Skip to content
Snippets Groups Projects
Commit 17dde634 authored by Brian Carrier's avatar Brian Carrier
Browse files

Updated comments and a code layout

parent 67a2e2d0
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
API-CHANGES.txt
+ 1
0
View file @ 17dde634
...@@ -4,3 +4,4 @@ Changes to make once we are ready to do a backwards incompatible change. ...@@ -4,3 +4,4 @@ Changes to make once we are ready to do a backwards incompatible change.
- Java SleuthkitCase.addArtifactType shoudl return different if artifact already exists or getArtifactId should.... - Java SleuthkitCase.addArtifactType shoudl return different if artifact already exists or getArtifactId should....
- Java SleuthkitCase.findFilesWhere should return AbstractFile liek findFiles - Java SleuthkitCase.findFilesWhere should return AbstractFile liek findFiles
- getUniquePath() should not throw exception. - getUniquePath() should not throw exception.
- hashdb idx_open (and others) shoudl have htype be enum
tsk/hashdb/Makefile.am
+ 1
0
View file @ 17dde634
...@@ -4,6 +4,7 @@ EXTRA_DIST = .indent.pro ...@@ -4,6 +4,7 @@ EXTRA_DIST = .indent.pro
noinst_LTLIBRARIES = libtskhashdb.la noinst_LTLIBRARIES = libtskhashdb.la
libtskhashdb_la_SOURCES = ascii_index.c sqlite_index.cpp \ libtskhashdb_la_SOURCES = ascii_index.c sqlite_index.cpp \
tm_lookup.cpp md5sum_index.c nsrl_index.c \ tm_lookup.cpp md5sum_index.c nsrl_index.c \
hdb_open.cpp hdb_index.cpp \
hk_index.c idxonly_index.c encase_index.c tsk_hashdb_i.h hk_index.c idxonly_index.c encase_index.c tsk_hashdb_i.h
indent: indent:
......
tsk/hashdb/ascii_index.c
+ 4
6
View file @ 17dde634
...@@ -14,7 +14,8 @@ ...@@ -14,7 +14,8 @@
/** /**
* \file sqlite_index.c * \file sqlite_index.c
* Contains functions for creating a SQLite format hash index * Contains functions for creating the original binary search / ASCII index
* and looking up values in it.
*/ */
/** Initialize the TSK hash DB index file. This creates the intermediate file, /** Initialize the TSK hash DB index file. This creates the intermediate file,
...@@ -64,6 +65,7 @@ plain_txt_addentry_bin(TSK_HDB_INFO * hdb_info, unsigned char *hvalue, int hlen, ...@@ -64,6 +65,7 @@ plain_txt_addentry_bin(TSK_HDB_INFO * hdb_info, unsigned char *hvalue, int hlen,
TSK_OFF_T offset) TSK_OFF_T offset)
{ {
// Creating plain text indices is unsupported // Creating plain text indices is unsupported
// @@@ ERROR NEEDED HERE
return 1; return 1;
} }
...@@ -78,6 +80,7 @@ plain_txt_addentry_bin(TSK_HDB_INFO * hdb_info, unsigned char *hvalue, int hlen, ...@@ -78,6 +80,7 @@ plain_txt_addentry_bin(TSK_HDB_INFO * hdb_info, unsigned char *hvalue, int hlen,
plain_txt_finalize(TSK_HDB_INFO * hdb_info) plain_txt_finalize(TSK_HDB_INFO * hdb_info)
{ {
// Creating plain text indices is unsupported // Creating plain text indices is unsupported
// @@@ ERROR NEEDED HERE
return 1; return 1;
} }
...@@ -300,11 +303,6 @@ plain_txt_open(TSK_HDB_INFO * hdb_info, TSK_IDX_INFO * idx_info, uint8_t htype) ...@@ -300,11 +303,6 @@ plain_txt_open(TSK_HDB_INFO * hdb_info, TSK_IDX_INFO * idx_info, uint8_t htype)
/** /**
* \ingroup hashdblib * \ingroup hashdblib
* Search the index for a text/ASCII hash value * Search the index for a text/ASCII hash value
......
tsk/hashdb/hdb_index.cpp 0 → 100644
+ 507
0
View file @ 17dde634
/*
* The Sleuth Kit
*
* Brian Carrier [carrier <at> sleuthkit [dot] org]
* Copyright (c) 2003-2013 Brian Carrier. All rights reserved
*
*
* This software is distributed under the Common Public License 1.0
*/
#include "tsk_hashdb_i.h"
/**
* \file hdb_index.cpp
* Contains the code to make indexes for databases.
*/
/**
* Open a file and return a handle to it.
*/
static FILE *
tsk_idx_open_file(TSK_TCHAR *idx_fname)
{
if (idx_fname == NULL) {
return NULL;
}
FILE * idx = NULL;
#ifdef TSK_WIN32
{
HANDLE hWin;
//DWORD szLow, szHi;
if (-1 == GetFileAttributes(idx_fname)) {
//tsk_release_lock(&idx_info->lock);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_MISSING);
tsk_error_set_errstr(
"tsk_idx_open_file: Error finding index file: %"PRIttocTSK,
idx_fname);
return NULL;
}
if ((hWin = CreateFile(idx_fname, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0)) ==
INVALID_HANDLE_VALUE) {
//tsk_release_lock(&idx_info->lock);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"tsk_idx_open_file: Error opening index file: %"PRIttocTSK,
idx_fname);
return NULL;
}
idx = _fdopen(_open_osfhandle((intptr_t) hWin, _O_RDONLY), "r");
}
#else
{
idx = fopen(idx_fname, "r");
}
#endif
return idx;
}
/**
* Open an index for the given hash db
* We only create kdb (SQLite) files, but can open old indexes.
