Stores information about an open file system.
#include <tsk_fs.h>
|
| uint8_t | blockWalk (TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CPP_CB a_action, void *a_ptr) |
| | Walk a range of file system blocks and call the callback function with the contents and allocation status of each.
|
| void | close () |
| | Close an open file system.
|
|
uint8_t | dirWalk (TSK_INUM_T a_addr, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CPP_CB a_action, void *a_ptr) |
| TSK_DADDR_T | getBlockCount () const |
| unsigned int | getBlockSize () const |
| const char * | getDataUnitName () const |
| unsigned int | getDeviceSize () const |
| TSK_DADDR_T | getFirstBlock () const |
| TSK_INUM_T | getFirstINum () const |
| TSK_FS_INFO_FLAG_ENUM | getFlags () const |
| const uint8_t * | getFsId () const |
| size_t | getFsIdLen () const |
| TSK_FS_TYPE_ENUM | getFsType () const |
| TSK_INUM_T | getINumCount () const |
| TSK_INUM_T | getJournalINum () const |
| TSK_DADDR_T | getLastBlock () const |
| TSK_DADDR_T | getLastBlockAct () const |
| TSK_INUM_T | getLastINum () const |
| TSK_OFF_T | getOffset () const |
| TSK_INUM_T | getRootINum () const |
|
uint8_t | jblkWalk (TSK_DADDR_T a_addr1, TSK_DADDR_T a_addr2, int a_num, TSK_FS_JBLK_WALK_CPP_CB a_action, void *a_ptr) |
|
uint8_t | jentryWalk (int a_num, TSK_FS_JENTRY_WALK_CPP_CB a_action, void *a_ptr) |
|
uint8_t | jopen (TSK_INUM_T a_inum) |
| uint8_t | metaWalk (TSK_INUM_T a_start, TSK_INUM_T a_end, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CPP_CB a_cb, void *a_ptr) |
| | Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.
|
| uint8_t | open (const TskVsPartInfo *a_part_info, TSK_FS_TYPE_ENUM a_ftype) |
| uint8_t | open (TskImgInfo *a_img_info, TSK_OFF_T a_offset, TSK_FS_TYPE_ENUM a_ftype) |
| int8_t | path2INum (const char *a_path, TSK_INUM_T *a_result, TskFsName *a_fs_name) |
| | Find the meta data address for a given file name (UTF-8).
|
| ssize_t | read (TSK_OFF_T a_off, char *a_buf, size_t a_len) |
| | Read arbitrary data from inside of the file system.
|
| ssize_t | readBlock (TSK_DADDR_T a_addr, char *a_buf, size_t a_len) |
| | Read a file system block.
|
|
| TskFsInfo (TSK_FS_INFO *a_fsInfo) |
|
|
class | TskFsBlock |
|
class | TskFsDir |
|
class | TskFsFile |
Stores information about an open file system.
One of the open() commands needs to be used before any of the getX() or read() methods will return valid data. See TSK_FS_INFO for more details.
◆ blockWalk()
Walk a range of file system blocks and call the callback function with the contents and allocation status of each.
See tsk_fs_block_walk() for details.
- Parameters
-
| a_start_blk | Block address to start walking from |
| a_end_blk | Block address to walk to |
| a_flags | Flags used during walk to determine which blocks to call callback with |
| a_action | Callback function |
| a_ptr | Pointer that will be passed to callback |
- Returns
- 1 on error and 0 on success
References tsk_fs_block_walk().
◆ close()
| void TskFsInfo::close |
( |
| ) |
|
|
inline |
◆ getBlockCount()
return number of blocks in fs
- Returns
- number of blocks in fs
◆ getBlockSize()
| unsigned int TskFsInfo::getBlockSize |
( |
| ) |
const |
|
inline |
return size of each file system block (in bytes)
- Returns
- size of each block
◆ getDataUnitName()
| const char * TskFsInfo::getDataUnitName |
( |
| ) |
const |
|
inline |
return the "name" of data unit type as a string ("Cluster", for example)
- Returns
- string "name" of data unit type
◆ getDeviceSize()
| unsigned int TskFsInfo::getDeviceSize |
( |
| ) |
const |
|
inline |
return size of device block (typically always 512)
- Returns
- size of device block
◆ getFirstBlock()
return address of first block
- Returns
- address of first block
◆ getFirstINum()
return first valid metadata address
- Returns
- first valid metadata address
◆ getFlags()
return flags for file system
- Returns
- flags for file system
◆ getFsId()
| const uint8_t * TskFsInfo::getFsId |
( |
| ) |
const |
|
inline |
return file system id (as reported in boot sector). Use getFsIdLen() to determine how many bytes in the buffer are used, and do not read past that length.
- Returns
- Buffer with file system id
◆ getFsIdLen()
| size_t TskFsInfo::getFsIdLen |
( |
| ) |
const |
|
inline |
return the number of bytes used in the buffer returned by getFsId().
- Returns
- number of bytes used.
◆ getFsType()
return type of file system
- Returns
- type of file system
◆ getINumCount()
return number of metadata addresses in FS
- Returns
- number of metadata addresses
◆ getJournalINum()
return address of journal inode
- Returns
- address of journal inode
◆ getLastBlock()
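return address of last block (could be larger than the last block in the image if the end of the image does not exist).
The "adjusted so that" clause of the original comment is cut off; see TSK_FS_INFO for how this value differs from the one returned by getLastBlockAct().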
- Returns
- address of last block
◆ getLastBlockAct()
return address of last block as reported by file system
(it is equal to the last block in the image or volume if the image is not complete)
- Returns
- address of last block
◆ getLastINum()
return last valid metadata address
- Returns
- last valid metadata address
◆ getOffset()
return byte offset in image that fs starts
- Returns
- offset in bytes.
◆ getRootINum()
return metadata address of root directory
- Returns
- metadata address of root directory
◆ metaWalk()
Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.
For example, it can call the callback on only allocated or unallocated entries. See tsk_fs_meta_walk() for details
- Parameters
-
| a_start | Metadata address to start walking from |
| a_end | Metadata address to walk to |
| a_flags | Flags that specify the desired metadata features |
| a_cb | Callback function to call |
| a_ptr | Pointer to pass to the callback |
- Returns
- 1 on error and 0 on success
References tsk_fs_meta_walk().
◆ open() [1/2]
Opens a file system that is inside of a Volume.
Returns a structure that can be used for analysis and reporting. See tsk_fs_open_vol() for details
- Parameters
-
| a_part_info | Open volume to read from and analyze |
| a_ftype | Type of file system (or autodetect) |
- Returns
- 1 on error and 0 on success.
References tsk_fs_open_vol().
◆ open() [2/2]
Opens a file system at a given offset in a disk image.
Returns a structure that can be used for analysis and reporting. See tsk_fs_open_img() for details
- Parameters
-
| a_img_info | Disk image to analyze |
| a_offset | Byte offset to start analyzing from |
| a_ftype | Type of file system (or autodetect) |
- Returns
- 1 on error and 0 on success.
References tsk_fs_open_img().
◆ parseINum()
Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts
need to be there). This assumes the string is either: INUM, INUM-TYPE, or INUM-TYPE-ID. Return the values in integer form. See tsk_fs_parse_inum() for details
- Parameters
-
| [in] | a_str | Input string to parse |
| [out] | a_inum | Pointer to location where inode can be stored. |
| [out] | a_type | Pointer to location where type can be stored (or NULL) |
| [out] | a_type_used | Pointer to location where the value can be set to 1 if the type was set (to differentiate between meanings of 0) (or NULL). |
| [out] | a_id | Pointer to location where id can be stored (or NULL) |
| [out] | a_id_used | Pointer to location where the value can be set to 1 if the id was set (to differentiate between meanings of 0) (or NULL). |
- Returns
- 1 on error or if not an inode and 0 on success
References tsk_fs_parse_inum().
◆ path2INum()
| int8_t TskFsInfo::path2INum |
( |
const char * | a_path, |
|
|
TSK_INUM_T * | a_result, |
|
|
TskFsName * | a_fs_name ) |
|
inline |
Find the meta data address for a given file name (UTF-8).
See tsk_fs_path2inum() for details
- Parameters
-
| a_path | UTF-8 path of file to search for |
| [out] | a_result | Meta data address of file |
| [out] | a_fs_name | Copy of name details (or NULL if details not wanted) |
- Returns
- -1 on (system) error, 0 if found, and 1 if not found
References tsk_fs_path2inum().
◆ read()
| ssize_t TskFsInfo::read |
( |
TSK_OFF_T | a_off, |
|
|
char * | a_buf, |
|
|
size_t | a_len ) |
|
inline |
Read arbitrary data from inside of the file system.
See tsk_fs_read() for details
- Parameters
-
| a_off | The byte offset to start reading from (relative to start of file system) |
| a_buf | The buffer to store the block in (must be able to hold at least a_len bytes). |
| a_len | The number of bytes to read |
- Returns
- The number of bytes read or -1 on error.
References tsk_fs_read().
◆ readBlock()
| ssize_t TskFsInfo::readBlock |
( |
TSK_DADDR_T | a_addr, |
|
|
char * | a_buf, |
|
|
size_t | a_len ) |
|
inline |
Read a file system block.
See tsk_fs_read_block() for details
- Parameters
-
| a_addr | The starting block file system address. |
| a_buf | The char * buffer to store the block data in (must be able to hold at least a_len bytes). |
| a_len | The number of bytes to read (must be a multiple of the block size) |
- Returns
- The number of bytes read or -1 on error.
References tsk_fs_read_block().
◆ typePrint()
| void TskFsInfo::typePrint |
( |
FILE * | a_hFile | ) |
|
|
inlinestatic |
◆ typeSupported()
◆ typeToId()
Parse a string with the file system type and return its internal ID.
See tsk_fs_type_toid() for details
- Parameters
-
- Returns
- ID of string (or unsupported if the name is unknown)
References tsk_fs_type_toid().
◆ typeToName()