similar to: [PATCH 1/2] added ntfscat_i api

Adding ntfscat_i command for downloading files based on their inode number. This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. --- daemon/ntfs.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 15 +++++++++++++ 2 files changed, 77 insertions(+) diff --git a/daemon/ntfs.c b/daemon/ntfs.c index 568899e..58f62fa 100644

On 22/02/16 17:26, Richard W.M. Jones wrote: > On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: >> Adding ntfscat_i command for downloading files based on their inode number. >> >> This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. > The patch seems fine, but it really needs a test otherwise this > feature could silently

On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: > Adding ntfscat_i command for downloading files based on their inode number. > > This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. The patch seems fine, but it really needs a test otherwise this feature could silently break. Have a look at the tests/ntfsclone/ subdirectory for the

On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote: > On 22/02/16 17:26, Richard W.M. Jones wrote: > >On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: > >>Adding ntfscat_i command for downloading files based on their inode number. > >> > >>This allows the dowload of files unaccessible otherwise from a NTFS guest disk image. > >The

On 22/02/16 19:43, Richard W.M. Jones wrote: > On Mon, Feb 22, 2016 at 07:23:45PM +0200, noxdafox wrote: >> On 22/02/16 17:26, Richard W.M. Jones wrote: >>> On Sun, Feb 21, 2016 at 11:22:23PM +0200, Matteo Cafasso wrote: >>>> Adding ntfscat_i command for downloading files based on their inode number. >>>> >>>> This allows the dowload of files

Test is based on file signature, it checks whether the extracted file is the $MFT. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- Makefile.am | 1 + configure.ac | 1 + generator/actions.ml | 6 ++++- tests/ntfscat/Makefile.am | 26 +++++++++++++++++++++ tests/ntfscat/test-ntfscat.sh | 53 +++++++++++++++++++++++++++++++++++++++++++

On Tue, Feb 02, 2016 at 07:40:12PM +0200, noxdafox wrote: > Greetings, > > I'm playing around an idea and I'd like to ask you some questions. > > I'd like to extract the MFT table from a disk image file. The idea > is to employ it to build a sort of reverse lookup table which, given > a cluster, could retrieve the corresponding file with the related >

As discussed in the topic: https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. http://www.sleuthkit.org/ The two APIs I'm adding with the patch are a simple example of which type of features TSK can enable. The icat API it's very similar to the previously added ntfscat_i but it

Use PRIi64 as format string for int64_t, so it builds and works fine also on 32bit. Also switch from asprintf_nowarn to asprintf, since no custom formats (eg %Q, %R) are used. --- daemon/ntfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/daemon/ntfs.c b/daemon/ntfs.c index 92088f7..e555c63 100644 --- a/daemon/ntfs.c +++ b/daemon/ntfs.c @@ -282,8 +282,8 @@

The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from. http://www.sleuthkit.org/ The icat API allows to download a file from a device given its metadata number (inode). It supports multiple filesystem types. The icat command allows to access to otherwise unreachable files such as filesystem data structures and deleted files which content is

Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/sleuthkit.c | 79 ++++++++++++++++++++++++++++------------------------ generator/actions.ml | 6 ++-- 2 files changed, 47 insertions(+), 38 deletions(-) diff --git a/daemon/sleuthkit.c b/daemon/sleuthkit.c index 0fe1250..536febb 100644 --- a/daemon/sleuthkit.c +++ b/daemon/sleuthkit.c @@ -29,55 +29,55 @@ #include

"icat" name comes from the employed command line tool which might be replaced later on with a different implementation. The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same time I cleaned up a bit the code and improved it's readability and code comments. This

Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/Makefile.am | 1 + daemon/tsk.c | 114 +++++++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 13 ++++++ po/POTFILES | 1 + src/MAX_PROC_NR | 2 +- 5 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 daemon/tsk.c diff --git a/daemon/Makefile.am

Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- appliance/packagelist.in | 3 ++ daemon/Makefile.am | 1 + daemon/tsk.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++ generator/actions.ml | 33 +++++++++++++ po/POTFILES | 1 + src/MAX_PROC_NR | 2 +- 6 files changed, 161 insertions(+), 1 deletion(-) create mode 100644

In order to support the new features I am renaming the file with a better name. The file sleuthkit.c will contain the code depending on the sleuthkit package. The original tsk.c file will contain the logic built using libtsk which is the sleuthkit core library. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/sleuthkit_rename Signed-off-by: Matteo

The command name is a bit confusing because it's similar to "cat" but act as "donwload". Therefore I am renaming it with a more clear name. At the same go I cleaned up a bit the code following the standards and improved the API documentation. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (3):

The find_inode API allows the User to search all the entries referring to a given inode and returns a tsk_dirent structure for each of them. As I didn't want to change unrelated code, there is a little bit of code duplication at the moment. Plan is to refactor the logic in a dedicated set of patches. Matteo Cafasso (3): New API: internal_find_inode New API: find_inode find_inode: added

This series should be ready for merge v6: - rebase on master - changes according to last comments Matteo Cafasso (6): filesystem_walk: fixed root inode listing daemon: refactor tsk code lib: rename tsk internal function New API: internal_find_inode New API: find_inode find_inode: added API tests daemon/tsk.c | 155 ++++++++++++++++++++++++++++++-------------

v7: - Merge src/tsk.c refactoring patch with #4 of find_block series Matteo Cafasso (4): lib: logic refactoring New API: internal_find_inode New API: find_inode find_inode: added API tests daemon/tsk.c | 52 ++++++++++++++++++++++++++++++++++ generator/actions.ml | 21 ++++++++++++++ src/MAX_PROC_NR | 2 +- src/tsk.c | 52

v3: - File size will be reported as - 1 if it cannot be retrieved. - Code improvements based on comments. Matteo Cafasso (5): generator: Added tsk_dirent struct configure: Added libtsk compile-time check daemon: Added internal_filesystem_walk command appliance: Added filesystem_walk command appliance: Added filesystem_walk command tests daemon/Makefile.am | 4 +-