* @return NULL on error, TSK_IDX_INFO instance on success
*/
// @@@ htype should be enum
static TSK_IDX_INFO *
tsk_idx_open(TSK_HDB_INFO * hdb_info, uint8_t htype, uint8_t create)
{
TSK_IDX_INFO * idx_info;
size_t flen;
const int header_size = 16;
char header[header_size];
FILE * idx = NULL;
if (hdb_info->idx_info != NULL) {
return hdb_info->idx_info;
}
if ((idx_info =
(TSK_IDX_INFO *) tsk_malloc(sizeof(TSK_IDX_INFO))) == NULL) {
return NULL;
}
hdb_info->idx_info = idx_info;
/* Make the name for the index file */
flen = TSTRLEN(hdb_info->db_fname) + 32;
idx_info->idx_fname =
(TSK_TCHAR *) tsk_malloc(flen * sizeof(TSK_TCHAR));
if (idx_info->idx_fname == NULL) {
free(idx_info);
// @@@ ERROR INFO NEEDED
return NULL;
}
/* Get hash type specific information */
switch (htype) {
case TSK_HDB_HTYPE_MD5_ID:
hdb_info->hash_type = static_cast<TSK_HDB_HTYPE_ENUM>(htype);
hdb_info->hash_len = TSK_HDB_HTYPE_MD5_LEN;
break;
case TSK_HDB_HTYPE_SHA1_ID:
hdb_info->hash_type = static_cast<TSK_HDB_HTYPE_ENUM>(htype);
hdb_info->hash_len = TSK_HDB_HTYPE_SHA1_LEN;
break;
default:
free(idx_info);
// @@@ ERROR INFO NEEDED
return NULL;
}
// Verify the new SQLITE index exists, get its size, and open it for header reading
TSNPRINTF(idx_info->idx_fname, flen,
_TSK_T("%s.kdb"), hdb_info->db_fname);
if (((idx = tsk_idx_open_file(idx_info->idx_fname)) == NULL) && (create == 0)) {
// Try opening an old format index file
// Change the filename to the old format
switch (htype) {
case TSK_HDB_HTYPE_MD5_ID:
TSNPRINTF(idx_info->idx_fname, flen,
_TSK_T("%s-%") PRIcTSK _TSK_T(".idx"),
hdb_info->db_fname, TSK_HDB_HTYPE_MD5_STR);
break;
case TSK_HDB_HTYPE_SHA1_ID:
TSNPRINTF(idx_info->idx_fname, flen,
_TSK_T("%s-%") PRIcTSK _TSK_T(".idx"),
hdb_info->db_fname, TSK_HDB_HTYPE_SHA1_STR);
break;
}
idx = tsk_idx_open_file(idx_info->idx_fname);
if (!idx) {
free(idx_info);
// @@@ ERROR NEEDED
return NULL;
}
if (1 != fread(header, header_size, 1, idx)) {
///@@@ ERROR
return NULL;
}
else if (strncmp(header,
IDX_PLAIN_TXT_HEADER,
strlen(IDX_PLAIN_TXT_HEADER)) == 0) {
idx_info->index_type = TSK_HDB_ITYPE_PLAIN_TXT;
idx_info->open = plain_txt_open;
idx_info->close = plain_txt_close;
idx_info->initialize = plain_txt_initialize;
idx_info->addentry = plain_txt_addentry;
idx_info->addentry_bin = plain_txt_addentry_bin;
idx_info->finalize = plain_txt_finalize;
idx_info->lookup_str = plain_txt_lookup_str;
idx_info->lookup_raw = plain_txt_lookup_raw;
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_MISSING);
tsk_error_set_errstr(
"tsk_idx_open: Unrecognized header format: %s\n",
idx_info->idx_fname);
free(idx_info);
return NULL;
}
}
// kdb extension
else {
if (idx) {
if (1 != fread(header, header_size, 1, idx)) {
///@todo should this actually be an error?
idx_info->index_type = TSK_HDB_ITYPE_SQLITE_V1;
}
else if (strncmp(header,
IDX_SQLITE_V1_HEADER,
strlen(IDX_SQLITE_V1_HEADER)) == 0) {
idx_info->index_type = TSK_HDB_ITYPE_SQLITE_V1;
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_MISSING);
tsk_error_set_errstr(
"tsk_idx_open: Unrecognized header format: %s\n",
idx_info->idx_fname);
free(idx_info);
return NULL;
}
}
idx_info->open = sqlite_v1_open;
idx_info->close = sqlite_v1_close;
idx_info->initialize = sqlite_v1_initialize;
idx_info->addentry = sqlite_v1_addentry;
idx_info->addentry_bin = sqlite_v1_addentry_bin;
idx_info->finalize = sqlite_v1_finalize;
idx_info->lookup_str = sqlite_v1_lookup_str;
idx_info->lookup_raw = sqlite_v1_lookup_raw;
}
// Open
if (idx_info->open(hdb_info, idx_info, htype) == 0) {
return idx_info;
}
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"Error setting up idx_info struct: %d\n", htype);
free(idx_info);
return NULL;
}
/**
* Ensures that the index is already opened or can be opened.
* @param hdb_info Database handle
* @param htype TSK_HDB_HTYPE_ENUM value
* @param
* @return 0 if already set up or if setup successful, 1 otherwise
*/
uint8_t
hdb_setupindex(TSK_HDB_INFO * hdb_info, uint8_t htype, uint8_t create)
{
// Lock for lazy load of idx_info and lazy alloc of idx_lbuf.
tsk_take_lock(&hdb_info->lock);
// already opened
if (hdb_info->idx_info != NULL) {
tsk_release_lock(&hdb_info->lock);
return 0;
}
hdb_info->idx_info = tsk_idx_open(hdb_info, htype, create);
if (hdb_info->idx_info != NULL) {
tsk_release_lock(&hdb_info->lock);
return 0;
}
tsk_release_lock(&hdb_info->lock);
return 1;
}
/**
* Creates and initialize a new TSK hash DB index file.
