afflib.h

sleuthit-2.09 一个磁盘的工具集

/* navigating within the data segments as if they were a single file */
int	af_read(AFFILE *af,unsigned char *buf,size_t count);
uint64  af_seek(AFFILE *af,int64 pos,int whence); // returns new position
uint64  af_tell(AFFILE *af);
int	af_eof(AFFILE *af);		// is the virtual file at the end?

/* Additional routines for writing */
void	af_enable_writing(AFFILE *af,int flag);	// set true to enable writing; returns old value
void	af_set_callback(AFFILE *af, void (*cb)(struct affcallback_info *acbi)); 
void	af_enable_compression(AFFILE *af,int type,int level); // set/gunset compression for writing
int	af_compression_type(AFFILE *af);
int	af_write(AFFILE *af,unsigned char *buf,size_t count);
const unsigned char
	*af_badflag(AFFILE *af); // return the pattern used to identify bad sectors
int	af_is_badsector(AFFILE *af,unsigned char *buf); // 0 if not, 1 if it is, -1 if error


/* AFF implementation types returned by af_identify_type() and af_identify_name()*/

#define AF_IDENTIFY_RAW 0		// file is a raw file
#define AF_IDENTIFY_AFF 1		// file is an AFF file
#define AF_IDENTIFY_AFD 2		// file is a directory of AFF files
#define AF_IDENTIFY_EVF 3		// file is an EnCase file
#define AF_IDENTIFY_EVD 4		// file is a .E01 file when there are more files following
#define AF_IDENTIFY_SPLIT_RAW 5		// file is a split raw file
#define AF_IDENTIFY_AFM 6             // file is raw file with metadata
#define AF_IDENTIFY_EWF 7		// libewf


#define AF_IDENTIFY_ERR -1		// error encountered on identify
#define AF_IDENTIFY_NOEXIST -2		// file does not exist


/* Misc. Functions */
const char *af_ext(const char *filename);	// return the extension of str including the dot
int	    af_ext_is(const char *filename,const char *ext);
const char *af_filename(AFFILE *af);	// returns the filename of an open stream.
int	    af_identify(AFFILE *af);	// returns type of AFFILE pointer

/* Accessor Functions */
int64	    af_get_imagesize(AFFILE *af);	// byte # of last mapped byte in image, or size of device;
					// returns -1 if error
#define af_imagesize(af) af_get_imagesize(af) // backwards compatiability 
int	    af_get_segq(AFFILE *af,const char *name,int64 *quad);/* Get/set 8-byte values */
int	    af_update_segq(AFFILE *af,const char *name,int64 quad);


/****************************************************************
 * Functions for manipulating the AFFILE as if it were a name/value database.
 ****************************************************************/

/* get functions:
 * get the named segment.
 * If arg!=0, set *arg to be the segment's flag.
 * if data==0, don't return it.
 * if datalen && *datalen==0, return the size of the data segment.
 *** Returns 0 on success, 
 *** -1 on end of file. (AF_ERROR_EOF)
 *** -2 if *data is not large enough to hold the segment (AF_ERROR_DATASMALL)
 *** -3 file is corrupt or other internal error. (AF_ERROR_CORRUPT)
 */

int	af_get_seg(AFFILE *af,const char *name,unsigned long *arg,
		   unsigned char *data,size_t *datalen);
int	af_get_next_seg(AFFILE *af,char *segname,size_t segname_len,
			unsigned long *arg, unsigned char *data, size_t *datalen);

int	af_rewind_seg(AFFILE *af); // rewind seg pointer to beginning

/*
 * af_update_seg() should be your primary routine for writing new values.
 */

/* This one writes arbitrary name/value pairs */
int	af_update_seg(AFFILE *af,const char *name,unsigned long arg,
		      const void *value,unsigned int vallen);

/* Delete functions */

int	af_del_seg(AFFILE *af,const char *name); // complete delete of first name
                                                 // returns 0 if success, -1 if seg not found

