Matteo Cafasso
2016-Mar-14 19:07 UTC
[Libguestfs] [PATCH 0/2] blkcat API to extract device data units
blkcat allows extracting files given their data units (clusters for NTFS, fragments for ExtX). This API allows recovering files which icat cannot. For example, icat often fails to retrieve deleted files on Ext3/Ext4 filesystems. As this API works at data unit level, some garbage at the beginning or at the end of the files is expected.

An example of blkcat can be found here: http://wiki.sleuthkit.org/index.php?title=FS_Analysis

Matteo Cafasso (2):
  added blkcat API
  added blkcat API tests

 daemon/tsk.c             | 27 ++++++++++++++++++++++++
 generator/actions.ml     | 18 ++++++++++++++++
 src/MAX_PROC_NR          |  2 +-
 tests/tsk/Makefile.am    |  3 ++-
 tests/tsk/test-blkcat.sh | 53 ++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 101 insertions(+), 2 deletions(-)
 create mode 100755 tests/tsk/test-blkcat.sh

-- 
2.7.0
Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/tsk.c | 27 +++++++++++++++++++++++++++ generator/actions.ml | 18 ++++++++++++++++++ src/MAX_PROC_NR | 2 +- 3 files changed, 46 insertions(+), 1 deletion(-) diff --git a/daemon/tsk.c b/daemon/tsk.c index 0fe1250..5b55739 100644 --- a/daemon/tsk.c +++ b/daemon/tsk.c @@ -59,6 +59,33 @@ do_icat (const mountable_t *mountable, int64_t inode) return file_out (cmd); } +int +do_blkcat (const mountable_t *mountable, int64_t start, int64_t number) +{ + CLEANUP_FREE char *cmd = NULL; + + /* Data unit address start must be greater than 0 */ + if (start < 0) { + reply_with_error ("data unit starting address must be >= 0"); + return -1; + } + + /* Data unit number must be greater than 1 */ + if (number < 1) { + reply_with_error ("data unit number must be >= 1"); + return -1; + } + + /* Construct the command. */ + if (asprintf (&cmd, "blkcat %s %" PRIi64 " %" PRIi64, + mountable->device, start, number) == -1) { + reply_with_perror ("asprintf"); + return -1; + } + + return file_out (cmd); +} + static int file_out (const char *cmd) { diff --git a/generator/actions.ml b/generator/actions.ml index ff72cfe..0fabed6 100644 --- a/generator/actions.ml +++ b/generator/actions.ml 
@@ -12958,6 +12958,24 @@ and save it as F<filename> on the local machine. This allows to download deleted or inaccessible files." }; + { defaults with + name = "blkcat"; added = (1, 33, 14); + style = RErr, [Mountable "device"; Int64 "start"; Int64 "number"; FileOut "filename"], []; + proc_nr = Some 465; + optional = Some "sleuthkit"; + progress = true; cancellable = true; + shortdesc = "download the device data units to the local machine"; + longdesc = "\ +Download F<number> amount of data units starting from F<start> +from the disk partition (eg. F</dev/sda1>) +and save them as F<filename> on the local machine. + +The size of a data unit varies across filesystem implementations. +On NTFS filesystems data units are referred as clusters +while on ExtX ones they are referred as fragments. + +This command allows to download unallocated sectors of the disk." }; + ] (* Non-API meta-commands available only in guestfish. diff --git a/src/MAX_PROC_NR b/src/MAX_PROC_NR index 3bb8a49..073c57b 100644 --- a/src/MAX_PROC_NR +++ b/src/MAX_PROC_NR @@ -1 +1 @@ -464 +465 -- 2.7.0
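Review bot: in the do_blkcat hunk of daemon/tsk.c the two comments contradict the checks under them: `/* Data unit address start must be greater than 0 */` sits above `if (start < 0)` with the error text "must be >= 0", and `/* Data unit number must be greater than 1 */` sits above `if (number < 1)` with the error text "must be >= 1". The checks and error strings are the intended behaviour (unit 0 is a valid start, one unit is a valid count), so change the comments to say ">= 0" and ">= 1". Validating start and number against the size of the filesystem is left to the blkcat binary, which is consistent with how do_icat delegates to icat, so no further check is needed in the daemon.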
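Review bot: the longdesc in the generator/actions.ml hunk uses F<> markup for the two integer parameters (`Download F<number> amount of data units starting from F<start>`); F<> denotes filenames in the generator's POD conventions, so these should be C<number> and C<start>, keeping F<> only for F</dev/sda1> and F<filename>. The text also needs a few wording fixes: "Download F<number> amount of data units" reads better as "Download C<number> data units", "eg." should be "e.g.", "referred as clusters" and "referred as fragments" should be "referred to as", and the last sentence "This command allows to download unallocated sectors of the disk" should read "This command allows downloading unallocated data units of the disk" so that it uses the same term as the rest of the description rather than switching to sectors.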
Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- tests/tsk/Makefile.am | 3 ++- tests/tsk/test-blkcat.sh | 53 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100755 tests/tsk/test-blkcat.sh diff --git a/tests/tsk/Makefile.am b/tests/tsk/Makefile.am index e060e58..37fc13c 100644 --- a/tests/tsk/Makefile.am +++ b/tests/tsk/Makefile.am @@ -18,7 +18,8 @@ include $(top_srcdir)/subdir-rules.mk TESTS = \ - test-icat.sh + test-icat.sh \ + test-blkcat.sh TESTS_ENVIRONMENT = $(top_builddir)/run --test diff --git a/tests/tsk/test-blkcat.sh b/tests/tsk/test-blkcat.sh new file mode 100755 index 0000000..686ab47 --- /dev/null +++ b/tests/tsk/test-blkcat.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash - +# libguestfs +# Copyright (C) 2016 Red Hat Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +# Test the blkcat command. + +set -e + +if [ -n "$SKIP_TEST_BLKCAT_SH" ]; then + echo "$0: test skipped because environment variable is set." + exit 77 +fi + +rm -f test-blk0.bin + +# Skip if TSK is not supported by the appliance. +if ! guestfish add /dev/null : run : available "sleuthkit"; then + echo "$0: skipped because TSK is not available in the appliance" + exit 77 +fi + +if [ ! -s ../../test-data/phony-guests/windows.img ]; then + echo "$0: skipped because windows.img is zero-sized" + exit 77 +fi + +# download Master File Table ($MFT). +guestfish --ro -a ../../test-data/phony-guests/windows.img <<EOF +run +blkcat /dev/sda2 0 1 test-blk0.bin +EOF + +# test extracted data contains NTFS FS signature +if [ `head -c 5 test-mft.bin` != "NTFS" ]; then + echo "$0: wrong cluster extracted." + exit 1 +fi + +rm -f test-blk0.bin -- 2.7.0
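Review bot: the check in tests/tsk/test-blkcat.sh inspects the wrong file: the guestfish command downloads to test-blk0.bin, but the comparison runs `head -c 5 test-mft.bin`, a leftover from the icat test, so the extracted data is never examined, and because the command substitution is unquoted and the file does not exist, `[` fails with a syntax error instead of a clean test failure. The same hunk has two related inconsistencies: the comment `# download Master File Table ($MFT).` does not match the command `blkcat /dev/sda2 0 1`, which fetches data unit 0, nor the later comment `# test extracted data contains NTFS FS signature`; and in the NTFS boot sector the "NTFS" OEM ID starts at byte offset 3, after a 3-byte jump instruction, so the first 5 bytes will never compare equal to "NTFS" even once the file name is fixed. Suggest changing the first comment to say the boot sector (data unit 0) is downloaded and replacing the comparison with something like `if [ "$(dd if=test-blk0.bin bs=1 skip=3 count=4 2>/dev/null)" != "NTFS" ]; then`, which quotes the substitution and reads exactly the four signature bytes.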