*
* @param hdb_info Hash database state structure
* @param a_dbtype String of index type to create
*
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxinitialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * a_dbtype)
{
char dbtmp[32];
int i;
bool create = true; //create new file if it doesn't already exist
/* Use the string of the index/hash type to figure out some
* settings */
// convert to char -- cheating way to deal with WCHARs..
for (i = 0; i < 31 && a_dbtype[i] != '\0'; i++) {
dbtmp[i] = (char) a_dbtype[i];
}
dbtmp[i] = '\0';
// MD5 index for NSRL file
if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_MD5_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
// SHA1 index for NSRL file
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_SHA1_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_SHA1_ID;
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_MD5SUM_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_MD5SUM_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_MD5SUM_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_HK_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_HK_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_HK_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_ENCASE_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_ENCASE_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_ENCASE_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: Unknown database type request: %s",
dbtmp);
return 1;
}
/* Setup the internal hash information */
if (hdb_setupindex(hdb_info, hdb_info->hash_type, create)) {
return 1;
}
/* Call db-specific initialize function */
return hdb_info->idx_info->initialize(hdb_info, a_dbtype);
}
/**
* Add a string hash entry to the index
*
* @param hdb_info Hash database state info
* @param hvalue String of hash value to add
* @param offset Byte offset of hash entry in original database.
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxaddentry(TSK_HDB_INFO * hdb_info, char *hvalue,
TSK_OFF_T offset)
{
return hdb_info->idx_info->addentry(hdb_info, hvalue, offset);
}
/**
* Add a binary hash entry to the index
*
* @param hdb_info Hash database state info
* @param hvalue Array of integers of hash value to add
* @param hlen Number of bytes in hvalue
* @param offset Byte offset of hash entry in original database.
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxaddentry_bin(TSK_HDB_INFO * hdb_info, unsigned char *hvalue, int hlen,
TSK_OFF_T offset)
{
return hdb_info->idx_info->addentry_bin(hdb_info, hvalue, hlen, offset);
}
/**
* Finalize index creation process.
*
* @param hdb_info Hash database state info structure.
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxfinalize(TSK_HDB_INFO * hdb_info)
{
return hdb_info->idx_info->finalize(hdb_info);
}
/**
* \ingroup hashdblib
* Determine if the open hash database has an index.
*
* @param hdb_info Hash database to consider
* @param htype Hash type that index should be of
*
* @return 1 if index exists and 0 if not
*/
uint8_t
tsk_hdb_hasindex(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
/* Check if the index is already open, and
* try to open it if not */
if (hdb_setupindex(hdb_info, htype, false)) {
return 0;
} else {
return 1;
}
}
/**
* \ingroup hashdblib
* Close an open hash index
*
* @param idx_info index to close
*/
void tsk_idx_close(TSK_IDX_INFO * idx_info)
{
if (idx_info->idx_fname) {
free(idx_info->idx_fname);
}
idx_info->close(idx_info);
}
/**
* \ingroup hashdblib
* Create an index for an open hash database.
* @param a_hdb_info Open hash database to index
* @param a_type Text of hash database type
* @returns 1 on error
*/
uint8_t
tsk_hdb_makeindex(TSK_HDB_INFO * a_hdb_info, TSK_TCHAR * a_type)
{
return a_hdb_info->makeindex(a_hdb_info, a_type);
}
/**
* Set db_name to the name of the database file
*
* @param hdb_info the hash database object
*/
void
tsk_hdb_name_from_path(TSK_HDB_INFO * hdb_info)
{
#ifdef TSK_WIN32
const char PATH_CHAR = '\\';
#else
const char PATH_CHAR = '/';
#endif
TSK_TCHAR * begin;
TSK_TCHAR * end;
int i;
hdb_info->db_name[0] = '\0';
begin = TSTRRCHR(hdb_info->db_fname, PATH_CHAR);
#ifdef TSK_WIN32
// cygwin can have forward slashes, so try that too on Windows
if (!begin) {
begin = TSTRRCHR(hdb_info->db_fname, '/');
}
#endif
if (!begin) {
begin = hdb_info->db_fname;
}
else {
// unlikely since this means that the dbname is "/"
if (TSTRLEN(begin) == 1)
return;
else
begin++;
}
// end points to the byte after the last one we want to use
if ((TSTRLEN(hdb_info->db_fname) > 4) && (TSTRICMP(&hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4], _TSK_T(".idx")) == 0))
end = &hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4];
else
end = begin + TSTRLEN(begin);
// @@@ TODO: Use TskUTF16_to_UTF8 to properly convert for Windows
for(i = 0; i < (end-begin); i++)
{
hdb_info->db_name[i] = (char) begin[i];
}
hdb_info->db_name[i] = '\0';
}
tsk/hashdb/hdb_open.cpp 0 → 100644
+ 211
0
View file @ 17dde634
/*
* The Sleuth Kit
*
* Brian Carrier [carrier <at> sleuthkit [dot] org]
* Copyright (c) 2003-2013 Brian Carrier. All rights reserved
*
*
* This software is distributed under the Common Public License 1.0
*/
#include "tsk_hashdb_i.h"
/**
* \file hdb_open.c
* Contains the generic hash database creation and lookup code.
*/
/**
* \ingroup hashdblib
* Open an existing hash database.
*
* @param db_file Path to database (even if only an index exists, in which case db path should still be listed).
* @param flags Flags for opening the database.
