The Sleuth Kit Framework  4.1
TskFileTsk Class Reference

TskFileTsk is a Sleuthkit and Poco based implementation of the TskFile interface.

#include <TskFileTsk.h>

Inheritance diagram for TskFileTsk:
TskFile

Public Member Functions

virtual void close ()
 Close the file.
 
virtual bool exists () const
 Does a file exist on disk for this TskFile object.
 
virtual std::string getPath () const
 Fully qualified path to on-disk representation of file.
 
virtual bool isDirectory () const
 Does this file represent a directory.
 
virtual bool isVirtual () const
 Is this a Sleuthkit "virtual" file (created by TSK for file system areas).
 
virtual void open ()
 Open the file. Must be called before reading.
 
virtual ssize_t read (char *buf, const size_t count)
 Read file content into a buffer.
 
virtual TSK_OFF_T seek (const TSK_OFF_T off, std::ios::seekdir origin=std::ios::beg)
 Set the byte offset within the file.
 
virtual TSK_OFF_T tell () const
 Get the current byte offset within the file.
 
- Public Member Functions inherited from TskFile
virtual void addGenInfoAttribute (TskBlackboardAttribute attr)
 Add an attribute to the general info artifact for this file.
 
virtual TskBlackboardArtifact createArtifact (int artifactTypeID)
 Create a new artifact with the given type id.
 
virtual TskBlackboardArtifact createArtifact (TSK_ARTIFACT_TYPE type)
 Create a new artifact with the given type.
 
virtual TskBlackboardArtifact createArtifact (string artifactTypeName)
 Create a new artifact with the given type name.
 
virtual vector< TskBlackboardArtifact > getAllArtifacts ()
 Get all artifacts associated with this file.
 
virtual vector< TskBlackboardArtifact > getArtifacts (string artifactTypeName)
 Get all artifacts associated with this file with the given type name.
 
virtual vector< TskBlackboardArtifact > getArtifacts (int artifactTypeID)
 Get all artifacts associated with this file with the given type id.
 
virtual vector< TskBlackboardArtifact > getArtifacts (TSK_ARTIFACT_TYPE type)
 Get all artifacts associated with this file with the given type.
 
time_t getAtime () const
 Get the last access time.
 
time_t getCrtime () const
 Get the creation time.
 
time_t getCtime () const
 Get the change time.
 
TSK_FS_NAME_FLAG_ENUM getDirFlags () const
 Get the directory flags.
 
TSK_FS_NAME_TYPE_ENUM getDirType () const
 Get the directory type.
 
std::string getExtension () const
 Get the extension.
 
std::string getFullPath () const
 Get the path of the file in the disk image.
 
virtual TskBlackboardArtifact getGenInfo ()
 Get the general info artifact for this file.
 
TSK_GID_T getGid () const
 Get the group id.
 
std::string getHash (TskImgDB::HASH_TYPE hashType) const
 Get the pre-calculated hash value of the specified type.
 
uint64_t getId () const
 Returns the file id.
 
TskImgDB::KNOWN_STATUS getKnownStatus () const
 Return the known status of the file.
 
TSK_FS_META_FLAG_ENUM getMetaFlags () const
 Get the metadata flags.
 
TSK_FS_META_TYPE_ENUM getMetaType () const
 Get the metadata type.
 
TSK_FS_META_MODE_ENUM getMode () const
 Get the mode.
 
time_t getMtime () const
 Get the modify time.
 
std::string getName () const
 Get the name.
 
uint64_t getParentFileId () const
 Get the parent file id.
 
TSK_OFF_T getSize () const
 Get the file size.
 
TskImgDB::FILE_STATUS getStatus () const
 Get the analysis status of the file (where it is in the analysis life cycle).
 
TskImgDB::FILE_TYPES getTypeId () const
 Get the high-level type (file system, local, carved, etc.)
 
TSK_UID_T getUid () const
 Get the user id.
 
std::string getUniquePath () const
 Get the path of the file in the disk image.
 
virtual void save ()
 Save the file to the default location.
 
void setHash (TskImgDB::HASH_TYPE hashType, const std::string hash)
 Sets the file's hash value in the database.
 
void setStatus (TskImgDB::FILE_STATUS status)
 Set the file status (where it is in its analysis life cycle)
 
virtual ~TskFile ()
 Delete the TskFile object.
 

Protected Member Functions

 TskFileTsk (const uint64_t id)
 Create a TskFileTsk object given a file id.
 
- Protected Member Functions inherited from TskFile
void initialize ()
 Loads the raw file data from the database.
 

Protected Attributes

Poco::File m_file
 
Poco::FileInputStream * m_fileInStream
 
int m_handle
 
TskUnusedSectorsRecord m_unusedSectorsRecord
 
- Protected Attributes inherited from TskFile
TskFileRecord m_fileRecord
 
uint64_t m_id
 
bool m_isOpen
 
TSK_OFF_T m_offset
 

Friends

class TskFileManagerImpl
 

Detailed Description

TskFileTsk is a Sleuthkit and Poco based implementation of the TskFile interface.

Member Function Documentation

bool TskFileTsk::exists ( ) const
virtual

Does a file exist on disk for this TskFile object.

Returns
True if a file exists, false otherwise

Implements TskFile.

Referenced by open().

bool TskFileTsk::isDirectory ( ) const
virtual

Does this file represent a directory.

Returns
True if this is a directory, false otherwise

Implements TskFile.

References TSK_FS_NAME_TYPE_DIR.

bool TskFileTsk::isVirtual ( ) const
virtual

Is this a Sleuthkit "virtual" file (created by TSK for file system areas).

Returns
True if this is a "virtual" file, false otherwise

Implements TskFile.

References TSK_FS_NAME_TYPE_VIRT.

ssize_t TskFileTsk::read ( char * buf, const size_t count )
virtual

Read file content into a buffer.

Reads from end of last read.

Parameters
buf: Buffer into which file content will be placed. Must be at least "count" bytes in size.
count: The number of bytes to read from the file.
Returns
The number of bytes read or -1 on error.

Implements TskFile.

References TskImageFile::getByteData(), TskServices::getImageFile(), TskFile::getSize(), TskFile::getTypeId(), TskServices::Instance(), LOGERROR, and TskImageFile::readFile().

TSK_OFF_T TskFileTsk::seek ( const TSK_OFF_T off, std::ios::seekdir origin = std::ios::beg )
virtual

Set the byte offset within the file.

If the second parameter is not supplied, the offset will be set relative to the beginning of the file.

Parameters
off: Number of bytes to offset from origin.
origin: The point to which the given offset is relative. Defaults to beginning of file. If origin is std::ios::end the offset must be a negative number.
Returns
The absolute file offset resulting from the repositioning.
Exceptions
TskFileException: if file is not open or if you attempt to seek to an invalid offset.

Implements TskFile.

References TskFile::getSize(), and LOGERROR.

TSK_OFF_T TskFileTsk::tell ( ) const
virtual

Get the current byte offset within the file.

Returns
Current byte offset.
Exceptions
TskFileException: if file is not open.

Implements TskFile.

References LOGERROR.
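
Added example (not part of the framework or its documentation): a bounded range read that follows the open(), seek(), read(), close() contract documented above, checking the -1 error return and never asking read() for more than the buffer holds. MemFile, Off and readRange are hypothetical stand-ins so the block compiles without the framework; std::runtime_error takes the place of TskFileException, and a read() return of 0 at end of file is an assumption.

```cpp
#include <cstring>
#include <ios>
#include <stdexcept>
#include <string>
#include <vector>
typedef long long Off;  // stand-in for TSK_OFF_T (assumption)
// Constructed in-memory stand-in that mirrors the documented open/seek/tell/read contract.
class MemFile {
    std::string m_data; Off m_offset; bool m_isOpen;
public:
    explicit MemFile(const std::string &d) : m_data(d), m_offset(0), m_isOpen(false) {}
    void open() { m_isOpen = true; m_offset = 0; }
    void close() { m_isOpen = false; }
    Off getSize() const { return (Off)m_data.size(); }
    Off tell() const { if (!m_isOpen) throw std::runtime_error("file not open"); return m_offset; }
    Off seek(Off off, std::ios::seekdir origin = std::ios::beg) {
        if (!m_isOpen) throw std::runtime_error("file not open");
        Off base = origin == std::ios::beg ? 0 : origin == std::ios::cur ? m_offset : getSize();
        // A positive offset from std::ios::end lands past the end and is rejected.
        if (base + off < 0 || base + off > getSize()) throw std::runtime_error("invalid offset");
        return m_offset = base + off;
    }
    long read(char *buf, size_t count) {
        if (!m_isOpen) return -1;                       // -1 on error, as documented
        size_t left = (size_t)(getSize() - m_offset);
        size_t n = count < left ? count : left;         // short read near end of file
        std::memcpy(buf, m_data.data() + m_offset, n);
        m_offset += (Off)n;
        return (long)n;
    }
};

// Read up to len bytes starting at off; F is any type exposing the members used here.
template <class F>
std::vector<char> readRange(F &file, Off off, size_t len) {
    std::vector<char> out(len);      // buffer is at least "count" bytes for every read()
    file.open();                     // must be called before reading
    try {
        file.seek(off);              // throws on an invalid offset
        size_t got = 0;
        while (got < len) {
            long n = file.read(out.data() + got, len - got);
            if (n < 0) throw std::runtime_error("read failed");
            if (n == 0) break;       // assumed: 0 means end of file
            got += (size_t)n;
        }
        out.resize(got);             // return only the bytes actually read
    } catch (...) { file.close(); throw; }
    file.close();
    return out;
}
```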


The documentation for this class was generated from the following files:

Copyright © 2011-2013 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.