Note that this file is not meant to be directly included. It is included by both libtsk.h and tsk_base_i.h.
#include <stdio.h>
#include <stdlib.h>
#include "tsk/tsk_incs.h"
#include "tsk_os.h"
Data Structures | |
| struct | TSK_LIST |
| Linked list structure that holds a 'key' and optional 'length'. More... | |
| struct | TSK_DATA_BUF |
| Data structure used to hold blobs of data along with the address from where it came. More... | |
| struct | TSK_MD5_CTX |
| struct | TSK_SHA_CTX |
Internal integer types and printf macros | |
| #define | PRIuINUM PRIu64 |
| #define | PRIxINUM PRIx64 |
| #define | PRIdINUM PRId64 |
| #define | PRIuUID PRIu32 |
| #define | PRIxUID PRIx32 |
| #define | PRIdUID PRId32 |
| #define | PRIuGID PRIu32 |
| #define | PRIxGID PRIx32 |
| #define | PRIdGID PRId32 |
| #define | PRIuDADDR PRIu64 |
| #define | PRIxDADDR PRIx64 |
| #define | PRIdDADDR PRId64 |
| #define | PRIuOFF PRIu64 |
| #define | PRIxOFF PRIx64 |
| #define | PRIdOFF PRId64 |
| #define | PRIuPNUM PRIu32 |
| #define | PRIxPNUM PRIx32 |
| #define | PRIdPNUM PRId32 |
| typedef uint64_t | TSK_INUM_T |
| Data type used to internally store metadata / inode addresses. | |
| typedef uint32_t | TSK_UID_T |
| Data type used to internally store User IDs. | |
| typedef uint32_t | TSK_GID_T |
| Data type used to internally store Group IDs. | |
| typedef uint64_t | TSK_DADDR_T |
| Data type used to internally store sector and block addresses. | |
| typedef int64_t | TSK_OFF_T |
| Data type used to internally store volume, file, etc. sizes and offsets. | |
| typedef uint32_t | TSK_PNUM_T |
| Data type used to internally store partition addresses. | |
Error Handling | |
| #define | TSK_ERRSTR_L 512 |
| #define | TSK_ERRSTR_PR_L (TSK_ERRSTR_L << 2) |
| #define | TSK_ERR_AUX 0x01000000 |
| #define | TSK_ERR_IMG 0x02000000 |
| #define | TSK_ERR_MM 0x04000000 |
| #define | TSK_ERR_FS 0x08000000 |
| #define | TSK_ERR_HDB 0x10000000 |
| #define | TSK_ERR_MASK 0x00ffffff |
| #define | TSK_ERR_AUX_MALLOC (TSK_ERR_AUX | 0) |
| #define | TSK_ERR_AUX_MAX 2 |
| #define | TSK_ERR_IMG_NOFILE (TSK_ERR_IMG | 0) |
| #define | TSK_ERR_IMG_OFFSET (TSK_ERR_IMG | 1) |
| #define | TSK_ERR_IMG_UNKTYPE (TSK_ERR_IMG | 2) |
| #define | TSK_ERR_IMG_UNSUPTYPE (TSK_ERR_IMG | 3) |
| #define | TSK_ERR_IMG_OPEN (TSK_ERR_IMG | 4) |
| #define | TSK_ERR_IMG_STAT (TSK_ERR_IMG | 5) |
| #define | TSK_ERR_IMG_SEEK (TSK_ERR_IMG | 6) |
| #define | TSK_ERR_IMG_READ (TSK_ERR_IMG | 7) |
| #define | TSK_ERR_IMG_READ_OFF (TSK_ERR_IMG | 8) |
| #define | TSK_ERR_IMG_LAYERS (TSK_ERR_IMG | 9) |
| #define | TSK_ERR_IMG_MAGIC (TSK_ERR_IMG | 10) |
| #define | TSK_ERR_IMG_WRITE (TSK_ERR_IMG | 11) |
| #define | TSK_ERR_IMG_MAX 12 |
| #define | TSK_ERR_MM_UNKTYPE (TSK_ERR_MM | 0) |
| #define | TSK_ERR_MM_UNSUPTYPE (TSK_ERR_MM | 1) |
| #define | TSK_ERR_MM_READ (TSK_ERR_MM | 2) |
| #define | TSK_ERR_MM_MAGIC (TSK_ERR_MM | 3) |
| #define | TSK_ERR_MM_WALK_RNG (TSK_ERR_MM | 4) |
