search for: tsk_alloc

...quot;tsknode" which contains the file name, its inode and it's allocation status. The struct will be employed by other APIs as well (fls, ifind etc..). $ ./run guestfish --ro -a /home/noxdafox/disks/ubuntu.qcow2 ><fs> run ><fs> ffind /dev/sda1 2 tsk_name: / tsk_inode: 2 tsk_allocated: 1 ><fs> ffind /dev/sda1 3 tsk_name: /usr/bin/ tsk_inode: 3 tsk_allocated: 0 /usr/bin/ has been reallocated to node 786577 ><fs> mount /dev/sda1 / ><fs> stat /usr/bin/ dev: 2049 ino: 786577 ... Matteo Cafasso (1): added ffind API daemon/tsk.c | 60 ++++...

...truct contains the information gathered via TSK APIs. > > The struct contains the following fields: > * tsk_inode: inode of a file > * tsk_type: type of file such as for dirwalk command > * tsk_size: file size in bytes > * tsk_name: path relative to its disk partition > * tsk_allocated: whether the file has been deleted > > Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> > --- > generator/structs.ml | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > > diff --git a/generator/structs.ml b/generator/structs.ml > index...

...;); + return NULL; + } + + len = strlen(out) - 1; + ret->tsk_inode = inode; + + if STRPREFIX (out, "File name not found for inode") { + reply_with_error ("%ld Inode not in use", inode); + return NULL; + } + else if STRPREFIX (out, "* ") { + ret->tsk_allocated = 0; + ret->tsk_name = strndup (&out[2], len - 2); + } + else if STRPREFIX (out, "//") { + ret->tsk_allocated = 1; + ret->tsk_name = strndup (&out[1], len - 1); + } + else { + ret->tsk_allocated = 1; + ret->tsk_name = strndup (out, len); + }...

The filesystem_walk0 API parses the FS internals of a partition and returns a list of all the files and directories contained within. It list deleted files and directories as well. For each node, it reports its relative path, its inode and its allocation status. The output is serialised in XDR format and written to the given file. The command is similar to The Sleuth Kit "fls -rp

...e->name->name)) + return 0; + + if ((file_name = join_path(path, fsfile->name->name)) == NULL) + return -1; + + node_info.tsk_name = file_name; + node_info.tsk_inode = fsfile->name->meta_addr; + if (fsfile->name->flags & TSK_FS_NAME_FLAG_UNALLOC) + node_info.tsk_allocated = 0; + else + node_info.tsk_allocated = 1; + + return inode_out(&node_info); +} + +/* Joins the file name and file path. + * Return the joined path on success, NULL on failure. + */ +static char *join_path(const char *path, const char *name) +{ + char *buf; + size_t len; + + path =...

The tsk_dirent struct contains the information gathered via TSK APIs. The struct contains the following fields: * tsk_inode: inode of a file * tsk_type: type of file such as for dirwalk command * tsk_size: file size in bytes * tsk_name: path relative to its disk partition * tsk_allocated: whether the file has been deleted Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- generator/structs.ml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/generator/structs.ml b/generator/structs.ml index 6017ba6..d986fd9 100644 --- a/generator/...

v3: - File size will be reported as - 1 if it cannot be retrieved. - Code improvements based on comments. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check daemon: Added internal_filesystem_walk command appliance: Added filesystem_walk command appliance: Added filesystem_walk command tests daemon/Makefile.am | 4 +-

v2: - Increased the amount of collected information from the FS content. - Moved filesystem_walk0 as internal command. - Code improvement based on comments. - Adhere to project's coding style. - Better command documentation. - More robust tests. Patch ready for review, code available at: https://github.com/noxdafox/libguestfs/tree/filesystem_walk Matteo Cafasso (5): generator:

...rm /test.txt : \ + umount / : \ + filesystem-walk /dev/sda2) + +# test $MFT is in the list +echo $output | grep -q "{ tsk_inode: 0 tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_allocated: 1 }" +if [ $? != 0 ]; then + echo "$0: \$MFT not found in files list." + echo "File list:" + echo $output + exit 1 +fi + +# test deleted file is in the list +echo $output | grep -q "{ tsk_inode: .* tsk_type: [ru] tsk_size: .* tsk_name: test.txt tsk_all...

On Monday 04 April 2016 14:58:35 NoxDaFox wrote: > > > + > > > +static int open_filesystem (const char *device, > > > + TSK_IMG_INFO **img, TSK_FS_INFO **fs); > > > +static TSK_WALK_RET_ENUM fswalk_callback (TSK_FS_FILE *fsfile, > > > + const char *path, void *data); > > > >

...\ > + filesystem-walk /dev/sda2) This is a bit unreadable, a better approach is to read commands from stdin; see for example fish/test-copy.sh. > + > +# test $MFT is in the list > +echo $output | grep -q "{ tsk_inode: 0 tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_allocated: 1 }" Hmm are you sure this works when tracing is disabled? The default output in guestfish for structs is each field in a single line. Unless you compare the whole output like other tests do, a better solution could be write this test using a scripting language like Perl: I think most,...

