/src/sleuthkit/tsk/auto/tsk_auto.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | ** The Sleuth Kit |
3 | | ** |
4 | | ** Brian Carrier [carrier <at> sleuthkit [dot] org] |
5 | | ** Copyright (c) 2010-2011 Brian Carrier. All Rights reserved |
6 | | ** |
7 | | ** This software is distributed under the Common Public License 1.0 |
8 | | ** |
9 | | */ |
10 | | |
11 | | /** |
12 | | * \file tsk_auto.h |
13 | | * Contains the class definitions for the automated file extraction classes. |
14 | | * Note that this file is not meant to be directly included. |
15 | | * It is included by libtsk.h. |
16 | | */ |
17 | | |
18 | | /** |
19 | | * \defgroup autolib File Extraction Automation Functionality |
20 | | */ |
21 | | |
22 | | #ifndef _TSK_AUTO_H |
23 | | #define _TSK_AUTO_H |
24 | | |
25 | | #ifdef __cplusplus |
26 | | |
27 | | // Include the other TSK header files |
28 | | |
29 | | #include "tsk/base/tsk_base.h" |
30 | | #include "tsk/img/tsk_img.h" |
31 | | #include "tsk/vs/tsk_vs.h" |
32 | | #include "tsk/fs/tsk_fs.h" |
33 | | #include "tsk/pool/tsk_pool.h" |
34 | | |
35 | | #include <string> |
36 | | #include <vector> |
37 | | #include <list> |
38 | | |
39 | | #define TSK_AUTO_TAG 0x9191ABAB |
40 | | |
41 | | typedef enum { |
42 | | TSK_FILTER_CONT = 0x00, ///< Framework should continue to process this object |
43 | | TSK_FILTER_STOP = 0x01, ///< Framework should stop processing the image |
44 | | TSK_FILTER_SKIP = 0x02, ///< Framework should skip this object and go on to the next |
45 | | } TSK_FILTER_ENUM; |
46 | | |
47 | | |
48 | | /** \ingroup autolib |
49 | | * C++ class that automatically analyzes a disk image to extract files from it. This class |
50 | | * hides many of the details that are required to use lower-level TSK APIs to analyze volume |
51 | | * and file systems. |
52 | | * |
53 | | * The processFile() method must be implemented and it will be called for each file and |
54 | | * directory that is found. |
55 | | * |
56 | | * An image file must be first opened using openImage(). It can then be analyzed using one |
57 | | * of the findFilesInXXXX() methods. The filterXX() methods can be used to skip volumes |
58 | | * and file systems. |
59 | | * |
60 | | * This class, by default, will not stop if an error occurs. It registers the error into an |
61 | | * internal list. Those can be retrieved with getErrorList(). If you want to deal with errors |
62 | | * differently, you must implement handleError(). |
63 | | */ |
64 | | |
65 | | #pragma GCC diagnostic push |
66 | | #pragma GCC diagnostic ignored "-Woverloaded-virtual" |
67 | | |
68 | | class TskAuto { |
69 | | public: |
70 | | unsigned int m_tag; |
71 | | |
72 | | |
73 | | TskAuto(); |
74 | | virtual ~ TskAuto(); |
75 | | |
76 | | virtual uint8_t openImage(int, const TSK_TCHAR * const images[], |
77 | | TSK_IMG_TYPE_ENUM, unsigned int a_ssize); |
78 | | virtual uint8_t openImageUtf8(int, const char *const images[], |
79 | | TSK_IMG_TYPE_ENUM, unsigned int a_ssize); |
80 | | virtual uint8_t openImageHandle(TSK_IMG_INFO *); |
81 | | virtual void closeImage(); |
82 | | |
83 | | TSK_OFF_T getImageSize() const; |
84 | | /** |
85 | | * Returns true if all processing and recursion should stop. |
86 | | */ |
87 | | bool getStopProcessing() const; |
88 | | |
89 | | uint8_t findFilesInImg(); |
90 | | uint8_t findFilesInVs(TSK_OFF_T start); |
91 | | uint8_t findFilesInVs(TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype); |
92 | | bool hasPool(TSK_OFF_T a_start); |
93 | | uint8_t findFilesInPool(TSK_OFF_T start); |
94 | | uint8_t findFilesInPool(TSK_OFF_T start, TSK_POOL_TYPE_ENUM ptype); |
