The Sleuth Kit 4.15.0-develop
Classes | Typedefs
tsk_fs.h File Reference

External header file for file system support. More...

#include <sys/types.h>

Classes

struct  TSK_FS_ATTR
 Holds information about the location of file content (or a file attribute). More...
struct  TSK_FS_ATTR_RUN
 Holds information about a single data run, which has a starting address and length. More...
struct  TSK_FS_ATTRLIST
 Structure used as the head of an attribute list. More...
struct  TSK_FS_BLOCK
 Generic data structure to hold block data with metadata. More...
struct  TSK_FS_BLOCK_WALK_CPP_DATA
struct  TSK_FS_DIR
 A handle to a directory so that its files can be individually accessed. More...
struct  TSK_FS_DIR_WALK_CPP_DATA
struct  TSK_FS_FILE
 Generic structure used to refer to files in the file system. More...
struct  TSK_FS_FILE_WALK_CPP_DATA
struct  TSK_FS_HASH_RESULTS
struct  TSK_FS_INFO
 Stores state information for an open file system. More...
struct  TSK_FS_JBLK_WALK_CPP_DATA
struct  TSK_FS_JENTRY
struct  TSK_FS_JENTRY_WALK_CPP_DATA
struct  TSK_FS_META
 TSK data structure to store general file and directory metadata. More...
struct  TSK_FS_META_NAME_LIST
 Relatively generic structure to hold file names that are stored with the file metadata. More...
struct  TSK_FS_META_WALK_CPP_DATA
struct  TSK_FS_NAME
 Generic structure to store the file name information that is stored in a directory. More...
class  TskFsAttribute
 Stores information about a file attribute. More...
class  TskFsAttrRun
 Contains information about a single data run, which has a starting address and length. More...
class  TskFsBlock
 Stores information about a file system block. More...
class  TskFsDir
 Stores information about a directory in the file system. More...
class  TskFsFile
 Class that represents an allocated or deleted file. More...
class  TskFsInfo
 Stores information about an open file system. More...
class  TskFsJEntry
class  TskFsMeta
 Stores metadata about a file. More...
class  TskFsMetaName
 Stores information about names that are located in metadata structures. More...
class  TskFsName
 Stores the file name information that is stored in a directory. More...

Typedefs

typedef struct _TSK_POOL_INFO TSK_POOL_INFO
Generic File System Journal Data Structures
typedef TSK_WALK_RET_ENUM(* TSK_FS_JBLK_WALK_CB) (TSK_FS_INFO *, char *, int, void *)
typedef TSK_WALK_RET_ENUM(* TSK_FS_JENTRY_WALK_CB) (TSK_FS_INFO *, TSK_FS_JENTRY *, int, void *)

Generic File System Block Data Structure

typedef enum TSK_FS_BLOCK_FLAG_ENUM TSK_FS_BLOCK_FLAG_ENUM
enum  TSK_FS_BLOCK_FLAG_ENUM {
  TSK_FS_BLOCK_FLAG_UNUSED = 0x0000 , TSK_FS_BLOCK_FLAG_ALLOC = 0x0001 , TSK_FS_BLOCK_FLAG_UNALLOC = 0x0002 , TSK_FS_BLOCK_FLAG_CONT = 0x0004 ,
  TSK_FS_BLOCK_FLAG_META = 0x0008 , TSK_FS_BLOCK_FLAG_BAD = 0x0010 , TSK_FS_BLOCK_FLAG_RAW = 0x0020 , TSK_FS_BLOCK_FLAG_SPARSE = 0x0040 ,
  TSK_FS_BLOCK_FLAG_COMP = 0x0080 , TSK_FS_BLOCK_FLAG_RES = 0x0100 , TSK_FS_BLOCK_FLAG_AONLY = 0x0200
}
 Flags that are used in TSK_FS_BLOCK and in callback of file_walk. More...
void tsk_fs_block_free (TSK_FS_BLOCK *a_fs_block)
 Free the memory associated with the TSK_FS_BLOCK structure.
TSK_FS_BLOCKtsk_fs_block_get (TSK_FS_INFO *fs, TSK_FS_BLOCK *fs_block, TSK_DADDR_T addr)
TSK_FS_BLOCKtsk_fs_block_get_flag (TSK_FS_INFO *a_fs, TSK_FS_BLOCK *a_fs_block, TSK_DADDR_T a_addr, TSK_FS_BLOCK_FLAG_ENUM a_flags)
 Get the contents and flags of a specific file system block.
#define TSK_FS_BLOCK_TAG   0x1b7c3f4a
uint8_t tsk_fs_block_walk (TSK_FS_INFO *a_fs, TSK_DADDR_T a_start_blk, TSK_DADDR_T a_end_blk, TSK_FS_BLOCK_WALK_FLAG_ENUM a_flags, TSK_FS_BLOCK_WALK_CB a_action, void *a_ptr)
 Cycle through a range of file system blocks and call the callback function with the contents and allocation status of each.
typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CB) (const TSK_FS_BLOCK *a_block, void *a_ptr)
 Function definition used for callback to tsk_fs_block_walk().
typedef enum TSK_FS_BLOCK_WALK_FLAG_ENUM TSK_FS_BLOCK_WALK_FLAG_ENUM
enum  TSK_FS_BLOCK_WALK_FLAG_ENUM {
  TSK_FS_BLOCK_WALK_FLAG_NONE = 0x00 , TSK_FS_BLOCK_WALK_FLAG_ALLOC = 0x01 , TSK_FS_BLOCK_WALK_FLAG_UNALLOC = 0x02 , TSK_FS_BLOCK_WALK_FLAG_CONT = 0x04 ,
  TSK_FS_BLOCK_WALK_FLAG_META = 0x08 , TSK_FS_BLOCK_WALK_FLAG_AONLY = 0x10
}
 Flags that are used to specify which blocks to call the tsk_fs_block_walk() callback function with. More...

