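/*
** ifind (inode find)
** The Sleuth Kit
**
** Given an image and block number, identify which inode it is used by
**
** Brian Carrier [carrier <at> sleuthkit [dot] org]
** Copyright (c) 2006-2008 Brian Carrier, Basis Technology. All Rights reserved
** Copyright (c) 2003-2005 Brian Carrier. All rights reserved
**
** TASK
** Copyright (c) 2002 Brian Carrier, @stake Inc. All rights reserved
**
** TCTUTILs
** Copyright (c) 2001 Brian Carrier. All rights reserved
**
**
** This software is distributed under the Common Public License 1.0
**
*/

/**
 * \file ifind_lib.c
 * Contains the library API functions used by the TSK ifind command
 * line tool.
 */
#include "tsk_fs_i.h"

/*******************************************************************************
 * Find an unallocated NTFS MFT entry based on its parent directory
 */

/* State shared between tsk_fs_ifind_par and its inode walk callback. */
typedef struct {
    TSK_INUM_T parinode;            /* parent MFT entry we are looking for */
    TSK_FS_IFIND_FLAG_ENUM flags;   /* output format selection (PAR_LONG) */
    uint8_t found;                  /* set to 1 once at least one hit was printed */
} IFIND_PAR_DATA;

/* Print a single hit for tsk_fs_ifind_par in the format selected by
 * data->flags. fs_file->name must already point at the name to print;
 * fs_attr may be NULL when the entry has no $Data / $IDXROOT attribute. */
static void
ifind_par_print(const IFIND_PAR_DATA * data, TSK_FS_FILE * fs_file,
    const TSK_FS_ATTR * fs_attr)
{
    if (data->flags & TSK_FS_IFIND_PAR_LONG) {
        tsk_fs_name_print_long(stdout, fs_file, NULL, fs_file->fs_info,
            fs_attr, 0);
    }
    else {
        tsk_fs_name_print(stdout, fs_file, NULL, fs_file->fs_info,
            fs_attr, 0);
        tsk_printf("\n");
    }
}

/* inode walk call back for tsk_fs_ifind_par to find unallocated files
 * based on parent directory.
 *
 * For every FILE_NAME entry of fs_file whose parent is data->parinode a
 * temporary TSK_FS_NAME is built and printed once per $Data / $IDXROOT
 * attribute (or once on its own when there is none).
 *
 * @param fs_file File currently visited by the walk (owned by the walker)
 * @param ptr IFIND_PAR_DATA describing the search
 * @returns TSK_WALK_CONT to keep walking, TSK_WALK_ERROR on allocation failure
 */
static TSK_WALK_RET_ENUM
ifind_par_act(TSK_FS_FILE * fs_file, void *ptr)
{
    IFIND_PAR_DATA *data = (IFIND_PAR_DATA *) ptr;
    TSK_FS_META_NAME_LIST *fs_name_list;

    /* nothing to inspect without meta data; just keep walking */
    if (fs_file->meta == NULL)
        return TSK_WALK_CONT;

    /* go through each file name attribute for this file */
    for (fs_name_list = fs_file->meta->name2; fs_name_list;
        fs_name_list = fs_name_list->next) {
        int i, cnt;
        uint8_t printed;
        TSK_FS_NAME *fs_name;
        TSK_FS_NAME *saved_name;

        if (fs_name_list->par_inode != data->parinode)
            continue;

        /* we found a file that has the target parent directory.
         * Make a FS_NAME structure and print it. */
        if ((fs_name = tsk_fs_name_alloc(256, 0)) == NULL)
            return TSK_WALK_ERROR;

        /* Fill in the basics of the fs_name entry
         * so we can print in the fls formats */
        fs_name->meta_addr = fs_file->meta->addr;
        fs_name->flags = TSK_FS_NAME_FLAG_UNALLOC;
        /* strncpy does not terminate when the source fills the buffer and
         * name_size is the only bound visible here, so terminate inside it
         * (an over-long FILE_NAME is truncated rather than left unterminated). */
        strncpy(fs_name->name, fs_name_list->name, fs_name->name_size);
        fs_name->name[fs_name->name_size - 1] = '\0';

        /* Temporarily attach the name so the fls print routines can use it.
         * The walker owns fs_file, so the previous value is restored before
         * our copy is freed; otherwise fs_file->name would dangle. */
        saved_name = fs_file->name;
        fs_file->name = fs_name;
        printed = 0;

        /* now look for the $Data and $IDXROOT attributes */
        cnt = tsk_fs_file_attr_getsize(fs_file);
        for (i = 0; i < cnt; i++) {
            const TSK_FS_ATTR *fs_attr =
                tsk_fs_file_attr_get_idx(fs_file, i);
            if (!fs_attr)
                continue;

            if ((fs_attr->type == TSK_FS_ATTR_TYPE_NTFS_DATA)
                || (fs_attr->type == TSK_FS_ATTR_TYPE_NTFS_IDXROOT)) {
                ifind_par_print(data, fs_file, fs_attr);
                printed = 1;
            }
        }

        /* if there were no attributes, print what we got */
        if (printed == 0)
            ifind_par_print(data, fs_file, NULL);

        tsk_fs_name_free(fs_name);
        fs_file->name = saved_name;
        data->found = 1;
    }

    return TSK_WALK_CONT;
}

/**
 * Searches for unallocated MFT entries that have a given
 * MFT entry as their parent directory (as reported in FILE_NAME).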
 * @param fs File system to search
 * @param lclflags Flags
 * @param par Parent directory MFT entry address
 * @returns 1 on error and 0 on success
 */
uint8_t
tsk_fs_ifind_par(TSK_FS_INFO * fs, TSK_FS_IFIND_FLAG_ENUM lclflags,
    TSK_INUM_T par)
{
    /* The callback prints the hits itself; 'found' is recorded by it but
     * is not reported back to the caller here. */
    IFIND_PAR_DATA data = {
        .parinode = par,
        .flags = lclflags,
        .found = 0
    };
    int walk_failed;

    /* Walk unallocated MFT entries */
    walk_failed = fs->inode_walk(fs, fs->first_inum, fs->last_inum,
        TSK_FS_META_FLAG_UNALLOC, ifind_par_act, &data);

    return walk_failed ? 1 : 0;
}

/**
 * \ingroup fslib
 *
 * Find the meta data address for a given file name (UTF-8)
 *
 * @param a_fs FS to analyze
 * @param a_path UTF-8 path of file to search for
 * @param [out] a_result Meta data address of file
 * @param [out] a_fs_name Copy of name details (or NULL if details not wanted)
 * @returns -1 on (system) error, 0 if found, and 1 if not found
 */
int8_t
tsk_fs_path2inum(TSK_FS_INFO * a_fs, const char *a_path,
    TSK_INUM_T * a_result, TSK_FS_NAME * a_fs_name)
{
    char *cpath;
    size_t clen;
    char *cur_dir;              // The "current" directory or file we are looking for
    char *cur_attr;             // The "current" attribute of the dir we are looking for
    char *strtok_last;
    TSK_INUM_T next_meta;

    *a_result = 0;

    // copy to a buffer that we can modify
    clen = strlen(a_path) + 1;
    if ((cpath = (char *) tsk_malloc(clen)) == NULL) {
        return -1;
    }
    strncpy(cpath, a_path, clen);

    cur_dir = (char *) strtok_r(cpath, "/", &strtok_last);
    cur_attr = NULL;

    /* If there is no token, then only a '/' was given */
    if (cur_dir == NULL) {
        free(cpath);
        *a_result = a_fs->root_inum;

        // create the dummy entry if needed
        if (a_fs_name) {
            a_fs_name->meta_addr = a_fs->root_inum;
            a_fs_name->type = TSK_FS_NAME_TYPE_DIR;
            a_fs_name->flags = TSK_FS_NAME_FLAG_ALLOC;
            if (a_fs_name->name)
                a_fs_name->name[0] = '\0';
            if (a_fs_name->shrt_name)
                a_fs_name->shrt_name[0] = '\0';
        }
        return 0;
    }

    /* If this is NTFS, seperate out the attribute of the current directory */
    if (TSK_FS_TYPE_ISNTFS(a_fs->ftype)
        && ((cur_attr = strchr(cur_dir, ':')) != NULL)) {
        *(cur_attr) =
'\0'; cur_attr++; } if (tsk_verbose) tsk_fprintf(stderr, "Looking for %s\n", cur_dir); // initialize the first place to look, the root dir next_meta = a_fs->root_inum; // we loop until we know the outcome and then exit. // everything should return from inside the loop. while (1) { size_t i; uint8_t found_name; TSK_FS_DIR *fs_dir = NULL; if ((fs_dir = tsk_fs_dir_open_meta(a_fs, next_meta)) == NULL) { free(cpath); return -1; } // will be set to 1 if an entry in this dir matches the target found_name = 0; // cycle through each entry for (i = 0; i < tsk_fs_dir_getsize(fs_dir); i++) { TSK_FS_FILE *fs_file; if ((fs_file = tsk_fs_dir_get(fs_dir, i)) == NULL) { free(cpath); return -1; } /* * Check if this is the name that we are currently looking for, * as identified in 'cur_dir' */ if (TSK_FS_TYPE_ISFFS(a_fs->ftype) || TSK_FS_TYPE_ISEXT(a_fs->ftype)) { if (strcmp(fs_file->name->name, cur_dir) == 0) { found_name = 1; } } /* FAT is a special case because we do case insensitive and we check * the short name */ else if (TSK_FS_TYPE_ISFAT(a_fs->ftype)) { if (strcasecmp(fs_file->name->name, cur_dir) == 0) { found_name = 1; } else if (strcasecmp(fs_file->name->shrt_name, cur_dir) == 0) { found_name = 1; } } /* NTFS gets a case insensitive comparison */ else if (TSK_FS_TYPE_ISNTFS(a_fs->ftype)) { if (strcasecmp(fs_file->name->name, cur_dir) == 0) { /* ensure we have the right attribute name */ if (cur_attr == NULL) { found_name = 1; } else { if (fs_file->meta) { int cnt, i; // cycle through the attributes cnt = tsk_fs_file_attr_getsize(fs_file); for (i = 0; i < cnt; i++) { const TSK_FS_ATTR *fs_attr = tsk_fs_file_attr_get_idx(fs_file, i); if (!fs_attr) continue; if (strcasecmp(fs_attr->name, cur_attr) == 0) { found_name = 1; } } } if (found_name != 1) { free(cpath); if (tsk_verbose) tsk_fprintf(stderr, "Attribute name (%s) not found in %s: %" PRIuINUM "\n", cur_attr, cur_dir, fs_file->name->meta_addr); return 1; } } } } /* if found_name is 1, this entry was our target. 
Update * data and move on to the next step, if needed. */ if (found_name) { const char *pname; pname = cur_dir; // save a copy of the current name pointer // advance to the next name cur_dir = (char *) strtok_r(NULL, "/", &(strtok_last)); cur_attr = NULL; if (tsk_verbose)