An interface to a class that allows file system and low-level access to a disk image. More...
#include <TskImageFile.h>
Public Member Functions | |
| virtual void | close ()=0 |
| Close the disk image. | |
| virtual int | closeFile (const int handle)=0 |
| Closes an opened file. More... | |
| virtual int | extractFiles ()=0 |
| Analyze the volume and file systems in the opened images and populate the TskImgDB instance registered with TskServices. More... | |
| virtual int | getByteData (const uint64_t byte_start, const uint64_t byte_len, char *buffer)=0 |
| Return the data located at the given byte offset in the disk image. More... | |
| virtual std::vector< std::string > | getFileNames () const =0 |
| Return the file name(s) that make up the image. | |
| virtual std::vector< std::wstring > | getFileNamesW () const =0 |
| virtual int | getSectorData (const uint64_t sect_start, const uint64_t sect_len, char *buffer)=0 |
| Return the data located at the given sector offset in the disk image. More... | |
| virtual int | open ()=0 |
| open the images at the paths saved in ImgDB More... | |
| virtual int | open (const TSK_TCHAR *imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0)=0 |
| Opens a single (non-split) disk image file so that it can be read. More... | |
| virtual int | open (const int numberOfImages, const TSK_TCHAR *const imageFile[], const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0)=0 |
| Opens one or more disk image files so that they can be read. More... | |
| virtual int | open (const std::string &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0)=0 |
| Opens a single (non-split) disk image file so that it can be read. More... | |
| virtual int | open (const std::wstring &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0)=0 |
| Opens a single (non-split) disk image file so that it can be read. More... | |
| virtual int | open (const std::vector< std::string > &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0)=0 |
| Opens one or more disk image files so that they can be read. More... | |
| virtual int | open (const std::vector< std::wstring > &imageFile, const TSK_IMG_TYPE_ENUM imageType=TSK_IMG_TYPE_DETECT, const unsigned int sectorSize=0)=0 |
| Opens one or more disk image files so that they can be read. More... | |
| virtual int | openFile (const uint64_t fileId)=0 |
| Provides access to the content of a specific file that was extracted from the disk image. More... | |
| virtual int | readFile (const int handle, const TSK_OFF_T byte_offset, const size_t byte_len, char *buffer)=0 |
| Reads content of a file that was opened with openFile(). More... | |
| TskImageFile () | |
| You must call one of the open() methods after creating the object. | |
Detailed Description
An interface to a class that allows file system and low-level access to a disk image.
It supports opening split image files, extracting file system information from the image and extracting data for a specific file or for a range of sectors. You must call one of the open() methods before using any of the other methods in the interface.
Member Function Documentation
|
pure virtual |
Closes an opened file.
- Parameters
-
handle File handle that was returned by an earlier call to openFile()
Implemented in TskImageFileTsk.
Referenced by TskFileTsk::close().
|
pure virtual |
Analyze the volume and file systems in the opened images and populate the TskImgDB instance registered with TskServices.
This will not perform file carving.
- Returns
- 1 if there was a major error that prevented any extraction. 0 will be returned if there were minor errors during extraction or if there were no errors.
Implemented in TskImageFileTsk.
|
pure virtual |
Return the data located at the given byte offset in the disk image.
- Parameters
-
byte_start Byte offset into image from which to return data byte_len Number of bytes to read buffer A buffer into which data will be placed. Must be at least byte_len large
- Returns
- Number of bytes read or -1 on error
Implemented in TskImageFileTsk.
Referenced by TskFileTsk::read().
|
pure virtual |
Return the data located at the given sector offset in the disk image.
- Parameters
-
sect_start Sector offset into image from which to return data sect_len Number of sectors to read buffer A buffer into which data will be placed. Must be at least len * 512 large
- Returns
- Number of sectors read or -1 on error
Implemented in TskImageFileTsk.
Referenced by SectorRuns::getData().
|
pure virtual |
open the images at the paths saved in ImgDB
- Returns
- 0 on success and -1 on error
Implemented in TskImageFileTsk.
|
pure virtual |
Opens a single (non-split) disk image file so that it can be read.
- Parameters
-
imageFile The path to the image file imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implemented in TskImageFileTsk.
|
pure virtual |
Opens one or more disk image files so that they can be read.
e UTF8, then consider
- Parameters
-
numberOfImages The number of images to open (will be > 1 for split images). imageFile The path to the image files (the number of files must be equal to num_img and they must be in a sorted order) imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implemented in TskImageFileTsk.
|
pure virtual |
Opens a single (non-split) disk image file so that it can be read.
This version always takes a UTF-8 encoding of the disk image.
- Parameters
-
imageFile The UTF-8 path to the image file imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implemented in TskImageFileTsk.
|
pure virtual |
Opens a single (non-split) disk image file so that it can be read.
- Parameters
-
imageFile The path to the image file imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implemented in TskImageFileTsk.
|
pure virtual |
Opens one or more disk image files so that they can be read.
This version always takes a UTF-8 encoding of the image files.
- Parameters
-
imageFile A vector of UTF-8 encoded image files imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implemented in TskImageFileTsk.
|
pure virtual |
Opens one or more disk image files so that they can be read.
- Parameters
-
imageFile A vector of image files imageType The disk image type (can be autodetection) sectorSize Size of device sector in bytes (or 0 for default)
- Returns
- -1 on error and 0 on success
Implemented in TskImageFileTsk.
|
pure virtual |
Provides access to the content of a specific file that was extracted from the disk image.
- Parameters
-
fileId ID of the file (can be found in database)
- Returns
- A handle to the file or -1 on error.
Implemented in TskImageFileTsk.
Referenced by TskFileTsk::open().
|
pure virtual |
Reads content of a file that was opened with openFile().
- Parameters
-
handle File handle that was returned by an earlier call to openFile() byte_offset Starting byte offset from which to read data byte_len The number of bytes to read buffer A buffer into which data will be placed. Must be at least byte_len bytes.
- Returns
- Number of bytes read or -1 on error
Implemented in TskImageFileTsk.
Referenced by TskFileTsk::read().
The documentation for this class was generated from the following files:
- framework/tsk/framework/extraction/TskImageFile.h
- framework/tsk/framework/extraction/TskImageFile.cpp