Generic File System File Content Data Structures

typedef struct TSK_FS_ATTR TSK_FS_ATTR
enum  TSK_FS_ATTR_FLAG_ENUM {
  TSK_FS_ATTR_FLAG_NONE = 0x00 , TSK_FS_ATTR_INUSE = 0x01 , TSK_FS_ATTR_NONRES = 0x02 , TSK_FS_ATTR_RES = 0x04 ,
  TSK_FS_ATTR_ENC = 0x10 , TSK_FS_ATTR_COMP = 0x20 , TSK_FS_ATTR_SPARSE = 0x40 , TSK_FS_ATTR_RECOVERY = 0x80
}
 Flags used for the TSK_FS_ATTR structure, which is used to store file content metadata. More...
#define TSK_FS_ATTR_ID_DEFAULT   0
 Default Data ID used if file system does not assign one.
typedef struct TSK_FS_ATTR_RUN TSK_FS_ATTR_RUN
enum  TSK_FS_ATTR_RUN_FLAG_ENUM { TSK_FS_ATTR_RUN_FLAG_NONE = 0x00 , TSK_FS_ATTR_RUN_FLAG_FILLER = 0x01 , TSK_FS_ATTR_RUN_FLAG_SPARSE = 0x02 , TSK_FS_ATTR_RUN_FLAG_ENCRYPTED = 0x04 }
 Flags used for a TSK_FS_ATTR_RUN entry. More...
void tsk_fs_attr_run_free (TSK_FS_ATTR_RUN *)
enum  TSK_FS_ATTR_TYPE_ENUM {
  TSK_FS_ATTR_TYPE_NOT_FOUND = 0x00 , TSK_FS_ATTR_TYPE_DEFAULT = 0x01 , TSK_FS_ATTR_TYPE_NTFS_SI = 0x10 , TSK_FS_ATTR_TYPE_NTFS_ATTRLIST = 0x20 ,
  TSK_FS_ATTR_TYPE_NTFS_FNAME = 0x30 , TSK_FS_ATTR_TYPE_NTFS_VVER = 0x40 , TSK_FS_ATTR_TYPE_NTFS_OBJID = 0x40 , TSK_FS_ATTR_TYPE_NTFS_SEC = 0x50 ,
  TSK_FS_ATTR_TYPE_NTFS_VNAME = 0x60 , TSK_FS_ATTR_TYPE_NTFS_VINFO = 0x70 , TSK_FS_ATTR_TYPE_NTFS_DATA = 0x80 , TSK_FS_ATTR_TYPE_NTFS_IDXROOT = 0x90 ,
  TSK_FS_ATTR_TYPE_NTFS_IDXALLOC = 0xA0 , TSK_FS_ATTR_TYPE_NTFS_BITMAP = 0xB0 , TSK_FS_ATTR_TYPE_NTFS_SYMLNK = 0xC0 , TSK_FS_ATTR_TYPE_NTFS_REPARSE = 0xC0 ,
  TSK_FS_ATTR_TYPE_NTFS_EAINFO = 0xD0 , TSK_FS_ATTR_TYPE_NTFS_EA = 0xE0 , TSK_FS_ATTR_TYPE_NTFS_PROP = 0xF0 , TSK_FS_ATTR_TYPE_NTFS_LOG = 0x100 ,
  TSK_FS_ATTR_TYPE_UNIX_INDIR = 0x1001 , TSK_FS_ATTR_TYPE_UNIX_EXTENT = 0x1002 , TSK_FS_ATTR_TYPE_UNIX_XATTR = 0x1003 , TSK_FS_ATTR_TYPE_HFS_DEFAULT = 0x01 ,
  TSK_FS_ATTR_TYPE_HFS_DATA = 0x1100 , TSK_FS_ATTR_TYPE_HFS_RSRC = 0x1101 , TSK_FS_ATTR_TYPE_HFS_EXT_ATTR = 0x1102 , TSK_FS_ATTR_TYPE_HFS_COMP_REC = 0x1103 ,
  TSK_FS_ATTR_TYPE_APFS_DATA = TSK_FS_ATTR_TYPE_HFS_DATA , TSK_FS_ATTR_TYPE_APFS_RSRC = TSK_FS_ATTR_TYPE_HFS_RSRC , TSK_FS_ATTR_TYPE_APFS_EXT_ATTR = TSK_FS_ATTR_TYPE_HFS_EXT_ATTR , TSK_FS_ATTR_TYPE_APFS_COMP_REC = TSK_FS_ATTR_TYPE_HFS_COMP_REC
}
 These are based on the NTFS type values. More...
uint8_t tsk_fs_attr_walk (const TSK_FS_ATTR *a_fs_attr, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr)
 Process an attribute and call a callback function with its contents.
typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CB) (TSK_FS_FILE *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)
 File walk callback function definition.
enum  TSK_FS_FILE_WALK_FLAG_ENUM {
  TSK_FS_FILE_WALK_FLAG_NONE = 0x00 , TSK_FS_FILE_WALK_FLAG_SLACK = 0x01 , TSK_FS_FILE_WALK_FLAG_NOID = 0x02 , TSK_FS_FILE_WALK_FLAG_AONLY = 0x04 ,
  TSK_FS_FILE_WALK_FLAG_NOSPARSE = 0x08
}
 Flags used by tsk_fs_file_walk to determine when the callback function should be used. More...

Generic File System File Metadata Data Structures

#define TSK_FS_IS_DIR_META(x)
typedef enum TSK_FS_META_ATTR_FLAG_ENUM TSK_FS_META_ATTR_FLAG_ENUM
enum  TSK_FS_META_ATTR_FLAG_ENUM { TSK_FS_META_ATTR_EMPTY , TSK_FS_META_ATTR_STUDIED , TSK_FS_META_ATTR_ERROR }
typedef enum TSK_FS_META_CONTENT_TYPE_ENUM TSK_FS_META_CONTENT_TYPE_ENUM
enum  TSK_FS_META_CONTENT_TYPE_ENUM {
  TSK_FS_META_CONTENT_TYPE_DEFAULT = 0x0 , TSK_FS_META_CONTENT_TYPE_EXT4_EXTENTS = 0x1 , TSK_FS_META_CONTENT_TYPE_EXT4_INLINE = 0x02 , TSK_FS_META_CONTENT_TYPE_XFS_DATA_FORK_SHORTFORM = 0x03 ,
  TSK_FS_META_CONTENT_TYPE_XFS_DATA_FORK_EXTENTS = 0x04 , TSK_FS_META_CONTENT_TYPE_XFS_DATA_FORK_BTREE = 0x05
}
typedef enum TSK_FS_META_FLAG_ENUM TSK_FS_META_FLAG_ENUM
enum  TSK_FS_META_FLAG_ENUM {
  TSK_FS_META_FLAG_ALLOC = 0x01 , TSK_FS_META_FLAG_UNALLOC = 0x02 , TSK_FS_META_FLAG_USED = 0x04 , TSK_FS_META_FLAG_UNUSED = 0x08 ,
  TSK_FS_META_FLAG_COMP = 0x10 , TSK_FS_META_FLAG_ORPHAN = 0x20
}
 Metadata flags used in TSK_FS_META.flags and in request to inode_walk. More...
uint8_t tsk_fs_meta_make_ls (const TSK_FS_META *a_fs_meta, char *a_buf, size_t a_len)
 Makes the "ls -l" permissions string for a file.
typedef enum TSK_FS_META_MODE_ENUM TSK_FS_META_MODE_ENUM
enum  TSK_FS_META_MODE_ENUM {
  TSK_FS_META_MODE_UNSPECIFIED = 0000000 , TSK_FS_META_MODE_ISUID = 0004000 , TSK_FS_META_MODE_ISGID = 0002000 , TSK_FS_META_MODE_ISVTX = 0001000 ,
  TSK_FS_META_MODE_IRUSR = 0000400 , TSK_FS_META_MODE_IWUSR = 0000200 , TSK_FS_META_MODE_IXUSR = 0000100 , TSK_FS_META_MODE_IRGRP = 0000040 ,
  TSK_FS_META_MODE_IWGRP = 0000020 , TSK_FS_META_MODE_IXGRP = 0000010 , TSK_FS_META_MODE_IROTH = 0000004 , TSK_FS_META_MODE_IWOTH = 0000002 ,
  TSK_FS_META_MODE_IXOTH = 0000001
}
typedef struct TSK_FS_META_NAME_LIST TSK_FS_META_NAME_LIST
#define TSK_FS_META_NAME_LIST_NSIZE   512
 Size of name array in TSK_FS_META_NAME_LIST structure.
#define TSK_FS_META_TAG   0x13524635
typedef enum TSK_FS_META_TYPE_ENUM TSK_FS_META_TYPE_ENUM
enum  TSK_FS_META_TYPE_ENUM {
  TSK_FS_META_TYPE_UNDEF = 0x00 , TSK_FS_META_TYPE_REG = 0x01 , TSK_FS_META_TYPE_DIR = 0x02 , TSK_FS_META_TYPE_FIFO = 0x03 ,
  TSK_FS_META_TYPE_CHR = 0x04 , TSK_FS_META_TYPE_BLK = 0x05 , TSK_FS_META_TYPE_LNK = 0x06 , TSK_FS_META_TYPE_SHAD = 0x07 ,
  TSK_FS_META_TYPE_SOCK = 0x08 , TSK_FS_META_TYPE_WHT = 0x09 , TSK_FS_META_TYPE_VIRT = 0x0a , TSK_FS_META_TYPE_VIRT_DIR = 0x0b
}
 Values for the mode field – which identifies the file type and permissions. More...
char tsk_fs_meta_type_str [TSK_FS_META_TYPE_STR_MAX][2]
 Contains the short (1 character) name of the file type.
#define TSK_FS_META_TYPE_STR_MAX   0x0c
 Number of file types in shortname array.
uint8_t tsk_fs_meta_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_start, TSK_INUM_T a_end, TSK_FS_META_FLAG_ENUM a_flags, TSK_FS_META_WALK_CB a_cb, void *a_ptr)
 Walk a range of metadata structures and call a callback for each structure that matches the flags supplied.
typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CB) (TSK_FS_FILE *a_fs_file, void *a_ptr)
 inode walk callback function definition.
#define TSK_FS_ORPHAN_STR   "-ORPHAN_FILE-"
 String that is prepended to orphan FAT & NTFS files when the file name is known, but the parent is not.
#define TSK_FS_ORPHANDIR_INUM(fs_info)

