The Sleuth Kit  4.10.2
tsk_db.h File Reference

Contains TSK interface to abstract database handling class.

#include <vector>
#include <string>
#include <ostream>
#include "tsk_auto_i.h"

Classes

struct  _TSK_DB_FILE_LAYOUT_RANGE
 Structure wrapping a single file_layout db entry.
 
struct  _TSK_DB_FS_INFO
 Structure wrapping a single fs info db entry.
 
struct  _TSK_DB_OBJECT
 Structure wrapping a single tsk objects db entry.
 
struct  _TSK_DB_VS_INFO
 Structure wrapping a single vs info db entry.
 
struct  _TSK_DB_VS_PART_INFO
 
class  TskDb
 

Macros

#define MAX_PATH_LENGTH   2048
 
#define TSK_MAX_DB_VS_PART_INFO_DESC_LEN   512
 Structure wrapping a single vs part db entry.
 
#define TSK_SCHEMA_MINOR_VER   4
 
#define TSK_SCHEMA_VER   8
 Do not change these values - the schema is no longer being updated in this code and does not match the current version in SleuthkitCase.java.
 

Typedefs

typedef struct _TSK_DB_FILE_LAYOUT_RANGE TSK_DB_FILE_LAYOUT_RANGE
 Structure wrapping a single file_layout db entry.
 
typedef struct _TSK_DB_FS_INFO TSK_DB_FS_INFO
 Structure wrapping a single fs info db entry.
 
typedef struct _TSK_DB_OBJECT TSK_DB_OBJECT
 Structure wrapping a single tsk objects db entry.
 
typedef struct _TSK_DB_VS_INFO TSK_DB_VS_INFO
 Structure wrapping a single vs info db entry.
 
typedef struct _TSK_DB_VS_PART_INFO TSK_DB_VS_PART_INFO
 

Enumerations

enum  TSK_DB_FILES_KNOWN_ENUM { TSK_DB_FILES_KNOWN_UNKNOWN = 0, TSK_DB_FILES_KNOWN_KNOWN = 1, TSK_DB_FILES_KNOWN_KNOWN_BAD = 2, TSK_DB_FILES_KNOWN_KNOWN_GOOD = 3 }
 Values for the "known" column of the tsk_files table.
 
enum  TSK_DB_FILES_TYPE_ENUM {
  TSK_DB_FILES_TYPE_FS = 0, TSK_DB_FILES_TYPE_CARVED, TSK_DB_FILES_TYPE_DERIVED, TSK_DB_FILES_TYPE_LOCAL,
  TSK_DB_FILES_TYPE_UNALLOC_BLOCKS, TSK_DB_FILES_TYPE_UNUSED_BLOCKS, TSK_DB_FILES_TYPE_VIRTUAL_DIR, TSK_DB_FILES_TYPE_SLACK
}
 Values for the files type column in the tsk_files table.
 
enum  TSK_DB_OBJECT_TYPE_ENUM {
  TSK_DB_OBJECT_TYPE_IMG = 0, TSK_DB_OBJECT_TYPE_VS, TSK_DB_OBJECT_TYPE_VOL, TSK_DB_OBJECT_TYPE_FS,
  TSK_DB_OBJECT_TYPE_FILE, TSK_DB_OBJECT_TYPE_ARTIFACT, TSK_DB_OBJECT_TYPE_REPORT, TSK_DB_OBJECT_TYPE_POOL
}
 Values for the type column in the tsk_objects table.
 

Functions

ostream & operator<< (ostream &os, const TSK_DB_OBJECT &dbObject)
 
ostream & operator<< (ostream &os, const TSK_DB_FILE_LAYOUT_RANGE &layoutRange)
 
ostream & operator<< (ostream &os, const TSK_DB_FS_INFO &fsInfo)
 
ostream & operator<< (ostream &os, const TSK_DB_VS_INFO &vsInfo)
 
ostream & operator<< (ostream &os, const TSK_DB_VS_PART_INFO &vsPartInfos)
 

Detailed Description

Contains TSK interface to abstract database handling class.

The intent of this class is so that different databases can be seamlessly used by TSK.

Enumeration Type Documentation

enum TSK_DB_FILES_KNOWN_ENUM

Values for the "known" column of the tsk_files table.

Enumerator
TSK_DB_FILES_KNOWN_UNKNOWN 

Not matched against an index.

TSK_DB_FILES_KNOWN_KNOWN 

Match found in a "known" file index (such as NIST NSRL) and could be good or bad.

TSK_DB_FILES_KNOWN_KNOWN_BAD 

Match found in a "known bad" index.

TSK_DB_FILES_KNOWN_KNOWN_GOOD 

Match found in a "known good" index.

enum TSK_DB_FILES_TYPE_ENUM

Values for the files type column in the tsk_files table.

Enumerator
TSK_DB_FILES_TYPE_FS 

File that can be found in file system tree.

TSK_DB_FILES_TYPE_CARVED 

Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS range.

TSK_DB_FILES_TYPE_DERIVED 

File derived from a parent file (e.g. from a ZIP archive).

TSK_DB_FILES_TYPE_LOCAL 

Local file that was added (not from a disk image).

TSK_DB_FILES_TYPE_UNALLOC_BLOCKS 

Set of blocks not allocated by file system. Parent should be image, volume, or file system. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout.

TSK_DB_FILES_TYPE_UNUSED_BLOCKS 

Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNALLOC_BLOCKS, many columns in tsk_files will be NULL, set layout in tsk_file_layout.

TSK_DB_FILES_TYPE_VIRTUAL_DIR 

Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other than TSK_DB_FILES_TYPE_FS. Its parent is either another TSK_DB_FILES_TYPE_FS or a root directory of type TSK_DB_FILES_TYPE_FS.

TSK_DB_FILES_TYPE_SLACK 

Slack space for a single file.

enum TSK_DB_OBJECT_TYPE_ENUM

Values for the type column in the tsk_objects table.

Enumerator
TSK_DB_OBJECT_TYPE_IMG 

Object is a disk image.

TSK_DB_OBJECT_TYPE_VS 

Object is a volume system.

TSK_DB_OBJECT_TYPE_VOL 

Object is a volume.

TSK_DB_OBJECT_TYPE_FS 

Object is a file system.

TSK_DB_OBJECT_TYPE_FILE 

Object is a file (exact type can be determined in the tsk_files table via TSK_DB_FILES_TYPE_ENUM).

TSK_DB_OBJECT_TYPE_ARTIFACT 

Autopsy placeholder.

TSK_DB_OBJECT_TYPE_REPORT 

Autopsy placeholder.

TSK_DB_OBJECT_TYPE_POOL 

Object is a pool.


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.