*
* @return Poiner to hash database state structure or NULL on error
*/
TSK_HDB_INFO *
tsk_hdb_open(TSK_TCHAR * db_file, TSK_HDB_OPEN_ENUM flags)
{
TSK_HDB_INFO *hdb_info;
size_t flen;
FILE *hDb;
uint8_t dbtype = 0;
if ((flags & TSK_HDB_OPEN_IDXONLY) == 0) {
/* Open the database file */
#ifdef TSK_WIN32
{
HANDLE hWin;
if ((hWin = CreateFile(db_file, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
0)) == INVALID_HANDLE_VALUE) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"hdb_open: Error opening database file: %S",
db_file);
return NULL;
}
hDb =
_fdopen(_open_osfhandle((intptr_t) hWin, _O_RDONLY), "r");
if (hDb == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"hdb_open: Error converting Windows handle to C handle");
return NULL;
}
}
#else
if (NULL == (hDb = fopen(db_file, "r"))) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"hdb_open: Error opening database file: %s", db_file);
return NULL;
}
#endif
/* Try to figure out what type of DB it is */
if (nsrl_test(hDb)) {
dbtype = TSK_HDB_DBTYPE_NSRL_ID;
}
if (md5sum_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type (MD5sum)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_MD5SUM_ID;
}
if (encase_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type (EnCase)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_ENCASE_ID;
}
if (hk_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type (HK)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_HK_ID;
}
if (dbtype == 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type");
return NULL;
}
fseeko(hDb, 0, SEEK_SET);
}
else {
dbtype = TSK_HDB_DBTYPE_IDXONLY_ID;
hDb = NULL;
}
if ((hdb_info =
(TSK_HDB_INFO *) tsk_malloc(sizeof(TSK_HDB_INFO))) == NULL)
return NULL;
hdb_info->hDb = hDb;
/* Copy the database name into the structure */
flen = TSTRLEN(db_file) + 8; // + 32;
hdb_info->db_fname =
(TSK_TCHAR *) tsk_malloc(flen * sizeof(TSK_TCHAR));
if (hdb_info->db_fname == NULL) {
free(hdb_info);
return NULL;
}
TSTRNCPY(hdb_info->db_fname, db_file, flen);
hdb_info->hash_type = static_cast<TSK_HDB_HTYPE_ENUM>(0);
hdb_info->hash_len = 0;
hdb_info->idx_info = NULL;
// Initialize mutex (or critical section) obj
tsk_init_lock(&hdb_info->lock);
/* Get database specific information */
hdb_info->db_type = static_cast<TSK_HDB_DBTYPE_ENUM>(dbtype);
switch (dbtype) {
case TSK_HDB_DBTYPE_NSRL_ID:
nsrl_name(hdb_info);
hdb_info->getentry = nsrl_getentry;
hdb_info->makeindex = nsrl_makeindex;
break;
case TSK_HDB_DBTYPE_MD5SUM_ID:
md5sum_name(hdb_info);
hdb_info->getentry = md5sum_getentry;
hdb_info->makeindex = md5sum_makeindex;
break;
case TSK_HDB_DBTYPE_ENCASE_ID:
encase_name(hdb_info);
hdb_info->getentry = encase_getentry;
hdb_info->makeindex = encase_makeindex;
break;
case TSK_HDB_DBTYPE_HK_ID:
hk_name(hdb_info);
hdb_info->getentry = hk_getentry;
hdb_info->makeindex = hk_makeindex;
break;
case TSK_HDB_DBTYPE_IDXONLY_ID:
idxonly_name(hdb_info);
hdb_info->getentry = idxonly_getentry;
hdb_info->makeindex = idxonly_makeindex;
break;
default:
return NULL;
}
return hdb_info;
}
/**
* \ingroup hashdblib
* Close an open hash database.
*
* @param hdb_info database to close
*/
void
tsk_hdb_close(TSK_HDB_INFO * hdb_info)
{
if (hdb_info->db_fname)
free(hdb_info->db_fname);
if (hdb_info->hDb)
fclose(hdb_info->hDb);
if (hdb_info->idx_info) {
tsk_idx_close(hdb_info->idx_info);
}
tsk_deinit_lock(&hdb_info->lock);
free(hdb_info);
}
tsk/hashdb/sqlite_index.cpp
+ 9
8
View file @ 17dde634
...@@ -85,7 +85,7 @@ static uint8_t tsk_hdb_commit_transaction(TSK_IDX_INFO * idx_info) { ...@@ -85,7 +85,7 @@ static uint8_t tsk_hdb_commit_transaction(TSK_IDX_INFO * idx_info) {
return attempt_exec_nocallback("COMMIT", "Error committing transaction %s\n", idx_info->idx_struct.idx_sqlite_v1->hIdx_sqlite); return attempt_exec_nocallback("COMMIT", "Error committing transaction %s\n", idx_info->idx_struct.idx_sqlite_v1->hIdx_sqlite);
} }
/** Initialize the TSK hash DB index file. /** Initialize the TSK hash DB index file by creating tables, etc..
* *
* @param hdb_info Hash database state structure * @param hdb_info Hash database state structure
* @param htype String of index type to create * @param htype String of index type to create
...@@ -125,11 +125,12 @@ sqlite_v1_initialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype) ...@@ -125,11 +125,12 @@ sqlite_v1_initialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype)
} }
if (attempt_exec_nocallback if (attempt_exec_nocallback
("CREATE TABLE hashset_hashes (md5 BINARY(16), sha1 BINARY(20), database_offset INTEGER);", ("CREATE TABLE hashset_hashes (md5 BINARY(16), sha1 BINARY(20), sha256 BINARY(32), database_offset INTEGER);",
"Error creating hashset_hashes table %s\n", hdb_info->idx_info->idx_struct.idx_sqlite_v1->hIdx_sqlite)) { "Error creating hashset_hashes table %s\n", hdb_info->idx_info->idx_struct.idx_sqlite_v1->hIdx_sqlite)) {
return 1; return 1;
} }
// @@@ This seems like the wrong long-term place for this because we could want to insert even if we don't initialize a new DB
if (hdb_info->hash_type == TSK_HDB_HTYPE_MD5_ID) { if (hdb_info->hash_type == TSK_HDB_HTYPE_MD5_ID) {
insertStmt = "INSERT INTO hashset_hashes (md5, database_offset) VALUES (?, ?)"; insertStmt = "INSERT INTO hashset_hashes (md5, database_offset) VALUES (?, ?)";
} else if (hdb_info->hash_type == TSK_HDB_HTYPE_SHA1_ID) { } else if (hdb_info->hash_type == TSK_HDB_HTYPE_SHA1_ID) {
...@@ -147,8 +148,9 @@ sqlite_v1_initialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype) ...@@ -147,8 +148,9 @@ sqlite_v1_initialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype)
return 0; return 0;
} }
/** /**
* Add a string entry to the intermediate index file. * Add a string representation of a hash value to the index.