95 | | uint8_t findFilesInFs(TSK_OFF_T start); |
96 | | uint8_t findFilesInFs(TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype); |
97 | | uint8_t findFilesInFs(TSK_OFF_T start, TSK_INUM_T inum); |
98 | | uint8_t findFilesInFs(TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype, |
99 | | TSK_INUM_T inum); |
100 | | uint8_t findFilesInFs(TSK_FS_INFO * a_fs_info); |
101 | | uint8_t findFilesInFs(TSK_FS_INFO * a_fs_info, TSK_INUM_T inum); |
102 | | TSK_RETVAL_ENUM findFilesInFsRet(TSK_OFF_T start, |
103 | | TSK_FS_TYPE_ENUM a_ftype); |
104 | | |
105 | | void setFileFilterFlags(TSK_FS_DIR_WALK_FLAG_ENUM); |
106 | | void setVolFilterFlags(TSK_VS_PART_FLAG_ENUM); |
107 | | void setExternalFileSystemList(const std::list<TSK_FS_INFO *>& exteralFsInfoList); |
108 | | |
109 | | /** |
110 | | * Set a password that will be used when trying to open each file system |
111 | | */ |
112 | 0 | void setFileSystemPassword(const std::string& fileSystemPassword) { m_fileSystemPassword = fileSystemPassword; } |
113 | | |
114 | | /** |
115 | | * @returns A password that will be used when trying to open each file system or empty. |
116 | | */ |
117 | 0 | std::string getFileSystemPassword() const { return m_fileSystemPassword; } |
118 | | |
119 | | /** |
120 | | * TskAuto calls this method before it processes the volume system that is found in an |
121 | | * image. You can use this to learn about the volume system before it is processed |
122 | | * and you can force TskAuto to skip this volume system. |
123 | | * @param vs_info volume system details |
124 | | * @returns Value to show if Vs should be processed, skipped, or process should stop. |
125 | | */ |
126 | | virtual TSK_FILTER_ENUM filterVs(const TSK_VS_INFO * vs_info); |
127 | | |
128 | | /** |
129 | | * TskAuto calls this method before it processes each volume that is found in a |
130 | | * volume system. You can use this to learn about each volume before it is processed |
131 | | * and you can force TskAuto to skip this volume. The setvolFilterFlags() method can be |
132 | | * used to configure if TskAuto should process unallocated space. |
133 | | * |
134 | | * @param vs_part Parition details |
135 | | * @returns Value to show if volume should be processed, skipped, or process should stop. |
136 | | */ |
137 | | virtual TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO * vs_part); |
138 | | |
139 | | /** |
140 | | * TskAuto calls this method before it processes each pool that is found. |
141 | | * You can use this to learn about each pool before it is processed |
142 | | * and you can force TskAuto to skip this volume. |
143 | | * |
144 | | * @param pool_vol Pool details |
145 | | * @returns Value to show if pool should be processed, skipped, or process should stop. |
146 | | */ |
147 | | virtual TSK_FILTER_ENUM filterPool(const TSK_POOL_INFO * pool_info); |
148 | | |
149 | | /** |
150 | | * TskAuto calls this method before it processes each pool volume that is found in a |
151 | | * pool. You can use this to learn about each volume before it is processed |
152 | | * and you can force TskAuto to skip this volume. |
153 | | * |
154 | | * @param pool_vol Pool volume details |
155 | | * @returns Value to show if pool volume should be processed, skipped, or process should stop. |
156 | | */ |
157 | | virtual TSK_FILTER_ENUM filterPoolVol(const TSK_POOL_VOLUME_INFO * pool_vol); |
158 | | |
159 | | /** |
160 | | * TskAuto calls this method before it processes each file system that is found in a |
161 | | * volume. You can use this to learn about each file system before it is processed |
