/src/sleuthkit/tsk/img/tsk_img.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * The Sleuth Kit |
3 | | * |
4 | | * Brian Carrier [carrier <at> sleuthkit [dot] org] |
5 | | * Copyright (c) 2005-2011 Brian Carrier. All rights reserved |
6 | | * |
7 | | * This software is distributed under the Common Public License 1.0 |
8 | | */ |
9 | | #ifndef _TSK_IMG_H |
10 | | #define _TSK_IMG_H |
11 | | |
12 | | /** |
13 | | * \file tsk_img.h |
14 | | * Contains the external library definitions for the disk image functions. |
15 | | * Note that this file is not meant to be directly included. |
16 | | * It is included by both libtsk.h and tsk_img_i.h. |
17 | | */ |
18 | | |
19 | | /** |
20 | | * \defgroup imglib C Disk Image Functions |
21 | | * \defgroup imglib_cpp C++ Disk Image Classes |
22 | | */ |
23 | | |
24 | | #ifdef __cplusplus |
25 | | extern "C" { |
26 | | #endif |
27 | | /** |
28 | | * \ingroup imglib |
29 | | * Macro that takes a image type and returns 1 if the type |
30 | | * is for a raw file format. */ |
31 | | #define TSK_IMG_TYPE_ISRAW(t) \ |
32 | | ((((t) & TSK_IMG_TYPE_RAW))?1:0) |
33 | | |
34 | | /** |
35 | | * \ingroup imglib |
36 | | * Macro that takes a image type and returns 1 if the type |
37 | | * is for an AFF file format. */ |
38 | | #define TSK_IMG_TYPE_ISAFF(t) \ |
39 | | ((((t) & TSK_IMG_TYPE_AFF_AFF) || ((t) & TSK_IMG_TYPE_AFF_AFD) || ((t) & TSK_IMG_TYPE_AFF_AFM) || \ |
40 | | ((t) & TSK_IMG_TYPE_AFF_ANY))?1:0) |
41 | | |
42 | | /** |
43 | | * \ingroup imglib |
44 | | * Macro that takes a image type and returns 1 if the type |
45 | | * is for an EWF file format. */ |
46 | | #define TSK_IMG_TYPE_ISEWF(t) \ |
47 | | ((((t) & TSK_IMG_TYPE_EWF_EWF))?1:0) |
48 | | |
49 | | /** |
50 | | * \ingroup imglib |
51 | | * Macro that takes a image type and returns 1 if the type |
52 | | * is for a logical directory file format. */ |
53 | | #define TSK_IMG_TYPE_ISDIR(t) \ |
54 | | ((((t) & TSK_IMG_TYPE_LOGICAL))?1:0) |
55 | | |
56 | | |
57 | | /** |
58 | | * Flag values for the disk image format type. Each type has a |
59 | | * bit associated with it. There are TSK_IMG_TYPE_ISXXX macros |
60 | | * to determine the broad group of the type (raw vs aff etc.) |
61 | | */ |
62 | | typedef enum { |
63 | | TSK_IMG_TYPE_DETECT = 0x0000, ///< Use autodetection methods |
64 | | |
65 | | TSK_IMG_TYPE_RAW = 0x0001, ///< Raw disk image (single or split) |
66 | | TSK_IMG_TYPE_RAW_SING = TSK_IMG_TYPE_RAW, ///< Raw single (backward compatibility) depreciated |
67 | | TSK_IMG_TYPE_RAW_SPLIT = TSK_IMG_TYPE_RAW, ///< Raw single (backward compatibility) depreciated |
68 | | |
69 | | TSK_IMG_TYPE_AFF_AFF = 0x0004, ///< AFF AFF Format |
70 | | TSK_IMG_TYPE_AFF_AFD = 0x0008, ///< AFD AFF Format |
71 | | TSK_IMG_TYPE_AFF_AFM = 0x0010, ///< AFM AFF Format |
72 | | TSK_IMG_TYPE_AFF_ANY = 0x0020, ///< Any format supported by AFFLIB (including beta ones) |
73 | | |
74 | | TSK_IMG_TYPE_EWF_EWF = 0x0040, ///< EWF version |
75 | | TSK_IMG_TYPE_VMDK_VMDK = 0x0080, ///< VMDK version |
76 | | TSK_IMG_TYPE_VHD_VHD = 0x0100, ///< VHD version |
77 | | TSK_IMG_TYPE_AFF4_AFF4 = 0x0200, ///< AFF4 version |
