The Sleuth Kit  4.10.2
Public Member Functions | List of all members
TskDbSqlite Class Reference
Inheritance diagram for TskDbSqlite:
TskDb

Public Member Functions

TSK_RETVAL_ENUM addCarvedFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId, int64_t dataSourceObjId)
 Adds information about a carved file with layout ranges into the database. More...
 
int addFileLayoutRange (const TSK_DB_FILE_LAYOUT_RANGE &fileLayoutRange)
 Add file layout info to the database. More...
 
int addFileLayoutRange (int64_t a_fileObjId, uint64_t a_byteStart, uint64_t a_byteLen, int a_sequence)
 Add file layout info to the database. More...
 
int addFsFile (TSK_FS_FILE *fs_file, const TSK_FS_ATTR *fs_attr, const char *path, const unsigned char *const md5, const TSK_DB_FILES_KNOWN_ENUM known, int64_t fsObjId, int64_t &objId, int64_t dataSourceObjId)
 Add a file system file to the database. More...
 
int addFsInfo (const TSK_FS_INFO *fs_info, int64_t parObjId, int64_t &objId)
 
int addImageInfo (int type, int size, int64_t &objId, const string &timezone)
 deprecated
 
int addImageInfo (int type, int size, int64_t &objId, const string &timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256)
 
int addImageInfo (int type, TSK_OFF_T ssize, int64_t &objId, const string &timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256, const string &deviceId, const string &collectionDetails)
 Adds image details to the existing database tables. More...
 
int addImageName (int64_t objId, char const *imgName, int sequence)
 
int addPoolInfoAndVS (const TSK_POOL_INFO *pool_info, int64_t parObjId, int64_t &vsObjId)
 Creates a new tsk_pool_info database entry and a new tsk_vs_info entry with the tsk_pool_info as its parent. More...
 
int addPoolVolumeInfo (const TSK_POOL_VOLUME_INFO *pool_vol, int64_t parObjId, int64_t &objId)
 Adds the sector addresses of the pool volumes into the db. More...
 
int addUnallocatedPoolVolume (int vol_index, int64_t parObjId, int64_t &objId)
 Adds a fake volume that will hold the unallocated blocks for the pool. More...
 
TSK_RETVAL_ENUM addUnallocBlockFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId, int64_t dataSourceObjId)
 Adds information about a unallocated file with layout ranges into the database. More...
 
TSK_RETVAL_ENUM addUnallocFsBlockFilesParent (const int64_t fsObjId, int64_t &objId, int64_t dataSourceObjId)
 Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs. More...
 
TSK_RETVAL_ENUM addUnusedBlockFile (const int64_t parentObjId, const int64_t fsObjId, const uint64_t size, vector< TSK_DB_FILE_LAYOUT_RANGE > &ranges, int64_t &objId, int64_t dataSourceObjId)
 Adds information about a unused file with layout ranges into the database. More...
 
TSK_RETVAL_ENUM addVirtualDir (const int64_t fsObjId, const int64_t parentDirId, const char *const name, int64_t &objId, int64_t dataSourceObjId)
 Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them. More...
 
int addVolumeInfo (const TSK_VS_PART_INFO *vs_part, int64_t parObjId, int64_t &objId)
 Adds the sector addresses of the volumes into the db. More...
 
int addVsInfo (const TSK_VS_INFO *vs_info, int64_t parObjId, int64_t &objId)
 
int close ()
 
int createSavepoint (const char *name)
 Create a savepoint. More...
 
bool dbExists ()
 
TSK_RETVAL_ENUM getFileLayouts (vector< TSK_DB_FILE_LAYOUT_RANGE > &fileLayouts)
 Query tsk_file_layout and return rows for every entry in tsk_file_layout table. More...
 
TSK_RETVAL_ENUM getFsInfos (int64_t imgId, vector< TSK_DB_FS_INFO > &fsInfos)
 Query tsk_fs_info and return rows for every entry in tsk_fs_info table. More...
 
TSK_RETVAL_ENUM getFsRootDirObjectInfo (const int64_t fsObjId, TSK_DB_OBJECT &rootDirObjInfo)
 Query tsk_objects and tsk_files given file system id and return the root directory object. More...
 
TSK_RETVAL_ENUM getObjectInfo (int64_t objId, TSK_DB_OBJECT &objectInfo)
 Query tsk_objects with given id and returns object info entry. More...
 