Generic File System File Name Data Structures

void tsk_fs_dir_close (TSK_FS_DIR *)
 Close the directory that was opened with tsk_fs_dir_open().
TSK_FS_FILEtsk_fs_dir_get (const TSK_FS_DIR *, size_t)
 Return a specific file or subdirectory from an open directory.
TSK_FS_FILEtsk_fs_dir_get2 (const TSK_FS_DIR *, size_t, size_t load_attributes)
 Return a specific file or subdirectory from an open directory.
const TSK_FS_NAMEtsk_fs_dir_get_name (const TSK_FS_DIR *a_fs_dir, size_t a_idx)
 Return only the name for a file or subdirectory from an open directory.
size_t tsk_fs_dir_getsize (const TSK_FS_DIR *)
 Returns the number of files and subdirectories in a directory.
TSK_FS_DIRtsk_fs_dir_open (TSK_FS_INFO *a_fs, const char *a_dir)
 Open a directory (using its path) so that each of the files in it can be accessed.
TSK_FS_DIRtsk_fs_dir_open_meta (TSK_FS_INFO *a_fs, TSK_INUM_T a_addr)
 Open a directory (using its metadata addr) so that each of the files in it can be accessed.
#define TSK_FS_DIR_TAG   0x57531246
uint8_t tsk_fs_dir_walk (TSK_FS_INFO *a_fs, TSK_INUM_T a_inode, TSK_FS_DIR_WALK_FLAG_ENUM a_flags, TSK_FS_DIR_WALK_CB a_action, void *a_ptr)
 Walk the file names in a directory and obtain the details of the files via a callback.
typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CB) (TSK_FS_FILE *a_fs_file, const char *a_path, void *a_ptr)
 Definition of callback function that is used by tsk_fs_dir_walk().
enum  TSK_FS_DIR_WALK_FLAG_ENUM {
  TSK_FS_DIR_WALK_FLAG_NONE = 0x00 , TSK_FS_DIR_WALK_FLAG_ALLOC = 0x01 , TSK_FS_DIR_WALK_FLAG_UNALLOC = 0x02 , TSK_FS_DIR_WALK_FLAG_RECURSE = 0x04 ,
  TSK_FS_DIR_WALK_FLAG_NOORPHAN = 0x08
}
 Flags that are used when walking names in directories. More...
#define TSK_FS_IS_DIR_NAME(x)
enum  TSK_FS_NAME_FLAG_ENUM { TSK_FS_NAME_FLAG_ALLOC = 0x01 , TSK_FS_NAME_FLAG_UNALLOC = 0x02 }
 File name flags that are used when specifying the status of a name in the TSK_FS_NAME structure. More...
#define TSK_FS_NAME_TAG   0x23147869
enum  TSK_FS_NAME_TYPE_ENUM {
  TSK_FS_NAME_TYPE_UNDEF = 0 , TSK_FS_NAME_TYPE_FIFO = 1 , TSK_FS_NAME_TYPE_CHR = 2 , TSK_FS_NAME_TYPE_DIR = 3 ,
  TSK_FS_NAME_TYPE_BLK = 4 , TSK_FS_NAME_TYPE_REG = 5 , TSK_FS_NAME_TYPE_LNK = 6 , TSK_FS_NAME_TYPE_SOCK = 7 ,
  TSK_FS_NAME_TYPE_SHAD = 8 , TSK_FS_NAME_TYPE_WHT = 9 , TSK_FS_NAME_TYPE_VIRT = 10 , TSK_FS_NAME_TYPE_VIRT_DIR = 11
}
 File type values – as specified in the directory entry structure. More...
char tsk_fs_name_type_str [TSK_FS_NAME_TYPE_STR_MAX][2]
#define TSK_FS_NAME_TYPE_STR_MAX   12
 Number of types that have a short string name.
int8_t tsk_fs_path2inum (TSK_FS_INFO *a_fs, const char *a_path, TSK_INUM_T *a_result, TSK_FS_NAME *a_fs_name)
 Find the meta data address for a given file name (UTF-8).

