The Sleuth Kit  4.11.1
Functions
C Volume System Functions

Functions

void tsk_vs_close (TSK_VS_INFO *a_vs)
 Closes an open volume system. More...
 
TSK_VS_INFOtsk_vs_open (TSK_IMG_INFO *img_info, TSK_DADDR_T offset, TSK_VS_TYPE_ENUM type)
 Open a disk image and process the media management system data. More...
 
const TSK_VS_PART_INFOtsk_vs_part_get (const TSK_VS_INFO *a_vs, TSK_PNUM_T a_idx)
 Return handle to a volume in the volume system. More...
 
ssize_t tsk_vs_part_read (const TSK_VS_PART_INFO *a_vs_part, TSK_OFF_T a_off, char *a_buf, size_t a_len)
 Reads data starting at a byte address relative to the start of a VOLUME in a volume system. More...
 
ssize_t tsk_vs_part_read_block (const TSK_VS_PART_INFO *a_vs_part, TSK_DADDR_T a_addr, char *a_buf, size_t a_len)
 Reads one or more blocks of data with an address relative to the start of a VOLUME in a volume system. More...
 
uint8_t tsk_vs_part_walk (TSK_VS_INFO *a_vs, TSK_PNUM_T a_start, TSK_PNUM_T a_last, TSK_VS_PART_FLAG_ENUM a_flags, TSK_VS_PART_WALK_CB a_action, void *a_ptr)
 Walk a range of partitions and pass the data to a callback function. More...
 
ssize_t tsk_vs_read_block (TSK_VS_INFO *a_vs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len)
 Reads one or more blocks of data with an address relative to the start of the volume system. More...
 
void tsk_vs_type_print (FILE *hFile)
 Print the supported volume system type names to an open handle. More...
 
TSK_VS_TYPE_ENUM tsk_vs_type_supported ()
 Return the supported volume system types. More...
 
const char * tsk_vs_type_todesc (TSK_VS_TYPE_ENUM type)
 Return the string description of a partition type ID. More...
 
TSK_VS_TYPE_ENUM tsk_vs_type_toid (const TSK_TCHAR *str)
 Parse a string with the volume system type and return its internal ID. More...
 
TSK_VS_TYPE_ENUM tsk_vs_type_toid_utf8 (const char *str)
 Parse a string with the volume system type and return its internal ID. More...
 
const char * tsk_vs_type_toname (TSK_VS_TYPE_ENUM type)
 Return the string name of a partition type ID. More...
 

Detailed Description

Function Documentation

void tsk_vs_close ( TSK_VS_INFO a_vs)

Closes an open volume system.

Parameters
a_vsPointer to the open volume system structure.

Referenced by TskVsInfo::close(), and TskAuto::findFilesInVs().

TSK_VS_INFO* tsk_vs_open ( TSK_IMG_INFO img_info,
TSK_DADDR_T  offset,
TSK_VS_TYPE_ENUM  type 
)

Open a disk image and process the media management system data.

This calls VS specific code to determine the type and collect data.

Parameters
img_infoThe opened disk image.
offsetByte offset in the disk image to start analyzing from.
typeType of volume system (including auto detect)
Returns
NULL on error.

References TSK_VS_PART_INFO::desc, TSK_VS_INFO::is_backup, TSK_IMG_INFO::itype, TSK_VS_PART_INFO::next, TSK_VS_INFO::part_list, TSK_VS_PART_INFO::start, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_fprintf(), TSK_IMG_TYPE_LOGICAL, tsk_verbose, TSK_VS_TYPE_APFS, TSK_VS_TYPE_BSD, TSK_VS_TYPE_DETECT, TSK_VS_TYPE_DOS, TSK_VS_TYPE_GPT, TSK_VS_TYPE_MAC, TSK_VS_TYPE_SUN, and TSK_VS_TYPE_UNSUPP.

Referenced by TskAuto::findFilesInVs(), and TskVsInfo::open().

const TSK_VS_PART_INFO* tsk_vs_part_get ( const TSK_VS_INFO a_vs,
TSK_PNUM_T  a_idx 
)

Return handle to a volume in the volume system.

Parameters
a_vsOpen volume system
a_idxIndex for volume to return (0-based)
Returns
Handle to volume or NULL on error

References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::next, TSK_VS_INFO::part_count, TSK_VS_INFO::part_list, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by TskVsInfo::getPart().

ssize_t tsk_vs_part_read ( const TSK_VS_PART_INFO a_vs_part,
TSK_OFF_T  a_off,
char *  a_buf,
size_t  a_len 
)

Reads data starting at a byte address relative to the start of a VOLUME in a volume system.