TSK_RETVAL_ENUM getParentImageId (const int64_t objId, int64_t &imageId)
 Query tsk_objects to find the root image id for the object. More...
 
TSK_RETVAL_ENUM getVsInfo (int64_t objId, TSK_DB_VS_INFO &vsInfo)
 Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry. More...
 
TSK_RETVAL_ENUM getVsInfos (int64_t imgId, vector< TSK_DB_VS_INFO > &vsInfos)
 Query tsk_vs_info and return rows for every entry in tsk_vs_info table. More...
 
TSK_RETVAL_ENUM getVsPartInfos (int64_t imgId, vector< TSK_DB_VS_PART_INFO > &vsPartInfos)
 Query tsk_vs_part and return rows for every entry in tsk_vs_part table. More...
 
bool inTransaction ()
 
bool isDbOpen ()
 Returns true if database is opened.
 
int open (bool)
 
int releaseSavepoint (const char *name)
 Release a savepoint. More...
 
int revertSavepoint (const char *name)
 Rollback to specified savepoint and release. More...
 
 TskDbSqlite (const char *a_dbFilePathUtf8, bool a_blkMapFlag)
 Set the locations and logging object. More...
 
- Public Member Functions inherited from TskDb
virtual bool getParentPathAndName (const char *path, const char **ret_parent_path, const char **ret_name)
 
 TskDb (const char *a_dbFilePathUtf8, bool a_blkMapFlag)
 Set the locations and logging object. More...
 

Additional Inherited Members

- Protected Member Functions inherited from TskDb
void extractExtension (char *name, char *extension)
 Extract the extension from the given file name and store it in the supplied string. More...
 

Constructor & Destructor Documentation

TskDbSqlite::TskDbSqlite ( const char *  a_dbFilePathUtf8,
bool  a_blkMapFlag 
)

Set the locations and logging object.

Must call open() before the object can be used.

Member Function Documentation

TSK_RETVAL_ENUM TskDbSqlite::addCarvedFile ( const int64_t  parentObjId,
const int64_t  fsObjId,
const uint64_t  size,
vector< TSK_DB_FILE_LAYOUT_RANGE > &  ranges,
int64_t &  objId,
int64_t  dataSourceObjId 
)
virtual

Adds information about a carved file with layout ranges into the database.

Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table

Parameters
parentObjIdId of the parent object in the database (fs, volume, or image)
fsObjIdfs id associated with the file, or NULL
sizeNumber of bytes in file
rangesvector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in)
objIdobject id of the file object created (output)
dataSourceObjIdThe object ID for the data source
Returns
TSK_OK on success or TSK_ERR on error.

Implements TskDb.

References TSK_DB_FILES_TYPE_CARVED.

int TskDbSqlite::addFileLayoutRange ( const TSK_DB_FILE_LAYOUT_RANGE fileLayoutRange)
virtual

Add file layout info to the database.

This table stores the run information for each file so that we can map which parts of an image are used by what files.

Parameters
fileLayoutRangeTSK_DB_FILE_LAYOUT_RANGE object storing a single file layout range entry
Returns
1 on error

Implements TskDb.

References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId.

int TskDbSqlite::addFileLayoutRange ( int64_t  a_fileObjId,
uint64_t  a_byteStart,
uint64_t  a_byteLen,
int  a_sequence 
)
virtual

Add file layout info to the database.

This table stores the run information for each file so that we can map which parts of an image are used by what files.

Parameters
a_fileObjIdID of the file
a_byteStartByte address relative to the start of the image file
a_byteLenLength of the run in bytes
a_sequenceSequence of this run in the file
Returns
1 on error

Implements TskDb.

int TskDbSqlite::addFsFile ( TSK_FS_FILE fs_file,
const TSK_FS_ATTR fs_attr,
const char *  path,
const unsigned char *const  md5,
const TSK_DB_FILES_KNOWN_ENUM  known,
int64_t  fsObjId,
int64_t &  objId,
int64_t  dataSourceObjId 
)
virtual

Add a file system file to the database.

Parameters
fs_fileFile structure to add
fs_attrSpecific attribute to add
pathPath of parent folder
md5Binary value of MD5 (i.e. 16 bytes) or NULL
knownStatus regarding if it was found in hash database or not
fsObjIdFile system object of its file system
objIdID that was assigned to it from the objects table
dataSourceObjIdThe object ID for the data source
Returns
1 on error and 0 on success

Implements TskDb.

