/src/sleuthkit/tsk/hashdb/tsk_hashdb.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * The Sleuth Kit |
3 | | * |
4 | | * Brian Carrier [carrier <at> sleuthkit [dot] org] |
5 | | * Copyright (c) 2003-2014 Brian Carrier. All rights reserved |
6 | | * |
7 | | * This software is distributed under the Common Public License 1.0 |
8 | | */ |
9 | | |
10 | | /** |
11 | | * \file tsk_hashdb.h |
12 | | * External header file for hash database support. |
13 | | * Note that this file is not meant to be directly included. |
14 | | * It is included by both libtsk.h and tsk_hashdb_i.h. |
15 | | */ |
16 | | |
17 | | /** |
18 | | * \defgroup hashdblib C Hash Database Functions |
19 | | * \defgroup hashdblib_cpp C++ Hash Database Classes |
20 | | */ |
21 | | |
22 | | #ifndef _TSK_HDB_H |
23 | | #define _TSK_HDB_H |
24 | | |
25 | | #ifdef __cplusplus |
26 | | extern "C" { |
27 | | #endif |
28 | | |
29 | | /** |
30 | | * Flags used for lookups |
31 | | */ |
32 | | enum TSK_HDB_FLAG_ENUM { |
33 | | TSK_HDB_FLAG_QUICK = 0x01, ///< Quickly return if hash is found (do not return file name etc.) |
34 | | TSK_HDB_FLAG_EXT = 0x02 ///< Return other details besides only file name (not used |
35 | | }; |
36 | | typedef enum TSK_HDB_FLAG_ENUM TSK_HDB_FLAG_ENUM; |
37 | | |
38 | | /** |
39 | | * Hash algorithm types |
40 | | */ |
41 | | enum TSK_HDB_HTYPE_ENUM { |
42 | | TSK_HDB_HTYPE_INVALID_ID = 0, ///< Invalid algorithm signals error. |
43 | | TSK_HDB_HTYPE_MD5_ID = 1, ///< MD5 Algorithm |
44 | | TSK_HDB_HTYPE_SHA1_ID = 2, ///< SHA1 Algorithm |
45 | | TSK_HDB_HTYPE_SHA2_256_ID = 4, ///< SHA2-256 (aka SHA-256) Algorithm |
46 | | }; |
47 | | typedef enum TSK_HDB_HTYPE_ENUM TSK_HDB_HTYPE_ENUM; |
48 | | |
49 | | #define TSK_HDB_HTYPE_MD5_STR "md5" ///< String name for MD5 algorithm |
50 | | #define TSK_HDB_HTYPE_SHA1_STR "sha1" ///< String name for SHA1 algorithm |
51 | | #define TSK_HDB_HTYPE_SHA2_256_STR "sha2_256" ///< String name for SHA256 algorithm |
52 | | |
53 | | #define TSK_HDB_HTYPE_SHA2_256_LEN 64 ///< Length of SHA256 hash |
54 | | #define TSK_HDB_HTYPE_SHA1_LEN 40 ///< Length of SHA1 hash |
55 | | #define TSK_HDB_HTYPE_MD5_LEN 32 ///< Length of MD5 hash |
56 | | #define TSK_HDB_HTYPE_CRC32_LEN 8 ///< Length of CRC hash |
57 | | #define TSK_HDB_MAX_BINHASH_LEN 32 ///< Half the length of biggest hash |
58 | | |
59 | | /** |
60 | | * Return the name of the hash algorithm, given its ID |
61 | | */ |
62 | | #define TSK_HDB_HTYPE_STR(x) \ |
63 | | ( ((x) & TSK_HDB_HTYPE_MD5_ID) ? (TSK_HDB_HTYPE_MD5_STR) : ( \ |
64 | | ( ((x) & TSK_HDB_HTYPE_SHA1_ID) ? (TSK_HDB_HTYPE_SHA1_STR) : ( \ |
65 | | ( ((x) & TSK_HDB_HTYPE_SHA2_256_ID) ? TSK_HDB_HTYPE_SHA2_256_STR : "") ) ) ) ) |
66 | | |
67 | | /** |
68 | | * Return the length of a hash, given its ID |
69 | | */ |
70 | | #define TSK_HDB_HTYPE_LEN(x) \ |
71 | | ( ((x) & TSK_HDB_HTYPE_MD5_ID) ? (TSK_HDB_HTYPE_MD5_LEN) : ( \ |
