search for: tsk_name

...nction returns a struct "tsknode" which contains the file name, its inode and it's allocation status. The struct will be employed by other APIs as well (fls, ifind etc..). $ ./run guestfish --ro -a /home/noxdafox/disks/ubuntu.qcow2 ><fs> run ><fs> ffind /dev/sda1 2 tsk_name: / tsk_inode: 2 tsk_allocated: 1 ><fs> ffind /dev/sda1 3 tsk_name: /usr/bin/ tsk_inode: 3 tsk_allocated: 0 /usr/bin/ has been reallocated to node 786577 ><fs> mount /dev/sda1 / ><fs> stat /usr/bin/ dev: 2049 ino: 786577 ... Matteo Cafasso (1): added ffind API daem...

...len = strlen(out) - 1; + ret->tsk_inode = inode; + + if STRPREFIX (out, "File name not found for inode") { + reply_with_error ("%ld Inode not in use", inode); + return NULL; + } + else if STRPREFIX (out, "* ") { + ret->tsk_allocated = 0; + ret->tsk_name = strndup (&out[2], len - 2); + } + else if STRPREFIX (out, "//") { + ret->tsk_allocated = 1; + ret->tsk_name = strndup (&out[1], len - 1); + } + else { + ret->tsk_allocated = 1; + ret->tsk_name = strndup (out, len); + } + + return ret; +} + static i...

Already implemented entries. tsk_inode tsk_type tsk_size tsk_name tsk_flags Easy ones to add. tsk_atime_sec tsk_atime_nsec tsk_mtime_sec tsk_mtime_nsec tsk_ctime_sec tsk_ctime_nsec tsk_blksize tsk_blocks Further ideas. tsk_nlink tsk_link_name Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/tsk.c | 4 +++- generator/...

...6 18:47:28 Matteo Cafasso wrote: > The tsk_dirent struct contains the information gathered via TSK APIs. > > The struct contains the following fields: > * tsk_inode: inode of a file > * tsk_type: type of file such as for dirwalk command > * tsk_size: file size in bytes > * tsk_name: path relative to its disk partition > * tsk_allocated: whether the file has been deleted > > Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> > --- > generator/structs.ml | 16 ++++++++++++++-- > 1 file changed, 14 insertions(+), 2 deletions(-) > > diff --git a/...

Report access, modification, status update and creation time in Unix format. Report number of links pointing to a given entry. If the entry is a symbolic link, report the path of its target. If the filesystem supports native/transparent compression, report compressed files with dedicated flag (DIRENT_COMPRESSED 0x04). Matteo Cafasso (2): filesystem_walk: more information into tsk_dirent

...id *data) return TSK_WALK_ERROR; } + /* Set dirent fields */ + memset (&dirent, 0, sizeof dirent); + dirent.tsk_inode = fsfile->name->meta_addr; dirent.tsk_type = file_type (fsfile); - dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : -1; dirent.tsk_name = fname; dirent.tsk_flags = file_flags (fsfile); - dirent.tsk_spare1 = dirent.tsk_spare2 = dirent.tsk_spare3 = - dirent.tsk_spare4 = dirent.tsk_spare5 = dirent.tsk_spare6 = - dirent.tsk_spare7 = dirent.tsk_spare8 = dirent.tsk_spare9 = - dirent.tsk_spare10 = dirent.tsk_spare11 = 0; + +...

The filesystem_walk API parses the FS internals of a partition and returns a list of all the files and directories contained within. It list deleted files and directories as well. For each node, it reports its relative path, its inode and its allocation status. This is the end user API for inspecting a disk partition content. The command can handle filenames with special characters. Example

v8: - rebase on master - bump version to 1.33.37 - squash commits 1, 2, 3 Kept original commits messages when squashing them. Matteo Cafasso (3): New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am | 4 +- daemon/tsk.c | 249 ++++++++++++++++++++++++++++++++++++++

...id *data) return TSK_WALK_ERROR; } + /* Set dirent fields */ + memset (&dirent, 0, sizeof dirent); + dirent.tsk_inode = fsfile->name->meta_addr; dirent.tsk_type = file_type (fsfile); - dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : -1; dirent.tsk_name = fname; dirent.tsk_flags = file_flags (fsfile); - dirent.tsk_spare1 = dirent.tsk_spare2 = dirent.tsk_spare3 = - dirent.tsk_spare4 = dirent.tsk_spare5 = dirent.tsk_spare6 = - dirent.tsk_spare7 = dirent.tsk_spare8 = dirent.tsk_spare9 = - dirent.tsk_spare10 = dirent.tsk_spare11 = 0; + +...

v2: - Increased the amount of collected information from the FS content. - Moved filesystem_walk0 as internal command. - Code improvement based on comments. - Adhere to project's coding style. - Better command documentation. - More robust tests. Patch ready for review, code available at: https://github.com/noxdafox/libguestfs/tree/filesystem_walk Matteo Cafasso (5): generator:

...*path, void *data) +{ + CLEANUP_FREE char *file_name = NULL; + struct guestfs_int_tsk_node node_info; + + /* Ignore ./ and ../ */ + if (TSK_FS_ISDOT(fsfile->name->name)) + return 0; + + if ((file_name = join_path(path, fsfile->name->name)) == NULL) + return -1; + + node_info.tsk_name = file_name; + node_info.tsk_inode = fsfile->name->meta_addr; + if (fsfile->name->flags & TSK_FS_NAME_FLAG_UNALLOC) + node_info.tsk_allocated = 0; + else + node_info.tsk_allocated = 1; + + return inode_out(&node_info); +} + +/* Joins the file name and file path. + * Re...

