search for: tsk_type

On Tuesday 05 April 2016 18:47:28 Matteo Cafasso wrote: > The tsk_dirent struct contains the information gathered via TSK APIs. > > The struct contains the following fields: > * tsk_inode: inode of a file > * tsk_type: type of file such as for dirwalk command > * tsk_size: file size in bytes > * tsk_name: path relative to its disk partition > * tsk_allocated: whether the file has been deleted > > Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> > --- > generator/structs.ml | 16...

Report access, modification, status update and creation time in Unix format. Report number of links pointing to a given entry. If the entry is a symbolic link, report the path of its target. If the filesystem supports native/transparent compression, report compressed files with dedicated flag (DIRENT_COMPRESSED 0x04). Matteo Cafasso (2): filesystem_walk: more information into tsk_dirent

...id reply_with_tsk_error (const char *); @@ -122,15 +124,15 @@ fswalk_callback (TSK_FS_FILE *fsfile, const char *path, void *data) return TSK_WALK_ERROR; } + /* Set dirent fields */ + memset (&dirent, 0, sizeof dirent); + dirent.tsk_inode = fsfile->name->meta_addr; dirent.tsk_type = file_type (fsfile); - dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : -1; dirent.tsk_name = fname; dirent.tsk_flags = file_flags (fsfile); - dirent.tsk_spare1 = dirent.tsk_spare2 = dirent.tsk_spare3 = - dirent.tsk_spare4 = dirent.tsk_spare5 = dirent.tsk_spare6...

v8: - rebase on master - bump version to 1.33.37 - squash commits 1, 2, 3 Kept original commits messages when squashing them. Matteo Cafasso (3): New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am | 4 +- daemon/tsk.c | 249 ++++++++++++++++++++++++++++++++++++++

...id reply_with_tsk_error (const char *); @@ -122,19 +124,24 @@ fswalk_callback (TSK_FS_FILE *fsfile, const char *path, void *data) return TSK_WALK_ERROR; } + /* Set dirent fields */ + memset (&dirent, 0, sizeof dirent); + dirent.tsk_inode = fsfile->name->meta_addr; dirent.tsk_type = file_type (fsfile); - dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : -1; dirent.tsk_name = fname; dirent.tsk_flags = file_flags (fsfile); - dirent.tsk_spare1 = dirent.tsk_spare2 = dirent.tsk_spare3 = - dirent.tsk_spare4 = dirent.tsk_spare5 = dirent.tsk_spare6...

v5: - fixed compile-time warning - removed unused flag enumeration - new version 1.33.19 Patch ready for review. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am | 4 +- daemon/tsk.c

v4: - Changed tsk_allocated struct field into tsk_flags. - Added optional dependency in documentation. - Use asprintf and perror instead of asprintf_nowarn and fprintf. - Ensure CLEANUP_FREE vars are initialised. - Reworked the function documentation. - Improved tests robustness. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check

v2: - Increased the amount of collected information from the FS content. - Moved filesystem_walk0 as internal command. - Code improvement based on comments. - Adhere to project's coding style. - Better command documentation. - More robust tests. Patch ready for review, code available at: https://github.com/noxdafox/libguestfs/tree/filesystem_walk Matteo Cafasso (5): generator:

v6: - added metadata reallocation flag in tsk_flags Certain filesystems separate file name structures and metadata ones. Therefore, deleted entries with file name structures in an unallocated state might point to metadata structures which have been reallocated to new files. A flag set to 1 is generally an indication that the information gathered from the metadata structure (file

v7: - iterate over output file instead of reading it into memory Instead of reading the whole output file in memory and iterating over the resulting buffer, use XDR primitives to directly iterate over the file itself. This should reduce the API memory consumption. Patch ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/filesystem_walk Matteo Cafasso

v3: - File size will be reported as - 1 if it cannot be retrieved. - Code improvements based on comments. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check daemon: Added internal_filesystem_walk command appliance: Added filesystem_walk command appliance: Added filesystem_walk command tests daemon/Makefile.am | 4 +-

...@@ -122,20 +124,38 @@ fswalk_callback (TSK_FS_FILE *fsfile, const char *path, void *data) > return TSK_WALK_ERROR; > } > > + /* Set dirent fields */ > + memset (&dirent, 0, sizeof dirent); > + > dirent.tsk_inode = fsfile->name->meta_addr; > dirent.tsk_type = file_type (fsfile); > dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : -1; > dirent.tsk_name = fname; > dirent.tsk_flags = file_flags (fsfile); > - dirent.tsk_spare1 = dirent.tsk_spare2 = dirent.tsk_spare3 = > - dirent.tsk_spare4 = dirent.tsk_sp...