72 | | ( ((x) & TSK_HDB_HTYPE_SHA1_ID) ? (TSK_HDB_HTYPE_SHA1_LEN) : ( \ |
73 | | ( ((x) & TSK_HDB_HTYPE_SHA2_256_ID) ? TSK_HDB_HTYPE_SHA2_256_LEN : 0) ) ) ) ) |
74 | | |
75 | | /** |
76 | | * Hash Database types |
77 | | */ |
78 | | enum TSK_HDB_DBTYPE_ENUM { |
79 | | TSK_HDB_DBTYPE_INVALID_ID = 0, ///< Invalid type signals error. |
80 | | TSK_HDB_DBTYPE_NSRL_ID = 1, ///< NIST NSRL format |
81 | | TSK_HDB_DBTYPE_MD5SUM_ID = 2, ///< md5sum format |
82 | | TSK_HDB_DBTYPE_HK_ID = 3, ///< hashkeeper format |
83 | | TSK_HDB_DBTYPE_IDXONLY_ID = 4, ///< Only the database index was opened -- original dbtype is unknown |
84 | | TSK_HDB_DBTYPE_ENCASE_ID = 5, ///< EnCase format |
85 | | TSK_HDB_DBTYPE_SQLITE_ID = 6 ///< SQLite format |
86 | | }; |
87 | | typedef enum TSK_HDB_DBTYPE_ENUM TSK_HDB_DBTYPE_ENUM; |
88 | | |
89 | | /** |
90 | | * String versions of DB types |
91 | | */ |
92 | | #define TSK_HDB_DBTYPE_NSRL_STR "nsrl" ///< NSRL database |
93 | | #define TSK_HDB_DBTYPE_NSRL_MD5_STR "nsrl-md5" ///< NSRL database with MD5 index |
94 | | #define TSK_HDB_DBTYPE_NSRL_SHA1_STR "nsrl-sha1" ///< NSRL database with SHA1 index |
95 | | #define TSK_HDB_DBTYPE_MD5SUM_STR "md5sum" ///< md5sum |
96 | | #define TSK_HDB_DBTYPE_HK_STR "hk" ///< Hash Keeper |
97 | | #define TSK_HDB_DBTYPE_ENCASE_STR "encase" ///< EnCase |
98 | | |
99 | | /// List of supported hash database types with external indexes; essentially index types. |
100 | | #define TSK_HDB_DBTYPE_SUPPORT_STR "nsrl-md5, nsrl-sha1, md5sum, encase, hk" |
101 | | |
102 | | #define TSK_HDB_NAME_MAXLEN 512 //< Max length for database name |
103 | | |
104 | | typedef struct TSK_HDB_INFO TSK_HDB_INFO; |
105 | | |
106 | | typedef TSK_WALK_RET_ENUM(*TSK_HDB_LOOKUP_FN) (TSK_HDB_INFO *, |
107 | | const char *hash, |
108 | | const char *name, |
109 | | void *); |
110 | | |
111 | | /** |
112 | | * Represents an open hash database. Instances are created using the |
113 | | * tsk_hdb_open() API and are passed to hash database API functions. |
114 | | */ |
115 | | struct TSK_HDB_INFO { |
116 | | TSK_TCHAR *db_fname; ///< Database file path, may be NULL for an index only database |
117 | | char db_name[TSK_HDB_NAME_MAXLEN]; ///< Name of the database, for callbacks |
118 | | TSK_HDB_DBTYPE_ENUM db_type; ///< Type of database |
119 | | tsk_lock_t lock; ///< Lock for lazy loading and idx_lbuf |
120 | | uint8_t transaction_in_progress; ///< Flag set and unset when transaction are begun and ended |
121 | | const TSK_TCHAR*(*get_db_path)(TSK_HDB_INFO*); |
122 | | const char*(*get_display_name)(TSK_HDB_INFO*); |
123 | | uint8_t(*uses_external_indexes)(); |
124 | | const TSK_TCHAR*(*get_index_path)(TSK_HDB_INFO*, TSK_HDB_HTYPE_ENUM); |
125 | | uint8_t(*has_index)(TSK_HDB_INFO*, TSK_HDB_HTYPE_ENUM); |
126 | | uint8_t(*make_index)(TSK_HDB_INFO*, TSK_TCHAR*); |
127 | | uint8_t(*open_index)(TSK_HDB_INFO*, TSK_HDB_HTYPE_ENUM); |
