#include <tsk_fs.h>
Note that the file in the file system may have more metadata than is stored here. For performance reasons, the run list of the file content is not always known when the file is loaded. It may be loaded only when needed by the internal code. The TSK_FS_META::content_ptr pointer contains file system-specific data that will be used to determine the full run. After it has been loaded, the TSK_FS_META::attr field will contain that info.
Data Fields | |
| TSK_INUM_T | addr |
| Address of the meta data structure for this file. | |
| time_t | atime |
| last file content accessed time (stored in number of seconds since Jan 1, 1970 UTC) | |
| TSK_FS_ATTRLIST * | attr |
| Contains run data on the file content (specific locations where content is stored). | |
| TSK_FS_META_ATTR_FLAG_ENUM | attr_state |
| State of the data in the TSK_FS_META::attr structure. | |
| size_t | content_len |
| size of content buffer | |
| void * | content_ptr |
| Pointer to file system specific data that is used to store references to file content. | |
| time_t | crtime |
| Created time (stored in number of seconds since Jan 1, 1970 UTC). | |
| time_t | ctime |
| last file / metadata status change time (stored in number of seconds since Jan 1, 1970 UTC) | |
| TSK_FS_META_FLAG_ENUM | flags |
| Flags for this file for its allocation status etc. | |
| TSK_FS_INFO * | fs_info |
| Pointer to file system that file is located in. | |
| TSK_GID_T | gid |
| group id | |
| char * | link |
| Name of target file if this is a symbolic link. | |
| TSK_FS_META_MODE_ENUM | mode |
| Unix-style permissions. | |
| time_t | mtime |
| last file content modification time (stored in number of seconds since Jan 1, 1970 UTC) | |
| TSK_FS_META_NAME_LIST * | name2 |
| Name of file stored in metadata (FAT and NTFS Only). | |
| int | nlink |
| link count (number of file names pointing to this) | |
| uint32_t | seq |
| Sequence number for file (NTFS only, is incremented when entry is reallocated). | |
| TSK_OFF_T | size |
| file size (in bytes) | |
| int | tag |
| union { | |
| struct { | |
| time_t dtime | |
| Linux deletion time. | |
| } ext2 | |
| struct { | |
| time_t bkup_time | |
| HFS+ backup time. | |
| } hfs | |
| } | time2 |
| TSK_FS_META_TYPE_ENUM | type |
| File type. | |
| TSK_UID_T | uid |
| owner id | |
Contains run data on the file content (specific locations where content is stored).
Check attr_state to determine if data in here is valid because not all file systems load this data when a file is loaded. It may not be loaded until needed by one of the APIs. Most file systems will have only one attribute, but NTFS will have several.
Referenced by tsk_fs_file_attr_get(), tsk_fs_file_attr_get_idx(), tsk_fs_file_attr_get_type(), and tsk_fs_file_attr_getsize().
Copyright © 2007-2008 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.