...long(xdrs, &len)) + return -1; + + buf = safe_malloc(g, len); + + if (!xdr_string(xdrs, &buf, len)) + return -1; + if (!xdr_uint64_t(xdrs, &node_info->tsk_inode)) + return -1; + if (!xdr_uint32_t(xdrs, &node_info->tsk_allocated)) + return -1; + + node_info->tsk_name = safe_strndup(g, buf, len); + + return 0; +} + +/* Free the nodes list. */ +static void +free_nodes(struct guestfs_tsk_node_list *nodes) +{ + uint32_t index = 0; + + for (index = 0; index < nodes->len; index++) + if (nodes->val[index].tsk_name != NULL) + free(nodes->val[inde...

...} > > + /* Set dirent fields */ > + memset (&dirent, 0, sizeof dirent); > + > dirent.tsk_inode = fsfile->name->meta_addr; > dirent.tsk_type = file_type (fsfile); > dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : -1; > dirent.tsk_name = fname; > dirent.tsk_flags = file_flags (fsfile); > - dirent.tsk_spare1 = dirent.tsk_spare2 = dirent.tsk_spare3 = > - dirent.tsk_spare4 = dirent.tsk_spare5 = dirent.tsk_spare6 = > - dirent.tsk_spare7 = dirent.tsk_spare8 = dirent.tsk_spare9 = > - dirent.tsk_spare10 = dir...

v5: - fixed compile-time warning - removed unused flag enumeration - new version 1.33.19 Patch ready for review. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am | 4 +- daemon/tsk.c

v4: - Changed tsk_allocated struct field into tsk_flags. - Added optional dependency in documentation. - Use asprintf and perror instead of asprintf_nowarn and fprintf. - Ensure CLEANUP_FREE vars are initialised. - Reworked the function documentation. - Improved tests robustness. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check

The filesystem_walk0 API parses the FS internals of a partition and returns a list of all the files and directories contained within. It list deleted files and directories as well. For each node, it reports its relative path, its inode and its allocation status. The output is serialised in XDR format and written to the given file. The command is similar to The Sleuth Kit "fls -rp

The tsk_dirent struct contains the information gathered via TSK APIs. The struct contains the following fields: * tsk_inode: inode of a file * tsk_type: type of file such as for dirwalk command * tsk_size: file size in bytes * tsk_name: path relative to its disk partition * tsk_allocated: whether the file has been deleted Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- generator/structs.ml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/generator/structs.ml b/generator/structs...

The tsk_dirent struct contains the information gathered via TSK APIs. The struct contains the following fields: * tsk_inode: inode of a file * tsk_type: type of file such as for dirwalk command * tsk_size: file size in bytes * tsk_name: path relative to its disk partition * tsk_flags: bitfield containing extra information Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- generator/structs.ml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/generator/structs.ml b/generator/structs.m...

...gt; }; > + > + (* The Sleuth Kit directory entry information. *) > + { defaults with > + s_name = "tsk_dirent"; > + s_cols = [ > + "tsk_inode", FUInt64; > + "tsk_type", FChar; > + "tsk_size", FInt64; > + "tsk_name", FString; > + "tsk_flags", FUInt32; Note if you ever need to add more columns in future, you won't be able to, unless you reserve some space in the struct now by adding: "tsk_spare1", FInt64; "tsk_spare2", FInt64; "tsk_spare3", FInt...

...------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/tests/tsk/test-filesystem-walk.sh b/tests/tsk/test-filesystem-walk.sh index 6ee3f71..d0f0df6 100755 --- a/tests/tsk/test-filesystem-walk.sh +++ b/tests/tsk/test-filesystem-walk.sh @@ -51,17 +51,17 @@ tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_flags: 1 -tsk_spare1: 0 -tsk_spare2: 0 -tsk_spare3: 0 -tsk_spare4: 0 -tsk_spare5: 0 -tsk_spare6: 0 -tsk_spare7: 0 -tsk_spare8: 0 -tsk_spare9: 0 -tsk_spare10: 0 -tsk_spare11: 0 }' +tsk_atime_sec: .* +tsk_atime_nsec: .* +tsk_mtime_sec: .* +tsk_mtime_nsec: .* +tsk_ctime_sec: .* +tsk_ct...