v9: - add missing files: java/Makefile.inc, java/com/redhat/et/libguestfs/.gitignore, gobject/Makefile.inc - reserve space in tsk_dirent struct for future usage - use int instead of bool_t type - improve API documentation Matteo Cafasso (3): New API: internal_filesystem_walk New API: filesystem_walk lib: Added filesystem_walk command tests daemon/Makefile.am

The tsk_dirent struct contains the information gathered via TSK APIs. The struct contains the following fields: * tsk_inode: inode of a file * tsk_type: type of file such as for dirwalk command * tsk_size: file size in bytes * tsk_name: path relative to its disk partition * tsk_allocated: whether the file has been deleted Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- generator/structs.ml | 16 ++++++++++++++-- 1 file changed, 1...

The tsk_dirent struct contains the information gathered via TSK APIs. The struct contains the following fields: * tsk_inode: inode of a file * tsk_type: type of file such as for dirwalk command * tsk_size: file size in bytes * tsk_name: path relative to its disk partition * tsk_flags: bitfield containing extra information Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- generator/structs.ml | 15 ++++++++++++++- 1 file changed, 14...

...ucts = [ > ]; > s_camel_name = "InternalMountable"; > }; > + > + (* The Sleuth Kit directory entry information. *) > + { defaults with > + s_name = "tsk_dirent"; > + s_cols = [ > + "tsk_inode", FUInt64; > + "tsk_type", FChar; > + "tsk_size", FInt64; > + "tsk_name", FString; > + "tsk_flags", FUInt32; Note if you ever need to add more columns in future, you won't be able to, unless you reserve some space in the struct now by adding: "tsk_spare1&qu...

...++++++++++++++-------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/tests/tsk/test-filesystem-walk.sh b/tests/tsk/test-filesystem-walk.sh index 6ee3f71..d0f0df6 100755 --- a/tests/tsk/test-filesystem-walk.sh +++ b/tests/tsk/test-filesystem-walk.sh @@ -51,17 +51,17 @@ tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_flags: 1 -tsk_spare1: 0 -tsk_spare2: 0 -tsk_spare3: 0 -tsk_spare4: 0 -tsk_spare5: 0 -tsk_spare6: 0 -tsk_spare7: 0 -tsk_spare8: 0 -tsk_spare9: 0 -tsk_spare10: 0 -tsk_spare11: 0 }' +tsk_atime_sec: .* +tsk_atime_nsec: .* +tsk_mtime_sec: .* +tsk_mtime_nsec: .*...

...ile names are not quoted. > > > + if (ret < 0) { > > > + fprintf (stderr, "asprintf: %m"); > > > + return TSK_WALK_ERROR; > > > + } > > > + > > > + dirent.tsk_inode = fsfile->name->meta_addr; > > > + dirent.tsk_type = file_type (fsfile); > > > + dirent.tsk_size = (fsfile->meta != NULL) ? fsfile->meta->size : 0; > > > > If 'meta' is null, then I guess the size should be -1 to indicate it > > was not available; otherwise, there is no difference between an empty > &...

Already implemented entries. tsk_inode tsk_type tsk_size tsk_name tsk_flags Easy ones to add. tsk_atime_sec tsk_atime_nsec tsk_mtime_sec tsk_mtime_nsec tsk_ctime_sec tsk_ctime_nsec tsk_blksize tsk_blocks Further ideas. tsk_nlink tsk_link_name Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/tsk.c |...

...t; + exit 77 +fi + +output=$( +guestfish --ro -a ../../test-data/phony-guests/windows.img <<EOF +run +mount /dev/sda2 / +write /test.txt "foobar" +rm /test.txt +umount / +filesystem-walk /dev/sda2 +EOF +) + +# test $MFT is in the list +echo $output | grep -zq "{ tsk_inode: 0 tsk_type: r tsk_size: .* tsk_name: \$MFT tsk_flags: 1 }" +if [ $? != 0 ]; then + echo "$0: \$MFT not found in files list." + echo "File list:" + echo $output + exit 1 +fi + +# test deleted file is in the list +echo $output | grep -zq "{ tsk_inode: .* tsk_type: [ru]...