fs.dox

linux下开发的针对所有磁盘的数据恢复的源码

	\subsection fs_file_open Opening a File

With TSK, you can open a file from either the metadata or file name layer. To open at the metadata layer, you need the metadata address of the file. To open at the file name layer, you need the name of the file. 

Regardless of the method used to open a file, a TSK_FS_FILE structure will be returned.  This structure can point to TSK_FS_NAME and TSK_FS_META structures, which store the file and metadata category data.  

The tsk_fs_file_open_meta() function takes a metadata address as an argument and returns a TSK_FS_FILE structure.  The TSK_FS_FILE::name pointer will be NULL because the file name was not used to open the file and, for efficiency, TSK does not search the directory tree to locate the file name that points to the metadata address.  The first and last metadata addresses in the file system are defined in TSK_FS_INFO::first_inum and TSK_FS_INFO::last_inum.  

The tsk_fs_file_open() function takes a file name as an argument and first identifies the metadata address that the file name points to.  It then calls tsk_fs_file_open_meta(). Note that if you know the metadata address of a file, then using tsk_fs_file_open_meta() is more efficient then tsk_fs_file_open() because you can skip the process of mapping the file name to the metadata address. If you use tsk_fs_file_open() then the TSK_FS_FILE::name structure will be populated with the name details. 
 
The TSK_FS_FILE structure can be used to read file content and its fields can be used for processing. The  structure must be closed with tsk_fs_file_close().

	\subsection Reading File Content
There are two basic approaches to reading file content after you have a TSK_FS_FILE structure.  You can read data into a buffer from a specific offset in a file using tsk_fs_file_read().  You can also use  the tsk_fs_file_walk() function, which takes a callback function as an argument and will call the callback with the contents of each data unit in the file. 

Note that there are several ways of storing file content. For example, NTFS can store the content in a compressed form and can store small amounts of data in buffers inside of the metadata structure (instead of allocating a full data unit).  The callback for tsk_fs_file_walk() will be given the address from where the data came from, but it will be 0 and not be relevant if the TSK_FS_BLOCK_FLAG_ENUM flag is for a sparse, compressed, or non-resident file.  


	\subsection fs_file_attrs Attributes 
TSK allows each file to have multiple attributes.  An attribute is simply a data container.  Files in most file systems will have only one attribute, which stores the file content.  NTFS files will have multiple attributes because NTFS stores the file name, dates, and other information in different attributes. TSK allows you to read from all of the attributes. 

Each attribute has a type and an ID.  The types are defined in the TSK_FS_ATTR_TYPE_ENUM structure and the ID is an integer that is unique to the file. A file can have multiple attributes with the same type, but it can have only one attribute with a given id. 

The TSK APIs that have been previously presented will use the default attribute.  Many of the APIs have a variation that will allow you to specify a specific attribute type and ID.  For example, tsk_fs_file_read_type() has the same basic operation as tsk_fs_file_read() except it allows the caller to specify the type and ID.  There is also the tsk_fs_file_walk_type() function that is the more specific version of tsk_fs_file_walk() function. 

	\subsection fs_file_attr_read Accessing Attributes
The previous section outlined that some API functions allow you to access a specific attribute.  Sometimes though, you may want access to the attribute, which is stored in a TSK_FS_ATTR structure. 

To access the default attribute use tsk_fs_file_attr_get().  If you know the type that you want to access, you can use the tsk_fs_file_attr_get_type() function.

If you want to figure out what types exist or want to cycle through all of the attributes, you can use the tsk_fs_file_attr_getsize() function to get the number of attributes and the tsk_fs_file_attr_get_idx() function to get an attribute based on a 0 to n-1 based index. For example:

<code>
	int i, cnt;
	cnt = tsk_fs_file_attr_getsize(fs_file);
	for (i = 0; i < cnt; i++) {
		const TSK_FS_ATTR *fs_attr;
		fs_attr = tsk_fs_file_attr_get_idx(fs_file, i);
		if (!fs_attr)
			continue;
		...
	}
</code>

Once you have a TSK_FS_ATTR structure, you can read from it using the tsk_fs_attr_read() and tsk_fs_attr_walk() functions.  These operate just like the
tsk_fs_file_read() and tsk_fs_file_walk() functions and in fact the file-based functions simply load the relevant attribute and call the corresponding attribute-based function. 