78 | | TSK_IMG_TYPE_QCOW_QCOW = 0x0400, ///< QCOW version |
79 | | TSK_IMG_TYPE_EXTERNAL = 0x1000, ///< external defined format which at least implements TSK_IMG_INFO, used by pytsk |
80 | | TSK_IMG_TYPE_POOL = 0x4000, ///< Pool |
81 | | TSK_IMG_TYPE_LOGICAL = 0x8000, ///< Logical directory |
82 | | |
83 | | TSK_IMG_TYPE_UNSUPP = 0xffff ///< Unsupported disk image type |
84 | | } TSK_IMG_TYPE_ENUM; |
85 | | |
86 | | typedef struct TSK_IMG_OPTIONS { |
87 | | int dummy; |
88 | | } TSK_IMG_OPTIONS; |
89 | | |
90 | | #define TSK_IMG_INFO_CACHE_NUM 32 |
91 | | #define TSK_IMG_INFO_CACHE_LEN 65536 |
92 | | |
93 | | typedef struct TSK_IMG_INFO TSK_IMG_INFO; |
94 | 4 | #define TSK_IMG_INFO_TAG 0x39204231 |
95 | | |
96 | | typedef struct Stats { |
97 | | size_t hits; |
98 | | size_t hit_ns; |
99 | | size_t hit_bytes; |
100 | | size_t misses; |
101 | | size_t miss_ns; |
102 | | size_t miss_bytes; |
103 | | size_t histogram[64]; |
104 | | } Stats; |
105 | | |
106 | | /** |
107 | | * Created when a disk image has been opened and stores general information and handles. |
108 | | */ |
109 | | struct TSK_IMG_INFO { |
110 | | uint32_t tag; ///< Set to TSK_IMG_INFO_TAG when struct is alloc |
111 | | TSK_IMG_TYPE_ENUM itype; ///< Type of disk image format |
112 | | TSK_OFF_T size; ///< Total size of image in bytes |
113 | | int num_img; ///< Number of image files |
114 | | unsigned int sector_size; ///< sector size of device in bytes (typically 512) |
115 | | unsigned int page_size; ///< page size of NAND page in bytes (defaults to 2048) |
116 | | unsigned int spare_size; ///< spare or OOB size of NAND in bytes (defaults to 64) |
117 | | |
118 | | TSK_TCHAR **images; ///< Image names |
119 | | }; |
120 | | |
121 | | // open and close functions |
122 | | extern TSK_IMG_INFO *tsk_img_open_sing(const TSK_TCHAR * a_image, |
123 | | TSK_IMG_TYPE_ENUM type, unsigned int a_ssize |
124 | | ); |
125 | | |
126 | | extern TSK_IMG_INFO *tsk_img_open(int num_img, |
127 | | const TSK_TCHAR * const images[], TSK_IMG_TYPE_ENUM, |
128 | | unsigned int a_ssize); |
129 | | |
130 | | extern TSK_IMG_INFO *tsk_img_open_utf8_sing(const char *a_image, |
131 | | TSK_IMG_TYPE_ENUM type, unsigned int a_ssize); |
132 | | |
133 | | extern TSK_IMG_INFO *tsk_img_open_utf8(int num_img, |
134 | | const char *const images[], TSK_IMG_TYPE_ENUM type, |
135 | | unsigned int a_ssize); |
136 | | |
137 | | TSK_IMG_INFO *tsk_img_open_sing_opt( |
138 | | const TSK_TCHAR * a_image, |
139 | | TSK_IMG_TYPE_ENUM type, |
140 | | unsigned int a_ssize, |
141 | | const TSK_IMG_OPTIONS* opts |
142 | | ); |
143 | | |
144 | | TSK_IMG_INFO *tsk_img_open_opt( |
145 | | int num_img, |
146 | | const TSK_TCHAR * const images[], |
147 | | TSK_IMG_TYPE_ENUM, |
148 | | unsigned int a_ssize, |
149 | | const TSK_IMG_OPTIONS* opts |
150 | | ); |
151 | | |
152 | | TSK_IMG_INFO *tsk_img_open_utf8_sing_opt( |
153 | | const char *a_image, |
154 | | TSK_IMG_TYPE_ENUM type, |
155 | | unsigned int a_ssize, |
156 | | const TSK_IMG_OPTIONS* opts |
157 | | ); |
158 | | |
159 | | TSK_IMG_INFO* tsk_img_open_utf8_opt( |
160 | | int num_img, |
