SleuthkitJNI.java

Go to the documentation of this file.

/*
 * Sleuth Kit Data Model
 *
 * Copyright 2011 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *       http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.datamodel;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TimeZone;
import org.sleuthkit.datamodel.TskData.TSK_FS_ATTR_TYPE_ENUM;

public class SleuthkitJNI {

        private static final int MAX_DATABASES = 256;

        //Native methods
        private static native String getVersionNat();

        private static native void startVerboseLoggingNat(String logPath);

        //database
        private static native long newCaseDbNat(String dbPath) throws TskCoreException;

        private static native long openCaseDbNat(String path) throws TskCoreException;

        private static native void closeCaseDbNat(long db) throws TskCoreException;

        private static native int hashDbOpenNat(String hashDbPath) throws TskCoreException;

        private static native int hashDbNewNat(String hashDbPath) throws TskCoreException;

        private static native int hashDbBeginTransactionNat(int dbHandle) throws TskCoreException;

        private static native int hashDbCommitTransactionNat(int dbHandle) throws TskCoreException;

        private static native int hashDbRollbackTransactionNat(int dbHandle) throws TskCoreException;

        private static native int hashDbAddEntryNat(String filename, String hashMd5, String hashSha1, String hashSha256, String comment, int dbHandle) throws TskCoreException;

        private static native boolean hashDbIsUpdateableNat(int dbHandle);

        private static native boolean hashDbIsReindexableNat(int dbHandle);

        private static native String hashDbPathNat(int dbHandle);

        private static native String hashDbIndexPathNat(int dbHandle);

        private static native String hashDbGetDisplayName(int dbHandle) throws TskCoreException;

        private static native void hashDbCloseAll() throws TskCoreException;

        private static native void hashDbClose(int dbHandle) throws TskCoreException;

        //hash-lookup database functions   
        private static native void hashDbCreateIndexNat(int dbHandle) throws TskCoreException;

        private static native boolean hashDbIndexExistsNat(int dbHandle) throws TskCoreException;

        private static native boolean hashDbIsIdxOnlyNat(int dbHandle) throws TskCoreException;

        private static native boolean hashDbLookup(String hash, int dbHandle) throws TskCoreException;

        private static native HashHitInfo hashDbLookupVerbose(String hash, int dbHandle) throws TskCoreException;

        //load image
        private static native long initAddImgNat(long db, String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) throws TskCoreException;

        private static native void runAddImgNat(long process, String[] imgPath, int splits, String timezone) throws TskCoreException, TskDataException; // if runAddImg finishes without being stopped, revertAddImg or commitAddImg MUST be called

        private static native void stopAddImgNat(long process) throws TskCoreException;

        private static native void revertAddImgNat(long process) throws TskCoreException;

        private static native long commitAddImgNat(long process) throws TskCoreException;

        //open functions
        private static native long openImgNat(String[] imgPath, int splits) throws TskCoreException;

        private static native long openVsNat(long imgHandle, long vsOffset) throws TskCoreException;

        private static native long openVolNat(long vsHandle, long volId) throws TskCoreException;

        private static native long openFsNat(long imgHandle, long fsId) throws TskCoreException;

        private static native long openFileNat(long fsHandle, long fileId, int attrType, int attrId) throws TskCoreException;

        //read functions
        private static native int readImgNat(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;

        private static native int readVsNat(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;

        private static native int readVolNat(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;

        private static native int readFsNat(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;

        private static native int readFileNat(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;

        private static native int saveFileMetaDataTextNat(long fileHandle, String fileName) throws TskCoreException;

        //close functions
        private static native void closeImgNat(long imgHandle);

        private static native void closeVsNat(long vsHandle);

        private static native void closeFsNat(long fsHandle);

        private static native void closeFileNat(long fileHandle);

        //util functions
        private static native long findDeviceSizeNat(String devicePath) throws TskCoreException;

        private static native String getCurDirNat(long process);