* *
* @param hdb_info Hash database state info * @param hdb_info Hash database state info
* @param hvalue String of hash value to add * @param hvalue String of hash value to add
...@@ -188,7 +190,7 @@ sqlite_v1_addentry(TSK_HDB_INFO * hdb_info, char *hvalue, ...@@ -188,7 +190,7 @@ sqlite_v1_addentry(TSK_HDB_INFO * hdb_info, char *hvalue,
} }
/** /**
* Add a binary entry to the intermediate index file. * Add a binary representation of a hash value into the index.
* *
* @param hdb_info Hash database state info * @param hdb_info Hash database state info
* @param hvalue Array of integers of hash value to add * @param hvalue Array of integers of hash value to add
...@@ -217,8 +219,7 @@ sqlite_v1_addentry_bin(TSK_HDB_INFO * hdb_info, uint8_t* hvalue, int hlen, ...@@ -217,8 +219,7 @@ sqlite_v1_addentry_bin(TSK_HDB_INFO * hdb_info, uint8_t* hvalue, int hlen,
} }
/** /**
* Finalize index creation process by sorting the index and removing the * Finalize index creation process
* intermediate temp file.
* *
* @param hdb_info Hash database state info structure. * @param hdb_info Hash database state info structure.
* @return 1 on error and 0 on success * @return 1 on error and 0 on success
...@@ -244,11 +245,11 @@ sqlite_v1_finalize(TSK_HDB_INFO * hdb_info) ...@@ -244,11 +245,11 @@ sqlite_v1_finalize(TSK_HDB_INFO * hdb_info)
/** \internal /** \internal
* Setup the internal variables to read an index. This * Setup the internal variables to read an index or database. This
* opens the index and sets the needed size information. * opens the index and sets the needed size information.
* *
* @param hdb_info Hash database to analyze * @param hdb_info Hash database to analyze
* @param hash The hash type that was used to make the index. * @param htype The hash type that was used to make the index.
* *
* @return 1 on error and 0 on success * @return 1 on error and 0 on success
*/ */
......
tsk/hashdb/tm_lookup.cpp
+ 2
675
View file @ 17dde634
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
* The Sleuth Kit * The Sleuth Kit
* *
* Brian Carrier [carrier <at> sleuthkit [dot] org] * Brian Carrier [carrier <at> sleuthkit [dot] org]
* Copyright (c) 2003-2011 Brian Carrier. All rights reserved * Copyright (c) 2003-2013 Brian Carrier. All rights reserved
* *
* *
* This software is distributed under the Common Public License 1.0 * This software is distributed under the Common Public License 1.0
...@@ -13,388 +13,10 @@ ...@@ -13,388 +13,10 @@
/** /**
* \file tm_lookup.c * \file tm_lookup.c
* Contains the generic hash database creation and lookup code. * Contains the generic hash database lookup code.
*/ */
/**
* Open an existing old plaintext idx structure.
* We can load both kdb (SQLite) and the old plaintext idx files.
*/
FILE *
tsk_idx_open_file(TSK_TCHAR *idx_fname)
{
if (idx_fname == NULL) {
return NULL;
}
FILE * idx = NULL;
#ifdef TSK_WIN32
{
HANDLE hWin;
//DWORD szLow, szHi;
if (-1 == GetFileAttributes(idx_fname)) {
//tsk_release_lock(&idx_info->lock);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_MISSING);
tsk_error_set_errstr(
"tsk_idx_open_file: Error finding index file: %"PRIttocTSK,
idx_fname);
return NULL;
}
if ((hWin = CreateFile(idx_fname, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0)) ==
INVALID_HANDLE_VALUE) {
//tsk_release_lock(&idx_info->lock);
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"tsk_idx_open_file: Error opening index file: %"PRIttocTSK,
idx_fname);
return NULL;
}
idx = _fdopen(_open_osfhandle((intptr_t) hWin, _O_RDONLY), "r");
}
#else
{
idx = fopen(idx_fname, "r");
}
#endif
return idx;
}
/**
* Open a newly created blank index file for the given hash db
* We only create kdb (SQLite) files.
* @return NULL on error, TSK_IDX_INFO instance on success
*/
TSK_IDX_INFO *
tsk_idx_open(TSK_HDB_INFO * hdb_info, uint8_t htype, bool create)
{
TSK_IDX_INFO * idx_info;
size_t flen;
const int header_size = 16;
char header[header_size];
FILE * idx = NULL;
if (hdb_info->idx_info != NULL) {
return hdb_info->idx_info;
}
if ((idx_info =
(TSK_IDX_INFO *) tsk_malloc(sizeof(TSK_IDX_INFO))) == NULL) {
return NULL;
}
hdb_info->idx_info = idx_info;
/* Make the name for the index file */
flen = TSTRLEN(hdb_info->db_fname) + 32;
idx_info->idx_fname =
(TSK_TCHAR *) tsk_malloc(flen * sizeof(TSK_TCHAR));
if (idx_info->idx_fname == NULL) {
free(idx_info);
return NULL;
}
/* Get hash type specific information */
switch (htype) {
case TSK_HDB_HTYPE_MD5_ID:
hdb_info->hash_type = static_cast<TSK_HDB_HTYPE_ENUM>(htype);
hdb_info->hash_len = TSK_HDB_HTYPE_MD5_LEN;
TSNPRINTF(idx_info->idx_fname, flen,
_TSK_T("%s.kdb"),
hdb_info->db_fname);
break;
case TSK_HDB_HTYPE_SHA1_ID:
hdb_info->hash_type = static_cast<TSK_HDB_HTYPE_ENUM>(htype);
hdb_info->hash_len = TSK_HDB_HTYPE_SHA1_LEN;
TSNPRINTF(idx_info->idx_fname, flen,
_TSK_T("%s.kdb"),
hdb_info->db_fname);
break;
default:
free(idx_info);
return NULL;
}
// Verify the index exists, get its size, and open it for header reading
if ((idx = tsk_idx_open_file(idx_info->idx_fname)) == NULL) {
// If file DNE, then we might want to create a new one
if (create) {
idx_info->index_type = TSK_HDB_ITYPE_SQLITE_V1;
} else {
// Try opening an old format index file
// Change the filename to the old format
switch (htype) {
case TSK_HDB_HTYPE_MD5_ID:
TSNPRINTF(idx_info->idx_fname, flen,
_TSK_T("%s-%") PRIcTSK _TSK_T(".idx"),
hdb_info->db_fname, TSK_HDB_HTYPE_MD5_STR);
break;
case TSK_HDB_HTYPE_SHA1_ID:
TSNPRINTF(idx_info->idx_fname, flen,
_TSK_T("%s-%") PRIcTSK _TSK_T(".idx"),
hdb_info->db_fname, TSK_HDB_HTYPE_SHA1_STR);
break;
}
idx = tsk_idx_open_file(idx_info->idx_fname);
if (!idx) {
free(idx_info);
return NULL;
}
}
}
// Read header (if this was an existing file)
if (idx) {
if (NULL == fread(header, header_size, 1, idx)) {
///@todo should this actually be an error?
