The Sleuth Kit 4.15.0-develop
TskFsAttribute Class Reference

Stores information about a file attribute.

#include <tsk_fs.h>

Public Member Functions

TSK_OFF_T getAllocSize () const
const uint8_t * getBuf () const
uint32_t getCompSize () const
TSK_FS_ATTR_FLAG_ENUM getFlags () const
uint16_t getId () const
TSK_OFF_T getInitSize () const
const char * getName () const
const TskFsAttrRun * getRun (int a_idx) const
int getRunCount () const
TSK_OFF_T getSize () const
uint32_t getSkipLen () const
TSK_FS_ATTR_TYPE_ENUM getType () const
ssize_t read (TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags)
 TskFsAttribute (const TSK_FS_ATTR *a_fsAttr)
uint8_t walk (TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CPP_CB a_action, void *a_ptr)

Detailed Description

Stores information about a file attribute.

File attributes store data for a file. Most files have at least one attribute that stores the file content. See TSK_FS_ATTR for details on attributes.

Constructor & Destructor Documentation

◆ TskFsAttribute()

TskFsAttribute::TskFsAttribute ( const TSK_FS_ATTR * a_fsAttr)
inline
  construct a TskFsAttribute object
Parameters
a_fsAttr: a pointer to a TSK_FS_ATTR. If NULL, the getX() return values are undefined.

Member Function Documentation

◆ getAllocSize()

TSK_OFF_T TskFsAttribute::getAllocSize ( ) const
inline
Get the number of bytes that are allocated in all clusters of the non-resident run (will be larger than size; does not include skiplen). This is defined when the attribute is created and is used to determine slack space.

Returns
number of bytes that are allocated in all clusters of non-resident run

◆ getBuf()

const uint8_t * TskFsAttribute::getBuf ( ) const
inline
Pointer to buffer with resident data.  Only getSize() bytes will be valid.
Returns
pointer to buffer with resident data.

◆ getCompSize()

uint32_t TskFsAttribute::getCompSize ( ) const
inline
get size of compression units (needed only if NTFS file is compressed)
Returns
size of compression units (needed only if NTFS file is compressed)

◆ getFlags()

TSK_FS_ATTR_FLAG_ENUM TskFsAttribute::getFlags ( ) const
inline
get the attribute's flags
Returns
flags for attribute

◆ getId()

uint16_t TskFsAttribute::getId ( ) const
inline
get id of attribute
Returns
id of attribute

◆ getInitSize()

TSK_OFF_T TskFsAttribute::getInitSize ( ) const
inline
Get the number of bytes (starting from offset 0) that have data (including FILLER) saved for them (smaller than or equal to size). This is defined when the attribute is created.

Returns
number of bytes (starting from offset 0) that have data

◆ getName()

const char * TskFsAttribute::getName ( ) const
inline
get the attribute's name (in UTF-8).
Returns
name of attribute (or NULL if attribute doesn't have one)

◆ getRun()

const TskFsAttrRun * TskFsAttribute::getRun ( int a_idx) const
inline
get a run for a non-resident attribute.

It is the caller's responsibility to free the memory of the returned TskFsAttrRun.

Parameters
a_idx: The index of the run to return.
Returns
A run in the attribute.

References TSK_FS_ATTR_RUN::next.

◆ getRunCount()

int TskFsAttribute::getRunCount ( ) const
inline
 gets the number of runs in a non-resident attribute.
Returns
number of runs.

References TSK_FS_ATTR_RUN::next.

◆ getSize()

TSK_OFF_T TskFsAttribute::getSize ( ) const
inline
get size in bytes of attribute (does not include skiplen for non-resident)
Returns
size in bytes of attribute

◆ getSkipLen()

uint32_t TskFsAttribute::getSkipLen ( ) const
inline
get number of initial bytes in run to skip before content begins.

The size field does not include this length.

Returns
number of initial bytes in run to skip before content begins

◆ getType()

TSK_FS_ATTR_TYPE_ENUM TskFsAttribute::getType ( ) const
inline
get type of attribute
Returns
type of attribute

◆ read()

ssize_t TskFsAttribute::read ( TSK_OFF_T a_offset,
char * a_buf,
size_t a_len,
TSK_FS_FILE_READ_FLAG_ENUM a_flags )
inline
Read the contents of this attribute using a typical read() type interface.

0s are returned for missing runs.

See tsk_fs_attr_read() for details

Parameters
a_offset: The byte offset to start reading from.
a_buf: The buffer to read the data into.
a_len: The number of bytes to read from the file.
a_flags: Flags to use while reading.
Returns
The number of bytes read, or -1 on error (including if the offset is past the end of the file).

References tsk_fs_attr_read().
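
How getSize(), getAllocSize(), getInitSize() and getSkipLen() relate to the read() contract, as an added example that is not TSK code: a self-contained model of a non-resident attribute in which `Run`, `Attr`, `slackBytes`, `readAttr` and `sampleAttr` are hypothetical names. It assumes slack is allocSize minus size and that bytes at or past initSize read back as zeros.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-ins, not TSK types: one run, and the values the getters expose.
struct Run  { int64_t len; bool sparse; std::vector<uint8_t> data; };
struct Attr { int64_t size, allocSize, initSize; uint32_t skipLen; std::vector<Run> runs; };

// Slack = allocated bytes beyond the content (assumption); skipLen is in neither field.
// Returns -1 when the metadata violates initSize <= size <= allocSize.
int64_t slackBytes(const Attr &a) {
    if (a.initSize < 0 || a.initSize > a.size || a.size > a.allocSize) return -1;
    return a.allocSize - a.size;
}

// Bounds-checked read modelled on the documented contract: -1 when the offset is
// past the end, zeros for sparse ("missing") runs. Zero-filling bytes at or past
// initSize is an assumption of this model. Non-sparse runs must hold len bytes.
int64_t readAttr(const Attr &a, int64_t off, uint8_t *buf, size_t len) {
    if (off < 0 || off >= a.size) return -1;
    size_t avail = static_cast<size_t>(a.size - off);
    int64_t want = static_cast<int64_t>(std::min(len, avail));  // never read past size
    std::memset(buf, 0, static_cast<size_t>(want));
    // Content offset 0 lies skipLen bytes into the first run.
    int64_t runStart = -static_cast<int64_t>(a.skipLen);
    for (const Run &r : a.runs) {
        int64_t lo = std::max(runStart, off);
        int64_t hi = std::min({runStart + r.len, off + want, a.initSize});
        if (!r.sparse && lo < hi)
            std::memcpy(buf + (lo - off), r.data.data() + (lo - runStart),
                        static_cast<size_t>(hi - lo));
        runStart += r.len;
    }
    return want;
}

// Constructed sample: 2 skipped bytes, 10 content bytes, 9 initialised, 16 allocated.
Attr sampleAttr() {
    return Attr{10, 16, 9, 2, {
        {6, false, {'x', 'x', 'A', 'B', 'C', 'D'}},   // first 2 bytes are skipLen
        {4, true,  {}},                               // sparse run, reads as zeros
        {8, false, {'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L'}}}};
}
```

Reading the whole sample yields `ABCD`, four zero bytes for the sparse run, `E`, and one zero byte for the uninitialised tail; the six bytes after that are slack and are not returned.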

◆ walk()

uint8_t TskFsAttribute::walk ( TSK_FS_FILE_WALK_FLAG_ENUM a_flags,
TSK_FS_FILE_WALK_CPP_CB a_action,
void * a_ptr )
inline
Process an attribute and call a callback function with its contents. The callback will be called with chunks of data that are fs->block_size or less. The address given in the callback will be correct only for raw files (when the raw file contents were stored in the block). For compressed and sparse attributes, the address may be zero.

See tsk_fs_attr_walk() for details

Parameters
a_flags: Flags to use while processing the attribute.
a_action: Callback action to call with content.
a_ptr: Pointer that will be passed to the callback.
Returns
1 on error and 0 on success.

References tsk_fs_attr_walk().


The documentation for this class was generated from the following file:

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.