similar to: [PATCH] sleuthkit code cleanup

Displaying 20 results from an estimated 400 matches similar to: "[PATCH] sleuthkit code cleanup"

2016 Jun 29
2
[PATCH 0/2] Added download_blocks API
With this API we complete the set of functions required to extract deleted files/data from most of the available filesystems. The function allows to extract data units (blocks) within a given range from a partition. The tests show an example on how the function can be used to retrieve deleted data. Matteo Cafasso (2): New API: download_blocks Added download_blocks API test
2016 Jul 17
4
[PATCH v2 0/2] Added download_blocks API
v2: - Rebase on top of master Matteo Cafasso (2): New API: download_blocks Added download_blocks API test daemon/sleuthkit.c | 41 ++++++++++++++++++++++++++- generator/actions.ml | 24 ++++++++++++++++ gobject/Makefile.inc | 2 ++ src/MAX_PROC_NR | 2 +- tests/tsk/Makefile.am | 1 +
2016 Mar 30
4
[PATCH 0/3] rename icat API into download_inode
The command name is a bit confusing because it's similar to "cat" but acts as "download". Therefore I am renaming it with a more clear name. At the same go I cleaned up a bit the code following the standards and improved the API documentation. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/download_inode Matteo Cafasso (3):
2016 Mar 29
0
[PATCH 1/2] rename icat API to download_inode
Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/sleuthkit.c | 79 ++++++++++++++++++++++++++++------------------------ generator/actions.ml | 6 ++-- 2 files changed, 47 insertions(+), 38 deletions(-) diff --git a/daemon/sleuthkit.c b/daemon/sleuthkit.c index 0fe1250..536febb 100644 --- a/daemon/sleuthkit.c +++ b/daemon/sleuthkit.c @@ -29,55 +29,55 @@ #include
2016 Mar 29
3
[PATCH 0/2] rename icat API as download_inode
"icat" name comes from the employed command line tool which might be replaced later on with a different implementation. The command name is a bit confusing because it's similar to "cat" but acts as "download". Therefore I am renaming it with a more clear name. At the same time I cleaned up a bit the code and improved its readability and code comments. This
2016 Mar 29
2
[PATCH] renamed daemon/tsk.c to daemon/sleuthkit.c
In order to support the new features I am renaming the file with a better name. The file sleuthkit.c will contain the code depending on the sleuthkit package. The original tsk.c file will contain the logic built using libtsk which is the sleuthkit core library. This patch is ready for review. Code available at: https://github.com/noxdafox/libguestfs/tree/sleuthkit_rename Signed-off-by: Matteo
2016 Mar 08
1
[PATCH] sleuthkit availability check renamed
From 'available icat' to 'available sleuthkit'. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/tsk.c | 6 +++--- generator/actions.ml | 2 +- tests/tsk/test-icat.sh | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/daemon/tsk.c b/daemon/tsk.c index 647d1e7..0fe1250 100644 --- a/daemon/tsk.c +++ b/daemon/tsk.c @@ -31,12
2016 Mar 30
0
Re: [PATCH] renamed daemon/tsk.c to daemon/sleuthkit.c
On Tuesday 29 March 2016 22:56:29 Matteo Cafasso wrote: > In order to support the new features I am renaming the file with a better name. > > The file sleuthkit.c will contain the code depending on the sleuthkit package. > > The original tsk.c file will contain the logic built using libtsk > which is the sleuthkit core library. Makes sense, pushed to git with two small
2017 Mar 03
14
[PATCH 00/11] Various Coverity fixes
Hi, this patch series fixes some issues discovered by Coverity. Most of them are memory leaks, usually on error; there are also invalid memory access issues. Thanks, Pino Toscano (11): java: link libguestfs_jni against libutils java: fix invalid memory access for FBuffer in struct lists daemon: tsk: properly use GUESTFS_MAX_CHUNK_SIZE edit: fix small memory leak on error java: fix
2016 Mar 07
2
Re: [PATCH 2/3] added icat API to retrieve deleted or inaccessible files
Thanks, I have pushed this patch series. Could you consider changing: > + optional = Some "icat"; I think it would be nice to have a single feature, and to call the feature "sleuthkit" or "forensics" or something like that. We don't need to have one feature per API since installation of a single package (sleuthkit) is sufficient to make all the APIs
2017 Jul 27
0
[PATCH v2] daemon: Remove GUESTFSD_EXT_CMD.