        //Linked library loading
        static {
                LibraryUtils.loadSleuthkitJNI();
        }

        private SleuthkitJNI() {

        }

        public static class CaseDbHandle {

                private long caseDbPointer;
                //map concat. image paths to cached image handle
                private static final Map<String, Long> imageHandleCache = new HashMap<String, Long>();
                //map image and offsets to cached fs handle
                private static final Map<Long, Map<Long, Long>> fsHandleCache = new HashMap<Long, Map<Long, Long>>();

                private CaseDbHandle(long pointer) {
                        this.caseDbPointer = pointer;
                }

                void free() throws TskCoreException {
                        SleuthkitJNI.closeCaseDbNat(caseDbPointer);
                }

                AddImageProcess initAddImageProcess(String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) {
                        return new AddImageProcess(timezone, processUnallocSpace, noFatFsOrphans);
                }

                public class AddImageProcess {

                        private String timezone;
                        private boolean processUnallocSpace;
                        private boolean noFatFsOrphans;
                        private volatile long autoDbPointer;

                        private AddImageProcess(String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) {
                                this.timezone = timezone;
                                this.processUnallocSpace = processUnallocSpace;
                                this.noFatFsOrphans = noFatFsOrphans;
                                autoDbPointer = 0;
                        }

                        public void run(String[] imgPath) throws TskCoreException, TskDataException {
                                if (autoDbPointer != 0) {
                                        throw new TskCoreException("AddImgProcess:run: AutoDB pointer is already set");
                                }

                                synchronized (this) {
                                        autoDbPointer = initAddImgNat(caseDbPointer, timezoneLongToShort(timezone), processUnallocSpace, noFatFsOrphans);
                                }
                                if (autoDbPointer == 0) {
                                        //additional check in case initAddImgNat didn't throw exception
                                        throw new TskCoreException("AddImgProcess::run: AutoDB pointer is NULL after initAddImgNat");
                                }
                                runAddImgNat(autoDbPointer, imgPath, imgPath.length, timezone);
                        }

                        public void stop() throws TskCoreException {
                                if (autoDbPointer == 0) {
                                        throw new TskCoreException("AddImgProcess::stop: AutoDB pointer is NULL");
                                }

                                stopAddImgNat(autoDbPointer);
                        }

                        public synchronized void revert() throws TskCoreException {
                                if (autoDbPointer == 0) {
                                        throw new TskCoreException("AddImgProcess::revert: AutoDB pointer is NULL");
                                }

                                revertAddImgNat(autoDbPointer);
                                // the native code deleted the object
                                autoDbPointer = 0;
                        }

                        public synchronized long commit() throws TskCoreException {
                                if (autoDbPointer == 0) {
                                        throw new TskCoreException("AddImgProcess::commit: AutoDB pointer is NULL");
                                }

                                long id = commitAddImgNat(autoDbPointer);
                                // the native code deleted the object
                                autoDbPointer = 0;
                                return id;
                        }

                        public synchronized String currentDirectory() {
                                return autoDbPointer == 0 ? "NO_INFO" : getCurDirNat(autoDbPointer); //NON-NLS
                        }
                }
        }

        static CaseDbHandle newCaseDb(String path) throws TskCoreException {
                return new CaseDbHandle(newCaseDbNat(path));
        }

        static CaseDbHandle openCaseDb(String path) throws TskCoreException {
                return new CaseDbHandle(openCaseDbNat(path));
        }

        public static String getVersion() {
                return getVersionNat();
        }

        public static void startVerboseLogging(String logPath) {
                startVerboseLoggingNat(logPath);
        }

        public synchronized static long openImage(String[] imageFiles) throws TskCoreException {
                long imageHandle = 0;