	\subsection fs_file_runs Data Runs
This section provides some details on how the file content is stored in TSK.  If you use the APIs previously described, you will not need to read this section.  It is more of an FYI. 

TSK stores locations where file content is stored in run lists.  A run is a set of consecutive blocks that a file has allocated.  The run is stored based on the starting block and the length of the run.   
The run lists for the file attributes are stored in TSK_FS_META::attr, but note that the data may not be filled in until it is needed by TSK.  For efficiency, TSK only loads this data as needed (for some file systems).  The TSK_FS_META::attr_state field identifies if it has been loaded yet or not. 



\section fs_dir_open Opening and Reading a Directory

The previous section outlined how to open a file when you know its name or address.  In many cases, you will want to browse the files in a directory and see what files can be opened.  There two methods for browsing the file names.  

The first is that a directory can be opened using tsk_fs_dir_open() or tsk_fs_dir_open_meta().  The difference between these two functions is that tsk_fs_dir_open() uses the directory name and tsk_fs_dir_open_meta() uses the directory metadata address.  Like opening a file, the tsk_fs_dir_open_meta() is more efficient if you already know the metadata address because tsk_fs_dir_open() will first search the directory structure for the the metadata address and then call tsk_fs_dir_open_meta(). 

These return a TSK_FS_DIR structure that allows the caller to then access individual file names in the directory.  The number of entries in the directory can be obtained using the tsk_fs_dir_getsize() function and individual entries can be returned with the tsk_fs_dir_get() function.   You can close the open directory using tsk_fs_dir_close().  If you are recursing into directories, you could get into an infinite loop.  You can use the TSK_STACK structure to prevent this, see \ref basic_misc. 

You can also walk the directory tree using tsk_fs_dir_walk().  This will call the callback for every file or subdirectory in a directory and can recurse into directories if the proper flag is given.  To walk the entire directory structure, start the walk at the root directory (TSK_FS_INFO::root_inum) and set the recurse flag. 

These approaches all return a TSK_FS_FILE structure and these will all have the TSK_FS_FILE::name structure defined.  However, some of the files may not have the TSK_FS_FILE::meta structure defined if the file is deleted and the link to the metadata has been lost. 


Another way to browse the files is using the tsk_fs_meta_walk() function, which will process a range of metadata structures and call a callback function on each one.  The callback gets the corresponding TSK_FS_FILE structure with the file's metadata in TSK_FS_FILE::meta and TSK_FS_FILE::name set to NULL. 



	\subsection fs_dir_spec Virtual Files
When browsing the file system, using the directory structure is most convenient and therefore special files and directories were added to make finding all relevant data easier.  Orphan files, which were discussed in \ref fs_del, can be accessed from the <tt>/$OrphanFiles</tt> directory. This is a virtual directory, but TSK allows you to treat it as a normal directory (its flags in TSK_FS_META::flags will show that it is virtual though). 

TSK also provides special files so that you can access the boot sector and FATs in a FAT file system.  The <tt>$MBR</tt>, <tt>$FAT1</tt>, and <tt>$FAT2</tt> files are virtual files that point to the sectors for the boot sector, primary FAT, and backup FAT. You can use these virtual files to read the contents of those structures. 

\section fs_map Mapping Data
In some cases, you may want to identify which file has allocated a given block or which name points to a meta data structure. This can typically be done by using the tsk_fs_meta_walk() or tsk_fs_dir_walk() functions, respectively.  But, there are some convenience functions to make this easier. 

The tsk_fs_path2inum() function takes a UTF-8 path as an argument and will identify the meta data address that it points to.   

Next to \ref hashdbpage
 
Back to \ref users_guide "Table of Contents"

*/