idx_info->index_type = TSK_HDB_ITYPE_SQLITE_V1;
} else if (strncmp(header,
IDX_SQLITE_V1_HEADER,
strlen(IDX_SQLITE_V1_HEADER)) == 0) {
idx_info->index_type = TSK_HDB_ITYPE_SQLITE_V1;
} else if (strncmp(header,
IDX_PLAIN_TXT_HEADER,
strlen(IDX_PLAIN_TXT_HEADER)) == 0) {
idx_info->index_type = TSK_HDB_ITYPE_PLAIN_TXT;
} else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_MISSING);
tsk_error_set_errstr(
"tsk_idx_open: Unrecognized header format: %s\n",
idx_info->idx_fname);
free(idx_info);
return NULL;
}
}
// Set up function pointers based on index type
switch (idx_info->index_type) {
case TSK_HDB_ITYPE_SQLITE_V1:
idx_info->open = sqlite_v1_open;
idx_info->close = sqlite_v1_close;
idx_info->initialize = sqlite_v1_initialize;
idx_info->addentry = sqlite_v1_addentry;
idx_info->addentry_bin = sqlite_v1_addentry_bin;
idx_info->finalize = sqlite_v1_finalize;
idx_info->lookup_str = sqlite_v1_lookup_str;
idx_info->lookup_raw = sqlite_v1_lookup_raw;
break;
case TSK_HDB_ITYPE_PLAIN_TXT:
idx_info->open = plain_txt_open;
idx_info->close = plain_txt_close;
idx_info->initialize = plain_txt_initialize;
idx_info->addentry = plain_txt_addentry;
idx_info->addentry_bin = plain_txt_addentry_bin;
idx_info->finalize = plain_txt_finalize;
idx_info->lookup_str = plain_txt_lookup_str;
idx_info->lookup_raw = plain_txt_lookup_raw;
break;
default:
free(idx_info);
return NULL;
}
// Open
if (idx_info->open(hdb_info, idx_info, htype) == 0) {
return idx_info;
}
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"Error setting up idx_info struct: %d\n", htype);
free(idx_info);
return NULL;
}
/**
* Set up the internal index structures
* @return 0 if already set up or if setup successful, 1 otherwise
*/
uint8_t
hdb_setupindex(TSK_HDB_INFO * hdb_info, uint8_t htype, bool create)
{
// Lock for lazy load of idx_info and lazy alloc of idx_lbuf.
tsk_take_lock(&hdb_info->lock);
if (hdb_info->idx_info != NULL) {
tsk_release_lock(&hdb_info->lock);
return 0;
}
hdb_info->idx_info = tsk_idx_open(hdb_info, htype, create);
if (hdb_info->idx_info != NULL) {
tsk_release_lock(&hdb_info->lock);
return 0;
}
tsk_release_lock(&hdb_info->lock);
return 1;
}
/** Initialize the TSK hash DB index file. This creates the intermediate file,
* which will have entries added to it.
*
* @param hdb_info Hash database state structure
* @param htype String of index type to create
*
* @return 1 on error and 0 on success
*
*/
uint8_t
tsk_hdb_idxinitialize(TSK_HDB_INFO * hdb_info, TSK_TCHAR * htype)
{
char dbtmp[32];
int i;
bool create = true; //create new file if it doesn't already exist
/* Use the string of the index/hash type to figure out some
* settings */
// convert to char -- cheating way to deal with WCHARs..
for (i = 0; i < 31 && htype[i] != '\0'; i++) {
dbtmp[i] = (char) htype[i];
}
dbtmp[i] = '\0';
if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_MD5_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_NSRL_SHA1_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_NSRL_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_NSRL_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_SHA1_ID;
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_MD5SUM_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_MD5SUM_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_MD5SUM_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_HK_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_HK_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_HK_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
else if (strcmp(dbtmp, TSK_HDB_DBTYPE_ENCASE_STR) == 0) {
if (hdb_info->db_type != TSK_HDB_DBTYPE_ENCASE_ID) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: database detected as: %d index creation as: %d",
hdb_info->db_type, TSK_HDB_DBTYPE_ENCASE_ID);
return 1;
}
hdb_info->hash_type = TSK_HDB_HTYPE_MD5_ID;
}
else {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_ARG);
tsk_error_set_errstr(
"hdb_idxinitialize: Unknown database type request: %s",
dbtmp);
return 1;
}
/* Setup the internal hash information */
if (hdb_setupindex(hdb_info, hdb_info->hash_type, create)) {
return 1;
}
/* Call htype-specific initialize function */
return hdb_info->idx_info->initialize(hdb_info, htype);
}
/**
* Add a string entry to the intermediate index file.
*
* @param hdb_info Hash database state info
* @param hvalue String of hash value to add
* @param offset Byte offset of hash entry in original database.
