|
The Sleuth Kit 4.15.0-develop
|
Functions | |
| void | tsk_vs_close (TSK_VS_INFO *a_vs) |
| Closes an open volume system. | |
| TSK_VS_INFO * | tsk_vs_open (TSK_IMG_INFO *img_info, TSK_DADDR_T offset, TSK_VS_TYPE_ENUM type) |
| Open a disk image and process the media management system data. | |
| const TSK_VS_PART_INFO * | tsk_vs_part_get (const TSK_VS_INFO *a_vs, TSK_PNUM_T a_idx) |
| Return handle to a volume in the volume system. | |
| ssize_t | tsk_vs_part_read (const TSK_VS_PART_INFO *a_vs_part, TSK_OFF_T a_off, char *a_buf, size_t a_len) |
| Reads data starting at a byte address relative to the start of a VOLUME in a volume system. | |
| ssize_t | tsk_vs_part_read_block (const TSK_VS_PART_INFO *a_vs_part, TSK_DADDR_T a_addr, char *a_buf, size_t a_len) |
| Reads one or more blocks of data with an address relative to the start of a VOLUME in a volume system. | |
| uint8_t | tsk_vs_part_walk (TSK_VS_INFO *a_vs, TSK_PNUM_T a_start, TSK_PNUM_T a_last, TSK_VS_PART_FLAG_ENUM a_flags, TSK_VS_PART_WALK_CB a_action, void *a_ptr) |
| Walk a range of partitions and pass the data to a callback function. | |
| ssize_t | tsk_vs_read_block (TSK_VS_INFO *a_vs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len) |
| Reads one or more blocks of data with an address relative to the start of the volume system. | |
| void | tsk_vs_type_print (FILE *hFile) |
| Print the supported volume system type names to an open handle. | |
| TSK_VS_TYPE_ENUM | tsk_vs_type_supported () |
| Return the supported volume system types. | |
| const char * | tsk_vs_type_todesc (TSK_VS_TYPE_ENUM type) |
| Return the string description of a partition type ID. | |
| TSK_VS_TYPE_ENUM | tsk_vs_type_toid (const TSK_TCHAR *str) |
| Parse a string with the volume system type and return its internal ID. | |
| TSK_VS_TYPE_ENUM | tsk_vs_type_toid_utf8 (const char *str) |
| Parse a string with the volume system type and return its internal ID. | |
| const char * | tsk_vs_type_toname (TSK_VS_TYPE_ENUM type) |
| Return the string name of a partition type ID. | |
| void tsk_vs_close | ( | TSK_VS_INFO * | a_vs | ) |
Closes an open volume system.
| a_vs | Pointer to the open volume system structure. |
Referenced by TskVsInfo::close(), and TskAuto::findFilesInVs().
| TSK_VS_INFO * tsk_vs_open | ( | TSK_IMG_INFO * | img_info, |
| TSK_DADDR_T | offset, | ||
| TSK_VS_TYPE_ENUM | type ) |
Open a disk image and process the media management system data.
This calls VS specific code to determine the type and collect data.
| img_info | The opened disk image. |
| offset | Byte offset in the disk image to start analyzing from. |
| type | Type of volume system (including auto detect) |
References TSK_VS_PART_INFO::desc, TSK_VS_INFO::is_backup, TSK_IMG_INFO::itype, TSK_VS_PART_INFO::next, TSK_VS_INFO::part_list, TSK_VS_PART_INFO::start, tsk_error_reset(), tsk_error_set_errno(), tsk_fprintf(), TSK_IMG_TYPE_LOGICAL, tsk_verbose, TSK_VS_TYPE_APFS, TSK_VS_TYPE_BSD, TSK_VS_TYPE_DETECT, TSK_VS_TYPE_DOS, TSK_VS_TYPE_GPT, TSK_VS_TYPE_LVM, TSK_VS_TYPE_MAC, TSK_VS_TYPE_SUN, and TSK_VS_TYPE_UNSUPP.
Referenced by TskAuto::findFilesInVs(), and TskVsInfo::open().
| const TSK_VS_PART_INFO * tsk_vs_part_get | ( | const TSK_VS_INFO * | a_vs, |
| TSK_PNUM_T | a_idx ) |
Return handle to a volume in the volume system.
| a_vs | Open volume system |
| a_idx | Index for volume to return (0-based) |
References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::next, TSK_VS_INFO::part_count, TSK_VS_INFO::part_list, tsk_error_reset(), and tsk_error_set_errno().
Referenced by TskVsInfo::getPart().
| ssize_t tsk_vs_part_read | ( | const TSK_VS_PART_INFO * | a_vs_part, |
| TSK_OFF_T | a_off, | ||
| char * | a_buf, | ||
| size_t | a_len ) |
Reads data starting at a byte address relative to the start of a VOLUME in a volume system.
| a_vs_part | info Pointer to open volume in a volume system |
| a_off | Byte offset to read from, relative to start of VOLUME in volume system. |
| a_buf | Buffer to store data in |
| a_len | Amount of data to read (in bytes) |
References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, TSK_VS_PART_INFO::start, tsk_img_read(), and TSK_VS_PART_INFO::vs.