Generic File System File Data Structures

ssize_t tsk_fs_attr_read (const TSK_FS_ATTR *a_fs_attr, TSK_OFF_T a_offset, char *a_buf, size_t a_len, TSK_FS_FILE_READ_FLAG_ENUM a_flags)
 Read the contents of a given attribute using a typical read() type interface.
const TSK_FS_ATTRtsk_fs_file_attr_get (TSK_FS_FILE *a_fs_file)
 Return the default attribute for the file.
const TSK_FS_ATTRtsk_fs_file_attr_get_id (TSK_FS_FILE *a_fs_file, uint16_t)
 Return a specific attribute by its ID for the file.
const TSK_FS_ATTRtsk_fs_file_attr_get_idx (TSK_FS_FILE *a_fs_file, int a_idx)
 Get a file's attribute based on the 0-based index in the list (and not type, id pair).
const TSK_FS_ATTRtsk_fs_file_attr_get_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM, uint16_t, uint8_t)
 Return a specific type and id attribute for the file.
int tsk_fs_file_attr_getsize (TSK_FS_FILE *a_fs_file)
 Return the number of attributes in the file.
void tsk_fs_file_close (TSK_FS_FILE *a_fs_file)
 Close an open file.
uint8_t tsk_fs_file_get_owner_sid (TSK_FS_FILE *, char **)
 Returns a string representation of the security attributes of a file.
uint8_t tsk_fs_file_hash_calc (TSK_FS_FILE *, TSK_FS_HASH_RESULTS *, TSK_BASE_HASH_ENUM)
 Returns a string containing the md5 hash of the given file.
TSK_FS_FILEtsk_fs_file_open (TSK_FS_INFO *a_fs, TSK_FS_FILE *a_fs_file, const char *a_path)
 Return the handle structure for a specific file, given its full path.
TSK_FS_FILEtsk_fs_file_open_meta (TSK_FS_INFO *fs, TSK_FS_FILE *fs_file, TSK_INUM_T addr)
 Open a file given its metadata address.
ssize_t tsk_fs_file_read (TSK_FS_FILE *, TSK_OFF_T, char *, size_t, TSK_FS_FILE_READ_FLAG_ENUM)
 Read the contents of a specific attribute of a file using a typical read() type interface.
enum  TSK_FS_FILE_READ_FLAG_ENUM { TSK_FS_FILE_READ_FLAG_NONE = 0x00 , TSK_FS_FILE_READ_FLAG_SLACK = 0x01 , TSK_FS_FILE_READ_FLAG_NOID = 0x02 }
 Flags used by tsk_fs_file_read. More...
ssize_t tsk_fs_file_read_type (TSK_FS_FILE *, TSK_FS_ATTR_TYPE_ENUM, uint16_t, TSK_OFF_T, char *, size_t, TSK_FS_FILE_READ_FLAG_ENUM)
 Read the contents of a specific attribute of a file using a typical read() type interface and be able specify a specific attribute to read (applies only to file systems with multiple attributes per file, such as NTFS).
#define TSK_FS_FILE_TAG   0x11212212
uint8_t tsk_fs_file_walk (TSK_FS_FILE *a_fs_file, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr)
 Process a file and call a callback function with the file contents.
uint8_t tsk_fs_file_walk_type (TSK_FS_FILE *a_fs_file, TSK_FS_ATTR_TYPE_ENUM a_type, uint16_t a_id, TSK_FS_FILE_WALK_FLAG_ENUM a_flags, TSK_FS_FILE_WALK_CB a_action, void *a_ptr)
 Process a specific attribute in a file and call a callback function with the file contents.