161 | | const char *const images[], |
162 | | TSK_IMG_TYPE_ENUM type, |
163 | | unsigned int a_ssize, |
164 | | const TSK_IMG_OPTIONS* opts |
165 | | ); |
166 | | |
167 | | extern TSK_IMG_INFO *tsk_img_open_external(void* ext_img_info, |
168 | | TSK_OFF_T size, unsigned int sector_size, |
169 | | ssize_t(*read) (TSK_IMG_INFO * img, TSK_OFF_T off, char *buf, size_t len), |
170 | | void (*close) (TSK_IMG_INFO *), |
171 | | void (*imgstat) (TSK_IMG_INFO *, FILE *)); |
172 | | |
173 | | extern void tsk_img_close(TSK_IMG_INFO *); |
174 | | |
175 | | // read functions |
176 | | extern ssize_t tsk_img_read(TSK_IMG_INFO * img, TSK_OFF_T off, |
177 | | char *buf, size_t len); |
178 | | |
179 | | // type conversion functions |
180 | | extern TSK_IMG_TYPE_ENUM tsk_img_type_toid_utf8(const char *); |
181 | | extern TSK_IMG_TYPE_ENUM tsk_img_type_toid(const TSK_TCHAR *); |
182 | | extern const char *tsk_img_type_toname(TSK_IMG_TYPE_ENUM); |
183 | | extern const char *tsk_img_type_todesc(TSK_IMG_TYPE_ENUM); |
184 | | extern TSK_IMG_TYPE_ENUM tsk_img_type_supported(); |
185 | | extern void tsk_img_type_print(FILE *); |
186 | | |
187 | | #ifdef __cplusplus |
188 | | } |
189 | | #endif |
190 | | #ifdef __cplusplus |
191 | | /** |
192 | | \ingroup imglib_cpp |
193 | | * Stores information about an image that is open and being analyzed. |
194 | | * To use this object, open() should be called first. Otherwise, the get() |
195 | | * methods will return undefined values. |
196 | | */ class TskImgInfo { |
197 | | friend class TskFsInfo; |
198 | | friend class TskVsInfo; |
199 | | |
200 | | private: |
201 | | TSK_IMG_INFO * m_imgInfo; |
202 | | bool m_opened; // true if open() was called and we need to free it |
203 | | TskImgInfo(const TskImgInfo & rhs); |
204 | | TskImgInfo & operator=(const TskImgInfo & rhs); |
205 | | |
206 | | public: |
207 | 0 | TskImgInfo() { |
208 | 0 | m_imgInfo = NULL; |
209 | 0 | m_opened = false; |
210 | 0 | }; |
211 | | |
212 | 0 | ~TskImgInfo() { |
213 | 0 | tsk_img_close(m_imgInfo); |
214 | 0 | }; |
215 | | |
216 | 0 | TskImgInfo(TSK_IMG_INFO * a_imgInfo) { |
217 | 0 | m_imgInfo = a_imgInfo; |
218 | 0 | m_opened = false; |
219 | 0 | }; |
220 | | |
221 | | /** |
222 | | * Opens a single (non-split) disk image file so that it can be read. |
223 | | * See tsk_img_open_sing() for more details. |
224 | | * |
225 | | * @param a_image The path to the image file |
226 | | * @param a_type The disk image type (can be autodetection) |
227 | | * @param a_ssize Size of device sector in bytes (or 0 for default) |
228 | | * |
229 | | * @return 1 on error and 0 on success |
230 | | */ |
231 | | uint8_t open(const TSK_TCHAR * a_image, TSK_IMG_TYPE_ENUM a_type, |
232 | 0 | unsigned int a_ssize) { |
233 | 0 | if ((m_imgInfo = |
234 | 0 | tsk_img_open_sing(a_image, a_type, a_ssize)) != NULL) { |
235 | 0 | m_opened = true; |
236 | 0 | return 0; |
237 | 0 | } |
238 | 0 | else { |
239 | 0 | return 1; |
240 | 0 | } |
241 | 0 | }; |
242 | | |
243 | | /** |
244 | | * Opens one or more disk image files so that they can be read. e UTF8, then consider |
245 | | * See tsk_img_open() for more details. |