128 | | int8_t(*lookup_str)(TSK_HDB_INFO*, const char*, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void*); |
129 | | int8_t(*lookup_raw)(TSK_HDB_INFO*, uint8_t *, uint8_t, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void*); |
130 | | int8_t(*lookup_verbose_str)(TSK_HDB_INFO *, const char *, void *); |
131 | | uint8_t(*accepts_updates)(); |
132 | | uint8_t(*add_entry)(TSK_HDB_INFO*, const char*, const char*, const char*, const char*, const char *); |
133 | | uint8_t(*begin_transaction)(TSK_HDB_INFO *); |
134 | | uint8_t(*commit_transaction)(TSK_HDB_INFO *); |
135 | | uint8_t(*rollback_transaction)(TSK_HDB_INFO *); |
136 | | void(*close_db)(TSK_HDB_INFO *); |
137 | | }; |
138 | | |
139 | | /** |
140 | | * Represents a text-format hash database (NSRL, EnCase, etc.) with the TSK binary search index. |
141 | | */ |
142 | | typedef struct TSK_HDB_BINSRCH_INFO { |
143 | | TSK_HDB_INFO base; |
144 | | FILE *hDb; ///< File handle to database (always open) |
145 | | uint8_t(*get_entry) (TSK_HDB_INFO *, const char *, TSK_OFF_T, TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *); ///< \internal Database-specific function to find entry at a given offset |
146 | | TSK_HDB_HTYPE_ENUM hash_type; ///< Type of hash used in currently open index |
147 | | uint16_t hash_len; ///< Length of hash used in currently open index |
148 | | TSK_TCHAR *idx_fname; ///< Name of index file, may be NULL for database without external index |
149 | | FILE *hIdx; ///< File handle to index (only open during lookups) |
150 | | FILE *hIdxTmp; ///< File handle to temp (unsorted) index file (only open during index creation) |
151 | | TSK_TCHAR *uns_fname; ///< Name of unsorted index file |
152 | | TSK_OFF_T idx_size; ///< Size of index file |
153 | | uint16_t idx_off; ///< Offset in index file to first index entry |
154 | | size_t idx_llen; ///< Length of each line in index |
155 | | char *idx_lbuf; ///< Buffer to hold a line from the index (r/w shared - lock) |
156 | | TSK_TCHAR *idx_idx_fname; ///< Name of index of index file, may be NULL |
157 | | uint64_t *idx_offsets; ///< Maps the first three bytes of a hash value to an offset in the index file |
158 | | } TSK_HDB_BINSRCH_INFO; |
159 | | |
160 | | /** |
161 | | * Options for opening a hash database |
162 | | */ |
163 | | enum TSK_HDB_OPEN_ENUM { |
164 | | TSK_HDB_OPEN_NONE = 0, ///< No special flags |
165 | | TSK_HDB_OPEN_IDXONLY = (0x1 << 0) ///< Open only the index -- do not look for the original DB |
166 | | }; |
167 | | typedef enum TSK_HDB_OPEN_ENUM TSK_HDB_OPEN_ENUM; |
168 | | |
169 | | /* Hash database API functions */ |
170 | | extern uint8_t tsk_hdb_create(TSK_TCHAR *); |
171 | | extern TSK_HDB_INFO *tsk_hdb_open(TSK_TCHAR *, TSK_HDB_OPEN_ENUM); |
172 | | extern const TSK_TCHAR *tsk_hdb_get_db_path(TSK_HDB_INFO * hdb_info); |