162 | | * and you can force TskAuto to skip this file system. |
163 | | * @param fs_info file system details |
164 | | * @returns Value to show if FS should be processed, skipped, or process should stop. |
165 | | */ |
166 | | virtual TSK_FILTER_ENUM filterFs(TSK_FS_INFO * fs_info); |
167 | | |
168 | | /** |
169 | | * TskAuto calls this method for each file and directory that it finds in an image. |
170 | | * The setFileFilterFlags() method can be used to set the criteria for what types of |
171 | | * files this should be called for. There are several methods, such as isDir() that |
172 | | * can be used by this method to help focus in on the files that you care about. |
173 | | * When errors are encountered, send them to registerError(). |
174 | | * |
175 | | * @param fs_file file details |
176 | | * @param path full path of parent directory |
177 | | * @returns STOP or OK. All error must have been registered. |
178 | | */ |
179 | | virtual TSK_RETVAL_ENUM processFile(TSK_FS_FILE * fs_file, |
180 | | const char *path) = 0; |
181 | | |
182 | | /** |
183 | | * Enables image writer, which creates a copy of the image as it is being processed. |
184 | | * @param imagePath UTF8 version of path to write the image to |
185 | | */ |
186 | | virtual TSK_RETVAL_ENUM enableImageWriter(const char * imagePath); |
187 | | |
188 | | /** |
189 | | * Disables image writer |
190 | | */ |
191 | | virtual void disableImageWriter(); |
192 | | |
193 | | /** |
194 | | * Internal method that TskAuto calls when it encounters issues while processing an image. |
195 | | * It will add the error to an internal list and then call handleError() to allow the |
196 | | * sub-class to decide what to do with the error. |
197 | | * The tsk global error values must be set before this is called (tsk_error_set_errno, etc.). |
198 | | * This method will reset the error values before it returns. |
199 | | * |
200 | | * @returns 1 if the caller should stop processing (registerError() implementation should |
201 | | * also call setStopProcessing() to ensure all processes stop) or 0 if they should continue. |
202 | | */ |
203 | | uint8_t registerError(); |
204 | | |
205 | | struct error_record { |
206 | | int code; |
207 | | std::string msg1; |
208 | | std::string msg2; |
209 | | }; |
210 | | |
211 | | /** |
212 | | * Get the list of errors that were added to |
213 | | * the internal list. This list could be empty |
214 | | * if the implementing class already acted on |
215 | | * the errors or never called addToErrorList(). |
216 | | * @returns list of errors. |
217 | | */ |
218 | | const std::vector<error_record>& getErrorList(); |
219 | | |
220 | | /** |
221 | | * Remove the errors on the internal list. |
222 | | */ |
223 | | void resetErrorList(); |
224 | | |
225 | | static std::string errorRecordToString(const error_record &rec); |
226 | | |
227 | | |
228 | | /** |
229 | | * Override this method to get called for each error that |
230 | | * is registered. This method allows you to log the message |
231 | | * or stop processing. Use setStopProcessing() to do that. |
232 | | * |
233 | | * @return 1 to stop the processing flow and 0 to continue. |
234 | | */ |
235 | | virtual uint8_t handleError(); |
236 | | |
237 | | /** |
238 | | * get volume description of the lastly processed volume |
239 | | * @return volume description string of the lastly processed volume |
240 | | */ |
241 | | const std::string& getCurVsPartDescr() const; |
242 | | |
243 | | /** |
244 | | * get volume flags of the lastly processed volume. |
245 | | * @return flags for lastly processed volume. |
246 | | */ |