246 | | * |
247 | | * @param a_num_img The number of images to open (will be > 1 for split images). |
248 | | * @param a_images The path to the image files (the number of files must |
249 | | * be equal to num_img and they must be in a sorted order) |
250 | | * @param a_type The disk image type (can be autodetection) |
251 | | * @param a_ssize Size of device sector in bytes (or 0 for default) |
252 | | * |
253 | | * @return 1 on error and 0 on success |
254 | | */ |
255 | | uint8_t open(int a_num_img, const TSK_TCHAR * const a_images[], |
256 | 0 | TSK_IMG_TYPE_ENUM a_type, unsigned int a_ssize) { |
257 | 0 | if ((m_imgInfo = |
258 | 0 | tsk_img_open(a_num_img, a_images, a_type, |
259 | 0 | a_ssize)) != NULL) { |
260 | 0 | m_opened = true; |
261 | 0 | return 0; |
262 | 0 | } |
263 | 0 | else { |
264 | 0 | return 1; |
265 | 0 | } |
266 | 0 |
|
267 | 0 | }; |
268 | | |
269 | | #ifdef TSK_WIN32 |
270 | | /** |
271 | | * Opens a single (non-split) disk image file so that it can be read. This version |
272 | | * always takes a UTF-8 encoding of the disk image. See tsk_img_open_utf8_sing() for details. |
273 | | * |
274 | | * @param a_image The UTF-8 path to the image file |
275 | | * @param a_type The disk image type (can be autodetection) |
276 | | * @param a_ssize Size of device sector in bytes (or 0 for default) |
277 | | * |
278 | | * @return 1 on error and 0 on success |
279 | | */ |
280 | | uint8_t open(const char *a_image, TSK_IMG_TYPE_ENUM a_type, |
281 | | unsigned int a_ssize) { |
282 | | if ((m_imgInfo = |
283 | | tsk_img_open_utf8_sing(a_image, a_type, |
284 | | a_ssize)) != NULL) { |
285 | | m_opened = true; |
286 | | return 0; |
287 | | } |
288 | | else { |
289 | | return 1; |
290 | | } |
291 | | |
292 | | }; |
293 | | |
294 | | /** |
295 | | * Opens one or more disk image files so that they can be read. This |
296 | | * version always takes a UTF-8 encoding of the image files. See tsk_img_open_utf8() |
297 | | * for more details. |
298 | | * |
299 | | * @param a_num_img The number of images to open (will be > 1 for split images). |
300 | | * @param a_images The path to the UTF-8 encoded image files (the number of files must |
301 | | * be equal to a_num_img and they must be in a sorted order) |
302 | | * @param a_type The disk image type (can be autodetection) |
303 | | * @param a_ssize Size of device sector in bytes (or 0 for default) |
304 | | * |
305 | | * @return 1 on error and 0 on success |
306 | | */ |
307 | | uint8_t open(int a_num_img, const char *const a_images[], |
308 | | TSK_IMG_TYPE_ENUM a_type, unsigned int a_ssize) { |
309 | | if ((m_imgInfo = |
310 | | tsk_img_open_utf8(a_num_img, a_images, a_type, |
311 | | a_ssize)) != NULL) { |
312 | | m_opened = true; |
313 | | return 0; |
314 | | } |
315 | | else { |
316 | | return 1; |
317 | | } |
318 | | |
319 | | }; |
320 | | #endif |
321 | | |
322 | | /** |
323 | | * Reads data from an open disk image |
324 | | * |
325 | | * @param a_off Byte offset to start reading from |
326 | | * @param a_buf Buffer to read into |
327 | | * @param a_len Number of bytes to read into buffer |