173 | | extern const char *tsk_hdb_get_display_name(TSK_HDB_INFO * hdb_info); |
174 | | extern uint8_t tsk_hdb_is_idx_only(TSK_HDB_INFO *); |
175 | | extern uint8_t tsk_hdb_uses_external_indexes(TSK_HDB_INFO *); |
176 | | extern uint8_t tsk_hdb_has_idx(TSK_HDB_INFO * hdb_info, TSK_HDB_HTYPE_ENUM); |
177 | | extern uint8_t tsk_hdb_make_index(TSK_HDB_INFO *, TSK_TCHAR *); |
178 | | extern const TSK_TCHAR *tsk_hdb_get_idx_path(TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM); |
179 | | extern uint8_t tsk_hdb_open_idx(TSK_HDB_INFO *, TSK_HDB_HTYPE_ENUM); |
180 | | extern int8_t tsk_hdb_lookup_str(TSK_HDB_INFO *, const char *, |
181 | | TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *); |
182 | | extern int8_t tsk_hdb_lookup_raw(TSK_HDB_INFO *, uint8_t *, uint8_t, |
183 | | TSK_HDB_FLAG_ENUM, TSK_HDB_LOOKUP_FN, void *); |
184 | | extern int8_t tsk_hdb_lookup_verbose_str(TSK_HDB_INFO *, const char *, void *); |
185 | | extern uint8_t tsk_hdb_accepts_updates(TSK_HDB_INFO *); |
186 | | extern uint8_t tsk_hdb_add_entry(TSK_HDB_INFO *, const char*, const char*, |
187 | | const char*, const char*, const char*); |
188 | | extern uint8_t tsk_hdb_begin_transaction(TSK_HDB_INFO *); |
189 | | extern uint8_t tsk_hdb_commit_transaction(TSK_HDB_INFO *); |
190 | | extern uint8_t tsk_hdb_rollback_transaction(TSK_HDB_INFO *); |
191 | | extern void tsk_hdb_close(TSK_HDB_INFO *); |
192 | | |
193 | | #ifdef __cplusplus |
194 | | } |
195 | | #endif |
196 | | |
197 | | #ifdef __cplusplus |
198 | | |
199 | | /** |
200 | | * \ingroup hashdblib_cpp |
201 | | * Stores information about an open hash database. |
202 | | * To use this object, open() should be called first. Otherwise, the other |
203 | | * functions will have undefined return values. |
204 | | */ |
205 | | class TskHdbInfo{ |
206 | | private: |
207 | | TSK_HDB_INFO * m_hdbInfo; |
208 | | TskHdbInfo(const TskHdbInfo& rhs); |
209 | | TskHdbInfo& operator=(const TskHdbInfo& rhs); |
210 | | |
211 | | public: |
212 | | /** |
213 | | * Close an open hash database. |
214 | | */ |
215 | 0 | ~TskHdbInfo() { |
216 | 0 | tsk_hdb_close(m_hdbInfo); |
217 | 0 | }; |
218 | | |
219 | | /** |
220 | | * Open a hash database. See tsk_hdb_open() for details. |
221 | | * |
222 | | * @param a_dbFile Path to database. |
223 | | * @param a_flags Flags for opening the database. |
224 | | * |
225 | | * @return 1 on error and 0 on success |
226 | | */ |
227 | 0 | uint8_t open(TSK_TCHAR * a_dbFile, TSK_HDB_OPEN_ENUM a_flags) { |
228 | 0 | if ((m_hdbInfo = tsk_hdb_open(a_dbFile, a_flags)) != NULL) |
229 | 0 | return 0; |
230 | 0 | else |
231 | 0 | return 1; |
232 | 0 | }; |
233 | | |
234 | | /** |
235 | | * Search the index for a text/ASCII hash value |
236 | | * See tsk_hdb_lookup_str() for details. |
237 | | * @param a_hash Hash value to search for (NULL terminated string) |
238 | | |
239 | | * @param a_flags Flags to use in lookup |