                StringBuilder keyBuilder = new StringBuilder();
                for (int i = 0; i < imageFiles.length; ++i) {
                        keyBuilder.append(imageFiles[i]);
                }
                final String imageKey = keyBuilder.toString();

                if (CaseDbHandle.imageHandleCache.containsKey(imageKey)) //get from cache
                {
                        imageHandle = CaseDbHandle.imageHandleCache.get(imageKey);
                } else {
                        //open new handle and cache it
                        imageHandle = openImgNat(imageFiles, imageFiles.length);
                        CaseDbHandle.fsHandleCache.put(imageHandle, new HashMap<Long, Long>());
                        CaseDbHandle.imageHandleCache.put(imageKey, imageHandle);
                }

                return imageHandle;

        }

        public static long openVs(long imgHandle, long vsOffset) throws TskCoreException {
                return openVsNat(imgHandle, vsOffset);
        }

        //get pointers
        public static long openVsPart(long vsHandle, long volId) throws TskCoreException {
                //returned long is ptr to vs Handle object in tsk
                return openVolNat(vsHandle, volId);
        }

        public synchronized static long openFs(long imgHandle, long fsOffset) throws TskCoreException {
                long fsHandle = 0;
                final Map<Long, Long> imgOffSetToFsHandle = CaseDbHandle.fsHandleCache.get(imgHandle);
                if (imgOffSetToFsHandle.containsKey(fsOffset)) {
                        //return cached
                        fsHandle = imgOffSetToFsHandle.get(fsOffset);
                } else {
                        fsHandle = openFsNat(imgHandle, fsOffset);
                        //cache it
                        imgOffSetToFsHandle.put(fsOffset, fsHandle);
                }
                return fsHandle;
        }

        public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId) throws TskCoreException {
                return openFileNat(fsHandle, fileId, attrType.getValue(), attrId);
        }

        //do reads
        public static int readImg(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
                //returned byte[] is the data buffer
                return readImgNat(imgHandle, readBuffer, offset, len);
        }

        public static int readVs(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
                return readVsNat(vsHandle, readBuffer, offset, len);
        }

        public static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
                //returned byte[] is the data buffer
                return readVolNat(volHandle, readBuffer, offset, len);
        }

        public static int readFs(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
                //returned byte[] is the data buffer
                return readFsNat(fsHandle, readBuffer, offset, len);
        }

        public static int readFile(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
                return readFileNat(fileHandle, readBuffer, offset, len);
        }

        public static List<String> getFileMetaDataText(long fileHandle) throws TskCoreException {
                try {
                        java.io.File tmp = java.io.File.createTempFile("tsk", ".txt");

                        saveFileMetaDataTextNat(fileHandle, tmp.getAbsolutePath());

                        FileReader fr = new FileReader(tmp.getAbsolutePath());
                        BufferedReader textReader = new BufferedReader(fr);

                        List<String> lines = new ArrayList<String>();
                        while (true) {
                                String line = textReader.readLine();
                                if (line == null) {
                                        break;
                                }
                                lines.add(line);
                        }
                        textReader.close();
                        fr.close();
                        tmp.delete();
                        return lines;
                } catch (IOException ex) {
                        throw new TskCoreException("Error reading istat output: " + ex.getLocalizedMessage());
                }
        }

        //free pointers
        public static void closeImg(long imgHandle) {
                //@@@ TODO close the image handle when Case is closed instead
                //currently the image handle is not being freed, it's cached for duration of the application
                //closeImgNat(imgHandle); 
        }

        public static void closeVs(long vsHandle) {
                closeVsNat(vsHandle);
        }

        public static void closeFs(long fsHandle) {
                //@@@ TODO close the fs handle when Case is closed instead
                //currently the fs handle is not being freed, it's cached for duration of the application
                //closeFsNat(fsHandle);
        }

        public static void closeFile(long fileHandle) {
                closeFileNat(fileHandle);
        }

        public static void createLookupIndexForHashDatabase(int dbHandle) throws TskCoreException {
                hashDbCreateIndexNat(dbHandle);
        }