247 | | TSK_VS_PART_FLAG_ENUM getCurVsPartFlag() const; |
248 | | |
249 | | /** |
250 | | * Determine if we are inside of a volume system and |
251 | | * therefore we can trust the results of getCurVsPartFlag/Desc. |
252 | | */ |
253 | | bool isCurVsValid() const; |
254 | | |
255 | | private: |
256 | | TSK_VS_PART_FLAG_ENUM m_volFilterFlags; |
257 | | TSK_FS_DIR_WALK_FLAG_ENUM m_fileFilterFlags; |
258 | | std::string m_fileSystemPassword; |
259 | | |
260 | | std::vector<error_record> m_errors; |
261 | | |
262 | | // prevent copying until we add proper logic to handle it |
263 | | TskAuto(const TskAuto&); |
264 | | TskAuto & operator=(const TskAuto&); |
265 | | |
266 | | static TSK_WALK_RET_ENUM dirWalkCb(TSK_FS_FILE * fs_file, |
267 | | const char *path, void *ptr); |
268 | | static TSK_WALK_RET_ENUM vsWalkCb(TSK_VS_INFO * vs_info, |
269 | | const TSK_VS_PART_INFO * vs_part, void *ptr); |
270 | | |
271 | | TSK_RETVAL_ENUM findFilesInFsInt(TSK_FS_INFO *, TSK_INUM_T inum); |
272 | | |
273 | | std::string m_curVsPartDescr; ///< description string of the current volume being processed |
274 | | TSK_VS_PART_FLAG_ENUM m_curVsPartFlag; ///< Flag of the current volume being processed |
275 | | bool m_curVsPartValid; ///< True if we are inside of a volume system (and therefore m_CurVs are valid) |
276 | | void setCurVsPart(const TSK_VS_PART_INFO *); |
277 | | |
278 | | |
279 | | |
280 | | protected: |
281 | | TSK_IMG_INFO * m_img_info; |
282 | | std::vector<const TSK_POOL_INFO*> m_poolInfos; |
283 | | std::list<TSK_FS_INFO *> m_exteralFsInfoList; // Stores TSK_FS_INFO structures that were opened outside of TskAuto and passed in |
284 | | |
285 | | bool m_internalOpen; ///< True if m_img_info was opened in TskAuto and false if passed in |
286 | | bool m_stopAllProcessing; ///< True if no further processing should occur |
287 | | |
288 | | uint8_t isNtfsSystemFiles(TSK_FS_FILE * fs_file, const char *path); |
289 | | uint8_t isFATSystemFiles(TSK_FS_FILE * fs_file); |
290 | | uint8_t isDotDir(TSK_FS_FILE * fs_file); |
291 | | uint8_t isDir(TSK_FS_FILE * fs_file); |
292 | | uint8_t isFile(TSK_FS_FILE * fs_file); |
293 | | uint8_t isDefaultType(TSK_FS_FILE * fs_file, |
294 | | const TSK_FS_ATTR * fs_attr); |
295 | | uint8_t isNonResident(const TSK_FS_ATTR * fs_attr); |
296 | | bool m_imageWriterEnabled; |
297 | | TSK_TCHAR * m_imageWriterPath; |
298 | | |
299 | | |
300 | | TSK_RETVAL_ENUM processAttributes(TSK_FS_FILE * fs_file, |
301 | | const char *path); |
302 | | |
303 | | /** |
304 | | * Method that is called from processAttributes() for each attribute that a file |
305 | | * has. processAttributes() is not called by default. It exists so that implementations |
306 | | * of processFile() can choose to call it if they want to look at all of the attributes. |
307 | | * You must implement this method to see each attribute and modify processFile() so that |
308 | | * it calls processAttributes(). |
309 | | * |
310 | | * @param fs_file File being analyzed. |
311 | | * @param fs_attr Attribute of the file. |
312 | | * @param path full path of parent directory |
313 | | * @returns STOP or OK. All error must have been registered. |
314 | | */ |
315 | | virtual TSK_RETVAL_ENUM processAttribute(TSK_FS_FILE * fs_file, |
316 | | const TSK_FS_ATTR * fs_attr, const char *path); |
317 | | |
318 | | /** |
319 | | * When called, will cause TskAuto to not continue to recurse into directories and volumes. |
320 | | */ |
321 | | void setStopProcessing(); |
322 | | }; |
323 | | |
324 | | #pragma GCC diagnostic pop |
325 | | |
326 | | #endif |
327 | | |
328 | | #endif |