Merge pull request #1617 from APriestman/5464_apfs_gettimes

5464 Fix tsk_gettimes for APFS file systems

Merge pull request #1617 from APriestman/5464_apfs_gettimes
225ec658 · Richard Cordovano · GitHub · ba326445 · 14e76f34 · 225ec658
Unverified Commit 225ec658 authored 5 years ago by Richard Cordovano Committed by GitHub 5 years ago
--- a/tools/autotools/tsk_gettimes.cpp
+++ b/tools/autotools/tsk_gettimes.cpp
@@ -46,11 +46,13 @@ class TskGetTimes:public TskAuto {
 	TskGetTimes(int32_t, bool);
    virtual TSK_RETVAL_ENUM processFile(TSK_FS_FILE * fs_file, const char *path);
    virtual TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO * vs_part);
+    virtual TSK_FILTER_ENUM filterPoolVol(const TSK_POOL_VOLUME_INFO * pool_vol);
    virtual TSK_FILTER_ENUM filterFs(TSK_FS_INFO * fs_info);
    virtual uint8_t handleError();
    
 private:
    int m_curVolAddr;
+    int m_curPoolVol;
    int32_t m_secSkew;
 	bool m_compute_hash;
 };
@@ -59,6 +61,7 @@ class TskGetTimes:public TskAuto {
 TskGetTimes::TskGetTimes(int32_t a_secSkew)
 {
    m_curVolAddr = -1;
+    m_curPoolVol = -1;
    m_secSkew = a_secSkew;
 	m_compute_hash = false;
 }
@@ -66,6 +69,7 @@ TskGetTimes::TskGetTimes(int32_t a_secSkew)
 TskGetTimes::TskGetTimes(int32_t a_secSkew, bool a_compute_hash)
 {
    m_curVolAddr = -1;
+    m_curPoolVol = -1;
    m_secSkew = a_secSkew;
 	m_compute_hash = a_compute_hash;
 }
@@ -87,14 +91,20 @@ TSK_RETVAL_ENUM TskGetTimes::processFile(TSK_FS_FILE * /*fs_file*/, const char *
 TSK_FILTER_ENUM
 TskGetTimes::filterFs(TSK_FS_INFO * fs_info)
 {
-    TSK_TCHAR volName[32];
+    TSK_TCHAR volName[65];
    if (m_curVolAddr > -1) {
-        TSNPRINTF(volName, 32, _TSK_T("vol%d/"),m_curVolAddr);
+        TSNPRINTF(volName, 32, _TSK_T("vol%d/"), m_curVolAddr);
    }
    else {
        volName[0] = '\0';
    }

+    TSK_TCHAR poolVolName[33];
+    if (m_curPoolVol > -1) {
+        TSNPRINTF(poolVolName, 32, _TSK_T("poolVol%d/"), m_curPoolVol);
+        TSTRNCAT(volName, poolVolName, 32);
+    }
+
    TSK_FS_FLS_FLAG_ENUM fls_flags = (TSK_FS_FLS_FLAG_ENUM)(TSK_FS_FLS_MAC | TSK_FS_FLS_DIR | TSK_FS_FLS_FILE | TSK_FS_FLS_FULL);
    if(m_compute_hash){
        fls_flags = (TSK_FS_FLS_FLAG_ENUM)(fls_flags | TSK_FS_FLS_HASH);
@@ -111,6 +121,15 @@ TSK_FILTER_ENUM
 TskGetTimes::filterVol(const TSK_VS_PART_INFO * vs_part)
 {
    m_curVolAddr = vs_part->addr;
+    m_curPoolVol = -1;
+    return TSK_FILTER_CONT;
+}
+
+
+TSK_FILTER_ENUM
+TskGetTimes::filterPoolVol(const TSK_POOL_VOLUME_INFO * pool_vol)
+{
+    m_curPoolVol = pool_vol->index;
    return TSK_FILTER_CONT;
 }


--- a/tsk/auto/auto.cpp
+++ b/tsk/auto/auto.cpp
@@ -202,6 +202,15 @@ TskAuto::filterVol(const TSK_VS_PART_INFO * /*vs_part*/)
    return TSK_FILTER_CONT;
 }