        public static boolean hashDatabaseHasLookupIndex(int dbHandle) throws TskCoreException {
                return hashDbIndexExistsNat(dbHandle);
        }

        public static boolean hashDatabaseCanBeReindexed(int dbHandle) throws TskCoreException {
                return hashDbIsReindexableNat(dbHandle);
        }

        public static String getHashDatabasePath(int dbHandle) throws TskCoreException {
                return hashDbPathNat(dbHandle);
        }

        public static String getHashDatabaseIndexPath(int dbHandle) throws TskCoreException {
                return hashDbIndexPathNat(dbHandle);
        }

        public static int openHashDatabase(String path) throws TskCoreException {
                return hashDbOpenNat(path);
        }

        public static int createHashDatabase(String path) throws TskCoreException {
                return hashDbNewNat(path);
        }

        public static void closeAllHashDatabases() throws TskCoreException {
                hashDbCloseAll();
        }

        public static void closeHashDatabase(int dbHandle) throws TskCoreException {
                hashDbClose(dbHandle);
        }

        public static String getHashDatabaseDisplayName(int dbHandle) throws TskCoreException {
                return hashDbGetDisplayName(dbHandle);
        }

        public static boolean lookupInHashDatabase(String hash, int dbHandle) throws TskCoreException {
                return hashDbLookup(hash, dbHandle);
        }

        public static HashHitInfo lookupInHashDatabaseVerbose(String hash, int dbHandle) throws TskCoreException {
                return hashDbLookupVerbose(hash, dbHandle);
        }

        public static void addToHashDatabase(String filename, String md5, String sha1, String sha256, String comment, int dbHandle) throws TskCoreException {
                hashDbAddEntryNat(filename, md5, sha1, sha256, comment, dbHandle);
        }

        public static void addToHashDatabase(List<HashEntry> hashes, int dbHandle) throws TskCoreException {
                hashDbBeginTransactionNat(dbHandle);
                try {
                        for (HashEntry entry : hashes) {
                                hashDbAddEntryNat(entry.getFileName(), entry.getMd5Hash(), entry.getSha1Hash(), entry.getSha256Hash(), entry.getComment(), dbHandle);
                        }
                        hashDbCommitTransactionNat(dbHandle);
                } catch (TskCoreException ex) {
                        try {
                                hashDbRollbackTransactionNat(dbHandle);
                        } catch (TskCoreException ex2) {
                                ex2.initCause(ex);
                                throw ex2;
                        }
                        throw ex;
                }
        }

        public static boolean isUpdateableHashDatabase(int dbHandle) throws TskCoreException {
                return hashDbIsUpdateableNat(dbHandle);
        }

        public static boolean hashDatabaseIsIndexOnly(int dbHandle) throws TskCoreException {
                return hashDbIsIdxOnlyNat(dbHandle);
        }

        private static String timezoneLongToShort(String timezoneLongForm) {
                if (timezoneLongForm == null || timezoneLongForm.isEmpty()) {
                        return "";
                }

                String timezoneShortForm = "";
                TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
                int offset = zone.getRawOffset() / 1000;
                int hour = offset / 3600;
                int min = (offset % 3600) / 60;
                DateFormat dfm = new SimpleDateFormat("z");
                dfm.setTimeZone(zone);
                boolean hasDaylight = zone.useDaylightTime();
                String first = dfm.format(new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3); // make it only 3 letters code
                String second = dfm.format(new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3); // make it only 3 letters code
                int mid = hour * -1;
                timezoneShortForm = first + Integer.toString(mid);
                if (min != 0) {
                        timezoneShortForm = timezoneShortForm + ":" + (min < 10 ? "0" : "") + Integer.toString(min);
                }
                if (hasDaylight) {
                        timezoneShortForm = timezoneShortForm + second;
                }
                return timezoneShortForm;
        }

        public static long findDeviceSize(String devPath) throws TskCoreException {
                return findDeviceSizeNat(devPath);
        }
}