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxaddentry(TSK_HDB_INFO * hdb_info, char *hvalue,
TSK_OFF_T offset)
{
return hdb_info->idx_info->addentry(hdb_info, hvalue, offset);
}
/**
* Add a binary entry to the intermediate index file.
*
* @param hdb_info Hash database state info
* @param hvalue Array of integers of hash value to add
* @param hlen Number of bytes in hvalue
* @param offset Byte offset of hash entry in original database.
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxaddentry_bin(TSK_HDB_INFO * hdb_info, unsigned char *hvalue, int hlen,
TSK_OFF_T offset)
{
return hdb_info->idx_info->addentry_bin(hdb_info, hvalue, hlen, offset);
}
/**
* Finalize index creation process by sorting the index and removing the
* intermediate temp file.
*
* @param hdb_info Hash database state info structure.
* @return 1 on error and 0 on success
*/
uint8_t
tsk_hdb_idxfinalize(TSK_HDB_INFO * hdb_info)
{
return hdb_info->idx_info->finalize(hdb_info);
}
/** /**
* \ingroup hashdblib * \ingroup hashdblib
...@@ -481,298 +103,3 @@ tsk_hdb_lookup_raw(TSK_HDB_INFO * hdb_info, uint8_t * hash, uint8_t len, ...@@ -481,298 +103,3 @@ tsk_hdb_lookup_raw(TSK_HDB_INFO * hdb_info, uint8_t * hash, uint8_t len,
return hdb_info->idx_info->lookup_raw(hdb_info, hash, len, flags, action, ptr); return hdb_info->idx_info->lookup_raw(hdb_info, hash, len, flags, action, ptr);
} }
/**
* \ingroup hashdblib
* Determine if the open hash database has an index.
*
* @param hdb_info Hash database to consider
* @param htype Hash type that index should be of
*
* @return 1 if index exists and 0 if not
*/
uint8_t
tsk_hdb_hasindex(TSK_HDB_INFO * hdb_info, uint8_t htype)
{
/* Check if the index is already open, and
* try to open it if not */
if (hdb_setupindex(hdb_info, htype, false)) {
return 0;
} else {
return 1;
}
}
/**
* \ingroup hashdblib
* Open a hash database.
*
* @param db_file Path to database (even if only an index exists).
* @param flags Flags for opening the database.
*
* @return Poiner to hash database state structure or NULL on error
*/
TSK_HDB_INFO *
tsk_hdb_open(TSK_TCHAR * db_file, TSK_HDB_OPEN_ENUM flags)
{
TSK_HDB_INFO *hdb_info;
size_t flen;
FILE *hDb;
uint8_t dbtype = 0;
if ((flags & TSK_HDB_OPEN_IDXONLY) == 0) {
/* Open the database file */
#ifdef TSK_WIN32
{
HANDLE hWin;
if ((hWin = CreateFile(db_file, GENERIC_READ,
FILE_SHARE_READ, 0, OPEN_EXISTING, 0,
0)) == INVALID_HANDLE_VALUE) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"hdb_open: Error opening database file: %S",
db_file);
return NULL;
}
hDb =
_fdopen(_open_osfhandle((intptr_t) hWin, _O_RDONLY), "r");
if (hDb == NULL) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"hdb_open: Error converting Windows handle to C handle");
return NULL;
}
}
#else
if (NULL == (hDb = fopen(db_file, "r"))) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_OPEN);
tsk_error_set_errstr(
"hdb_open: Error opening database file: %s", db_file);
return NULL;
}
#endif
/* Try to figure out what type of DB it is */
if (nsrl_test(hDb)) {
dbtype = TSK_HDB_DBTYPE_NSRL_ID;
}
if (md5sum_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type (MD5sum)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_MD5SUM_ID;
}
if (encase_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type (EnCase)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_ENCASE_ID;
}
if (hk_test(hDb)) {
if (dbtype != 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type (HK)");
return NULL;
}
dbtype = TSK_HDB_DBTYPE_HK_ID;
}
if (dbtype == 0) {
tsk_error_reset();
tsk_error_set_errno(TSK_ERR_HDB_UNKTYPE);
tsk_error_set_errstr(
"hdb_open: Error determining DB type");
return NULL;
}
fseeko(hDb, 0, SEEK_SET);
}
else {
dbtype = TSK_HDB_DBTYPE_IDXONLY_ID;
hDb = NULL;
}
if ((hdb_info =
(TSK_HDB_INFO *) tsk_malloc(sizeof(TSK_HDB_INFO))) == NULL)
return NULL;
hdb_info->hDb = hDb;
/* Copy the database name into the structure */
flen = TSTRLEN(db_file) + 8; // + 32;
hdb_info->db_fname =
(TSK_TCHAR *) tsk_malloc(flen * sizeof(TSK_TCHAR));
if (hdb_info->db_fname == NULL) {
free(hdb_info);
return NULL;
}
TSTRNCPY(hdb_info->db_fname, db_file, flen);
hdb_info->hash_type = static_cast<TSK_HDB_HTYPE_ENUM>(0);
hdb_info->hash_len = 0;
hdb_info->idx_info = NULL;
// Initialize mutex (or critical section) obj
tsk_init_lock(&hdb_info->lock);
/* Get database specific information */
hdb_info->db_type = static_cast<TSK_HDB_DBTYPE_ENUM>(dbtype);
switch (dbtype) {
case TSK_HDB_DBTYPE_NSRL_ID:
nsrl_name(hdb_info);
hdb_info->getentry = nsrl_getentry;
hdb_info->makeindex = nsrl_makeindex;
break;
case TSK_HDB_DBTYPE_MD5SUM_ID:
md5sum_name(hdb_info);
hdb_info->getentry = md5sum_getentry;
hdb_info->makeindex = md5sum_makeindex;
break;
case TSK_HDB_DBTYPE_ENCASE_ID:
encase_name(hdb_info);
hdb_info->getentry = encase_getentry;
hdb_info->makeindex = encase_makeindex;
break;
case TSK_HDB_DBTYPE_HK_ID:
hk_name(hdb_info);
hdb_info->getentry = hk_getentry;
hdb_info->makeindex = hk_makeindex;
break;
case TSK_HDB_DBTYPE_IDXONLY_ID:
idxonly_name(hdb_info);
hdb_info->getentry = idxonly_getentry;
hdb_info->makeindex = idxonly_makeindex;
break;
default:
return NULL;
}
return hdb_info;
}
/**
* \ingroup hashdblib
* Close an open hash index
*
* @param idx_info index to close
*/
void tsk_idx_close(TSK_IDX_INFO * idx_info)
{
if (idx_info->idx_fname) {
free(idx_info->idx_fname);
}
idx_info->close(idx_info);
}
/**
* \ingroup hashdblib
* Close an open hash database.