References TSK_FS_FILE::fs_info, TSK_FS_NAME::meta_addr, TSK_FS_NAME::name, TSK_FS_FILE::name, and TSK_FS_INFO::root_inum.

int TskDbSqlite::addFsInfo ( const TSK_FS_INFO fs_info,
int64_t  parObjId,
int64_t &  objId 
)
virtual
int TskDbSqlite::addImageInfo ( int  type,
int  ssize,
int64_t &  objId,
const string &  timezone,
TSK_OFF_T  size,
const string &  md5,
const string &  sha1,
const string &  sha256 
)
virtual
Returns
1 on error, 0 on success

Implements TskDb.

References addImageInfo().

int TskDbSqlite::addImageInfo ( int  type,
TSK_OFF_T  ssize,
int64_t &  objId,
const string &  timezone,
TSK_OFF_T  size,
const string &  md5,
const string &  sha1,
const string &  sha256,
const string &  deviceId,
const string &  collectionDetails 
)
virtual

Adds image details to the existing database tables.

Parameters
typeImage type
ssizeSize of device sector in bytes (or 0 for default)
objIdThe object id assigned to the image (out param)
timezoneThe timezone the image is from
sizeThe size of the image in bytes.
md5MD5 hash of the image
deviceIdAn ASCII-printable identifier for the device associated with the data source that is intended to be unique across multiple cases (e.g., a UUID).
Returns
1 on error, 0 on success

Implements TskDb.

References TSK_DB_OBJECT_TYPE_IMG.

int TskDbSqlite::addImageName ( int64_t  objId,
char const *  imgName,
int  sequence 
)
virtual
Returns
1 on error, 0 on success

Implements TskDb.

int TskDbSqlite::addPoolInfoAndVS ( const TSK_POOL_INFO *  pool_info,
int64_t  parObjId,
int64_t &  vsObjId 
)
virtual

Creates a new tsk_pool_info database entry and a new tsk_vs_info entry with the tsk_pool_info as its parent.

@ param pool_info The pool to save to the database @ param parObjId The ID of the parent of the pool object @ param vsObjId Will be set to the object ID of the new volume system created as a child of the new pool.

Returns
1 on error, 0 on success

Implements TskDb.

References TSK_DB_OBJECT_TYPE_POOL, TSK_DB_OBJECT_TYPE_VS, and TSK_VS_TYPE_APFS.

int TskDbSqlite::addPoolVolumeInfo ( const TSK_POOL_VOLUME_INFO *  pool_vol,
int64_t  parObjId,
int64_t &  objId 
)
virtual

Adds the sector addresses of the pool volumes into the db.

Parameters
pool_volThe pool volume to save to the DB
parObjIdThe ID of the parent of the pool volume (should be a volume system)
objIdWill be set to the object ID of the new volume
Returns
1 on error, 0 on success

Implements TskDb.

References TSK_DB_OBJECT_TYPE_VOL.

int TskDbSqlite::addUnallocatedPoolVolume ( int  vol_index,
int64_t  parObjId,
int64_t &  objId 
)
virtual

Adds a fake volume that will hold the unallocated blocks for the pool.

Parameters
vol_indexThe index for the new volume (should be one higher than the number of pool volumes)
parObjIdThe object ID of the parent volume system
objIdWill be set to the object ID of the new volume
Returns
1 on error, 0 on success

Implements TskDb.

References TSK_DB_OBJECT_TYPE_VOL.

TSK_RETVAL_ENUM TskDbSqlite::addUnallocBlockFile ( const int64_t  parentObjId,
const int64_t  fsObjId,
const uint64_t  size,
vector< TSK_DB_FILE_LAYOUT_RANGE > &  ranges,
int64_t &  objId,
int64_t  dataSourceObjId 
)
virtual

Adds information about a unallocated file with layout ranges into the database.

Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table

Parameters
parentObjIdId of the parent object in the database (fs, volume, or image)
fsObjIdparent fs, or NULL if the file is not associated with fs
sizeNumber of bytes in file
rangesvector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in)
objIdobject id of the file object created (output)
dataSourceObjIdThe object ID for the data source
Returns
TSK_OK on success or TSK_ERR on error.

Implements TskDb.

References TSK_DB_FILES_TYPE_UNALLOC_BLOCKS.

TSK_RETVAL_ENUM TskDbSqlite::addUnallocFsBlockFilesParent ( const int64_t  fsObjId,
int64_t &  objId,
int64_t  dataSourceObjId 
)
virtual

Internal helper method to add a virtual root dir, a parent dir of files representing unalloc space within fs.

