search for: do_icat

...l.h" +#include "daemon.h" +#include "actions.h" +#include "optgroups.h" + +static int file_out (const char *cmd); + +GUESTFSD_EXT_CMD(str_sleuthkit_probe, icat); + +int +optgroup_sleuthkit_available (void) +{ + return prog_exists (str_sleuthkit_probe); +} + +int +do_icat (const mountable_t *mountable, int64_t inode) +{ + CLEANUP_FREE char *cmd = NULL; + + /* Inode must be greater than 0 */ + if (inode < 0) { + reply_with_error ("inode must be >= 0"); + return -1; + } + + /* Construct the command. */ + if (asprintf (&cmd, "icat -...

...e_out (const char *cmd); +int optgroup_sleuthkit_available(void); +static int send_command_output(const char *cmd); -GUESTFSD_EXT_CMD(str_sleuthkit_probe, icat); +GUESTFSD_EXT_CMD(str_icat, icat); -int -optgroup_sleuthkit_available (void) -{ - return prog_exists (str_sleuthkit_probe); -} - -int -do_icat (const mountable_t *mountable, int64_t inode) +/* Has one FileOut parameter. */ +int do_download_inode(const mountable_t *mountable, int64_t inode) { CLEANUP_FREE char *cmd = NULL; /* Inode must be greater than 0 */ if (inode < 0) { - reply_with_error ("inode must be >= 0&q...

...t;guestfs_protocol.h" +#include "daemon.h" +#include "actions.h" +#include "optgroups.h" + +static int file_out (const char *cmd); + +GUESTFSD_EXT_CMD(str_tsk_probe, icat); + +int +optgroup_icat_available (void) +{ + return prog_exists (str_tsk_probe); +} + +int +do_icat (const mountable_t *mountable, int64_t inode) +{ + CLEANUP_FREE char *cmd = NULL; + + /* Inode must be greater than 0 */ + if (inode < 0) { + reply_with_error ("inode must be >= 0"); + return -1; + } + + /* Construct the command. */ + if (asprintf (&cmd, "icat -...

blkcat allows to extract files given their data units (clusters for NTFS, fragments for ExtX). This API allows to recover files which icat cannot. For example icat often fails retrieving deleted files on Ext3/Ext4 filesystems. As this API works at data unit level, some garbage at the beginning or at the end of the files is expected. An example of blkcat can be found here:

...ns(-) create mode 100755 tests/tsk/test-download-inode.sh delete mode 100755 tests/tsk/test-icat.sh diff --git a/daemon/sleuthkit.c b/daemon/sleuthkit.c index 0fe1250..2f8c97b 100644 --- a/daemon/sleuthkit.c +++ b/daemon/sleuthkit.c @@ -40,7 +40,7 @@ optgroup_sleuthkit_available (void) } int -do_icat (const mountable_t *mountable, int64_t inode) +do_download_inode (const mountable_t *mountable, int64_t inode) { CLEANUP_FREE char *cmd = NULL; diff --git a/generator/actions.ml b/generator/actions.ml index ff72cfe..e5cb939 100644 --- a/generator/actions.ml +++ b/generator/actions.ml @@ -12946...

...t;guestfs_protocol.h" +#include "daemon.h" +#include "actions.h" +#include "optgroups.h" + +static int file_out (const char *cmd); + +GUESTFSD_EXT_CMD(str_tsk_probe, icat); + +int +optgroup_icat_available (void) +{ + return prog_exists (str_tsk_probe); +} + +int +do_icat (const mountable_t *mountable, int64_t inode) +{ + CLEANUP_FREE char *cmd = NULL; + + /* Inode must be greater than 0 */ + if (inode < 0) { + reply_with_error ("inode must be >= 0"); + return -1; + } + + /* Construct the command. */ + if (asprintf (&cmd, "icat -...

"icat" name comes from the employed command line tool which might be replaced later on with a different implementation. The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same time I cleaned up a bit the code and improved it's readability and code comments. This

The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same go I cleaned up a bit the code following the standards and improved the API documentation. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (3):

The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from. http://www.sleuthkit.org/ The icat API allows to download a file from a device given its metadata number (inode). It supports multiple filesystem types. The icat command allows to access to otherwise unreachable files such as filesystem data structures and deleted files which content is

As discussed in the topic: https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. http://www.sleuthkit.org/ The two APIs I'm adding with the patch are a simple example of which type of features TSK can enable. The icat API it's very similar to the previously added ntfscat_i but it