try opening the root directory |
833 | 0 | std::unique_ptr<TSK_FS_DIR, decltype(&tsk_fs_dir_close)> test_dir1{ |
834 | 0 | tsk_fs_dir_open_meta(fs, fs->root_inum), |
835 | 0 | tsk_fs_dir_close |
836 | 0 | }; |
837 | |
|
838 | 0 | if (test_dir1 && test_dir1->names_used <= 4){ // At most four automatic directories ($MBR, $FAT1, $FAT1, $OrphanFiles) |
839 | |
|
840 | 0 | fatfs->subtype = TSK_FATFS_SUBTYPE_ANDROID_1; |
841 | | |
842 | | // to see if it's the Android FAT version |
843 | 0 | std::unique_ptr<TSK_FS_DIR, decltype(&tsk_fs_dir_close)> test_dir2{ |
844 | 0 | tsk_fs_dir_open_meta(fs, fs->root_inum), |
845 | 0 | tsk_fs_dir_close |
846 | 0 | }; |
847 | |
|
848 | 0 | if (test_dir2 && test_dir2->names_used > test_dir1->names_used){ |
849 | 0 | fatfs->subtype = TSK_FATFS_SUBTYPE_ANDROID_1; |
850 | 0 | } |
851 | 0 | else{ |
852 | 0 | fatfs->subtype = TSK_FATFS_SUBTYPE_SPEC; |
853 | 0 | } |
854 | 0 | } |
855 | |
|
856 | 0 | return 0; |
857 | 0 | } |
858 | | |
859 | | /* Return 1 if allocated, 0 if unallocated, and -1 if error */ |
860 | | int8_t |
861 | | fatxxfs_is_cluster_alloc(FATFS_INFO *fatfs, TSK_DADDR_T clust) |
862 | 0 | { |
863 | 0 | TSK_DADDR_T content = 0; |
864 | |
|
865 | 0 | if (fatfs_getFAT(fatfs, clust, &content)) |
866 | 0 | return -1; |
867 | 0 | else if (content == FATFS_UNALLOC) |
868 | 0 | return 0; |
869 | 0 | else |
870 | 0 | return 1; |
871 | 0 | } |