The dir has is associated with its root dir parent for the fs.

Parameters
fsObjId(in) fs id to find root dir for and create $Unalloc dir for
objId(out) object id of the $Unalloc dir created
dataSourceObjIdThe object ID for the data source
Returns
TSK_ERR on error or TSK_OK on success

Implements TskDb.

References addVirtualDir(), getFsRootDirObjectInfo(), _TSK_DB_OBJECT::objId, and TSK_ERR.

TSK_RETVAL_ENUM TskDbSqlite::addUnusedBlockFile ( const int64_t  parentObjId,
const int64_t  fsObjId,
const uint64_t  size,
vector< TSK_DB_FILE_LAYOUT_RANGE > &  ranges,
int64_t &  objId,
int64_t  dataSourceObjId 
)
virtual

Adds information about a unused file with layout ranges into the database.

Adds a single entry to tsk_files table with an auto-generated file name, tsk_objects table, and one or more entries to tsk_file_layout table

Parameters
parentObjIdId of the parent object in the database (fs, volume, or image)
fsObjIdparent fs, or NULL if the file is not associated with fs
sizeNumber of bytes in file
rangesvector containing one or more TSK_DB_FILE_LAYOUT_RANGE layout ranges (in)
objIdobject id of the file object created (output)
dataSourceObjIdThe object ID for the data source
Returns
TSK_OK on success or TSK_ERR on error.

Implements TskDb.

References TSK_DB_FILES_TYPE_UNUSED_BLOCKS.

TSK_RETVAL_ENUM TskDbSqlite::addVirtualDir ( const int64_t  fsObjId,
const int64_t  parentDirId,
const char *const  name,
int64_t &  objId,
int64_t  dataSourceObjId 
)
virtual

Add virtual dir of type TSK_DB_FILES_TYPE_VIRTUAL_DIR that can be a parent of other non-fs virtual files or directories, to organize them.

Parameters
fsObjId(in) file system object id to associate with the virtual directory.
parentDirId(in) parent dir object id of the new directory: either another virtual directory or root fs directory
namename (int) of the new virtual directory
objId(out) object id of the created virtual directory object
dataSourceObjIdThe object Id of the data source
Returns
TSK_ERR on error or TSK_OK on success

Implements TskDb.

References TSK_DB_FILES_KNOWN_UNKNOWN, TSK_DB_FILES_TYPE_VIRTUAL_DIR, TSK_DB_OBJECT_TYPE_FILE, TSK_ERR, TSK_FS_META_FLAG_ALLOC, TSK_FS_META_FLAG_USED, TSK_FS_META_TYPE_DIR, TSK_FS_NAME_FLAG_ALLOC, TSK_FS_NAME_TYPE_DIR, and TSK_OK.

Referenced by addUnallocFsBlockFilesParent().

int TskDbSqlite::addVolumeInfo ( const TSK_VS_PART_INFO vs_part,
int64_t  parObjId,
int64_t &  objId 
)
virtual

Adds the sector addresses of the volumes into the db.

Returns
1 on error, 0 on success

Implements TskDb.

References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::desc, TSK_VS_PART_INFO::flags, TSK_VS_PART_INFO::len, TSK_VS_PART_INFO::start, and TSK_DB_OBJECT_TYPE_VOL.

int TskDbSqlite::addVsInfo ( const TSK_VS_INFO vs_info,
int64_t  parObjId,
int64_t &  objId 
)
virtual
Returns
1 on error, 0 on success

Implements TskDb.

References TSK_VS_INFO::block_size, TSK_VS_INFO::offset, TSK_DB_OBJECT_TYPE_VS, and TSK_VS_INFO::vstype.

int TskDbSqlite::createSavepoint ( const char *  name)
virtual

Create a savepoint.

Call revertSavepoint() or releaseSavepoint() to revert or commit.

Parameters
nameName to call savepoint
Returns
1 on error, 0 on success

Implements TskDb.

TSK_RETVAL_ENUM TskDbSqlite::getFileLayouts ( vector< TSK_DB_FILE_LAYOUT_RANGE > &  fileLayouts)
virtual

Query tsk_file_layout and return rows for every entry in tsk_file_layout table.

Parameters
fileLayouts(out) TSK_DB_FILE_LAYOUT_RANGE row representations to return
Returns
TSK_ERR on error, TSK_OK on success

Implements TskDb.

References _TSK_DB_FILE_LAYOUT_RANGE::fileObjId, TSK_ERR, and TSK_OK.

