sorter.base

linux下开发的针对所有磁盘的数据恢复的源码

if ($DO_SHA1 == 1) {
    find_sha1();
}

# Verify that the TSK binaries are there
check_execs();

# Process the rest of the arguments - image and optional meta addr
my $IMG       = "";    # global for image path
my $first_img = "";
my $META      = "";    # global for root directory to start with

# Cycle through the rest of the args
while (my $tmpimg = shift @ARGV) {

    # If it isn't a file, then it is probably the last meta addr
    unless ((-e "$tmpimg") || (-l "$tmpimg")) {
        if ($tmpimg =~ /^\d+$/) {
            if (scalar @ARGV != 0) {
                print "Invalid image file (additional args after meta addr)\n";
                usage();
            }

            $META = $tmpimg;
            print "Using Directory $META\n" if ($VERBOSE);

            last;
        }
        else {
            print "Image file not found: $tmpimg\n";
            exit(1);
        }
    }

    # Append it to the list
    $IMG .= " \"$tmpimg\"";
    $first_img = $tmpimg
      if ($first_img eq "");

}

# Update the output message
$img_str .= "${BUL}$first_img${NL}";

# Determine the short name
$img_shrt = $first_img;
$img_shrt = substr($first_img, rindex($first_img, '/') + 1)
  if ($first_img =~ /\//);

# Figure out the temp file name
$TEMP_FILE = "${DIR}/.sorter-$img_shrt-$$-";

# verify that the correct arguments were given
check_args();

# Set the $PLATFORM variable based on $FSTYPE
set_platform();

# Read the config file
if ($ALL_CONFIGS == 1) {
    read_config("${SHARE_DIR}default.sort")
      if (-e "$SHARE_DIR/default.sort");

    read_config("${SHARE_DIR}${PLATFORM}.sort")
      if (($PLATFORM ne "") && (-e "${SHARE_DIR}${PLATFORM}.sort"));

    read_config("${SHARE_DIR}${PLATFORM}.lcl.sort")
      if (($PLATFORM ne "") && (-e "${SHARE_DIR}${PLATFORM}.lcl.sort"));
}

read_config($CONFIG) if ($CONFIG ne "");

# any config data?
if ((scalar(keys %file_to_cat) == 0) && ($DO_INDEX == 1) && ($DO_EXT == 0)) {
    print "Error: Empty config files\n";
    exit(1);
}

if ((scalar(keys %file_to_ext) == 0) && ($DO_EXT == 1) && ($DO_INDEX == 0)) {
    print "Error: No defined extensions\n";
    exit(1);
}

# Open the file handles
open_files() if ($LIST == 0);

analyze_img();

if ($LIST == 0) {
    close_files();
    print "\nAll files have been saved to: ${DIR}\n";
}

# close off the thumbnails if we used them
print_thumb_footer() if ($img_cnt != 0);

print_summary();

exit(0);

#########################################################################
#
# subroutines
#
#################################################################3

#################################################################3
# analyze_img
#
# Analyze one image.  This function calls 'fls', parses the
# output, and then calls analyze_file for each file
#
# Argument is the meta address of directory (null to use root)
#
sub analyze_img {

    #################################################################3
    # Process the allocated files in the image
    my $pr_str = "";

    $pr_str = "of Directory $META"
      unless ($META eq "");

    print "\nAnalyzing $IMG\n" . "  Loading Allocated File Listing $pr_str\n"
      if ($LIST == 0);

    my @out     = `\"$SK_FLS\" $IMGTYPE -o $IMGOFF $FSTYPE -rpl $IMG $META`;
    my $tmp_cnt = scalar @out;
    $alloc_cnt += $tmp_cnt;
    print "  Processing $tmp_cnt Allocated Files and Directories\n  "
      if ($LIST == 0);

    my $prev = 0;
    my $cnt  = 0;
    foreach (@out) {
        my $del;
        my $inode;
        my $path;
        my $size;

        # Print the status
        if ((++$cnt % 1000) == 0) {
            my $cur = int(100 * ($cnt / $tmp_cnt));
            if ($cur > $prev + 1) {
                print "$cur%," if ($LIST == 0);
                $prev = $cur;
            }
        }

        # Extract the file name and inode, skip if it is a directory
        # TYPE/TYPE * INUM (realloc): NAME
        if (
/^([\w\-])\/[\w\-]\s+(\*?)\s*([\d\-]+)[\(\)\w]*:\s+(.*)\s+$REG_DATE\s+$REG_DATE\s+$REG_DATE\s+$REG_DATE\s+(\d+)\s+\d+\s+\d+\s*$/
          )
        {
            if (($1 ne "r") && ($1 ne "-")) {
                $dirskip_cnt++;
                next;
            }
            $inode = $3;
            $path  = $4;
            $size  = $5;
            $del   = ($2 eq '*') ? $DEL_DEL : $DEL_ALLOC;
        }
        else {
            print "Error Parsing Output: $_";
            next;
        }