Generic File System Handle Data Structure

int8_t tsk_fs_blkcalc (TSK_FS_INFO *fs, TSK_FS_BLKCALC_FLAG_ENUM flags, TSK_DADDR_T cnt)
typedef enum TSK_FS_BLKCALC_FLAG_ENUM TSK_FS_BLKCALC_FLAG_ENUM
enum  TSK_FS_BLKCALC_FLAG_ENUM { TSK_FS_BLKCALC_DD = 0x01 , TSK_FS_BLKCALC_BLKLS = 0x02 , TSK_FS_BLKCALC_SLACK = 0x04 }
uint8_t tsk_fs_blkcat (TSK_FS_INFO *fs, TSK_FS_BLKCAT_FLAG_ENUM flags, TSK_DADDR_T addr, TSK_DADDR_T read_num_units)
 Read a specific number of blocks and print the contents to STDOUT.
typedef enum TSK_FS_BLKCAT_FLAG_ENUM TSK_FS_BLKCAT_FLAG_ENUM
enum  TSK_FS_BLKCAT_FLAG_ENUM {
  TSK_FS_BLKCAT_NONE = 0x00 , TSK_FS_BLKCAT_HEX = 0x01 , TSK_FS_BLKCAT_ASCII = 0x02 , TSK_FS_BLKCAT_HTML = 0x04 ,
  TSK_FS_BLKCAT_STAT = 0x08
}
uint8_t tsk_fs_blkls (TSK_FS_INFO *fs, TSK_FS_BLKLS_FLAG_ENUM lclflags, TSK_DADDR_T bstart, TSK_DADDR_T bend, TSK_FS_BLOCK_WALK_FLAG_ENUM flags)
typedef enum TSK_FS_BLKLS_FLAG_ENUM TSK_FS_BLKLS_FLAG_ENUM
enum  TSK_FS_BLKLS_FLAG_ENUM { TSK_FS_BLKLS_NONE = 0x00 , TSK_FS_BLKLS_CAT = 0x01 , TSK_FS_BLKLS_LIST = 0x02 , TSK_FS_BLKLS_SLACK = 0x04 }
uint8_t tsk_fs_blkstat (TSK_FS_INFO *fs, TSK_DADDR_T addr)
TSK_WALK_RET_ENUM tsk_fs_block_cpp_c_cb (const TSK_FS_BLOCK *a_block, void *a_ptr)
typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CPP_CB) (const TskFsBlock *a_block, void *a_ptr)
 Function definition used for callback to blockWalk().
void tsk_fs_close (TSK_FS_INFO *)
 Close an open file system.
TSK_WALK_RET_ENUM tsk_fs_dir_walk_cpp_c_cb (TSK_FS_FILE *a_file, const char *a_path, void *a_ptr)
typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CPP_CB) (TskFsFile *a_fs_file, const char *a_path, void *a_ptr)
 Definition of callback function that is used by tsk_fs_dir_walk().
typedef enum TSK_FS_ENCRYPTION_TYPE_ENUM TSK_FS_ENCRYPTION_TYPE_ENUM
enum  TSK_FS_ENCRYPTION_TYPE_ENUM { TSK_FS_ENCRYPTION_TYPE_NONE = 0x00 , TSK_FS_ENCRYPTION_TYPE_BITLOCKER = 0x01 }
uint8_t tsk_fs_ffind (TSK_FS_INFO *fs, TSK_FS_FFIND_FLAG_ENUM lclflags, TSK_INUM_T inode, TSK_FS_ATTR_TYPE_ENUM type, uint8_t type_used, uint16_t id, uint8_t id_used, TSK_FS_DIR_WALK_FLAG_ENUM flags)
typedef enum TSK_FS_FFIND_FLAG_ENUM TSK_FS_FFIND_FLAG_ENUM
enum  TSK_FS_FFIND_FLAG_ENUM { TSK_FS_FFIND_ALL = 0x01 }
TSK_WALK_RET_ENUM tsk_fs_file_cpp_c_cb (TSK_FS_FILE *a_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)
typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CPP_CB) (TskFsFile *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)
 File walk callback function definition.
uint8_t tsk_fs_fls (TSK_FS_INFO *fs, TSK_FS_FLS_FLAG_ENUM lclflags, TSK_INUM_T inode, TSK_FS_DIR_WALK_FLAG_ENUM flags, const TSK_TCHAR *pre, int32_t skew)
typedef enum TSK_FS_FLS_FLAG_ENUM TSK_FS_FLS_FLAG_ENUM
enum  TSK_FS_FLS_FLAG_ENUM {
  TSK_FS_FLS_NONE = 0x00 , TSK_FS_FLS_DOT = 0x01 , TSK_FS_FLS_LONG = 0x02 , TSK_FS_FLS_FILE = 0x04 ,
  TSK_FS_FLS_DIR = 0x08 , TSK_FS_FLS_FULL = 0x10 , TSK_FS_FLS_MAC = 0x20 , TSK_FS_FLS_HASH = 0x40
}
void tsk_fs_get_encryption_description (TSK_FS_INFO *a_fs_info, char *a_desc, size_t a_descLen)
 Copys a summary of the encryption algoritm to a_desc.
uint8_t tsk_fs_icat (TSK_FS_INFO *fs, TSK_INUM_T inum, TSK_FS_ATTR_TYPE_ENUM type, uint8_t type_used, uint16_t id, uint8_t id_used, TSK_FS_FILE_WALK_FLAG_ENUM flags)
uint8_t tsk_fs_ifind_data (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM flags, TSK_DADDR_T blk)
typedef enum TSK_FS_IFIND_FLAG_ENUM TSK_FS_IFIND_FLAG_ENUM
enum  TSK_FS_IFIND_FLAG_ENUM { TSK_FS_IFIND_NONE = 0x00 , TSK_FS_IFIND_ALL = 0x01 , TSK_FS_IFIND_PAR_LONG = 0x02 }
uint8_t tsk_fs_ifind_par (TSK_FS_INFO *fs, TSK_FS_IFIND_FLAG_ENUM flags, TSK_INUM_T par)
 Searches for unallocated MFT entries that have a given MFT entry as their parent directory (as reported in FILE_NAME).
int8_t tsk_fs_ifind_path (TSK_FS_INFO *fs, TSK_TCHAR *path, TSK_INUM_T *result)
 Find the meta data address for a given file TCHAR name.
uint8_t tsk_fs_ils (TSK_FS_INFO *fs, TSK_FS_ILS_FLAG_ENUM lclflags, TSK_INUM_T istart, TSK_INUM_T ilast, TSK_FS_META_FLAG_ENUM flags, int32_t skew, const TSK_TCHAR *img)
 Library API for inode walking.
typedef enum TSK_FS_ILS_FLAG_ENUM TSK_FS_ILS_FLAG_ENUM
enum  TSK_FS_ILS_FLAG_ENUM {
  TSK_FS_ILS_NONE = 0x00 , TSK_FS_ILS_OPEN = 0x01 , TSK_FS_ILS_MAC = 0x02 , TSK_FS_ILS_LINK = 0x04 ,
  TSK_FS_ILS_UNLINK = 0x08
}
typedef enum TSK_FS_INFO_FLAG_ENUM TSK_FS_INFO_FLAG_ENUM
enum  TSK_FS_INFO_FLAG_ENUM { TSK_FS_INFO_FLAG_NONE = 0x00 , TSK_FS_INFO_FLAG_HAVE_SEQ = 0x01 , TSK_FS_INFO_FLAG_HAVE_NANOSEC = 0x02 , TSK_FS_INFO_FLAG_ENCRYPTED = 0x04 }
 Flags for the FS_INFO structure. More...
#define TSK_FS_INFO_FS_ID_LEN   32
#define TSK_FS_INFO_TAG   0x10101010
#define TSK_FS_ISDOT(str)
typedef enum TSK_FS_ISTAT_FLAG_ENUM TSK_FS_ISTAT_FLAG_ENUM
enum  TSK_FS_ISTAT_FLAG_ENUM { TSK_FS_ISTAT_NONE = 0x00 , TSK_FS_ISTAT_RUNLIST = 0x01 }
TSK_WALK_RET_ENUM tsk_fs_jblk_walk_cpp_c_cb (TSK_FS_INFO *a_fsInfo, char *a_string, int a_num, void *a_ptr)
typedef TSK_WALK_RET_ENUM(* TSK_FS_JBLK_WALK_CPP_CB) (TskFsInfo *a_fsInfo, char *a_string, int a_num, void *a_ptr)
 Function definition for callback in TskFsInfo.jblkWalk().
TSK_WALK_RET_ENUM tsk_fs_jentry_walk_cpp_c_cb (TSK_FS_INFO *a_fsInfo, TSK_FS_JENTRY *a_jentry, int a_num, void *a_ptr)
typedef TSK_WALK_RET_ENUM(* TSK_FS_JENTRY_WALK_CPP_CB) (TskFsInfo *a_fsInfo, TskFsJEntry *a_jentry, int a_num, void *a_ptr)
 Function definition for callback in TskFsInfo.jentryWalk().
TSK_WALK_RET_ENUM tsk_fs_meta_walk_cpp_c_cb (TSK_FS_FILE *a_file, void *a_ptr)
typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CPP_CB) (TskFsFile *a_fs_file, void *a_ptr)
 inode walk callback function definition.
TSK_FS_INFOtsk_fs_open_img (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM)
 Tries to process data in a disk image at a given offset as a file system.
TSK_FS_INFOtsk_fs_open_img_decrypt (TSK_IMG_INFO *, TSK_OFF_T, TSK_FS_TYPE_ENUM, const char *password)
 Tries to process data in a disk image at a given offset as a file system.
TSK_FS_INFOtsk_fs_open_pool (const TSK_POOL_INFO *, TSK_DADDR_T, TSK_FS_TYPE_ENUM)
TSK_FS_INFOtsk_fs_open_pool_decrypt (const TSK_POOL_INFO *, TSK_DADDR_T, TSK_FS_TYPE_ENUM, const char *password)
TSK_FS_INFOtsk_fs_open_vol (const TSK_VS_PART_INFO *, TSK_FS_TYPE_ENUM)
 Tries to process data in a volume as a file system.
TSK_FS_INFOtsk_fs_open_vol_decrypt (const TSK_VS_PART_INFO *, TSK_FS_TYPE_ENUM, const char *password)
 Tries to process data in a volume as a file system.
int tsk_fs_parse_inum (const TSK_TCHAR *str, TSK_INUM_T *, TSK_FS_ATTR_TYPE_ENUM *, uint8_t *, uint16_t *, uint8_t *)
 Parse a TSK_TCHAR string of an inode, type, and id pair (not all parts need to be there).
ssize_t tsk_fs_read (TSK_FS_INFO *a_fs, TSK_OFF_T a_off, char *a_buf, size_t a_len)
 Read arbitrary data from inside of the file system.
ssize_t tsk_fs_read_block (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len)
 Read a file system block into a char* buffer.
ssize_t tsk_fs_read_block_decrypt (TSK_FS_INFO *a_fs, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_DADDR_T crypto_id)
 Read a file system block into a char* buffer.
ssize_t tsk_fs_read_decrypt (TSK_FS_INFO *a_fs, TSK_OFF_T a_off, char *a_buf, size_t a_len, TSK_DADDR_T crypto_id)
 Read arbitrary data from inside of the file system.
typedef enum TSK_FS_TYPE_ENUM TSK_FS_TYPE_ENUM
enum  TSK_FS_TYPE_ENUM {
  TSK_FS_TYPE_DETECT = 0x00000000 , TSK_FS_TYPE_NTFS = 0x00000001 , TSK_FS_TYPE_NTFS_DETECT = 0x00000001 , TSK_FS_TYPE_FAT12 = 0x00000002 ,
  TSK_FS_TYPE_FAT16 = 0x00000004 , TSK_FS_TYPE_FAT32 = 0x00000008 , TSK_FS_TYPE_EXFAT = 0x0000000a , TSK_FS_TYPE_FAT_DETECT = 0x0000000e ,
  TSK_FS_TYPE_FFS1 = 0x00000010 , TSK_FS_TYPE_FFS1B = 0x00000020 , TSK_FS_TYPE_FFS2 = 0x00000040 , TSK_FS_TYPE_FFS_DETECT = 0x00000070 ,
  TSK_FS_TYPE_EXT2 = 0x00000080 , TSK_FS_TYPE_EXT3 = 0x00000100 , TSK_FS_TYPE_EXT_DETECT = 0x00002180 , TSK_FS_TYPE_SWAP = 0x00000200 ,
  TSK_FS_TYPE_SWAP_DETECT = 0x00000200 , TSK_FS_TYPE_RAW = 0x00000400 , TSK_FS_TYPE_RAW_DETECT = 0x00000400 , TSK_FS_TYPE_ISO9660 = 0x00000800 ,
  TSK_FS_TYPE_ISO9660_DETECT = 0x00000800 , TSK_FS_TYPE_HFS = 0x00001000 , TSK_FS_TYPE_HFS_DETECT = 0x00009000 , TSK_FS_TYPE_EXT4 = 0x00002000 ,
  TSK_FS_TYPE_YAFFS2 = 0x00004000 , TSK_FS_TYPE_YAFFS2_DETECT = 0x00004000 , TSK_FS_TYPE_HFS_LEGACY = 0x00008000 , TSK_FS_TYPE_APFS = 0x00010000 ,
  TSK_FS_TYPE_APFS_DETECT = 0x00010000 , TSK_FS_TYPE_LOGICAL = 0x00020000 , TSK_FS_TYPE_BTRFS = 0x00040000 , TSK_FS_TYPE_BTRFS_DETECT = TSK_FS_TYPE_BTRFS ,
  TSK_FS_TYPE_XFS = 0x00080000 , TSK_FS_TYPE_XFS_DETECT = 0x00080000 , TSK_FS_TYPE_UNSUPP = 0xffffffff
}
 Values for the file system type. More...
#define TSK_FS_TYPE_ISAPFS(ftype)
 Macro that takes a file system type and returns 1 if the type is for an APFS "file system".
#define TSK_FS_TYPE_ISAPFS(ftype)
 Macro that takes a file system type and returns 1 if the type is for an APFS "file system".
#define TSK_FS_TYPE_ISBTRFS(ftype)
 Macro that takes a file system type and returns 1 if the type is for a Btrfs file system.
#define TSK_FS_TYPE_ISDIR(ftype)
 Macro that takes a file system type and returns 1 if the type is for a logical directory "file system".
#define TSK_FS_TYPE_ISEXT(ftype)
 Macro that takes a file system type and returns 1 if the type is for a ExtX file system.
#define TSK_FS_TYPE_ISFAT(ftype)
 Macro that takes a file system type and returns 1 if the type is for a FAT file system.
#define TSK_FS_TYPE_ISFFS(ftype)
 Macro that takes a file system type and returns 1 if the type is for a FFS file system.
#define TSK_FS_TYPE_ISHFS(ftype)
 Macro that takes a file system type and returns 1 if the type is for a HFS file system.
#define TSK_FS_TYPE_ISISO9660(ftype)
 Macro that takes a file system type and returns 1 if the type is for a ISO9660 file system.
#define TSK_FS_TYPE_ISNTFS(ftype)
 Macro that takes a file system type and returns 1 if the type is for an NTFS file system.
#define TSK_FS_TYPE_ISRAW(ftype)
 Macro that takes a file system type and returns 1 if the type is for a raw "file system".
#define TSK_FS_TYPE_ISSWAP(ftype)
 Macro that takes a file system type and returns 1 if the type is for a swap "file system".
#define TSK_FS_TYPE_ISXFS(ftype)
 Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.
#define TSK_FS_TYPE_ISYAFFS2(ftype)
 Macro that takes a file system type and returns 1 if the type is for a YAFFS2 file system.
void tsk_fs_type_print (FILE *)
 Print the supported file system types to a file handle.
TSK_FS_TYPE_ENUM tsk_fs_type_supported ()
 Return the supported file system types.
TSK_FS_TYPE_ENUM tsk_fs_type_toid (const TSK_TCHAR *)
 Parse a string with the file system type and return its internal ID.
TSK_FS_TYPE_ENUM tsk_fs_type_toid_utf8 (const char *)
 Parse a string with the file system type and return its internal ID.
const char * tsk_fs_type_toname (TSK_FS_TYPE_ENUM)
 Return the string name of a file system type id.

Detailed Description

External header file for file system support.

Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_fs_i.h.

Macro Definition Documentation

◆ TSK_FS_IS_DIR_META

#define TSK_FS_IS_DIR_META ( x)
Value:
((x == TSK_FS_META_TYPE_DIR) || (x == TSK_FS_META_TYPE_VIRT_DIR))
TSK_FS_META_TYPE_VIRT_DIR
@ TSK_FS_META_TYPE_VIRT_DIR
"Virtual Directory" created by TSK to hold data like orphan files
Definition tsk_fs.h:408
TSK_FS_META_TYPE_DIR
@ TSK_FS_META_TYPE_DIR
Directory file.
Definition tsk_fs.h:399

◆ TSK_FS_IS_DIR_NAME

#define TSK_FS_IS_DIR_NAME ( x)
Value:
((x == TSK_FS_NAME_TYPE_DIR) || (x == TSK_FS_NAME_TYPE_VIRT_DIR))
TSK_FS_NAME_TYPE_VIRT_DIR
@ TSK_FS_NAME_TYPE_VIRT_DIR
Special (TSK added "Virtual" directories).
Definition tsk_fs.h:588
TSK_FS_NAME_TYPE_DIR
@ TSK_FS_NAME_TYPE_DIR
Directory.
Definition tsk_fs.h:580

◆ TSK_FS_ORPHANDIR_INUM

#define TSK_FS_ORPHANDIR_INUM ( fs_info)
Value:
(fs_info->last_inum)

Typedef Documentation

◆ TSK_FS_BLOCK_WALK_CB

typedef TSK_WALK_RET_ENUM(* TSK_FS_BLOCK_WALK_CB) (const TSK_FS_BLOCK *a_block, void *a_ptr)

Function definition used for callback to tsk_fs_block_walk().

Parameters
a_blockPointer to block structure that holds block content and flags
a_ptrPointer that was supplied by the caller who called tsk_fs_block_walk
Returns
Value to identify if walk should continue, stop, or stop because of error

◆ TSK_FS_DIR_WALK_CB

typedef TSK_WALK_RET_ENUM(* TSK_FS_DIR_WALK_CB) (TSK_FS_FILE *a_fs_file, const char *a_path, void *a_ptr)

Definition of callback function that is used by tsk_fs_dir_walk().

This is is called for each file in a directory.

Parameters
a_fs_filePointer to the current file in the directory
a_pathPath of the file
a_ptrPointer that was originally passed by caller to tsk_fs_dir_walk.
Returns
Value to signal if tsk_fs_dir_walk should stop or continue.