GUESTFSD_EXT_CMD was used by OpenSUSE to track which external commands are run by the daemon and package those commands into the appliance. It is no longer used by recent SUSE builds, so remove it. Thanks: Pino Toscano, Olaf Hering. --- daemon/9p.c | 3 +- daemon/available.c | 7 +-- daemon/base64.c | 6 +-- daemon/blkid.c | 10 ++---
2004 Sep 26
2
low level search for deleted data
Hi everyone, I lost my complete home directory and am facing the problem of retrieving some of the deleted data. I have searched the web for this matter, but the only information I found is that it's not possible for a program to do this and that I have to puzzle the files together by scanning the disk (or disk image) with tools like sleuthkit (www.sleuthkit.org) or lde (lde.sourceforge.net).
2017 Jul 24
0
[PATCH 2/2] daemon: Replace GUESTFSD_EXT_CMD with --print-external-commands.
GUESTFSD_EXT_CMD is used by OpenSUSE to track which external commands are run by the daemon and package those commands into the appliance. However because this uses linker trickery it won't work from OCaml code. Replace it with a [nearly] standard C mechanism. Files still have to declare the external commands they will use, eg: DECLARE_EXTERNAL_COMMANDS ("btrfs",
2016 Mar 30
0
[PATCH 1/3] Rename icat command in download_inode
The "icat" name comes from the employed command line tool which might be replaced at any time with a different implementation. The command name is a bit confusing because it's similar to "cat" but acts as "download". download_inode is more clear and descriptive. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/sleuthkit.c | 2
2016 Sep 20
1
Re: [PATCH v2 1/3] New API: internal_find_block
On Monday, 19 September 2016 23:26:57 CEST Matteo Cafasso wrote: > The internal_find_block command searches all entries referring to the > given filesystem data block and returns a tsk_dirent structure > for each of them. > > For filesystems such as NTFS which do not delete the block mapping > when removing files, it is possible to get multiple non-allocated > entries for the
2016 Mar 02
2
Libguestfs as filesystem forensic tool
Greetings, I am playing around with the idea of using libguestfs as a forensic tool to investigate VM disk images. Some use cases as example: * Sandbox for malware analysis. * Incident response in cloud environments. Libguestfs is a precious resource in this case as it allows to abstract the disk image internals and expose them as mountable devices. Combined with some state of the art
2016 Mar 07
4
[PATCH 0/3] added The Sleuth Kit and icat API for downloading inaccessible files
The Sleuth Kit is a filesystem forensic tool for accessing disk volumes and extracting digital evidence from. http://www.sleuthkit.org/ The icat API allows to download a file from a device given its metadata number (inode). It supports multiple filesystem types. The icat command allows to access to otherwise unreachable files such as filesystem data structures and deleted files which content is
2016 Oct 08
5
[PATCH v4 0/3] New API - find_block
Patch ready for merging. v4: - check return code of tsk_fs_attr_walk - pass TSK_FS_FILE_WALK_FLAG_NOSPARSE as additional flag to tsk_fs_attr_walk After discussing with TSK authors the behaviour is clear. [1] In case of COMPRESSED blocks, the callback will be called for all the attributes no matter whether they are on disk or not (sparse). In such cases, the block address will be 0. [2] So
2018 Feb 15
1
[PATCH] daemon: tsk: handle new enum values in sleuthkit 4.5
Resort to a version check for them, as they do not exist in older versions. --- daemon/tsk.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/daemon/tsk.c b/daemon/tsk.c index af803d749..ad10d74fe 100644 --- a/daemon/tsk.c +++ b/daemon/tsk.c @@ -241,6 +241,9 @@ file_type (TSK_FS_FILE *fsfile) case TSK_FS_NAME_TYPE_SHAD: return 'h'; case TSK_FS_NAME_TYPE_WHT: return
2016 Mar 07
2
Re: [PATCH 0/2] added icat and fls0 APIs for deleted files recovery
On 07/03/16 13:29, Richard W.M. Jones wrote: > On Sun, Mar 06, 2016 at 05:42:24PM +0200, Matteo Cafasso wrote: >> As discussed in the topic: https://www.redhat.com/archives/libguestfs/2016-March/msg00018.html >> >> I'd like to add to libguestfs the disk forensics capabilities offered by The Sleuth Kit. >> http://www.sleuthkit.org/ >> >> The two APIs