Referenced by TskVsPartInfo::read().
| ssize_t tsk_vs_part_read_block | ( | const TSK_VS_PART_INFO * | a_vs_part, |
| TSK_DADDR_T | a_addr, | ||
| char * | a_buf, | ||
| size_t | a_len ) |
Reads one or more blocks of data with an address relative to the start of a VOLUME in a volume system.
| a_vs_part | info Pointer to open volume in a volume system |
| a_addr | Block address to start reading from, relative to start of VOLUME in volume system. |
| a_buf | Buffer to store data in |
| a_len | Amount of data to read (in bytes - must be a multiple of block_size) |
References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, PRIuSIZE, TSK_VS_PART_INFO::start, tsk_error_reset(), tsk_error_set_errno(), tsk_img_read(), and TSK_VS_PART_INFO::vs.
Referenced by TskVsPartInfo::readBlock().
| uint8_t tsk_vs_part_walk | ( | TSK_VS_INFO * | a_vs, |
| TSK_PNUM_T | a_start, | ||
| TSK_PNUM_T | a_last, | ||
| TSK_VS_PART_FLAG_ENUM | a_flags, | ||
| TSK_VS_PART_WALK_CB | a_action, | ||
| void * | a_ptr ) |
Walk a range of partitions and pass the data to a callback function.
| a_vs | Pointer to open volume system |
| a_start | Address of first partition to walk from. |
| a_last | Address of last partition to walk to. |
| a_flags | Flags that are used to identify which of the partitions in the range should be returned (if 0, all partitions will be returned). |
| a_action | Callback action to call for each partition. |
| a_ptr | Pointer to data that will be passed to callback. |
References TSK_VS_PART_INFO::addr, TSK_VS_PART_INFO::flags, TSK_VS_PART_INFO::next, TSK_VS_INFO::part_count, TSK_VS_INFO::part_list, tsk_error_reset(), tsk_error_set_errno(), TSK_VS_PART_FLAG_ALLOC, TSK_VS_PART_FLAG_META, TSK_VS_PART_FLAG_UNALLOC, TSK_WALK_CONT, TSK_WALK_ERROR, and TSK_WALK_STOP.
Referenced by TskAuto::findFilesInVs(), and TskVsInfo::vsPartWalk().
| ssize_t tsk_vs_read_block | ( | TSK_VS_INFO * | a_vs, |
| TSK_DADDR_T | a_addr, | ||
| char * | a_buf, | ||
| size_t | a_len ) |
Reads one or more blocks of data with an address relative to the start of the volume system.
| a_vs | Pointer to open volume system |
| a_addr | Sector address to read from, relative to start of VOLUME SYSTEM. |
| a_buf | Buffer to store data in |
| a_len | Amount of data to read (in bytes - must be a multiple of block_size) |
References TSK_VS_INFO::block_size, TSK_VS_INFO::img_info, TSK_VS_INFO::offset, PRIuSIZE, tsk_error_reset(), tsk_error_set_errno(), and tsk_img_read().
Referenced by TskVsInfo::readBlock().
| void tsk_vs_type_print | ( | FILE * | hFile | ) |
Print the supported volume system type names to an open handle.
| hFile | Handle to print to. |
References tsk_fprintf().
Referenced by TskVsInfo::typePrint().
| TSK_VS_TYPE_ENUM tsk_vs_type_supported | ( | ) |
Return the supported volume system types.
Referenced by TskVsInfo::typeSupported().
| const char * tsk_vs_type_todesc | ( | TSK_VS_TYPE_ENUM | type | ) |
Return the string description of a partition type ID.
| type | Volume system type |
Referenced by TskVsInfo::typeToDesc().
| TSK_VS_TYPE_ENUM tsk_vs_type_toid | ( | const TSK_TCHAR * | str | ) |
Parse a string with the volume system type and return its internal ID.
| str | String to parse. |
References tsk_vs_type_toid_utf8().
Referenced by TskVsInfo::typeToId().
| TSK_VS_TYPE_ENUM tsk_vs_type_toid_utf8 | ( | const char * | str | ) |
Parse a string with the volume system type and return its internal ID.
| str | String to parse (always in UTF-8). |
References TSK_VS_TYPE_UNSUPP.
Referenced by tsk_vs_type_toid().
| const char * tsk_vs_type_toname | ( | TSK_VS_TYPE_ENUM | type | ) |
Return the string name of a partition type ID.
| type | Volume system type |
References TSK_VS_TYPE_DBFILLER.
Referenced by TskVsInfo::typeToName().
Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.