◆ TSK_FS_FILE_WALK_CB

typedef TSK_WALK_RET_ENUM(* TSK_FS_FILE_WALK_CB) (TSK_FS_FILE *a_fs_file, TSK_OFF_T a_off, TSK_DADDR_T a_addr, char *a_buf, size_t a_len, TSK_FS_BLOCK_FLAG_ENUM a_flags, void *a_ptr)

File walk callback function definition.

This is called for chunks of content in the file being processed.

Parameters
a_fs_filePointer to file being processed
a_offByte offset in file that this data is for
a_addrAddress of data being passed (valid only if a_flags have RAW set)
a_bufPointer to buffer with file content
a_lenSize of data in buffer (in bytes)
a_flagsFlags about the file content
a_ptrPointer that was specified by caller to inode_walk
Returns
Value that tells file walk to continue or stop

◆ TSK_FS_META_WALK_CB

typedef TSK_WALK_RET_ENUM(* TSK_FS_META_WALK_CB) (TSK_FS_FILE *a_fs_file, void *a_ptr)

inode walk callback function definition.

This is called for every file that meets the criteria specified when inode_walk was called.

Parameters
a_fs_filePointer to the current file
a_ptrPointer that was specified by caller to inode_walk
Returns
Value that tells inode walk to continue or stop

Enumeration Type Documentation

◆ TSK_FS_ATTR_FLAG_ENUM

enum TSK_FS_ATTR_FLAG_ENUM

Flags used for the TSK_FS_ATTR structure, which is used to store file content metadata.

Enumerator
TSK_FS_ATTR_FLAG_NONE 

No Flag.

TSK_FS_ATTR_INUSE 

data structure is in use

TSK_FS_ATTR_NONRES 

Contains non-resident data (i.e. located in blocks).

TSK_FS_ATTR_RES 

Contains resident data (i.e. in a small buffer).

TSK_FS_ATTR_ENC 

Contains encrypted data.

TSK_FS_ATTR_COMP 

Contains compressed data.

TSK_FS_ATTR_SPARSE 

Contains sparse data.

TSK_FS_ATTR_RECOVERY 

Data was determined in file recovery mode.

◆ TSK_FS_ATTR_RUN_FLAG_ENUM

enum TSK_FS_ATTR_RUN_FLAG_ENUM

Flags used for a TSK_FS_ATTR_RUN entry.

Enumerator
TSK_FS_ATTR_RUN_FLAG_NONE 

No Flag.

TSK_FS_ATTR_RUN_FLAG_FILLER 

Entry is a filler for a run that has not been seen yet in the processing (or has been lost).

TSK_FS_ATTR_RUN_FLAG_SPARSE 

Entry is a sparse run where all data in the run is zeros.

TSK_FS_ATTR_RUN_FLAG_ENCRYPTED 

Entry is arun where the data is encrypted.

◆ TSK_FS_ATTR_TYPE_ENUM

enum TSK_FS_ATTR_TYPE_ENUM

These are based on the NTFS type values.

Added types for HFS+. NOTE: Update bindings/java/src/org/sleuthkit/datamodel/TskData.java with any changes.

◆ TSK_FS_BLOCK_FLAG_ENUM

enum TSK_FS_BLOCK_FLAG_ENUM

Flags that are used in TSK_FS_BLOCK and in callback of file_walk.

Note that some of these are dependent. A block can be either TSK_FS_BLOCK_FLAG_ALLOC or TSK_FS_BLOCK_FLAG_UNALLOC. It can be one of TSK_FS_BLOCK_FLAG_RAW, TSK_FS_BLOCK_FLAG_BAD, TSK_FS_BLOCK_FLAG_RES, TSK_FS_BLOCK_FLAG_SPARSE, or TSK_FS_BLOCK_FLAG_COMP. Note that some of these are set only by file_walk because they are file-level details, such as compression and sparse.

Enumerator
TSK_FS_BLOCK_FLAG_UNUSED 

Used to show that TSK_FS_BLOCK structure has no data in it.

TSK_FS_BLOCK_FLAG_ALLOC 

Block is allocated (and not TSK_FS_BLOCK_FLAG_UNALLOC).

TSK_FS_BLOCK_FLAG_UNALLOC 

Block is unallocated (and not TSK_FS_BLOCK_FLAG_ALLOC).

TSK_FS_BLOCK_FLAG_CONT 

Block (could) contain file content (and not TSK_FS_BLOCK_FLAG_META).

TSK_FS_BLOCK_FLAG_META 

Block (could) contain file system metadata (and not TSK_FS_BLOCK_FLAG_CONT).

TSK_FS_BLOCK_FLAG_BAD 

Block has been marked as bad by the file system.

TSK_FS_BLOCK_FLAG_RAW 

The data has been read raw from the disk (and not COMP or SPARSE).

TSK_FS_BLOCK_FLAG_SPARSE 

The data passed in the file_walk callback was stored as sparse (all zeros) (and not RAW or COMP).

TSK_FS_BLOCK_FLAG_COMP 

The data passed in the file_walk callback was stored in a compressed form (and not RAW or SPARSE).

TSK_FS_BLOCK_FLAG_RES 

The data passed in the file_walk callback is from an NTFS resident file.

◆ TSK_FS_BLOCK_WALK_FLAG_ENUM

enum TSK_FS_BLOCK_WALK_FLAG_ENUM

Flags that are used to specify which blocks to call the tsk_fs_block_walk() callback function with.

Enumerator
TSK_FS_BLOCK_WALK_FLAG_NONE 

No Flags.

TSK_FS_BLOCK_WALK_FLAG_ALLOC 

Allocated blocks.

TSK_FS_BLOCK_WALK_FLAG_UNALLOC 

Unallocated blocks.

TSK_FS_BLOCK_WALK_FLAG_CONT 

Blocks that could store file content.

TSK_FS_BLOCK_WALK_FLAG_META 

Blocks that could store file system metadata.

TSK_FS_BLOCK_WALK_FLAG_AONLY 

Do not include content in callback only address and allocation status.

◆ TSK_FS_DIR_WALK_FLAG_ENUM

enum TSK_FS_DIR_WALK_FLAG_ENUM

Flags that are used when walking names in directories.

These are used to identify which files to call the callback function on.

Enumerator
TSK_FS_DIR_WALK_FLAG_NONE 

No Flags.

TSK_FS_DIR_WALK_FLAG_ALLOC 

Return allocated names in callback.

TSK_FS_DIR_WALK_FLAG_UNALLOC 

Return unallocated names in callback.

TSK_FS_DIR_WALK_FLAG_RECURSE 

Recurse into sub-directories.

TSK_FS_DIR_WALK_FLAG_NOORPHAN 

Do not return (or recurse into) the special Orphan directory.

◆ TSK_FS_FILE_READ_FLAG_ENUM

enum TSK_FS_FILE_READ_FLAG_ENUM

Flags used by tsk_fs_file_read.

Enumerator
TSK_FS_FILE_READ_FLAG_NONE 

No Flags.

TSK_FS_FILE_READ_FLAG_SLACK 

Allow read access into slack space.