| #define | TSK_ERR_MM_BUF (TSK_ERR_MM | 5) |
| #define | TSK_ERR_MM_BLK_NUM (TSK_ERR_MM | 6) |
| #define | TSK_ERR_MM_MAX 7 |
| #define | TSK_ERR_FS_UNKTYPE (TSK_ERR_FS | 0) |
| #define | TSK_ERR_FS_UNSUPTYPE (TSK_ERR_FS | 1) |
| #define | TSK_ERR_FS_FUNC (TSK_ERR_FS | 2) |
| #define | TSK_ERR_FS_WALK_RNG (TSK_ERR_FS | 3) |
| #define | TSK_ERR_FS_READ (TSK_ERR_FS | 4) |
| #define | TSK_ERR_FS_ARG (TSK_ERR_FS | 5) |
| #define | TSK_ERR_FS_BLK_NUM (TSK_ERR_FS | 6) |
| #define | TSK_ERR_FS_INODE_NUM (TSK_ERR_FS | 7) |
| #define | TSK_ERR_FS_INODE_INT (TSK_ERR_FS | 8) |
| #define | TSK_ERR_FS_MAGIC (TSK_ERR_FS | 9) |
| #define | TSK_ERR_FS_FWALK (TSK_ERR_FS | 10) |
| #define | TSK_ERR_FS_WRITE (TSK_ERR_FS | 11) |
| #define | TSK_ERR_FS_UNICODE (TSK_ERR_FS | 12) |
| #define | TSK_ERR_FS_RECOVER (TSK_ERR_FS | 13) |
| #define | TSK_ERR_FS_GENFS (TSK_ERR_FS | 14) |
| #define | TSK_ERR_FS_CORRUPT (TSK_ERR_FS | 15) |
| #define | TSK_ERR_FS_MAX 16 |
| #define | TSK_ERR_HDB_UNKTYPE (TSK_ERR_HDB | 0) |
| #define | TSK_ERR_HDB_UNSUPTYPE (TSK_ERR_HDB | 1) |
| #define | TSK_ERR_HDB_READDB (TSK_ERR_HDB | 2) |
| #define | TSK_ERR_HDB_READIDX (TSK_ERR_HDB | 3) |
| #define | TSK_ERR_HDB_ARG (TSK_ERR_HDB | 4) |
| #define | TSK_ERR_HDB_WRITE (TSK_ERR_HDB | 5) |
| #define | TSK_ERR_HDB_CREATE (TSK_ERR_HDB | 6) |
| #define | TSK_ERR_HDB_DELETE (TSK_ERR_HDB | 7) |
| #define | TSK_ERR_HDB_MISSING (TSK_ERR_HDB | 8) |
| #define | TSK_ERR_HDB_PROC (TSK_ERR_HDB | 9) |
| #define | TSK_ERR_HDB_OPEN (TSK_ERR_HDB | 10) |
| #define | TSK_ERR_HDB_CORRUPT (TSK_ERR_HDB | 11) |
| #define | TSK_ERR_HDB_MAX 12 |
| uint32_t | tsk_errno |
| char | tsk_errstr [TSK_ERRSTR_L] |
| char | tsk_errstr2 [TSK_ERRSTR_L] |
| char | tsk_errstr_print [TSK_ERRSTR_PR_L] |
| const char * | tsk_error_get () |
| Return the string with the current error message. | |
| void | tsk_error_print (FILE *) |
| Print the current error message to a file. | |
| void | tsk_error_reset () |
Endian Ordering Functions | |
| #define | tsk_getu16(endian, x) |
| #define | tsk_gets16(endian, x) ((int16_t)tsk_getu16(endian, x)) |
| #define | tsk_getu32(endian, x) |
| #define | tsk_gets32(endian, x) ((int32_t)tsk_getu32(endian, x)) |
| #define | tsk_getu48(endian, x) |
| #define | tsk_getu64(endian, x) |
| #define | tsk_gets64(endian, x) ((int64_t)tsk_getu64(endian, x)) |
| enum | TSK_ENDIAN_ENUM { TSK_LIT_ENDIAN = 0x01, TSK_BIG_ENDIAN = 0x02 } |
| Flag that identifies the endian ordering of the data being read. More... | |
| uint8_t | tsk_guess_end_u16 (TSK_ENDIAN_ENUM *, uint8_t *, uint16_t) |
| uint8_t | tsk_guess_end_u32 (TSK_ENDIAN_ENUM *, uint8_t *, uint32_t) |
MD5 and SHA-1 hashing | |
| #define | FALSE 0 |
| #define | TRUE ( !FALSE ) |
| typedef unsigned char * | POINTER |
| typedef uint16_t | UINT2 |
| typedef uint32_t | UINT4 |
| typedef uint8_t | BYTE |
| void | TSK_MD5_Init (TSK_MD5_CTX *) |
