The Sleuth Kit Framework 4.1
TskFileTsk is a Sleuthkit and Poco based implementation of the TskFile interface.
#include <TskFileTsk.h>
Public Member Functions
virtual void close ()
  Close the file.
virtual bool exists () const
  Does a file exist on disk for this TskFile object.
virtual std::string getPath () const
  Fully qualified path to on-disk representation of file.
virtual bool isDirectory () const
  Does this file represent a directory.
virtual bool isVirtual () const
  Is this a Sleuthkit "virtual" file (created by TSK for file system areas).
virtual void open ()
  Open the file. Must be called before reading.
virtual ssize_t read (char *buf, const size_t count)
  Read file content into a buffer.
virtual TSK_OFF_T seek (const TSK_OFF_T off, std::ios::seekdir origin=std::ios::beg)
  Set the byte offset within the file.
virtual TSK_OFF_T tell () const
  Get the current byte offset within the file.
Public Member Functions inherited from TskFile
virtual void addGenInfoAttribute (TskBlackboardAttribute attr)
  Add an attribute to the general info artifact for this file.
virtual TskBlackboardArtifact createArtifact (int artifactTypeID)
  Create a new artifact with the given type id.
virtual TskBlackboardArtifact createArtifact (TSK_ARTIFACT_TYPE type)
  Create a new artifact with the given type.
virtual TskBlackboardArtifact createArtifact (string artifactTypeName)
  Create a new artifact with the given type name.
virtual vector<TskBlackboardArtifact> getAllArtifacts ()
  Get all artifacts associated with this file.
virtual vector<TskBlackboardArtifact> getArtifacts (string artifactTypeName)
  Get all artifacts associated with this file with the given type name.
virtual vector<TskBlackboardArtifact> getArtifacts (int artifactTypeID)
  Get all artifacts associated with this file with the given type id.
virtual vector<TskBlackboardArtifact> getArtifacts (TSK_ARTIFACT_TYPE type)
  Get all artifacts associated with this file with the given type.
time_t getAtime () const
  Get the last access time.
time_t getCrtime () const
  Get the creation time.
time_t getCtime () const
  Get the change time.
TSK_FS_NAME_FLAG_ENUM getDirFlags () const
  Get the directory flags.
TSK_FS_NAME_TYPE_ENUM getDirType () const
  Get the directory type.
std::string getExtension () const
  Get the extension.
std::string getFullPath () const
  Get the path of the file in the disk image.
virtual TskBlackboardArtifact getGenInfo ()
  Get the general info artifact for this file.
TSK_GID_T getGid () const
  Get the group id.
std::string getHash (TskImgDB::HASH_TYPE hashType) const
  Get the pre-calculated hash value of the specified type.
uint64_t getId () const
  Returns the file id.
TskImgDB::KNOWN_STATUS getKnownStatus () const
  Return the known status of the file.
TSK_FS_META_FLAG_ENUM getMetaFlags () const
  Get the metadata flags.
TSK_FS_META_TYPE_ENUM getMetaType () const
  Get the metadata flags.
TSK_FS_META_MODE_ENUM getMode () const
  Get the mode.
time_t getMtime () const
  Get the modify time.
std::string getName () const
  Get the name.
uint64_t getParentFileId () const
  Get the parent file id.
TSK_OFF_T getSize () const
  Get the file size.
TskImgDB::FILE_STATUS getStatus () const
  Get the analysis status of the file (where it is in the analysis life cycle).
TskImgDB::FILE_TYPES getTypeId () const
  Get the high-level type (file system, local, carved, etc.).
TSK_UID_T getUid () const
  Get the user id.
std::string getUniquePath () const
  Get the path of the file in the disk image.
virtual void save ()
  Save the file to the default location.
void setHash (TskImgDB::HASH_TYPE hashType, const std::string hash)
  Sets the file's hash value in the database.
void setStatus (TskImgDB::FILE_STATUS status)
  Set the file status (where it is in its analysis life cycle).
virtual ~TskFile ()
  Delete the TskFile object.
Protected Member Functions
TskFileTsk (const uint64_t id)
  Create a TskFileTsk object given a file id.
Protected Member Functions inherited from TskFile
void initialize ()
  Loads the raw file data from the database.
Protected Attributes
Poco::File m_file
Poco::FileInputStream * m_fileInStream
int m_handle
TskUnusedSectorsRecord m_unusedSectorsRecord
Protected Attributes inherited from TskFile
TskFileRecord m_fileRecord
uint64_t m_id
bool m_isOpen
TSK_OFF_T m_offset
Friends
class TskFileManagerImpl
virtual bool isDirectory () const
Does this file represent a directory.
Implements TskFile.
References TSK_FS_NAME_TYPE_DIR.
virtual bool isVirtual () const
Is this a Sleuthkit "virtual" file (created by TSK for file system areas).
Implements TskFile.
References TSK_FS_NAME_TYPE_VIRT.
virtual ssize_t read (char *buf, const size_t count)
Read file content into a buffer.
Reads from end of last read.
Parameters:
  buf: Buffer into which file content will be placed. Must be at least "count" bytes in size.
  count: The number of bytes to read from the file.
Implements TskFile.
References TskImageFile::getByteData(), TskServices::getImageFile(), TskFile::getSize(), TskFile::getTypeId(), TskServices::Instance(), LOGERROR, and TskImageFile::readFile().
virtual TSK_OFF_T seek (const TSK_OFF_T off, std::ios::seekdir origin=std::ios::beg)
Set the byte offset within the file.
If the second parameter is not supplied the offset will be set relative to the beginning of the file.
Parameters:
  off: Number of bytes to offset from origin.
  origin: The point from which the given offset is relative to. Defaults to beginning of file. If origin is std::ios::end the offset must be a negative number.
Exceptions:
  TskFileException: if file is not open or if you attempt to seek to an invalid offset.
Implements TskFile.
References TskFile::getSize(), and LOGERROR.
Copyright © 2011-2013 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.