240 | | * @param a_action Callback function to call for each hash db entry |
241 | | * (not called if QUICK flag is given) |
242 | | * @param a_ptr Pointer to data to pass to each callback |
243 | | * |
244 | | * @return -1 on error, 0 if hash value not found, and 1 if value was found. |
245 | | */ |
246 | | int8_t lookupStr(const char *a_hash, |
247 | 0 | TSK_HDB_FLAG_ENUM a_flags, TSK_HDB_LOOKUP_FN a_action, void *a_ptr) { |
248 | 0 | if (m_hdbInfo != NULL) |
249 | 0 | return tsk_hdb_lookup_str(m_hdbInfo, a_hash, |
250 | 0 | a_flags, a_action, a_ptr); |
251 | 0 | else |
252 | 0 | return 0; |
253 | 0 | }; |
254 | | |
255 | | /** |
256 | | * Search the index for the given hash value given (in binary form). |
257 | | * See tsk_hdb_lookup_raw() for details. |
258 | | * @param a_hash Array with binary hash value to search for |
259 | | * @param a_len Number of bytes in binary hash value |
260 | | * @param a_flags Flags to use in lookup |
261 | | * @param a_action Callback function to call for each hash db entry |
262 | | * (not called if QUICK flag is given) |
263 | | * @param a_ptr Pointer to data to pass to each callback |
264 | | * |
265 | | * @return -1 on error, 0 if hash value not found, and 1 if value was found. |
266 | | */ |
267 | | int8_t lookupRaw(uint8_t * a_hash, uint8_t a_len, |
268 | 0 | TSK_HDB_FLAG_ENUM a_flags, TSK_HDB_LOOKUP_FN a_action, void *a_ptr) { |
269 | 0 | if (m_hdbInfo != NULL) |
270 | 0 | return tsk_hdb_lookup_raw(m_hdbInfo, a_hash, a_len, a_flags, |
271 | 0 | a_action, a_ptr); |
272 | 0 | else |
273 | 0 | return 0; |
274 | 0 | }; |
275 | | |
276 | | /** |
277 | | * Create an index for an open hash database. |
278 | | * See tsk_hdb_makeindex() for details. |
279 | | * @param a_type Text of hash database type |
280 | | * @return 1 on error |
281 | | */ |
282 | 0 | uint8_t createIndex(TSK_TCHAR * a_type) { |
283 | 0 | if (m_hdbInfo != NULL) |
284 | 0 | return tsk_hdb_make_index(m_hdbInfo, a_type); |
285 | 0 | else |
286 | 0 | return 0; |
287 | 0 | }; |
288 | | |
289 | | /** |
290 | | * Determine if the open hash database has an index. |
291 | | * See tsk_hdb_hasindex for details. |
292 | | * @param a_htype Hash type that index should be of |
293 | | * |
294 | | * @return 1 if index exists and 0 if not |
295 | | */ |
296 | 0 | uint8_t hasIndex(uint8_t a_htype) { |
297 | 0 | if (m_hdbInfo != NULL) |
298 | 0 | return tsk_hdb_has_idx(m_hdbInfo, (TSK_HDB_HTYPE_ENUM)a_htype); |
299 | 0 | else |
300 | 0 | return 0; |
301 | 0 | }; |
302 | | |
303 | | /** |
304 | | * get type of database |
305 | | * @return type of database, or TSK_HDB_DBTYPE_INVALID_ID on error. |
306 | | */ |
307 | 0 | TSK_HDB_DBTYPE_ENUM getDbType() const { |
308 | 0 | if (m_hdbInfo != NULL) |
309 | 0 | return m_hdbInfo->db_type; |
310 | 0 | return TSK_HDB_DBTYPE_INVALID_ID; |
311 | 0 | }; |
312 | | }; |
313 | | #endif |
314 | | #endif |