+TSK_FILTER_ENUM
+TskAuto::filterPoolVol(const TSK_POOL_VOLUME_INFO * /*pool_vol*/)
+{
+    /* Most of our tools can't handle pool volumes yet */
+    if (tsk_verbose)
+        fprintf(stderr, "filterPoolVol: Pool handling is not yet implemented for this tool\n");
+    return TSK_FILTER_SKIP;
+}
+
 TSK_FILTER_ENUM 
 TskAuto::filterFs(TSK_FS_INFO * /*fs_info*/)
 {
@@ -258,10 +267,18 @@ TSK_WALK_RET_ENUM
        return TSK_WALK_STOP;    

    // process it
-    TSK_RETVAL_ENUM retval2 = tsk->findFilesInFsRet(
-        a_vs_part->start * a_vs_part->vs->block_size, TSK_FS_TYPE_DETECT);
-    if ((retval2 == TSK_STOP) || (tsk->getStopProcessing())) {
-        return TSK_WALK_STOP;
+    if (tsk->hasPool(a_vs_part->start * a_vs_part->vs->block_size)) {
+        if (TSK_STOP == tsk->findFilesInPool(a_vs_part->start * a_vs_part->vs->block_size)
+            || tsk->getStopProcessing()) {
+            return TSK_WALK_STOP;
+        }
+    }
+    else {
+        TSK_RETVAL_ENUM retval2 = tsk->findFilesInFsRet(
+            a_vs_part->start * a_vs_part->vs->block_size, TSK_FS_TYPE_DETECT);
+        if ((retval2 == TSK_STOP) || (tsk->getStopProcessing())) {
+            return TSK_WALK_STOP;
+        }
    }

    //all errors would have been registered
@@ -301,7 +318,12 @@ TskAuto::findFilesInVs(TSK_OFF_T a_start, TSK_VS_TYPE_ENUM a_vtype)

        /* There was no volume system, but there could be a file system 
         * Errors will have been registered */
-        findFilesInFs(a_start);
+        if (hasPool(a_start)) {
+            findFilesInPool(a_start);
+        }
+        else {
+            findFilesInFs(a_start);
+        }
    }
    // process the volume system
    else {
@@ -334,6 +356,113 @@ TskAuto::findFilesInVs(TSK_OFF_T a_start)
    return findFilesInVs(a_start, TSK_VS_TYPE_DETECT);
 }