...0) { + fprintf (stderr, "asprintf: %m"); + return TSK_WALK_ERROR; + } + + dirent.tsk_inode = fsfile->name->meta_addr; + dirent.tsk_type = file_type (fsfile); + dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : 0; + dirent.tsk_name = fname; + dirent.tsk_allocated = !(fsfile->name->flags & TSK_FS_NAME_FLAG_UNALLOC); + + ret = send_dirent_info (&dirent); + ret = (ret == 0) ? TSK_WALK_CONT : TSK_WALK_ERROR; + + return ret; +} + +/* Inspect fsfile to identify its type. */ +static char +file_type(TSK_FS_FILE *fsfile) +{ + if (fsfile->nam...

...e->meta != NULL) ? fsfile->meta->size : 0; If 'meta' is null, then I guess the size should be -1 to indicate it was not available; otherwise, there is no difference between an empty file, and a file whose metadata could not be read. > + dirent.tsk_name = fname; > + dirent.tsk_allocated = !(fsfile->name->flags & TSK_FS_NAME_FLAG_UNALLOC); > + > + ret = send_dirent_info (&dirent); > + ret = (ret == 0) ? TSK_WALK_CONT : TSK_WALK_ERROR; > + > + return ret; > +} > + > +/* Inspect fsfile to identify its type. */ > +static char > +file_...

The filesystem_walk API parses the FS internals of a partition and returns a list of all the files and directories contained within. It list deleted files and directories as well. For each node, it reports its relative path, its inode and its allocation status. This is the end user API for inspecting a disk partition content. The command can handle filenames with special characters. Example

...can and set to 0 the rest (same applies with inode for example, the inode is set to 0 instead of -1). The command documentation reports this "issue" (or feature?). Anyway I'll triple-check in order to be sure about it. > > > + dirent.tsk_name = fname; > > + dirent.tsk_allocated = !(fsfile->name->flags & > TSK_FS_NAME_FLAG_UNALLOC); > > + > > + ret = send_dirent_info (&dirent); > > + ret = (ret == 0) ? TSK_WALK_CONT : TSK_WALK_ERROR; > > + > > + return ret; > > +} > > + > > +/* Inspect fsfile to identi...

...+ CLEANUP_FREE char *buf = NULL; + + if (!xdr_u_long(xdrs, &len)) + return -1; + + buf = safe_malloc(g, len); + + if (!xdr_string(xdrs, &buf, len)) + return -1; + if (!xdr_uint64_t(xdrs, &node_info->tsk_inode)) + return -1; + if (!xdr_uint32_t(xdrs, &node_info->tsk_allocated)) + return -1; + + node_info->tsk_name = safe_strndup(g, buf, len); + + return 0; +} + +/* Free the nodes list. */ +static void +free_nodes(struct guestfs_tsk_node_list *nodes) +{ + uint32_t index = 0; + + for (index = 0; index < nodes->len; index++) + if (nodes->val[index...

...tsk_size)) + return -1; + + /* Deserialise filename. */ + if (!xdr_u_long (xdrs, &len)) + return -1; + buf = safe_malloc (g, len); + if (!xdr_string (xdrs, &buf, len)) + return -1; + dirent->tsk_name = safe_strndup(g, buf, len); + + if (!xdr_uint32_t (xdrs, &dirent->tsk_allocated)) + return -1; + + return 0; +} -- 2.8.0.rc3

...) { + fprintf (stderr, "asprintf: %m"); + return TSK_WALK_ERROR; + } + + dirent.tsk_inode = fsfile->name->meta_addr; + dirent.tsk_type = file_type (fsfile); + dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : -1; + dirent.tsk_name = fname; + dirent.tsk_allocated = !(fsfile->name->flags & TSK_FS_NAME_FLAG_UNALLOC); + + ret = send_dirent_info (&dirent); + ret = (ret == 0) ? TSK_WALK_CONT : TSK_WALK_ERROR; + + return ret; +} + +/* Inspect fsfile to identify its type. */ +static char +file_type(TSK_FS_FILE *fsfile) +{ + if (fsfile->nam...

v4: - Changed tsk_allocated struct field into tsk_flags. - Added optional dependency in documentation. - Use asprintf and perror instead of asprintf_nowarn and fprintf. - Ensure CLEANUP_FREE vars are initialised. - Reworked the function documentation. - Improved tests robustness. Matteo Cafasso (5): generato...