        # skip if file is too small
        if (($MIN_SIZE > 0) && ($size < $MIN_SIZE)) {
            $dirskip_cnt++;
            next;
        }

        # NTFS can have an inode of 0, but the others cannot
        my $inode_int = $inode;
        $inode_int = $1 if ($inode_int =~ /^(\d+)-[\d\-]+$/);
        if (($inode_int == 0) && ($FSTYPE ne "-f ntfs")) {
            $dirskip_cnt++;
            next;
        }

        analyze_file($path, $inode, $del);
    }
    print "100%\n" if ($LIST == 0);
}

#################################################################3
# analyze_file
#
# Process one file
#
# Arguments are the name of the file, the inode number of the file,
# and the deletion status ($DEL_*)
sub analyze_file {
    if (scalar(@_) != 3) {
        print "Incorrect Number of Arguments for analyze_file\n";
        return;
    }

    my $path  = shift;
    my $inode = shift;
    my $del   = shift;

    my $sha1 = "";
    my $md5  = "";
    my $file;

    my $recflag = "";
    $recflag = " -R " if ($del != $DEL_ALLOC);

    ###############################################################
    # Setup & Data Collection

    # The FAT full path has the short name in parenths, so
    # take them off first
    if (($path =~ /\)$/) && ($FSTYPE =~ /fat/)) {
        $path = substr($path, 0, rindex($path, '(') - 1);
    }

    # This was mainly because of the ils output which is <sdas-dead-X>
    my $path_encode = $path;
    if ($HTML == 1) {
        $path_encode =~ s/</&lt;/gs;
        $path_encode =~ s/>/&gt;/gs;
    }

    # Get the hash values and file type

    # Are we listing (i.e. can't write files) or we aren't going to save
    # the file and do not need the MD5?
    if (($LIST) || (($SAVE == 0) && ($DO_MD5 == 0) && ($DO_SHA1 == 0))) {
        $file =
`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" | \"$SK_FILE\" -b -z -`;
        chomp $file;
        if ($DO_SHA1 == 1) {
            $sha1 =
`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" | \"$SK_SHA1\"`;
            chomp $sha1;
        }
        if ($DO_MD5 == 1) {
            $sha1 =
`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" | \"$SK_MD5\"`;
            chomp $md5;
        }
    }

    # Save to temp file
    else {
`\"$SK_ICAT\" $IMGTYPE -o $IMGOFF $FSTYPE $recflag $IMG \"$inode\" > \"${TEMP_FILE}$inode\"`;
        $file = `\"$SK_FILE\" -b -z \"${TEMP_FILE}$inode\"`;
        chomp $file;
        if ($DO_SHA1 == 1) {
            $sha1 = `\"$SK_SHA1\" \"${TEMP_FILE}$inode\"`;
            if ($sha1 =~ /^([A-Fa-f0-9]+)\s+.*$/) {
                $sha1 = $1;
            }
            elsif ($sha1 =~ /=\s+([A-Fa-f0-9]+)$/) {
                $sha1 = $1;
            }
        }
        if ($DO_MD5 == 1) {
            $md5 = `\"$SK_MD5\" \"${TEMP_FILE}$inode\"`;
            if ($md5 =~ /^([A-Fa-f0-9]+)\s+.*$/) {
                $md5 = $1;
            }
            elsif ($md5 =~ /=\s+([A-Fa-f0-9]+)$/) {
                $md5 = $1;
            }
        }

        unlink("${TEMP_FILE}$inode") if ($SAVE == 0);
    }

    # Remove non-printable values from the 'file' output
    $file =~ s/[\x00-\x19\x7F-\xFF]//g;

    # "empty" is a null size file
    if ($file eq 'empty') {
        unlink("${TEMP_FILE}$inode") if ($SAVE == 1);
        $dirskip_cnt++;
        return;
    }

    ###############################################################
    # Lookup in hash databases

    #
    # We will first examine any hashes of known files to alert on.
    # Next, we wil look if this is a file that is known and that we can
    # ignore (NSRL and the -x flag).  If one of these files is found, we do
    # no immediately exit the function.  We also check the extension and
    # make sure that it is appropriate.

    my $exclude = "";
    my $alert   = 0;

    # First the alert data base
    if ("$ALERT_DB" ne "") {
        print "Looking up in Alert Hash Database\n" if ($VERBOSE);
        my $out = `\"$SK_HFIND\" -q \"$ALERT_DB\" \"$md5\"`;
        if ($out =~ /^1\s+$/) {
            $alert = 1;
        }
        elsif ($out !~ /^0\s+$/) {
            print "Error running 'hfind': $out\n";
            exit(1);
        }
    }

