The Sleuth Kit  4.2
C Hash Database Functions

Functions

void hdb_base_db_name_from_path (TSK_HDB_INFO *hdb_info)
 Sets hash database name in hdb_info based on database file path. More...
 
int8_t hdb_binsrch_lookup_bin (TSK_HDB_INFO *hdb_info, uint8_t *hash, uint8_t len, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *ptr)
 Search the index for the given hash value (in binary form). More...
 
int8_t hdb_binsrch_lookup_str (TSK_HDB_INFO *hdb_info_base, const char *hash, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *ptr)
 Search the index for a text/ASCII hash value. More...
 
int8_t hdb_binsrch_lookup_verbose_str (TSK_HDB_INFO *hdb_info_base, const char *hash, void *lookup_result)
 
void hdb_info_base_close (TSK_HDB_INFO *hdb_info)
 De-initializes struct representation of a hash database. More...
 
uint8_t hdb_info_base_open (TSK_HDB_INFO *hdb_info, const TSK_TCHAR *db_path)
 
uint8_t sqlite_hdb_add_entry (TSK_HDB_INFO *hdb_info_base, const char *filename, const char *md5, const char *sha1, const char *sha256, const char *comment)
 
uint8_t sqlite_hdb_begin_transaction (TSK_HDB_INFO *hdb_info_base)
 
uint8_t sqlite_hdb_commit_transaction (TSK_HDB_INFO *hdb_info_base)
 
uint8_t sqlite_hdb_create_db (TSK_TCHAR *db_file_path)
 
uint8_t sqlite_hdb_is_sqlite_file (FILE *hFile)
 
int8_t sqlite_hdb_lookup_bin (TSK_HDB_INFO *hdb_info_base, uint8_t *hash, uint8_t len, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *ptr)
 
int8_t sqlite_hdb_lookup_str (TSK_HDB_INFO *hdb_info_base, const char *hash, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *ptr)
 
int8_t sqlite_hdb_lookup_verbose_bin (TSK_HDB_INFO *hdb_info_base, uint8_t *hash, uint8_t hash_len, void *lookup_result)
 
int8_t sqlite_hdb_lookup_verbose_str (TSK_HDB_INFO *hdb_info_base, const char *hash, void *result)
 
TSK_HDB_INFO * sqlite_hdb_open (TSK_TCHAR *db_path)
 
uint8_t sqlite_hdb_rollback_transaction (TSK_HDB_INFO *hdb_info_base)
 
uint8_t tsk_hdb_accepts_updates (TSK_HDB_INFO *hdb_info)
 Indicates whether a hash database accepts updates. More...
 
uint8_t tsk_hdb_add_entry (TSK_HDB_INFO *hdb_info, const char *filename, const char *md5, const char *sha1, const char *sha256, const char *comment)
 Adds a new entry to a hash database. More...
 
uint8_t tsk_hdb_begin_transaction (TSK_HDB_INFO *hdb_info)
 Begins a transaction on a hash database. More...
 
void tsk_hdb_close (TSK_HDB_INFO *hdb_info)
 Closes an open hash database. More...
 
uint8_t tsk_hdb_commit_transaction (TSK_HDB_INFO *hdb_info)
 Commits a transaction on a hash database. More...
 
uint8_t tsk_hdb_create (TSK_TCHAR *file_path)
 Creates a new hash database. More...
 
uint8_t tsk_hdb_has_idx (TSK_HDB_INFO *hdb_info, TSK_HDB_HTYPE_ENUM htype)
 Determine if the open hash database has an index. More...
 
uint8_t tsk_hdb_is_idx_only (TSK_HDB_INFO *hdb_info)
 Test for index only (legacy). Assumes that the db was opened using the TSK_HDB_OPEN_TRY option. More...
 
int8_t tsk_hdb_lookup_raw (TSK_HDB_INFO *hdb_info, uint8_t *hash, uint8_t len, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *ptr)
 Search the index for the given hash value (in binary form). More...
 
int8_t tsk_hdb_lookup_str (TSK_HDB_INFO *hdb_info, const char *hash, TSK_HDB_FLAG_ENUM flags, TSK_HDB_LOOKUP_FN action, void *ptr)
 Searches a hash database for a text/ASCII hash value. More...
 
uint8_t tsk_hdb_make_index (TSK_HDB_INFO *hdb_info, TSK_TCHAR *type)
 Create an index for an open hash database. More...
 
TSK_HDB_INFO * tsk_hdb_open (TSK_TCHAR *file_path, TSK_HDB_OPEN_ENUM flags)
 Opens an existing hash database. More...
 
uint8_t tsk_hdb_rollback_transaction (TSK_HDB_INFO *hdb_info)
 Rolls back a transaction on a hash database. More...
 

Detailed Description

Function Documentation

void hdb_base_db_name_from_path ( TSK_HDB_INFO *  hdb_info)

Sets hash database name in hdb_info based on database file path.

Parameters
hdb_info: Struct representation of an open hash database.

References TSK_HDB_INFO::db_fname, and TSK_HDB_INFO::db_name.

int8_t hdb_binsrch_lookup_bin ( TSK_HDB_INFO *  hdb_info,
uint8_t *  hash,
uint8_t  len,
TSK_HDB_FLAG_ENUM  flags,
TSK_HDB_LOOKUP_FN  action,
void *  ptr 
)

Search the index for the given hash value (in binary form).

Parameters
hdb_info: Open hash database (with index)
hash: Array with binary hash value to search for
len: Number of bytes in binary hash value
flags: Flags to use in lookup
action: Callback function to call for each hash db entry (not called if the TSK_HDB_FLAG_QUICK flag is given)
ptr: Pointer to data to pass to each callback
Returns
-1 on error, 0 if hash value not found, and 1 if value was found.

References tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_HTYPE_SHA1_LEN, and tsk_hdb_lookup_str().

Referenced by hdb_binsrch_open().

int8_t hdb_binsrch_lookup_str ( TSK_HDB_INFO *  hdb_info_base,
const char *  hash,
TSK_HDB_FLAG_ENUM  flags,
TSK_HDB_LOOKUP_FN  action,
void *  ptr 
)

Search the index for a text/ASCII hash value.

Parameters
hdb_info_base: Open hash database (with index)
hash: Hash value to search for (null-terminated string)
flags: Flags to use in lookup
action: Callback function to call for each hash db entry (not called if the TSK_HDB_FLAG_QUICK flag is given)
ptr: Pointer to data to pass to each callback
Returns
-1 on error, 0 if hash value not found, and 1 if value was found.

References TSK_HDB_BINSRCH_INFO::hash_len, TSK_HDB_BINSRCH_INFO::hIdx, TSK_HDB_BINSRCH_INFO::idx_lbuf, TSK_HDB_BINSRCH_INFO::idx_llen, TSK_HDB_BINSRCH_INFO::idx_off, TSK_HDB_BINSRCH_INFO::idx_offsets, TSK_HDB_BINSRCH_INFO::idx_size, TSK_HDB_INFO::lock, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), tsk_error_set_errstr2(), TSK_HDB_FLAG_QUICK, TSK_HDB_HTYPE_MD5_ID, TSK_HDB_HTYPE_MD5_LEN, TSK_HDB_HTYPE_SHA1_ID, and TSK_HDB_HTYPE_SHA1_LEN.

Referenced by hdb_binsrch_open().

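void hdb_info_base_close ( TSK_HDB_INFO *  hdb_info)

De-initializes struct representation of a hash database.

Parameters
hdb_info: Struct representation of a hash database.
Returns
0 on success, 1 on failure. (The function is declared void in the signature above, so this return description does not match the declaration.)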

References TSK_HDB_INFO::db_fname, and TSK_HDB_INFO::lock.

uint8_t tsk_hdb_accepts_updates ( TSK_HDB_INFO *  hdb_info)

Indicates whether a hash database accepts updates.

Parameters
hdb_info: The hash database object
Returns
1 if hash database accepts updates, 0 if it does not

References tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

uint8_t tsk_hdb_add_entry ( TSK_HDB_INFO *  hdb_info,
const char *  filename,
const char *  md5,
const char *  sha1,
const char *  sha256,
const char *  comment 
)

Adds a new entry to a hash database.

Parameters
hdb_info: The hash database object
filename: Name of the file that was hashed (can be NULL)
md5: Text representation of MD5 hash (can be NULL)
sha1: Text representation of SHA1 hash (can be NULL)
sha256: Text representation of SHA256 hash (can be NULL)
comment: A comment to associate with the hash (can be NULL)
Returns
1 on error, 0 on success

References TSK_HDB_INFO::db_type, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

uint8_t tsk_hdb_begin_transaction ( TSK_HDB_INFO *  hdb_info)

Begins a transaction on a hash database.

Parameters
hdb_info: A hash database info object
Returns
1 on error, 0 on success

References TSK_HDB_INFO::db_type, TSK_HDB_INFO::transaction_in_progress, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

void tsk_hdb_close ( TSK_HDB_INFO *  hdb_info)

Closes an open hash database.

Parameters
hdb_info: The hash database object

References tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by TskHdbInfo::~TskHdbInfo().

uint8_t tsk_hdb_commit_transaction ( TSK_HDB_INFO *  hdb_info)

Commits a transaction on a hash database.

Parameters
hdb_info: A hash database info object
Returns
1 on error, 0 on success

References TSK_HDB_INFO::db_type, TSK_HDB_INFO::transaction_in_progress, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

uint8_t tsk_hdb_create ( TSK_TCHAR *  file_path)

Creates a new hash database.

Parameters
file_path: Path for database to create.
Returns
0 on success, 1 otherwise

References tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

uint8_t tsk_hdb_has_idx ( TSK_HDB_INFO *  hdb_info,
TSK_HDB_HTYPE_ENUM  htype 
)

Determine if the open hash database has an index.

Parameters
hdb_info: Hash database to consider
htype: Hash type that index should be of
Returns
1 if index exists and 0 if not

References tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by TskHdbInfo::hasIndex().

uint8_t tsk_hdb_is_idx_only ( TSK_HDB_INFO *  hdb_info)

Test for index only (legacy). Assumes that the db was opened using the TSK_HDB_OPEN_TRY option.

Parameters
hdb_info: Hash database to consider
Returns
1 if there is only a legacy index AND no db, 0 otherwise

References TSK_HDB_INFO::db_type, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), and TSK_HDB_DBTYPE_IDXONLY_ID.

int8_t tsk_hdb_lookup_raw ( TSK_HDB_INFO *  hdb_info,
uint8_t *  hash,
uint8_t  len,
TSK_HDB_FLAG_ENUM  flags,
TSK_HDB_LOOKUP_FN  action,
void *  ptr 
)

Search the index for the given hash value (in binary form).

Parameters
hdb_info: Open hash database (with index)
hash: Array with binary hash value to search for
len: Number of bytes in binary hash value
flags: Flags to use in lookup
action: Callback function to call for each hash db entry (not called if the TSK_HDB_FLAG_QUICK flag is given)
ptr: Pointer to data to pass to each callback
Returns
-1 on error, 0 if hash value not found, and 1 if value was found. Because -1 is non-zero, callers should compare the result against 1 (or check for -1 explicitly) rather than testing it as a boolean, so that a lookup error is not recorded as a match.

References tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by TskHdbInfo::lookupRaw().

int8_t tsk_hdb_lookup_str ( TSK_HDB_INFO *  hdb_info,
const char *  hash,
TSK_HDB_FLAG_ENUM  flags,
TSK_HDB_LOOKUP_FN  action,
void *  ptr 
)

Searches a hash database for a text/ASCII hash value.

Parameters
hdb_info: Struct representing an open hash database.
hash: Hash value to search for (null-terminated string).
flags: Flags to control behavior of the lookup.
action: Callback function to call for each entry in the hash database that matches the hash value argument (not called if the TSK_HDB_FLAG_QUICK flag is given).
ptr: Pointer to data to pass to each invocation of the callback.
Returns
-1 on error, 0 if hash value not found, and 1 if value was found. Because -1 is non-zero, callers should compare the result against 1 (or check for -1 explicitly) rather than testing it as a boolean, so that a lookup error is not recorded as a match.

References tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by hdb_binsrch_lookup_bin(), and TskHdbInfo::lookupStr().

uint8_t tsk_hdb_make_index ( TSK_HDB_INFO *  hdb_info,
TSK_TCHAR *  type 
)

Create an index for an open hash database.

Parameters
hdb_info: Open hash database to index
type: Text of hash database type
Returns
1 on error

References tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().

Referenced by TskHdbInfo::createIndex().

TSK_HDB_INFO* tsk_hdb_open ( TSK_TCHAR *  file_path,
TSK_HDB_OPEN_ENUM  flags 
)

Opens an existing hash database.

Parameters
file_path: Path to database or database index file.
flags: Flags for opening the database.
Returns
Pointer to a struct representing the hash database or NULL on error.

References PRIttocTSK, tsk_error_reset(), tsk_error_set_errno(), tsk_error_set_errstr(), TSK_HDB_DBTYPE_ENCASE_ID, TSK_HDB_DBTYPE_HK_ID, TSK_HDB_DBTYPE_IDXONLY_ID, TSK_HDB_DBTYPE_INVALID_ID, TSK_HDB_DBTYPE_MD5SUM_ID, TSK_HDB_DBTYPE_NSRL_ID, TSK_HDB_DBTYPE_SQLITE_ID, and TSK_HDB_OPEN_IDXONLY.

Referenced by TskHdbInfo::open().

uint8_t tsk_hdb_rollback_transaction ( TSK_HDB_INFO *  hdb_info)

Rolls back a transaction on a hash database.

Parameters
hdb_info: A hash database info object
Returns
1 on error, 0 on success

References TSK_HDB_INFO::db_type, TSK_HDB_INFO::transaction_in_progress, tsk_error_reset(), tsk_error_set_errno(), and tsk_error_set_errstr().


Copyright © 2007-2015 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.