/* Segname parse functions.
 * af_segname_page_number:
 *   - Returns page number if segment name is a page #, and -1 if it is not
 * af_segname_hash_page_number:
 *   - Returns page number if segment name is a page hash, sets hash function
 *     to be the function used.
 */
int64	af_segname_page_number(const char *name);
int64	af_segname_hash_page_number(const char *name,char *hash,int hashlen);

/****************************************************************/



/* Metadata access */


/* Compression amounts */

#define AF_COMPRESSION_MIN  1
#define AF_COMPRESSION_DEFAULT -1
#define AF_COMPRESSION_MAX 9
#define AF_COMPRESSION_MIN 1


/****************************************************************
 *** AF segment names that you might be interested in...
 ****************************************************************/

#define AF_IGNORE       ""		// ignore segments with 0-length name
#define AF_DIRECTORY    "dir"		// the directory
#define AF_RAW_IMAGE_FILE_EXTENSION "raw_image_file_extension"
#define AF_PAGES_PER_RAW_IMAGE_FILE "pages_per_raw_image_file"

#define AF_PAGESIZE	"pagesize"	// page data size, in bytes, stored in arg
#define AF_IMAGESIZE	"imagesize"	// last logical byte in image, stored as a 64-bit number
#define AF_BADSECTORS	"badsectors"	// number of bad sectors
#define AF_SECTORSIZE	"sectorsize"	// in bytes, stored in arg
#define AF_DEVICE_SECTORS "devicesectors"// stored as a 64-bit number
#define AF_BADFLAG      "badflag"	// data used to mark a bad sector
#define AF_PAGE		"page%"I64d	// segment flag indicates compression (replaces seg%d)
#define AF_PAGE_MD5	AF_PAGE"_md5"

#define AF_BLANKSECTORS "blanksectors"	// all NULs; 8-bytes
#define AF_RAW_IMAGE_FILE_EXTENSION "raw_image_file_extension"
#define AF_PAGES_PER_RAW_IMAGE_FILE "pages_per_raw_image_file"
#define AF_AFF_FILE_TYPE "aff_file_type" // contents should be "AFF", "AFM" or "AFD"

/* Deprecated terminology; pages were originally called data segments */
#define AF_SEG_D        "seg%"I64d	// segment flag indicates compression (deprecated)
#define AF_SEGSIZE_D	"segsize"	// segment data size (deprecated)

/* AFF Flags */
/* Flags for 8-byte segments */
#define AF_SEG_QUADWORD        0x0002	

/* Flags for selecting compression algorithm to try */
#define AF_COMPRESSION_ALG_NONE 0	// don't compress
#define AF_COMPRESSION_ALG_ZLIB 1	// try to compress with zlib
#define AF_COMPRESSION_ALG_LZMA 2	// try to compress with LZMA

/* Flags for data pages */
#define AF_PAGE_COMPRESSED      0x0001
#define AF_PAGE_COMP_MAX        0x0002	// compressed at maximum; nice to know
#define AF_PAGE_COMP_ALG_MASK   0x00F0	// up to 16 compression algorithms may be used
#define AF_PAGE_COMP_ALG_ZLIB   0x0000	
#define AF_PAGE_COMP_ALG_BZIP   0x0010	// not implemented; why bother?
#define AF_PAGE_COMP_ALG_LZMA   0x0020
#define AF_PAGE_COMP_ALG_ZERO   0x0030  // Data segment is a 4-byte value of # of NULLs. 

#define AF_MD5  "md5"			// stores image md5
#define AF_SHA1 "sha1"			// stores image sha1

#define AF_CREATOR	"creator"	// progname of the program that created the AFF file