TSK_FS_FILE_READ_FLAG_NOID 

Ignore the Id argument given in the API (use only the type).

◆ TSK_FS_FILE_WALK_FLAG_ENUM

enum TSK_FS_FILE_WALK_FLAG_ENUM

Flags used by tsk_fs_file_walk to determine when the callback function should be used.

Enumerator
TSK_FS_FILE_WALK_FLAG_NONE 

No Flag.

TSK_FS_FILE_WALK_FLAG_SLACK 

Include the file's slack space in the callback.

TSK_FS_FILE_WALK_FLAG_NOID 

Ignore the Id argument given in the API (use only the type).

TSK_FS_FILE_WALK_FLAG_AONLY 

Provide callback with only addresses and no file content.

TSK_FS_FILE_WALK_FLAG_NOSPARSE 

Do not include sparse blocks in the callback.

◆ TSK_FS_META_ATTR_FLAG_ENUM

enum TSK_FS_META_ATTR_FLAG_ENUM
Enumerator
TSK_FS_META_ATTR_EMPTY 

The data in the attributes (if any) is not for this file.

TSK_FS_META_ATTR_STUDIED 

The data in the attributes are for this file.

TSK_FS_META_ATTR_ERROR 

The attributes for this file could not be loaded.

◆ TSK_FS_META_CONTENT_TYPE_ENUM

enum TSK_FS_META_CONTENT_TYPE_ENUM
Enumerator
TSK_FS_META_CONTENT_TYPE_EXT4_EXTENTS 

Ext4 with extents instead of individual pointers.

TSK_FS_META_CONTENT_TYPE_EXT4_INLINE 

Ext4 with inline data.

◆ TSK_FS_META_FLAG_ENUM

enum TSK_FS_META_FLAG_ENUM

Metadata flags used in TSK_FS_META.flags and in request to inode_walk.

Enumerator
TSK_FS_META_FLAG_ALLOC 

Metadata structure is currently in an allocated state.

TSK_FS_META_FLAG_UNALLOC 

Metadata structure is currently in an unallocated state.

TSK_FS_META_FLAG_USED 

Metadata structure has been allocated at least once.

TSK_FS_META_FLAG_UNUSED 

Metadata structure has never been allocated.

TSK_FS_META_FLAG_COMP 

The file contents are compressed.

TSK_FS_META_FLAG_ORPHAN 

Return only metadata structures that have no file name pointing to the (inode_walk flag only).

◆ TSK_FS_META_MODE_ENUM

enum TSK_FS_META_MODE_ENUM
Enumerator
TSK_FS_META_MODE_UNSPECIFIED 

unspecified

TSK_FS_META_MODE_ISUID 

set user id on execution

TSK_FS_META_MODE_ISGID 

set group id on execution

TSK_FS_META_MODE_ISVTX 

sticky bit

TSK_FS_META_MODE_IRUSR 

R for owner.

TSK_FS_META_MODE_IWUSR 

W for owner.

TSK_FS_META_MODE_IXUSR 

X for owner.

TSK_FS_META_MODE_IRGRP 

R for group.

TSK_FS_META_MODE_IWGRP 

W for group.

TSK_FS_META_MODE_IXGRP 

X for group.

TSK_FS_META_MODE_IROTH 

R for other.

TSK_FS_META_MODE_IWOTH 

W for other.

TSK_FS_META_MODE_IXOTH 

X for other.

◆ TSK_FS_META_TYPE_ENUM

enum TSK_FS_META_TYPE_ENUM

Values for the mode field – which identifies the file type and permissions.

Enumerator
TSK_FS_META_TYPE_REG 

Regular file.

TSK_FS_META_TYPE_DIR 

Directory file.

TSK_FS_META_TYPE_FIFO 

Named pipe (fifo).

TSK_FS_META_TYPE_CHR 

Character device.

TSK_FS_META_TYPE_BLK 

Block device.

TSK_FS_META_TYPE_LNK 

Symbolic link.

TSK_FS_META_TYPE_SHAD 

SOLARIS ONLY.

TSK_FS_META_TYPE_SOCK 

UNIX domain socket.

TSK_FS_META_TYPE_WHT 

Whiteout.

TSK_FS_META_TYPE_VIRT 

"Virtual File" created by TSK for file system areas

TSK_FS_META_TYPE_VIRT_DIR 

"Virtual Directory" created by TSK to hold data like orphan files

◆ TSK_FS_NAME_FLAG_ENUM

enum TSK_FS_NAME_FLAG_ENUM

File name flags that are used when specifying the status of a name in the TSK_FS_NAME structure.

Enumerator
TSK_FS_NAME_FLAG_ALLOC 

Name is in an allocated state.

TSK_FS_NAME_FLAG_UNALLOC 

Name is in an unallocated state.

◆ TSK_FS_NAME_TYPE_ENUM

enum TSK_FS_NAME_TYPE_ENUM

File type values – as specified in the directory entry structure.

Enumerator
TSK_FS_NAME_TYPE_UNDEF 

Unknown type.

TSK_FS_NAME_TYPE_FIFO 

Named pipe.

TSK_FS_NAME_TYPE_CHR 

Character device.

TSK_FS_NAME_TYPE_DIR 

Directory.

TSK_FS_NAME_TYPE_BLK 

Block device.

TSK_FS_NAME_TYPE_REG 

Regular file.

TSK_FS_NAME_TYPE_LNK 

Symbolic link.

TSK_FS_NAME_TYPE_SOCK 

Socket.

TSK_FS_NAME_TYPE_SHAD 

Shadow inode (solaris).

TSK_FS_NAME_TYPE_WHT 

Whiteout (openbsd).

TSK_FS_NAME_TYPE_VIRT 

Special (TSK added "Virtual" files).

TSK_FS_NAME_TYPE_VIRT_DIR 

Special (TSK added "Virtual" directories).

Function Documentation

◆ tsk_fs_file_get_owner_sid()

uint8_t tsk_fs_file_get_owner_sid ( TSK_FS_FILE * a_fs_file,
char ** sid_str )
extern

Returns a string representation of the security attributes of a file.

Parameters
a_fs_fileThe file to get security info about.
sid_strA pointer to a pointer that will contain the SID string. This function will allocate the string and the caller must free it.
Returns
0 on success or 1 on error.

References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_reset(), and tsk_error_set_errno().

◆ tsk_fs_file_hash_calc()

uint8_t tsk_fs_file_hash_calc ( TSK_FS_FILE * a_fs_file,
TSK_FS_HASH_RESULTS * a_hash_results,
TSK_BASE_HASH_ENUM a_flags )
extern

Returns a string containing the md5 hash of the given file.

Parameters
a_fs_fileThe file to calculate the hash of
a_hash_resultsThe results will be stored here (must be allocated beforehand)
a_flagsIndicates which hash algorithm(s) to use
Returns
0 on success or 1 on error

References TSK_FS_FILE::fs_info, TSK_FS_FILE::meta, tsk_error_set_errno(), tsk_fs_file_walk(), TSK_FS_FILE_WALK_FLAG_NONE, TSK_MD5_Final(), TSK_MD5_Init(), TSK_SHA_Final(), and TSK_SHA_Init().

Copyright © 2007-2020 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.