Parameters
a_vs_partinfo Pointer to open volume in a volume system
a_offByte offset to read from, relative to start of VOLUME in volume system.
a_bufBuffer to store data in
a_lenAmount of data to read (in bytes)
Returns
Number of bytes read or -1 on error

References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, TSK_VS_PART_INFO::start, tsk_img_read(), and TSK_VS_PART_INFO::vs.

Referenced by TskVsPartInfo::read().

ssize_t tsk_vs_part_read_block ( const TSK_VS_PART_INFO a_vs_part,
TSK_DADDR_T  a_addr,
char *  a_buf,
size_t  a_len 
)

Reads one or more blocks of data with an address relative to the start of a VOLUME in a volume system.

Parameters
a_vs_partinfo Pointer to open volume in a volume system
a_addrBlock address to start reading from, relative to start of VOLUME in volume system.
a_bufBuffer to store data in
a_lenAmount of data to read (in bytes - must be a multiple of block_size)
Returns
Number of bytes read or -1 on error

References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, PRIuSIZE, TSK_VS_PART_INFO::start, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_img_read(), and TSK_VS_PART_INFO::vs.

Referenced by TskVsPartInfo::readBlock().

uint8_t tsk_vs_part_walk ( TSK_VS_INFO a_vs,
TSK_PNUM_T  a_start,
TSK_PNUM_T  a_last,
TSK_VS_PART_FLAG_ENUM  a_flags,
TSK_VS_PART_WALK_CB  a_action,
void *  a_ptr 
)

Walk a range of partitions and pass the data to a callback function.

Parameters
a_vsPointer to open volume system
a_startAddress of first partition to walk from.
a_lastAddress of last partition to walk to.
a_flagsFlags that are used to identify which of the partitions in the range should be returned (if 0, all partitions will be returned).
a_actionCallback action to call for each partition.
a_ptrPointer to data that will be passed to callback.
Returns
1 on error and 0 on success

References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::flags, TSK_VS_PART_INFO::next, TSK_VS_INFO::part_count, TSK_VS_INFO::part_list, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_VS_PART_FLAG_ALLOC, TSK_VS_PART_FLAG_META, TSK_VS_PART_FLAG_UNALLOC, TSK_WALK_CONT, TSK_WALK_ERROR, and TSK_WALK_STOP.

Referenced by TskAuto::findFilesInVs(), and TskVsInfo::vsPartWalk().

ssize_t tsk_vs_read_block ( TSK_VS_INFO a_vs,
TSK_DADDR_T  a_addr,
char *  a_buf,
size_t  a_len 
)

Reads one or more blocks of data with an address relative to the start of the volume system.

Parameters
a_vsPointer to open volume system
a_addrSector address to read from, relative to start of VOLUME SYSTEM.
a_bufBuffer to store data in
a_lenAmount of data to read (in bytes - must be a multiple of block_size)
Returns
Number of bytes read or -1 on error

References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, PRIuSIZE, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and tsk_img_read().

Referenced by TskVsInfo::readBlock().

void tsk_vs_type_print ( FILE *  hFile)

Print the supported volume system type names to an open handle.

Parameters
hFileHandle to print to.

References tsk_fprintf().

Referenced by TskVsInfo::typePrint().

TSK_VS_TYPE_ENUM tsk_vs_type_supported ( )

Return the supported volume system types.

Returns
The bit in the return value is 1 if the type is supported.

Referenced by TskVsInfo::typeSupported().

const char* tsk_vs_type_todesc ( TSK_VS_TYPE_ENUM  type)

Return the string description of a partition type ID.

Parameters
typeVolume system type
Returns
description of type or NULL on error

Referenced by TskVsInfo::typeToDesc().

TSK_VS_TYPE_ENUM tsk_vs_type_toid ( const TSK_TCHAR str)

Parse a string with the volume system type and return its internal ID.

Parameters
strString to parse.
Returns
ID of string (or unsupported if the name is unknown)

References tsk_vs_type_toid_utf8().

Referenced by TskVsInfo::typeToId().

TSK_VS_TYPE_ENUM tsk_vs_type_toid_utf8 ( const char *  str)

Parse a string with the volume system type and return its internal ID.

Parameters
strString to parse (always in UTF-8).
Returns
ID of string (or unsupported if the name is unknown)

References TSK_VS_TYPE_UNSUPP.

Referenced by tsk_vs_type_toid().

const char* tsk_vs_type_toname ( TSK_VS_TYPE_ENUM  type)

Return the string name of a partition type ID.

Parameters
typeVolume system type
Returns
name of type or NULL on error

References TSK_VS_TYPE_DBFILLER.

Referenced by TskVsInfo::typeToName().


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.