The Sleuth Kit Framework  4.1
TskImgDBSqlite Class Reference

Implementation of TskImgDB that uses SQLite to store the data. More...

#include <TskImgDBSqlite.h>

Inheritance diagram for TskImgDBSqlite:
TskImgDB

Public Member Functions

virtual int addAllocUnallocMapInfo (int a_volID, int unallocImgID, uint64_t unallocImgStart, uint64_t length, uint64_t origImgStart)
 Add information about how the unallocated images were created so that we can later map where data was recovered from. More...
 
virtual int addCarvedFileInfo (int vol_id, const char *name, uint64_t size, uint64_t *runStarts, uint64_t *runLengths, int numRuns, uint64_t &fileId)
 Adds information about a carved file into the database. More...
 
virtual int addDerivedFileInfo (const std::string &name, const uint64_t parentId, const bool isDirectory, const uint64_t size, const std::string &details, const int ctime, const int crtime, const int atime, const int mtime, uint64_t &fileId, std::string path)
 Adds information about derived files to the database. More...
 
virtual int addFsBlockInfo (int fsID, uint64_t a_mFileId, int count, uint64_t blk_addr, uint64_t len)
 Add block info to the database. More...
 
virtual int addFsFileInfo (int fsId, const TSK_FS_FILE *fs_file, const char *name, int type, int idx, uint64_t &fileId, const char *path)
 Add data for a file system file to the image database. More...
 
virtual int addFsInfo (int volId, int fsId, const TSK_FS_INFO *fs_info)
 
virtual int addImageInfo (int type, int sectorSize)
 
virtual int addImageName (char const *imgName)
 Add the path to the image to the image database. More...
 
virtual int addModule (const std::string &name, const std::string &description, int &moduleId)
 Insert the Module record, if module name does not already exist in modules table. More...
 
virtual int addToolInfo (const char *name, const char *version)
 
virtual int addUnallocImg (int &unallocImgId)
 Add a new row to the unalloc_img_status table, returning the unalloc_img_id. More...
 
virtual int addUnusedSectors (int unallocImgId, std::vector< TskUnusedSectorsRecord > &unusedSectorsList)
 Find and add all the unused sectors (unallocated and uncarved bytes) in the given unallocImgId. More...
 
virtual int addVolumeInfo (const TSK_VS_PART_INFO *vs_part)
 
virtual int begin ()
 
virtual int close ()
 Close the database. More...
 
virtual int commit ()
 
virtual bool dbExist () const
 
virtual int getAllUnallocImgStatus (std::vector< TskUnallocImgStatusRecord > &unallocImgStatusList) const
 Get all the unalloc_img_status table. More...
 
virtual std::vector< uint64_t > getCarvedFileIds () const
 
virtual std::string getCfileName (const uint64_t a_file_id) const
 
virtual int getFileCount (const std::string &condition) const
 Get the number of files that match the given criteria. More...
 
virtual uint64_t getFileId (int fsId, uint64_t fs_file_id) const
 Given a file system and fs_file_id, return the file_id.
 
virtual int getFileIds (char *a_fileName, uint64_t *a_outBuffer, int a_buffSize) const
 Fills outBuffer with file IDs that match the name fileName. More...
 
virtual std::vector< uint64_t > getFileIds (const std::string &condition) const
 Get the list of file ids that match the given criteria. More...
 
virtual std::vector< uint64_t > getFileIds () const
 
virtual int getFileInfoSummary (std::list< TskFileTypeRecord > &fileTypeInfoList) const
 Return a list of TskFileTypeRecord for all files. More...
 
virtual int getFileInfoSummary (FILE_TYPES fileType, std::list< TskFileTypeRecord > &fileTypeInfoList) const
 Return a list of TskFileTypeRecord for fileType. More...
 
virtual std::string getFileName (uint64_t file_id) const
 
virtual int getFileRecord (const uint64_t fileId, TskFileRecord &fileRecord) const
 Queries the blackboard for raw information about a specific file. More...
 
virtual const std::vector< TskFileRecord > getFileRecords (const std::string &condition) const
 
virtual SectorRunsgetFileSectors (uint64_t fileId) const
 
virtual int getFileUniqueIdentifiers (uint64_t a_fileId, uint64_t &a_fsOffset, uint64_t &a_fsFileId, int &a_attrType, int &a_attrId) const
 
virtual SectorRuns * getFreeSectors () const
 Get information on all of the free sectors in an image. More...
 
virtual int getFsInfo (std::list< TskFsInfoRecord > &fsInfoList) const
 Return a list of TskFsInfoRecord. More...
 
virtual std::string getImageBaseName () const
 Gets the base name of the image, i.e., the file name of the first image path stored in the database. More...
 
virtual int getImageInfo (int &type, int &sectorSize) const
 Return the ImageInfo. More...
 
virtual std::vector< std::string > getImageNames () const
 
virtual std::vector< std::wstring > getImageNamesW () const
 Gets a list of image paths. More...
 
virtual TskImgDB::KNOWN_STATUS getKnownStatus (const uint64_t fileId) const
 Return the known status of the file with the given id. More...
 
virtual int getMaxFileIdReadyForAnalysis (uint64_t a_lastFileId, uint64_t &maxFileId) const
 Given the last file ID ready for analysis, find the largest file ID ready for analysis (returned in maxFileId). Returns 0 on success or -1 on error.
 
virtual int getMinFileIdReadyForAnalysis (uint64_t &minFileId) const
 
virtual int getModuleErrors (std::vector< TskModuleStatus > &moduleStatusList) const
 Get a list of TskModuleStatus. More...
 
virtual int getModuleInfo (std::vector< TskModuleInfo > &moduleInfoList) const
 Get a list of TskModuleInfo. More...
 
virtual int getNumFiles () const
 Get number of files in image. More...
 
virtual int getNumVolumes () const
 Get number of volumes in image. More...
 
virtual int getSessionID () const
 
virtual
TskImgDB::UNALLOC_IMG_STATUS 
getUnallocImgStatus (int unallocImgId) const
 Get the status of the unalloc_img_status table given the unalloc_img_id. More...
 
virtual UnallocRun * getUnallocRun (int file_id, int file_offset) const
 Given an offset in an unallocated image that was created for carving, return information about where that data came from in the original image. More...
 
virtual std::map< uint64_t,
std::string > 
getUniqueCarvedFiles (HASH_TYPE hashType) const
 Returns the file ids and carved file names for a unique set of carved files. More...
 
virtual std::vector< TskCarvedFileInfo > getUniqueCarvedFilesInfo (HASH_TYPE hashType) const
 Returns the file ids, content hashes, and carved file names for a unique set of carved files. More...
 
virtual std::vector< uint64_t > getUniqueFileIds (HASH_TYPE hashType) const
 
virtual int getUnusedSector (uint64_t fileId, TskUnusedSectorsRecord &unusedSectorsRecord) const
 Get unused sector record given a file id. More...
 
virtual int getVolumeInfo (std::list< TskVolumeInfoRecord > &volumeInfoList) const
 Return a list of TskVolumeInfoRecord. More...
 
virtual int initialize ()
 Opens the database and creates the needed tables. More...
 
virtual int open ()
 Opens an existing database. More...
 
virtual std::string quote (const std::string str) const
 
virtual int setHash (const uint64_t a_file_id, const TskImgDB::HASH_TYPE hashType, const std::string &hash) const
 
virtual int setModuleStatus (uint64_t file_id, int module_id, int status)
 Insert the module status record. More...
 
virtual int setUnallocImgStatus (int unallocImgId, TskImgDB::UNALLOC_IMG_STATUS status)
 Set the status in the unalloc_img_status table given the unalloc_img_id. More...
 
 TskImgDBSqlite (const char *a_outpath)
 Set the database location. More...
 
virtual int updateFileStatus (uint64_t a_file_id, FILE_STATUS a_status)
 update the status field in the database for a given file. More...
 
virtual int updateKnownStatus (uint64_t a_file_id, KNOWN_STATUS a_status)
 update the known status field in the database for a given file. More...
 
- Public Member Functions inherited from TskImgDB
 TskImgDB ()
 Default constructor.
 
virtual ~TskImgDB ()
 Destructor.
 

Protected Member Functions

virtual void addArtifactType (int typeID, string artifactTypeName, string displayName)
 Add a new artifact type with the given name, display name and id. More...
 
virtual void addAttributeType (int typeID, string attributeTypeName, string displayName)
 Add a new attribute type with the given name, display name and id. More...
 
virtual void addBlackboardAttribute (TskBlackboardAttribute attr)
 BLACKBOARD FUNCTIONS. More...
 
virtual TskBlackboardArtifact createBlackboardArtifact (uint64_t file_id, int artifactTypeID)
 Create a new blackboard artifact with the given type id and file id. More...
 
virtual vector< int > findAttributeTypes (int artifactTypeId)
 
virtual string getArtifactTypeDisplayName (int artifactTypeID)
 Get the display name for the given artifact type id. More...
 
virtual int getArtifactTypeID (string artifactTypeString)
 Get the artifact type id for the given artifact type string. More...
 
virtual string getArtifactTypeName (int artifactTypeID)
 Get the artifact type name for the given artifact type id. More...
 
virtual string getAttributeTypeDisplayName (int attributeTypeID)
 Get the display name for the given attribute type id. More...
 
virtual int getAttributeTypeID (string attributeTypeString)
 Get the attribute type id for the given attribute type string. More...
 
virtual string getAttributeTypeName (int attributeTypeID)
 Get the attribute type name for the given attribute type id. More...
 
virtual vector< TskBlackboardArtifact > getMatchingArtifacts (string condition)
 Get all artifacts by performing a SQL Select statement with the given where clause. More...
 
virtual vector< TskBlackboardAttribute > getMatchingAttributes (string condition)
 Get all attributes that match the given where clause. More...
 
- Protected Member Functions inherited from TskImgDB
TskBlackboardArtifact createArtifact (uint64_t artifactID, uint64_t objID, int artifactTypeID)
 
TskBlackboardAttribute createAttribute (uint64_t artifactID, int attributeTypeID, uint64_t objectID, string moduleName, string context, TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE valueType, int valueInt, uint64_t valueLong, double valueDouble, string valueString, vector< unsigned char > valueBytes)
 
int64_t findParObjId (const TSK_FS_FILE *fs_file, const int64_t &fsObjId)
 Find parent object id of TSK_FS_FILE. More...
 
virtual map< int, TskArtifactNames > getAllArtifactTypes ()
 
virtual map< int, TskAttributeNames > getAllAttributeTypes ()
 
void storeParObjId (const int64_t &fsObjId, const TSK_FS_FILE *fs_file, const int64_t &objId)
 Store meta_addr to object id mapping of the directory in a local cache map. More...
 

Friends

class TskDBBlackboard
 

Additional Inherited Members

- Public Types inherited from TskImgDB
enum  FILE_STATUS {
  IMGDB_FILES_STATUS_CREATED = 0, IMGDB_FILES_STATUS_READY_FOR_ANALYSIS, IMGDB_FILES_STATUS_ANALYSIS_IN_PROGRESS, IMGDB_FILES_STATUS_ANALYSIS_COMPLETE,
  IMGDB_FILES_STATUS_ANALYSIS_FAILED, IMGDB_FILES_STATUS_ANALYSIS_SKIPPED
}
 File analysis statuses used by the framework.
 
enum  FILE_TYPES { IMGDB_FILES_TYPE_FS = 0, IMGDB_FILES_TYPE_CARVED, IMGDB_FILES_TYPE_DERIVED, IMGDB_FILES_TYPE_UNUSED }
 File type classifications used by the framework.
 
enum  HASH_TYPE { MD5 = 0, SHA1, SHA2_256, SHA2_512 }
 Hash types supported by framework. More...
 
enum  KNOWN_STATUS { IMGDB_FILES_KNOWN = 0, IMGDB_FILES_KNOWN_GOOD, IMGDB_FILES_KNOWN_BAD, IMGDB_FILES_UNKNOWN }
 Files have a 'known' status that is updated with the use of hash databases. More...
 
enum  UNALLOC_IMG_STATUS {
  IMGDB_UNALLOC_IMG_STATUS_CREATED = 0, IMGDB_UNALLOC_IMG_STATUS_SCHEDULE_OK, IMGDB_UNALLOC_IMG_STATUS_SCHEDULE_ERR, IMGDB_UNALLOC_IMG_STATUS_CARVED_OK,
  IMGDB_UNALLOC_IMG_STATUS_CARVED_ERR, IMGDB_UNALLOC_IMG_STATUS_CARVED_NOT_NEEDED
}
 Unallocated sectors file statuses used by the framework.
 
enum  VALUE_TYPE {
  BB_VALUE_TYPE_BYTE = 0, BB_VALUE_TYPE_STRING, BB_VALUE_TYPE_INT32, BB_VALUE_TYPE_INT64,
  BB_VALUE_TYPE_DOUBLE
}
 Data types that can be stored in blackboard. More...
 
- Protected Attributes inherited from TskImgDB
map< int64_t, map< TSK_INUM_T,
map< uint32_t, int64_t > > > 
m_parentDirIdCache
 

Detailed Description

Implementation of TskImgDB that uses SQLite to store the data.

Do not use this in a distributed environment if multiple processes will be accessing the database at the same time.

Constructor & Destructor Documentation

TskImgDBSqlite::TskImgDBSqlite ( const char *  a_outpath)

Set the database location.

Must call initialize() before the object can be used.

Parameters
a_outpathDirectory to store the database in. This directory must already exist.

Member Function Documentation

int TskImgDBSqlite::addAllocUnallocMapInfo ( int  a_volID,
int  unallocImgID,
uint64_t  unallocImgStart,
uint64_t  length,
uint64_t  origImgStart 
)
virtual

Add information about how the unallocated images were created so that we can later map where data was recovered from.

This is typically used by CarvePrep and the results are used by CarveExtract via getUnallocRun().

Parameters
a_volIDVolume ID that the data was extracted from.
unallocImgIDID of the unallocated image that the sectors were copied into.
unallocImgStart Sector offset in the unallocated image where the run starts.
lengthNumber of sectors that are in the run.
origImgStartSector offset in the original image (relative to start of image) where the run starts
Returns
1 on error

Implements TskImgDB.

References LOGERROR.

void TskImgDBSqlite::addArtifactType ( int  typeID,
string  artifactTypeName,
string  displayName 
)
protectedvirtual

Add a new artifact type with the given name, display name and id.

Parameters
artifactTypeNametype name
displayNamedisplay name
typeIDtype id

Implements TskImgDB.

References LOGERROR.

Referenced by initialize().

void TskImgDBSqlite::addAttributeType ( int  typeID,
string  attributeTypeName,
string  displayName 
)
protectedvirtual

Add a new attribute type with the given name, display name and id.

Parameters
attributeTypeNametype name
displayNamedisplay name
typeIDtype id

Implements TskImgDB.

References LOGERROR.

Referenced by initialize().

void TskImgDBSqlite::addBlackboardAttribute ( TskBlackboardAttribute  attr)
protectedvirtual
int TskImgDBSqlite::addCarvedFileInfo ( int  vol_id,
const char *  name,
uint64_t  size,
uint64_t *  runStarts,
uint64_t *  runLengths,
int  numRuns,
uint64_t &  fileId 
)
virtual

Adds information about a carved file into the database.

This includes the sector layout information.

Parameters
vol_id Volume in which the carved file was found
nameName of the file
sizeNumber of bytes in file
runStartsArray with starting sector (relative to start of image) for each run in file.
runLengthsArray with number of sectors in each run
numRunsNumber of entries in previous arrays
fileIdCarved file Id (output)
Returns
0 on success or -1 on error.

Implements TskImgDB.

References LOGERROR, TSK_FS_META_FLAG_UNALLOC, TSK_FS_META_TYPE_REG, TSK_FS_NAME_FLAG_UNALLOC, and TSK_FS_NAME_TYPE_REG.

int TskImgDBSqlite::addDerivedFileInfo ( const std::string &  name,
const uint64_t  parentId,
const bool  isDirectory,
const uint64_t  size,
const std::string &  details,
const int  ctime,
const int  crtime,
const int  atime,
const int  mtime,
uint64_t &  fileId,
std::string  path 
)
virtual

Adds information about derived files to the database.

Derived files typically come from archives and may be compressed.

Parameters
nameThe name of the file.
parentIdThe id of the file from which this file is derived.
isDirectory True if entry is for a directory versus a file
sizeThe size of the file.
detailsThis is a string that may contain extra details related to the particular type of mechanism that was used to derive this file, e.g. files derived from zip archives may have extra information about the compressed size of the file.
ctimeTime file system file entry was changed.
crtimeTime the file was created.
atimeLast access time.
mtimeLast modified time.
fileIdReference to location where file_id for file can be assigned
pathPath of file
Returns
0 on success or -1 on error.

Implements TskImgDB.

References LOGERROR, TSK_FS_META_TYPE_DIR, TSK_FS_META_TYPE_REG, TSK_FS_NAME_TYPE_DIR, and TSK_FS_NAME_TYPE_REG.

int TskImgDBSqlite::addFsBlockInfo ( int  a_fsId,
uint64_t  a_fileId,
int  a_sequence,
uint64_t  a_blk_addr,
uint64_t  a_len 
)
virtual

Add block info to the database.

This table stores the run information for each file so that we can map which blocks are used by what files.

Parameters
a_fsIdId that the file is located in
a_fileIdID of the file
a_sequenceThe sequence number of this run in the file (0 for the first run, 1 for the second run, etc.)
a_blk_addrBlock address (the address that the file system uses – NOT the physical sector addr)
a_lenThe number of blocks in the run
Returns
1 on error

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::addFsFileInfo ( int  fileSystemID,
const TSK_FS_FILE fileSystemFile,
const char *  fileName,
int  fileSystemAttrType,
int  fileSystemAttrID,
uint64_t &  fileID,
const char *  filePath 
)
virtual

Add data for a file system file to the image database.

Parameters
fileSystemIDFile system ID of the file system the file belongs to
fileSystemFileTSK_FS_FILE object for the file
fileNameFile name
fileSystemAttrTypeFile system attribute type (see TSK_FS_ATTR_TYPE_ENUM)
fileSystemAttrIDFile system attribute ID, used to index attributes for files with multiple attributes
[out]fileIDFile ID assigned to the file by the image database
filePathPath to the file in the image, file name omitted
Returns
0 on success or -1 on error.

Implements TskImgDB.

References TSK_FS_META::atime, TSK_FS_META::crtime, TSK_FS_META::ctime, TskImgDB::findParObjId(), TSK_FS_META::flags, TSK_FS_NAME::flags, TSK_FS_META::gid, LOGERROR, TSK_FS_FILE::meta, TSK_FS_NAME::meta_addr, TSK_FS_META::mode, TSK_FS_META::mtime, TSK_FS_FILE::name, TSK_FS_ATTR::size, TskImgDB::storeParObjId(), tsk_fs_file_attr_get_id(), TSK_FS_META_TYPE_DIR, TSK_FS_META::type, TSK_FS_NAME::type, and TSK_FS_META::uid.

int TskImgDBSqlite::addImageName ( char const *  imgPath)
virtual

Add the path to the image to the image database.

Parameters
imgPathThe image path.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::addModule ( const std::string &  name,
const std::string &  description,
int &  moduleId 
)
virtual

Insert the Module record, if module name does not already exist in modules table.

Returns Module Id associated with the Module record.

Parameters
nameModule name
descriptionModule description
moduleIdModule Id (output)
Returns
0 on success, -1 on error.

Implements TskImgDB.

References LOGERROR, and LOGWARN.

int TskImgDBSqlite::addUnallocImg ( int &  unallocImgId)
virtual

Add a new row to the unalloc_img_status table, returning the unalloc_img_id.

Parameters
unallocImgIdunalloc_img_id (output)
Returns
-1 on error, 0 on success.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::addUnusedSectors ( int  unallocImgId,
std::vector< TskUnusedSectorsRecord > &  unusedSectorsList 
)
virtual

Find and add all the unused sectors (unallocated and uncarved bytes) in the given unallocImgId.

Parameters
unallocImgIdThe unalloc image id.
unusedSectorsListA vector of TskUnusedSectorsRecord
Returns
-1 on error, 0 on success.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::close ( )
virtual

Close the database.

Returns
0 on success and 1 on failure.

Implements TskImgDB.

TskBlackboardArtifact TskImgDBSqlite::createBlackboardArtifact ( uint64_t  file_id,
int  artifactTypeID 
)
protectedvirtual

Create a new blackboard artifact with the given type id and file id.

Parameters
artifactTypeIDartifact type id
file_idassociated file id
Returns
the new artifact

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getAllUnallocImgStatus ( std::vector< TskUnallocImgStatusRecord > &  unallocImgStatusList) const
virtual

Get all the unalloc_img_status table.

Parameters
unallocImgStatusListA vector of TskUnallocImgStatusRecord (output)
Returns
-1 on error, 0 on success.

Implements TskImgDB.

References LOGERROR.

string TskImgDBSqlite::getArtifactTypeDisplayName ( int  artifactTypeID)
protectedvirtual

Get the display name for the given artifact type id.

Parameters
artifactTypeIDartifact type id
Returns
display name

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getArtifactTypeID ( string  artifactTypeString)
protectedvirtual

Get the artifact type id for the given artifact type string.

Parameters
artifactTypeStringdisplay name
Returns
artifact type id

Implements TskImgDB.

References LOGERROR.

string TskImgDBSqlite::getArtifactTypeName ( int  artifactTypeID)
protectedvirtual

Get the artifact type name for the given artifact type id.

Parameters
artifactTypeIDid
Returns
artifact type name

Implements TskImgDB.

References LOGERROR.

string TskImgDBSqlite::getAttributeTypeDisplayName ( int  attributeTypeID)
protectedvirtual

Get the display name for the given attribute type id.

Parameters
attributeTypeIDattribute type id
Returns
display name

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getAttributeTypeID ( string  attributeTypeString)
protectedvirtual

Get the attribute type id for the given attribute type string.

Parameters
attributeTypeStringdisplay name
Returns
attribute type id

Implements TskImgDB.

References LOGERROR.

string TskImgDBSqlite::getAttributeTypeName ( int  attributeTypeID)
protectedvirtual

Get the attribute type name for the given attribute type id.

Parameters
attributeTypeIDid
Returns
attribute type name

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getFileCount ( const std::string &  condition) const
virtual

Get the number of files that match the given criteria.

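The given string will be appended to "select files.file_id from files". Because the condition is concatenated into the statement rather than bound as a parameter, any value in it that comes from untrusted data (for example, file names or paths read from the image being analyzed) must be escaped by the caller before the condition string is built. This class declares quote(), which appears intended for that purpose, but its behaviour is not documented on this page and should be confirmed before relying on it.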

Parameters
conditionMust be a valid SQL string defining the selection criteria.
Returns
The number of files matching the selection criteria.

Implements TskImgDB.

References LOGERROR.

Referenced by getNumFiles().

int TskImgDBSqlite::getFileIds ( char *  a_fileName,
uint64_t *  a_outBuffer,
int  a_buffSize 
) const
virtual

Fills outBuffer with file IDs that match the name fileName.

Returns the number of file IDs written into outBuffer or -1 on error.

Implements TskImgDB.

References getFileIds(), and LOGERROR.

Referenced by getFileIds().

std::vector< uint64_t > TskImgDBSqlite::getFileIds ( const std::string &  condition) const
virtual

Get the list of file ids that match the given criteria.

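The given string will be appended to "select files.file_id from files". See SQLite Image Database Schema v1.5 for tables and columns to include in the selection criteria. Because the condition is concatenated into the statement rather than bound as a parameter, any value in it that comes from untrusted data (for example, file names or paths read from the image being analyzed) must be escaped by the caller before the condition string is built.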

Parameters
conditionMust be a valid SQL string defining the selection criteria.
Returns
The collection of file ids matching the selection criteria. Throws TskException if database not initialized.

Implements TskImgDB.

References getFileIds(), and LOGERROR.

int TskImgDBSqlite::getFileInfoSummary ( std::list< TskFileTypeRecord > &  fileTypeInfoList) const
virtual

Return a list of TskFileTypeRecord for all files.

Parameters
fileTypeInfoListA list of TskFileTypeRecord (output)
Returns
0 on success or -1 on error.

Implements TskImgDB.

References TSK_FS_NAME_TYPE_REG.

int TskImgDBSqlite::getFileInfoSummary ( FILE_TYPES  fileType,
std::list< TskFileTypeRecord > &  fileTypeInfoList 
) const
virtual

Return a list of TskFileTypeRecord for fileType.

Parameters
fileTypeFILE_TYPE to report
fileTypeInfoListA list of TskFileTypeRecord (output)
Returns
0 on success or -1 on error.

Implements TskImgDB.

References TSK_FS_NAME_TYPE_REG.

int TskImgDBSqlite::getFileRecord ( const uint64_t  fileId,
TskFileRecord fileRecord 
) const
virtual

Queries the blackboard for raw information about a specific file.

Parameters
fileIdID of file to lookup
fileRecordLocation where data should be stored
Returns
-1 on error and 0 on success.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getFileUniqueIdentifiers ( uint64_t  a_fileId,
uint64_t &  a_fsOffset,
uint64_t &  a_fsFileId,
int &  a_attrType,
int &  a_attrId 
) const
virtual
Parameters
a_fileIdFile id to get information about
a_fsOffsetByte offset of start of file system that the file is located in
a_fsFileIdFile system-specific id of the file
a_attrTypeType of attribute for this file
a_attrIdThe ID of the attribute for this file
Returns
-1 on error

Implements TskImgDB.

References LOGERROR.

SectorRuns * TskImgDBSqlite::getFreeSectors ( ) const
virtual

Get information on all of the free sectors in an image.

Returns
Info on unallocated runs (or NULL on error). Caller must free this when done.

Implements TskImgDB.

References SectorRuns::addRun(), LOGERROR, LOGINFO, TSK_FS_META_FLAG_UNALLOC, tsk_list_add(), tsk_list_find(), tsk_list_free(), and TSK_VS_PART_FLAG_UNALLOC.

int TskImgDBSqlite::getFsInfo ( std::list< TskFsInfoRecord > &  fsInfoList) const
virtual

Return a list of TskFsInfoRecord.

Parameters
fsInfoListA list of TskFsInfoRecord (output)
Returns
0 on success or -1 on error.

Implements TskImgDB.

References LOGERROR.

std::string TskImgDBSqlite::getImageBaseName ( ) const
virtual

Gets the base name of the image, i.e., the file name of the first image path stored in the database.

Returns
The name of the image, possibly the empty string if no image paths have been stored.

Implements TskImgDB.

int TskImgDBSqlite::getImageInfo ( int &  type,
int &  sectorSize 
) const
virtual

Return the ImageInfo.

Parameters
typeImage Type (output)
sectorSizeImage sector size (output)
Returns
0 on success or -1 on error.

Implements TskImgDB.

References LOGERROR.

std::vector< std::wstring > TskImgDBSqlite::getImageNamesW ( ) const
virtual

Gets a list of image paths.

Returns
A vector of image paths as std::wstrings. There may be multiple paths for a split image or the list may be empty if no image paths have been stored.

Implements TskImgDB.

TskImgDB::KNOWN_STATUS TskImgDBSqlite::getKnownStatus ( const uint64_t  fileId) const
virtual

Return the known status of the file with the given id.

Parameters
fileIdid of the file to get the status of
Returns
KNOWN_STATUS or -1 on error

Implements TskImgDB.

References LOGERROR.

vector< TskBlackboardArtifact > TskImgDBSqlite::getMatchingArtifacts ( string  condition)
protectedvirtual

Get all artifacts by performing a SQL Select statement with the given where clause.

Parameters
conditionThe SQL select where clause that should be used in the query.
Returns
vector of matching artifacts

Implements TskImgDB.

References LOGERROR.

vector< TskBlackboardAttribute > TskImgDBSqlite::getMatchingAttributes ( string  condition)
protectedvirtual

Get all attributes that match the given where clause.

Parameters
conditionwhere clause to use for matching
Returns
vector of matching attributes

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getModuleErrors ( std::vector< TskModuleStatus > &  moduleStatusList) const
virtual

Get a list of TskModuleStatus.

Parameters
moduleStatusListA list of TskModuleStatus (output)
Returns
0 on success, -1 on error.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getModuleInfo ( std::vector< TskModuleInfo > &  moduleInfoList) const
virtual

Get a list of TskModuleInfo.

Parameters
moduleInfoList A list of TskModuleInfo (output)
Returns
0 on success, -1 on error.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getNumFiles ( ) const
virtual

Get number of files in image.

Returns
Number of files in image or -1 on error

Implements TskImgDB.

References getFileCount().

int TskImgDBSqlite::getNumVolumes ( ) const
virtual

Get number of volumes in image.

Returns
Number of volumes in image or -1 on error

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getSessionID ( ) const
virtual
Returns
the session_id or -1 on error.

Implements TskImgDB.

References LOGERROR.

TskImgDB::UNALLOC_IMG_STATUS TskImgDBSqlite::getUnallocImgStatus ( int  unallocImgId) const
virtual

Get the status of the unalloc_img_status table given the unalloc_img_id.

Can throw TskException.

Parameters
unallocImgIdunalloc_img_id
Returns
TskImgDB::UNALLOC_IMG_STATUS

Implements TskImgDB.

References LOGERROR.

UnallocRun * TskImgDBSqlite::getUnallocRun ( int  a_unalloc_img_id,
int  a_file_offset 
) const
virtual

Given an offset in an unallocated image that was created for carving, return information about where that data came from in the original image.

This is used to map where a carved file is located in the original image.

Parameters
a_unalloc_img_idID of the unallocated image that you want data about
a_file_offsetSector offset where file was found in the unallocated image
Returns
NULL on error or a run descriptor.

Implements TskImgDB.

References LOGERROR.

std::map< uint64_t, std::string > TskImgDBSqlite::getUniqueCarvedFiles ( HASH_TYPE  hashType) const
virtual

Returns the file ids and carved file names for a unique set of carved files.

Uniqueness is based on the value of a particular hash type. Where duplicate hash values exist, the lowest file_id is chosen. NOTE: This function is deprecated and will be removed in the next major release, use the getUniqueCarvedFilesInfo() member function instead.

Parameters
hashTypeThe type of hash value to use when determining uniqueness.
Returns
A map of file ids to the corresponding carved file name.

Implements TskImgDB.

References LOGERROR, TskImgDB::MD5, TskImgDB::SHA1, TskImgDB::SHA2_256, and TskImgDB::SHA2_512.

std::vector< TskCarvedFileInfo > TskImgDBSqlite::getUniqueCarvedFilesInfo ( HASH_TYPE  hashType) const
virtual

Returns the file ids, content hashes, and carved file names for a unique set of carved files.

Uniqueness is based on the value of a particular hash type. Where duplicate hash values exist, the lowest file_id is chosen.

Parameters
hashTypeThe type of hash value to use when determining uniqueness.
Returns
A map of file ids to the corresponding carved file name. Throws TskException.

Implements TskImgDB.

References LOGWARN, TskImgDB::MD5, TskImgDB::SHA1, TskImgDB::SHA2_256, and TskImgDB::SHA2_512.

int TskImgDBSqlite::getUnusedSector ( uint64_t  fileId,
TskUnusedSectorsRecord unusedSectorsRecord 
) const
virtual

Get unused sector record given a file id.

Parameters
fileIdFile id of the unused sector.
unusedSectorsRecordTskUnusedSectorsRecord (output)
Returns
-1 on error, 0 on success.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::getVolumeInfo ( std::list< TskVolumeInfoRecord > &  volumeInfoList) const
virtual

Return a list of TskVolumeInfoRecord.

Parameters
volumeInfoListA list of TskVolumeInfoRecord (output)
Returns
0 on success or -1 on error.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::initialize ( )
virtual

Opens the database and creates the needed tables.

Returns
1 on error and 0 on success.

Implements TskImgDB.

References addArtifactType(), addAttributeType(), LOGERROR, LOGINFO, and open().

int TskImgDBSqlite::open ( )
virtual

Opens an existing database.

Use initialize() to create a new one.

Returns
1 on error and 0 on success.

Implements TskImgDB.

References LOGERROR, and LOGINFO.

Referenced by initialize().

int TskImgDBSqlite::setModuleStatus ( uint64_t  file_id,
int  module_id,
int  status 
)
virtual

Insert the module status record.

Parameters
file_idfile_id
module_idmodule_id
statusStatus of module
Returns
0 on success, -1 on error.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::setUnallocImgStatus ( int  unallocImgId,
TskImgDB::UNALLOC_IMG_STATUS  status 
)
virtual

Set the status in the unalloc_img_status table given the unalloc_img_id.

Parameters
unallocImgIdunalloc_img_id
statusstatus of unalloc_img_id
Returns
-1 on error, 0 on success.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::updateFileStatus ( uint64_t  a_file_id,
FILE_STATUS  a_status 
)
virtual

update the status field in the database for a given file.

Parameters
a_file_idFile to update.
a_statusStatus flag to update to.
Returns
1 on error.

Implements TskImgDB.

References LOGERROR.

int TskImgDBSqlite::updateKnownStatus ( uint64_t  a_file_id,
KNOWN_STATUS  a_status 
)
virtual

update the known status field in the database for a given file.

Parameters
a_file_idFile to update.
a_statusStatus flag to update to.
Returns
1 on error.

Implements TskImgDB.

References LOGERROR.


The documentation for this class was generated from the following files:

Copyright © 2011-2013 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.