| void | TSK_MD5_Update (TSK_MD5_CTX *, unsigned char *, unsigned int) |
| void | TSK_MD5_Final (unsigned char[16], TSK_MD5_CTX *) |
| void | TSK_SHA_Init (TSK_SHA_CTX *) |
| void | TSK_SHA_Update (TSK_SHA_CTX *, BYTE *buffer, int count) |
| void | TSK_SHA_Final (BYTE *output, TSK_SHA_CTX *) |
List Structure | |
| typedef TSK_LIST | TSK_LIST |
| uint8_t | tsk_list_add (TSK_LIST **list, uint64_t key) |
| uint8_t | tsk_list_find (TSK_LIST *list, uint64_t key) |
| void | tsk_list_free (TSK_LIST *list) |
Defines | |
printf macros if system does not define them | |
| #define | PRIx64 "llx" |
| #define | PRIX64 "llX" |
| #define | PRIu64 "llu" |
| #define | PRId64 "lld" |
| #define | PRIo64 "llo" |
| #define | PRIx32 "x" |
| #define | PRIX32 "X" |
| #define | PRIu32 "u" |
| #define | PRId32 "d" |
| #define | PRIx16 "hx" |
| #define | PRIX16 "hX" |
| #define | PRIu16 "hu" |
| #define | PRIu8 "hhu" |
| #define | PRIx8 "hhx" |
Enumerations | |
| enum | TSK_RETVAL_ENUM { TSK_OK, TSK_ERR, TSK_COR } |
| Return values for some TSK functions that need to differentiate between errors and corrupt data. More... | |
| enum | TSK_WALK_RET_ENUM { TSK_WALK_CONT = 0x0, TSK_WALK_STOP = 0x1, TSK_WALK_ERROR = 0x2 } |
| Values that callback functions can return to calling walk function. More... | |
Functions | |
| void | tsk_print_version (FILE *) |
| Print the version to a handle. | |
| const char * | tskGetVersion () |
| Return the library version as a string. | |
| TSK_DATA_BUF * | tsk_data_buf_alloc (size_t) |
| Allocate and initialize a tsk_data_buf structure. | |
| void | tsk_data_buf_free (TSK_DATA_BUF *) |
| Free the tsk_data_buf and its buffers. | |
| TSK_OFF_T | tsk_parse_offset (const TSK_TCHAR *) |
| Parse a string in the cnt@size or cnt format and return the byte offset. | |
| int | tsk_parse_inum (const TSK_TCHAR *str, TSK_INUM_T *, uint32_t *, uint16_t *, int *) |
| Convert a string to an inode, type, and id pair. | |
Cross-platform printf | |
| void | tsk_fprintf (FILE *fd, const char *msg,...) |
| void | tsk_printf (const char *msg,...) |
Variables | |
| int | tsk_verbose |
| Set to 1 to have verbose debug messages printed to stderr. | |
| #define tsk_getu16 | ( | endian, | |||
| x | ) |
Value:
(uint16_t)(((endian) == TSK_LIT_ENDIAN) ? \ (((uint8_t *)(x))[0] + (((uint8_t *)(x))[1] << 8)) : \ (((uint8_t *)(x))[1] + (((uint8_t *)(x))[0] << 8)) )
| #define tsk_getu32 | ( | endian, | |||
| x | ) |
Value:
(uint32_t)( ((endian) == TSK_LIT_ENDIAN) ? \ ((((uint8_t *)(x))[0] << 0) + \ (((uint8_t *)(x))[1] << 8) + \ (((uint8_t *)(x))[2] << 16) + \ (((uint8_t *)(x))[3] << 24) ) \ : \ ((((uint8_t *)(x))[3] << 0) + \ (((uint8_t *)(x))[2] << 8) + \ (((uint8_t *)(x))[1] << 16) + \ (((uint8_t *)(x))[0] << 24) ) )
| #define tsk_getu48 | ( | endian, | |||
| x | ) |
Value:
(uint64_t)( ((endian) == TSK_LIT_ENDIAN) ? \ ((uint64_t) \ ((uint64_t)((uint8_t *)(x))[0] << 0)+ \ ((uint64_t)((uint8_t *)(x))[1] << 8) + \ ((uint64_t)((uint8_t *)(x))[2] << 16) + \ ((uint64_t)((uint8_t *)(x))[3] << 24) + \ ((uint64_t)((uint8_t *)(x))[4] << 32) + \ ((uint64_t)((uint8_t *)(x))[5] << 40)) \ : \ ((uint64_t) \ ((uint64_t)((uint8_t *)(x))[5] << 0)+ \ ((uint64_t)((uint8_t *)(x))[4] << 8) + \ ((uint64_t)((uint8_t *)(x))[3] << 16) + \ ((uint64_t)((uint8_t *)(x))[2] << 24) + \ ((uint64_t)((uint8_t *)(x))[1] << 32) + \ ((uint64_t)((uint8_t *)(x))[0] << 40)) )
| #define tsk_getu64 | ( | endian, | |||
| x | ) |
Value:
(uint64_t)( ((endian) == TSK_LIT_ENDIAN) ? \ ((uint64_t) \ ((uint64_t)((uint8_t *)(x))[0] << 0) + \ ((uint64_t)((uint8_t *)(x))[1] << 8) + \ ((uint64_t)((uint8_t *)(x))[2] << 16) + \ ((uint64_t)((uint8_t *)(x))[3] << 24) + \ ((uint64_t)((uint8_t *)(x))[4] << 32) + \ ((uint64_t)((uint8_t *)(x))[5] << 40) + \ ((uint64_t)((uint8_t *)(x))[6] << 48) + \ ((uint64_t)((uint8_t *)(x))[7] << 56)) \ : \ ((uint64_t) \ ((uint64_t)((uint8_t *)(x))[7] << 0) + \ ((uint64_t)((uint8_t *)(x))[6] << 8) + \ ((uint64_t)((uint8_t *)(x))[5] << 16) + \ ((uint64_t)((uint8_t *)(x))[4] << 24) + \ ((uint64_t)((uint8_t *)(x))[3] << 32) + \ ((uint64_t)((uint8_t *)(x))[2] << 40) + \ ((uint64_t)((uint8_t *)(x))[1] << 48) + \ ((uint64_t)((uint8_t *)(x))[0] << 56)) )
| enum TSK_ENDIAN_ENUM |
| enum TSK_RETVAL_ENUM |
| enum TSK_WALK_RET_ENUM |
| TSK_DATA_BUF* tsk_data_buf_alloc | ( | size_t | size | ) |
Allocate and initialize a tsk_data_buf structure.
| size | Size in bytes to allocated for the buffer |
| void tsk_data_buf_free | ( | TSK_DATA_BUF * | buf | ) |
Free the tsk_data_buf and its buffers.
| buf | The structure to free. |
| const char* tsk_error_get | ( | ) |
Return the string with the current error message.
The string does not end with a newline and it should not be freed.
| void tsk_error_print | ( | FILE * | hFile | ) |
Print the current error message to a file.
| hFile | File to print message to |
| int tsk_parse_inum | ( | const TSK_TCHAR * | str, | |
| TSK_INUM_T * | inum, | |||
| uint32_t * | type, | |||
| uint16_t * | id, | |||
| int * | id_used | |||
| ) |
Convert a string to an inode, type, and id pair.
This assumes the string is either: INUM, INUM-TYPE, or INUM-TYPE-ID
| [in] | str | Input string to parse |
| [out] | inum | Pointer to location where inode can be stored. |
| [out] | type | Pointer to location where type can be stored |
| [out] | id | Pointer to location where id can be stored |
| [out] | id_used | Pointer to location where the value can be set to 1 if the id was set (to differentiate between meanings of 0). |
| TSK_OFF_T tsk_parse_offset | ( | const TSK_TCHAR * | a_offset_str | ) |
Parse a string in the cnt@size or cnt format and return the byte offset.
| [in] | a_offset_str | The string version of the offset |
| void tsk_print_version | ( | FILE * | hFile | ) |
Print the version to a handle.
| hFile | Handle to print to |
| const char* tskGetVersion | ( | ) |
Return the library version as a string.
1.5.1