/* segment names: imaging */
#define AF_CASE_NUM			"case_num"      // case number
#define AF_IMAGE_GID			"image_gid"      // 128-bit unique number
#define AF_ACQUISITION_ISO_COUNTRY  "acquisition_iso_country" // ISO country code
#define AF_ACQUISITION_COMMAND_LINE "acquisition_commandline" // actual command line used to create the image
#define AF_ACQUISITION_DATE	    "acquisition_date" // YYYY-MM-DD HH:MM:SS TZT
#define AF_ACQUISITION_NOTES	    "acquisition_notes" // notes made while imaging
#define AF_ACQUISITION_DEVICE	    "acquisition_device" // device used to do the imaging
#define AF_ACQUISITION_SECONDS      "acquisition_seconds" // stored in arg
#define AF_ACQUISITION_TECHNICIAN   "acquisition_tecnician" 
#define AF_ACQUISITION_MACADDR      "acquisition_macaddr" 
#define AF_ACQUISITION_DMESG	    "acquisition_dmesg"


//  mac addresses are store in ASCII as a list of lines that end with \n,
//  for example, "00:03:93:14:c5:04\n" 
//  It is all the mac addresses that were on the acquisition system

// DMESG is the output from the "dmesg" command at the time of acquisition


/* segment names: device hardware */

#define AF_AFFLIB_VERSION	"afflib_version" // version of AFFLIB that made this file
#define AF_DEVICE_MANUFACTURER  "device_manufacturer"
#define AF_DEVICE_MODEL		"device_model"	// string for ident from drive
#define AF_DEVICE_SN		"device_sn"	// string of drive capabilities
#define AF_DEVICE_FIRMWARE	"device_firmware"	// string of drive capabilities
#define AF_DEVICE_SOURCE        "device_source" // string
#define AF_CYLINDERS		"cylinders" // quad with # cylinders
#define AF_HEADS		"heads"	// quad with # heads
#define AF_SECTORS_PER_TRACK	"sectors_per_track"// quad with # sectors/track
#define AF_LBA_SIZE		"lbasize"
#define AF_HPA_PRESENT          "hpa_present"   // flag = 1 or 0
#define AF_DCO_PRESENT          "dco_present"   // flag = 1 or 0
#define AF_LOCATION_IN_COMPUTER "location_in_computer" // text, where it was found
#define AF_DEVICE_CAPABILITIES	"device_capabilities" // string; human-readable

#define AF_MAX_NAME_LEN 64	// segment names should not be larger than this

/* AFF error codes */
#define AF_ERROR_EOF -1
#define AF_ERROR_DATASMALL -2
#define AF_ERROR_TAIL  -3		// no tail, or error reading tail
#define AF_ERROR_SEGH  -4		// no head, or error reading head
#define AF_ERROR_NAME  -5		// segment name invalid
#define AF_ERROR_INVALID_ARG -6		// argument invalid


/* AFF environment variables */
#define AFFLIB_CACHE_STATS  "AFFLIB_CACHE_STATS" // make non-zero to dump stats to STDERR at end
#define AFFLIB_CACHE_DEBUG  "AFFLIB_CACHE_DEBUG" // make "1" to dump a trace of cache events to stderr
#define AFFLIB_CACHE_PAGES  "AFFLIB_CACHE_PAGES" // Size of the page cache
#define AFFLIB_CACHE_PAGES_DEFAULT 2	// default number of cache pages
#define AFFLIB_BIGTMP       "AFFLIB_BIGTMP" // default directory to put very big files for test programs
#define AFFLIB_TRACE        "AFFLIB_TRACE" // make "1" to send all AFFLIB activity to stdout; "2" for stderr
extern FILE *af_trace;		// fd to trace to

/****************************************************************
 *** Not AFF functions at all, but placed here for convenience.
 ****************************************************************/
const char *af_hexbuf(char *dst,int dst_len,const unsigned char *bin,int bytes,int format_flag);

/* af_hexbuf formats: */
#define AF_HEXBUF_NO_SPACES 0
#define AF_HEXBUF_SPACE2    0x0001	// space every 2 characters
#define AF_HEXBUF_SPACE4    0x0002	// space every 4 characters
#define AF_HEXBUF_UPPERCASE 0x1000	// uppercase


/****************************************************************
 *** Internal implementation details below.
 ****************************************************************/


#ifdef __never_defined__
{
#endif
#ifdef __cplusplus
}
#endif
#endif