*
* @param hdb_info database to close
*/
void
tsk_hdb_close(TSK_HDB_INFO * hdb_info)
{
if (hdb_info->db_fname)
free(hdb_info->db_fname);
if (hdb_info->hDb)
fclose(hdb_info->hDb);
if (hdb_info->idx_info) {
tsk_idx_close(hdb_info->idx_info);
}
tsk_deinit_lock(&hdb_info->lock);
free(hdb_info);
}
/**
* \ingroup hashdblib
* Create an index for an open hash database.
* @param a_hdb_info Open hash database to index
* @param a_type Text of hash database type
* @returns 1 on error
*/
uint8_t
tsk_hdb_makeindex(TSK_HDB_INFO * a_hdb_info, TSK_TCHAR * a_type)
{
return a_hdb_info->makeindex(a_hdb_info, a_type);
}
/**
* Set db_name to the name of the database file
*
* @param hdb_info the hash database object
*/
void
tsk_hdb_name_from_path(TSK_HDB_INFO * hdb_info)
{
#ifdef TSK_WIN32
const char PATH_CHAR = '\\';
#else
const char PATH_CHAR = '/';
#endif
TSK_TCHAR * begin;
TSK_TCHAR * end;
int i;
hdb_info->db_name[0] = '\0';
begin = TSTRRCHR(hdb_info->db_fname, PATH_CHAR);
#ifdef TSK_WIN32
// cygwin can have forward slashes, so try that too on Windows
if (!begin) {
begin = TSTRRCHR(hdb_info->db_fname, '/');
}
#endif
if (!begin) {
begin = hdb_info->db_fname;
}
else {
// unlikely since this means that the dbname is "/"
if (TSTRLEN(begin) == 1)
return;
else
begin++;
}
// end points to the byte after the last one we want to use
if ((TSTRLEN(hdb_info->db_fname) > 4) && (TSTRICMP(&hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4], _TSK_T(".idx")) == 0))
end = &hdb_info->db_fname[TSTRLEN(hdb_info->db_fname)-4];
else
end = begin + TSTRLEN(begin);
// @@@ TODO: Use TskUTF16_to_UTF8 to properly convert for Windows
for(i = 0; i < (end-begin); i++)
{
hdb_info->db_name[i] = (char) begin[i];
}
hdb_info->db_name[i] = '\0';
}
tsk/hashdb/tsk_hashdb.h
+ 6
6
View file @ 17dde634
...@@ -96,12 +96,12 @@ extern "C" { ...@@ -96,12 +96,12 @@ extern "C" {
/* String versions of DB types */ /* String versions of DB types */
#define TSK_HDB_DBTYPE_NSRL_STR "nsrl" ///< NSRL String name #define TSK_HDB_DBTYPE_NSRL_STR "nsrl" ///< NSRL database
#define TSK_HDB_DBTYPE_NSRL_MD5_STR "nsrl-md5" ///< NSRL md5 string name #define TSK_HDB_DBTYPE_NSRL_MD5_STR "nsrl-md5" ///< NSRL database with MD5 index
#define TSK_HDB_DBTYPE_NSRL_SHA1_STR "nsrl-sha1" ///< NSRL SHA1 string name #define TSK_HDB_DBTYPE_NSRL_SHA1_STR "nsrl-sha1" ///< NSRL database with SHA1 index
#define TSK_HDB_DBTYPE_MD5SUM_STR "md5sum" ///< md5sum db string n ame #define TSK_HDB_DBTYPE_MD5SUM_STR "md5sum" ///< md5sum database
#define TSK_HDB_DBTYPE_HK_STR "hk" ///< hash keeper string name #define TSK_HDB_DBTYPE_HK_STR "hk" ///< hash keeper index
#define TSK_HDB_DBTYPE_ENCASE_STR "encase" ///< encase string name #define TSK_HDB_DBTYPE_ENCASE_STR "encase" ///< encase index
/// List of supported data base types /// List of supported data base types
#define TSK_HDB_DBTYPE_SUPPORT_STR "nsrl-md5, nsrl-sha1, md5sum, encase, hk" #define TSK_HDB_DBTYPE_SUPPORT_STR "nsrl-md5, nsrl-sha1, md5sum, encase, hk"
......
tsk/hashdb/tsk_hashdb_i.h
+ 5
0
View file @ 17dde634
...@@ -67,6 +67,11 @@ extern "C" { ...@@ -67,6 +67,11 @@ extern "C" {
#define IDX_SQLITE_V1_HEADER "SQLite format 3" #define IDX_SQLITE_V1_HEADER "SQLite format 3"
extern uint8_t
hdb_setupindex(TSK_HDB_INFO * hdb_info, uint8_t htype, uint8_t create);
extern void tsk_idx_close(TSK_IDX_INFO * idx_info);
extern uint8_t tsk_hdb_idxinitialize(TSK_HDB_INFO *, extern uint8_t tsk_hdb_idxinitialize(TSK_HDB_INFO *,
TSK_TCHAR * dbname); TSK_TCHAR * dbname);
extern uint8_t tsk_hdb_idxaddentry(TSK_HDB_INFO *, char *hvalue, extern uint8_t tsk_hdb_idxaddentry(TSK_HDB_INFO *, char *hvalue,
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment