The Sleuth Kit 4.15.0-develop
tsk_db.h File Reference

Contains TSK interface to abstract database handling class.

#include <vector>
#include <string>
#include <ostream>
#include "tsk_auto_i.h"

Classes

struct  _TSK_DB_FILE_LAYOUT_RANGE
 Structure wrapping a single file_layout db entry.
struct  _TSK_DB_FS_INFO
 Structure wrapping a single fs info db entry.
struct  _TSK_DB_OBJECT
 Structure wrapping a single tsk objects db entry.
struct  _TSK_DB_VS_INFO
 Structure wrapping a single vs info db entry.
struct  _TSK_DB_VS_PART_INFO
class  TskDb

Macros

#define MAX_PATH_LENGTH   2048
#define TSK_MAX_DB_VS_PART_INFO_DESC_LEN   512
 Structure wrapping a single vs part db entry.
#define TSK_SCHEMA_MINOR_VER   4
#define TSK_SCHEMA_VER   8
 Do not change these values - the schema is no longer being updated in this code and does not match the current version in SleuthkitCase.java.

Typedefs

typedef struct _TSK_DB_FILE_LAYOUT_RANGE TSK_DB_FILE_LAYOUT_RANGE
 Structure wrapping a single file_layout db entry.
typedef struct _TSK_DB_FS_INFO TSK_DB_FS_INFO
 Structure wrapping a single fs info db entry.
typedef struct _TSK_DB_OBJECT TSK_DB_OBJECT
 Structure wrapping a single tsk objects db entry.
typedef struct _TSK_DB_VS_INFO TSK_DB_VS_INFO
 Structure wrapping a single vs info db entry.
typedef struct _TSK_DB_VS_PART_INFO TSK_DB_VS_PART_INFO

Enumerations

enum  TSK_DB_FILES_KNOWN_ENUM { TSK_DB_FILES_KNOWN_UNKNOWN = 0 , TSK_DB_FILES_KNOWN_KNOWN = 1 , TSK_DB_FILES_KNOWN_KNOWN_BAD = 2 , TSK_DB_FILES_KNOWN_KNOWN_GOOD = 3 }
 Values for the "known" column of the tsk_files table.
enum  TSK_DB_FILES_TYPE_ENUM {
  TSK_DB_FILES_TYPE_FS = 0 , TSK_DB_FILES_TYPE_CARVED , TSK_DB_FILES_TYPE_DERIVED , TSK_DB_FILES_TYPE_LOCAL ,
  TSK_DB_FILES_TYPE_UNALLOC_BLOCKS , TSK_DB_FILES_TYPE_UNUSED_BLOCKS , TSK_DB_FILES_TYPE_VIRTUAL_DIR , TSK_DB_FILES_TYPE_SLACK
}
 Values for the files type column in the tsk_files table.
enum  TSK_DB_OBJECT_TYPE_ENUM {
  TSK_DB_OBJECT_TYPE_IMG = 0 , TSK_DB_OBJECT_TYPE_VS , TSK_DB_OBJECT_TYPE_VOL , TSK_DB_OBJECT_TYPE_FS ,
  TSK_DB_OBJECT_TYPE_FILE , TSK_DB_OBJECT_TYPE_ARTIFACT , TSK_DB_OBJECT_TYPE_REPORT , TSK_DB_OBJECT_TYPE_POOL
}
 Values for the type column in the tsk_objects table.

Functions

ostream & operator<< (ostream &os, const TSK_DB_FILE_LAYOUT_RANGE &layoutRange)
ostream & operator<< (ostream &os, const TSK_DB_FS_INFO &fsInfo)
ostream & operator<< (ostream &os, const TSK_DB_OBJECT &dbObject)
ostream & operator<< (ostream &os, const TSK_DB_VS_INFO &vsInfo)
ostream & operator<< (ostream &os, const TSK_DB_VS_PART_INFO &vsPartInfos)

Detailed Description

Contains TSK interface to abstract database handling class.

The class exists so that TSK can use different databases interchangeably.

Enumeration Type Documentation

◆ TSK_DB_FILES_KNOWN_ENUM

Values for the "known" column of the tsk_files table.

Enumerator
TSK_DB_FILES_KNOWN_UNKNOWN 

Not matched against an index.

TSK_DB_FILES_KNOWN_KNOWN 

Match found in a "known" file index (such as NIST NSRL) and could be good or bad.

TSK_DB_FILES_KNOWN_KNOWN_BAD 

Match found in a "known bad" index.

TSK_DB_FILES_KNOWN_KNOWN_GOOD 

Match found in a "known good" index.

◆ TSK_DB_FILES_TYPE_ENUM

Values for the files type column in the tsk_files table.

Enumerator
TSK_DB_FILES_TYPE_FS 

File that can be found in file system tree.

TSK_DB_FILES_TYPE_CARVED 

Set of blocks for a file found from carving. Could be on top of a TSK_DB_FILES_TYPE_UNALLOC_BLOCKS range.

TSK_DB_FILES_TYPE_DERIVED 

File derived from a parent file (e.g., from a ZIP).

TSK_DB_FILES_TYPE_LOCAL 

Local file that was added (not from a disk image).

TSK_DB_FILES_TYPE_UNALLOC_BLOCKS 

Set of blocks not allocated by file system. Parent should be image, volume, or file system. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout.

TSK_DB_FILES_TYPE_UNUSED_BLOCKS 

Set of blocks that are unallocated AND not used by a carved or other file type. Parent should be UNALLOC_BLOCKS. Many columns in tsk_files will be NULL. Set layout in tsk_file_layout.

TSK_DB_FILES_TYPE_VIRTUAL_DIR 

Virtual directory (not on fs) with no meta-data entry that can be used to group files of types other than TSK_DB_FILES_TYPE_FS. Its parent is either another TSK_DB_FILES_TYPE_FS or a root directory of type TSK_DB_FILES_TYPE_FS.

TSK_DB_FILES_TYPE_SLACK 

Slack space for a single file.

◆ TSK_DB_OBJECT_TYPE_ENUM

Values for the type column in the tsk_objects table.

Enumerator
TSK_DB_OBJECT_TYPE_IMG 

Object is a disk image.

TSK_DB_OBJECT_TYPE_VS 

Object is a volume system.

TSK_DB_OBJECT_TYPE_VOL 

Object is a volume.

TSK_DB_OBJECT_TYPE_FS 

Object is a file system.

TSK_DB_OBJECT_TYPE_FILE 

Object is a file (exact type can be determined in the tsk_files table via TSK_DB_FILES_TYPE_ENUM).

TSK_DB_OBJECT_TYPE_ARTIFACT 

Autopsy placeholder.

TSK_DB_OBJECT_TYPE_REPORT 

Autopsy placeholder.

TSK_DB_OBJECT_TYPE_POOL 

Object is a pool.
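
The parent rules stated above for TSK_DB_FILES_TYPE_UNALLOC_BLOCKS and TSK_DB_FILES_TYPE_UNUSED_BLOCKS can be checked mechanically when validating a case database. The following is an added example, not code from The Sleuth Kit: `Row`, `layoutParentViolations` and `sampleRows` are hypothetical names, the enums are local mirrors of the values documented on this page, and the flattened row layout (one object joined with its files type) is an assumption.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <vector>

// Local mirrors of the enum values documented above (tsk_db.h itself is not included).
enum ObjType { OBJ_IMG = 0, OBJ_VS, OBJ_VOL, OBJ_FS, OBJ_FILE };
enum FileType { F_FS = 0, F_CARVED, F_DERIVED, F_LOCAL, F_UNALLOC_BLOCKS, F_UNUSED_BLOCKS, F_VIRTUAL_DIR, F_SLACK };
// Hypothetical flattened row: parent 0 means "no parent" (constructed convention);
// fileType is meaningful only when objType == OBJ_FILE.
struct Row { int64_t id, parent; ObjType objType; FileType fileType; };

// Returns ids of block-range files whose parent breaks the documented rule.
std::vector<int64_t> layoutParentViolations(const std::vector<Row>& rows) {
    std::map<int64_t, const Row*> byId;
    for (const Row& r : rows) byId[r.id] = &r;
    std::vector<int64_t> bad;
    for (const Row& r : rows) {
        bool blocks = r.fileType == F_UNALLOC_BLOCKS || r.fileType == F_UNUSED_BLOCKS;
        if (r.objType != OBJ_FILE || !blocks) continue;
        auto it = byId.find(r.parent);
        bool ok = false;  // a missing parent row counts as a violation
        if (it != byId.end() && r.fileType == F_UNALLOC_BLOCKS) {
            ObjType t = it->second->objType;  // must be image, volume, or file system
            ok = t == OBJ_IMG || t == OBJ_VOL || t == OBJ_FS;
        } else if (it != byId.end()) {        // UNUSED_BLOCKS: parent must be UNALLOC_BLOCKS
            ok = it->second->objType == OBJ_FILE && it->second->fileType == F_UNALLOC_BLOCKS;
        }
        if (!ok) bad.push_back(r.id);
    }
    return bad;
}

// Constructed sample rows, not taken from a real case database.
std::vector<Row> sampleRows() {
    return {
        {1, 0, OBJ_IMG, F_FS}, {2, 1, OBJ_VS, F_FS}, {3, 2, OBJ_VOL, F_FS}, {4, 3, OBJ_FS, F_FS},
        {5, 4, OBJ_FILE, F_UNALLOC_BLOCKS},   // valid: parent is a file system
        {6, 5, OBJ_FILE, F_UNUSED_BLOCKS},    // valid: parent is UNALLOC_BLOCKS
        {7, 2, OBJ_FILE, F_UNALLOC_BLOCKS},   // violation: parent is a volume system
        {8, 4, OBJ_FILE, F_UNUSED_BLOCKS},    // violation: parent is a file system
        {9, 99, OBJ_FILE, F_UNALLOC_BLOCKS},  // violation: parent row is missing
    };
}

int main() {
    for (int64_t id : layoutParentViolations(sampleRows())) std::cout << "object " << id << ": invalid parent\n";
}
```
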


Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.