TSK_RETVAL_ENUM TskDbSqlite::getFsInfos ( int64_t  imgId,
vector< TSK_DB_FS_INFO > &  fsInfos 
)
virtual

Query tsk_fs_info and return rows for every entry in tsk_fs_info table.

Parameters
imgIdthe object id of the image to get filesystems for
fsInfos(out) TSK_DB_FS_INFO row representations to return
Returns
TSK_ERR on error, TSK_OK on success

Implements TskDb.

References getParentImageId(), _TSK_DB_FS_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and TSK_OK.

TSK_RETVAL_ENUM TskDbSqlite::getFsRootDirObjectInfo ( const int64_t  fsObjId,
TSK_DB_OBJECT rootDirObjInfo 
)
virtual

Query tsk_objects and tsk_files given file system id and return the root directory object.

Parameters
fsObjId(int) file system id to query root dir object for
rootDirObjInfo(out) TSK_DB_OBJECT root dir entry representation to return
Returns
TSK_ERR on error (or if not found), TSK_OK on success

Implements TskDb.

References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.

Referenced by addUnallocFsBlockFilesParent().

TSK_RETVAL_ENUM TskDbSqlite::getObjectInfo ( int64_t  objId,
TSK_DB_OBJECT objectInfo 
)
virtual

Query tsk_objects with given id and returns object info entry.

Parameters
objIdobject id to query
objectInfo(out) TSK_DB_OBJECT entry representation to return
Returns
TSK_ERR on error (or if not found), TSK_OK on success

Implements TskDb.

References _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.

Referenced by getParentImageId().

TSK_RETVAL_ENUM TskDbSqlite::getParentImageId ( const int64_t  objId,
int64_t &  imageId 
)
virtual

Query tsk_objects to find the root image id for the object.

Parameters
objId(in) object id to query
imageId(out) root parent image id returned
Returns
TSK_ERR on error (or if not found), TSK_OK on success

Implements TskDb.

References getObjectInfo(), _TSK_DB_OBJECT::objId, TSK_ERR, and TSK_OK.

Referenced by getFsInfos(), getVsInfos(), and getVsPartInfos().

TSK_RETVAL_ENUM TskDbSqlite::getVsInfo ( int64_t  objId,
TSK_DB_VS_INFO vsInfo 
)
virtual

Query tsk_vs_info with given id and returns TSK_DB_VS_INFO info entry.

Parameters
objIdvs id to query
vsInfo(out) TSK_DB_VS_INFO entry representation to return
Returns
TSK_ERR on error (or if not found), TSK_OK on success

Implements TskDb.

References _TSK_DB_VS_INFO::objId, TSK_ERR, and TSK_OK.

TSK_RETVAL_ENUM TskDbSqlite::getVsInfos ( int64_t  imgId,
vector< TSK_DB_VS_INFO > &  vsInfos 
)
virtual

Query tsk_vs_info and return rows for every entry in tsk_vs_info table.

Parameters
imgIdthe object id of the image to get volumesystems for
vsInfos(out) TSK_DB_VS_INFO row representations to return
Returns
TSK_ERR on error, TSK_OK on success

Implements TskDb.

References getParentImageId(), _TSK_DB_VS_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and TSK_OK.

TSK_RETVAL_ENUM TskDbSqlite::getVsPartInfos ( int64_t  imgId,
vector< TSK_DB_VS_PART_INFO > &  vsPartInfos 
)
virtual

Query tsk_vs_part and return rows for every entry in tsk_vs_part table.

Parameters
imgIdthe object id of the image to get vs parts for
vsPartInfos(out) TSK_DB_VS_PART_INFO row representations to return
Returns
TSK_ERR on error, TSK_OK on success

Implements TskDb.

References getParentImageId(), _TSK_DB_VS_PART_INFO::objId, TSK_ERR, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_MAX_DB_VS_PART_INFO_DESC_LEN, and TSK_OK.

int TskDbSqlite::releaseSavepoint ( const char *  name)
virtual

Release a savepoint.

Commits if savepoint was not rollbacked.

Parameters
nameName of savepoint
Returns
1 on error, 0 on success

Implements TskDb.

Referenced by revertSavepoint().

int TskDbSqlite::revertSavepoint ( const char *  name)
virtual

Rollback to specified savepoint and release.

Parameters
nameName of savepoint
Returns
1 on error, 0 on success

Implements TskDb.

References releaseSavepoint().


The documentation for this class was generated from the following files:

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.