328 | | * @returns number of bytes read or -1 on error |
329 | | */ |
330 | 0 | ssize_t read(TSK_OFF_T a_off, char *a_buf, size_t a_len) { |
331 | 0 | return tsk_img_read(m_imgInfo, a_off, a_buf, a_len); |
332 | 0 | }; |
333 | | |
334 | | |
335 | | /** |
336 | | * returns the image format type. |
337 | | * @returns image format type |
338 | | */ |
339 | 0 | TSK_IMG_TYPE_ENUM getType() const { |
340 | 0 | if (m_imgInfo != NULL) |
341 | 0 | return m_imgInfo->itype; |
342 | 0 | else |
343 | 0 | return (TSK_IMG_TYPE_ENUM) 0; |
344 | 0 | }; |
345 | | |
346 | | /** |
347 | | * Returns the size of the image. |
348 | | * @returns total size of image in bytes |
349 | | */ |
350 | 0 | TSK_OFF_T getSize() const { |
351 | 0 | if (m_imgInfo != NULL) |
352 | 0 | return m_imgInfo->size; |
353 | 0 | else |
354 | 0 | return 0; |
355 | 0 | }; |
356 | | |
357 | | /** |
358 | | * Returns the sector size of the disk |
359 | | * @returns sector size of original device in bytes |
360 | | */ |
361 | 0 | unsigned int getSectorSize() const { |
362 | 0 | if (m_imgInfo != NULL) |
363 | 0 | return m_imgInfo->sector_size; |
364 | 0 | else |
365 | 0 | return 0; |
366 | 0 | }; |
367 | | |
368 | | |
369 | | /** |
370 | | * Parses a string that specifies an image format to determine the |
371 | | * associated type ID. This is used by the TSK command line tools to |
372 | | * parse the type given on the command line. |
373 | | * |
374 | | * @param a_str String of image format type |
375 | | * @return ID of image type |
376 | | */ |
377 | 0 | static TSK_IMG_TYPE_ENUM typeToId(const TSK_TCHAR * a_str) { |
378 | 0 | return tsk_img_type_toid(a_str); |
379 | 0 | }; |
380 | | |
381 | | /** |
382 | | * Returns the name of an image format type, given its type ID. |
383 | | * @param a_type ID of image type |
384 | | * @returns Pointer to string of the name. |
385 | | */ |
386 | 0 | static const char *typeToName(TSK_IMG_TYPE_ENUM a_type) { |
387 | 0 | return tsk_img_type_toname(a_type); |
388 | 0 | }; |
389 | | |
390 | | /** |
391 | | * Returns the description of an image format type, given its type ID. |
392 | | * @param a_type ID of image type |
393 | | * @returns Pointer to string of the description |
394 | | */ |
395 | 0 | static const char *typeToDesc(TSK_IMG_TYPE_ENUM a_type) { |
396 | 0 | return tsk_img_type_todesc(a_type); |
397 | 0 | }; |
398 | | |
399 | | /** |
400 | | * Returns the supported file format types. |
401 | | * @returns A bit in the return value is set to 1 if the type is supported. |
402 | | */ |
403 | 0 | static TSK_IMG_TYPE_ENUM typeSupported() { |
404 | 0 | return tsk_img_type_supported(); |
405 | 0 | }; |
406 | | |
407 | | /** |
408 | | * Prints the name and description of the supported image types to a handle. |
409 | | * This is used by the TSK command line tools to print the supported types |
410 | | * to the console. |
411 | | * @param a_file Handle to print names and descriptions to. |
412 | | */ |
413 | 0 | static void typePrint(FILE * a_file) { |
414 | 0 | tsk_img_type_print(a_file); |
415 | 0 | }; |
416 | | }; |
417 | | |
418 | | #endif //__cplusplus |
419 | | #endif //_TSK_IMG_H |