    # Ones we can ignore
    if (($alert == 0) && ("$EXCLUDE_DB" ne "")) {
        print "Looking up in Exclude Hash Database\n" if ($VERBOSE);

        my $out = `\"$SK_HFIND\" -q \"$EXCLUDE_DB\" \"$md5\"`;
        if ($out =~ /^1\s+$/) {

            # Print to the appropriate files
            if ($LIST == 0) {
                print EXCLUDE "${MNT}$path_encode${NL}";
                print EXCLUDE "${TAB}Image: $first_img  Inode: $inode${NL}";
                print EXCLUDE "${TAB}$file${NL}";
                print EXCLUDE "${TAB}MD5: $md5${NL}";
                print EXCLUDE "${TAB}Exclude Database${NL}${NL}";

            }
            $exclude = "Exclude Hash Database";
            $excl_cnt++;
        }
        elsif ($out !~ /^0\s+$/) {
            print "Error running 'hfind': $out\n";
            exit(1);
        }
    }

    # NSRL
    if (($alert == 0) && ("$NSRL" ne "") && ($exclude eq "")) {
        print "Looking up in NSRL Hash Database\n" if ($VERBOSE);

        my $out = `\"$SK_HFIND\" -q \"$NSRL\" \"$md5\"`;
        if ($out =~ /^1\s+$/) {

            # Print to the appropriate files
            if ($LIST == 0) {
                print EXCLUDE "${MNT}$path_encode${NL}";
                print EXCLUDE "${TAB}Image: $first_img  Inode: $inode${NL}";
                print EXCLUDE "${TAB}$file${NL}";
                print EXCLUDE "${TAB}MD5: $md5${NL}";
                print EXCLUDE "${TAB}NSRL Database${NL}${NL}";
            }
            $exclude = "NSRL";
            $excl_cnt++;
        }
        elsif ($out !~ /^0\s+$/) {
            print "Error running 'hfind': $out\n";
            exit(1);
        }
    }

    ###############################################################
    #
    # Extension versus File Type
    #
    ###############################################################

    my $mismatch = 0;
    my $ext      = "";

    # Is there an extension on this file?
    my $ext_off = rindex($path, ".");

    # Some sanity checks to verify that the '.' is after the '/' and
    # add one so that we don't process /.asd as an extension
    if (($ext_off != -1) && ($ext_off > (rindex($path, "/") + 1))) {
        $ext = substr($path, $ext_off + 1);
        $ext =~ tr/[A-Z]/[a-z]/;
    }

    $path .= " (deleted)" if ($del == $DEL_DEL);

    if ($VERBOSE) {
        print "File ${MNT}$path (ext: $ext)\n";
        print "File Output: $file\n";
    }

    # Check the extension if it exists
    # Ignore data as it is unknown stuff
    if (($DO_EXT == 1) && ($ext ne "") && ($file ne 'data')) {

        my $found = 0;

        # cycle through the known file keywords that have a known ext
        for (my $ext_i = $#ext_order; $ext_i >= 0; $ext_i--) {
            my $ext_kw = $ext_order[$ext_i];

            print "Trying Extension Keyword: $ext_kw\n" if ($VERBOSE);

            # is this the 'file' category?
            if ($file =~ /$ext_kw/i) {

                print "Found Extension Keyword\n" if ($VERBOSE);

                # we found at least one set of extensions that matches
                # this file type, so set the mismatch to 1 and if we
                # find this extension we will set it to 0, otherwise
                # it will be considered a mismatch
                $mismatch = 1;

                $ext =~ tr/[A-Z]/[a-z/;

                # cycle through each possible extension for this type
                foreach my $cat_ext (@{$file_to_ext{$ext_kw}}) {
                    print "Comparing ext with $cat_ext\n" if ($VERBOSE);
                    if ($cat_ext eq $ext) {
                        print "Found ext\n" if ($VERBOSE);
                        $mismatch = 0;
                        $found    = 1;
                        last;
                    }
                }
            }

            # If we have found the extension, then get out of the loop
            last if ($found == 1);
        }

    }

    # The special mismatch file for those that we should be ignoring
    # but they may be worthwhile looking at now
    if (($mismatch == 1) && ($exclude ne "")) {

        $exclmis_cnt++;

        if ($LIST == 0) {
            print EXCLUDEMIS "${MNT}$path_encode${NL}";
            print EXCLUDEMIS "${TAB}$file$  (Ext: $ext)${NL}";
            print EXCLUDEMIS "${TAB}Image: $first_img  Inode: $inode${NL}";
            print EXCLUDEMIS "${TAB}SHA-1: $sha1${NL}" if ($DO_SHA1 == 1);