+/**
+ * Checks whether a volume contains a pool.
+ * @param a_start Byte offset to start analyzing from.
+ * @return true if a pool is found, false if not or on error 
+ */
+bool 
+TskAuto::hasPool(TSK_OFF_T a_start) 
+{
+    if (!m_img_info) {
+        tsk_error_reset();
+        tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
+        tsk_error_set_errstr("hasPool -- img_info");
+        registerError();
+        return false;
+    }
+
+    const auto pool = tsk_pool_open_img_sing(m_img_info, a_start, TSK_POOL_TYPE_DETECT);
+    if (pool == nullptr) {
+        return false;
+    }
+    pool->close(pool);
+    return true;
+}
+
+/**
+* Starts in a specified byte offset of the opened disk images and opens a pool
+* to search though any file systems in the pool. Will call processFile() on each file
+* that is found.
+* @param start Byte offset to start analyzing from.
+* @return 1 if an error occurred (message will have been registered), 0 on success
+*/
+uint8_t
+TskAuto::findFilesInPool(TSK_OFF_T start)
+{
+    return findFilesInPool(start, TSK_POOL_TYPE_DETECT);
+}
+
+
+/**
+* Starts in a specified byte offset of the opened disk images and opens a pool
+* to search though any file systems in the pool. Will call processFile() on each file
+* that is found.
+* @param start Byte offset to start analyzing from.
+* @param ptype The type of pool
+* @return 1 if an error occurred (message will have been registered), 0 on success
+*/
+uint8_t 
+TskAuto::findFilesInPool(TSK_OFF_T start, TSK_POOL_TYPE_ENUM ptype)
+{
+    if (!m_img_info) {
+        tsk_error_reset();
+        tsk_error_set_errno(TSK_ERR_AUTO_NOTOPEN);
+        tsk_error_set_errstr("findFilesInPool -- img_info");
+        registerError();
+        return TSK_ERR;
+    }
+
+    const auto pool = tsk_pool_open_img_sing(m_img_info, start, ptype);
+    if (pool == nullptr) {
+        tsk_error_set_errstr2(
+            "findFilesInPool: Error opening pool");
+        registerError();
+        return TSK_ERR;
+    }
+
+    /* Only APFS pools are currently supported */
+    if (pool->ctype == TSK_POOL_TYPE_APFS) {
+
+        TSK_POOL_VOLUME_INFO *vol_info = pool->vol_list;
+        while (vol_info != NULL) {
+
+            TSK_FILTER_ENUM filterRetval = filterPoolVol(vol_info);
+            if ((filterRetval == TSK_FILTER_STOP) || (m_stopAllProcessing))
+                return TSK_STOP;
+
+            if (filterRetval != TSK_FILTER_SKIP) {
+                TSK_FS_INFO *fs_info = apfs_open(pool, vol_info->block, TSK_FS_TYPE_APFS, "");
+                if (fs_info) {
+
+                    TSK_RETVAL_ENUM retval = findFilesInFsInt(fs_info, fs_info->root_inum);
+                    tsk_fs_close(fs_info);
+
+                    if (retval == TSK_STOP) {
+                        return TSK_STOP;
+                    }
+                }
+                else {
+                    tsk_error_set_errstr2(
+                        "findFilesInPool: Error opening APFS file system");
+                    registerError();
+                    return TSK_ERR;
+                }
+            }
+
+            vol_info = vol_info->next;
+        }
+    }
+    else {
+        tsk_error_reset();
+        tsk_error_set_errno(TSK_ERR_POOL_UNSUPTYPE);
+        tsk_error_set_errstr("%d", pool->ctype);
+        registerError();
+        return TSK_ERR;
+    }
+    return TSK_OK;
+}
+

 /**
 * Starts in a specified byte offset of the opened disk images and looks for a

--- a/tsk/auto/tsk_auto.h
+++ b/tsk/auto/tsk_auto.h
@@ -30,6 +30,7 @@
 #include "tsk/img/tsk_img.h"
 #include "tsk/vs/tsk_vs.h"
 #include "tsk/fs/tsk_fs.h"
+#include "tsk/pool/tsk_pool.h"

 #include <string>
 #include <vector>
@@ -84,6 +85,9 @@ class TskAuto {
    uint8_t findFilesInImg();
    uint8_t findFilesInVs(TSK_OFF_T start);
    uint8_t findFilesInVs(TSK_OFF_T start, TSK_VS_TYPE_ENUM vtype);
+    bool hasPool(TSK_OFF_T a_start);
+    uint8_t findFilesInPool(TSK_OFF_T start);
+    uint8_t findFilesInPool(TSK_OFF_T start, TSK_POOL_TYPE_ENUM ptype);
    uint8_t findFilesInFs(TSK_OFF_T start);
    uint8_t findFilesInFs(TSK_OFF_T start, TSK_FS_TYPE_ENUM ftype);
    uint8_t findFilesInFs(TSK_OFF_T start, TSK_INUM_T inum);
@@ -116,6 +120,16 @@ class TskAuto {
     */
    virtual TSK_FILTER_ENUM filterVol(const TSK_VS_PART_INFO * vs_part);

+    /**
+    * TskAuto calls this method before it processes each pool volume that is found in a
+    * pool. You can use this to learn about each volume before it is processed
+    * and you can force TskAuto to skip this volume. 
+    *
+    * @param pool_vol Pool volume details
+    * @returns Value to show if pool volume should be processed, skipped, or process should stop.
+    */
+    virtual TSK_FILTER_ENUM filterPoolVol(const TSK_POOL_VOLUME_INFO * pool_vol);
+
    /**
     * TskAuto calls this method before it processes each file system that is found in a 
     * volume. You can use this to learn about each file system before it is processed