diff --git a/tsk/auto/auto_db.cpp b/tsk/auto/auto_db.cpp index 01a3caa4dd4aaa137d1f67df4c0240e64c857364..87b3b9f3d0b0760a948942094aaf9fb68e1d3693 100755 --- a/tsk/auto/auto_db.cpp +++ b/tsk/auto/auto_db.cpp @@ -17,6 +17,7 @@ #include "tsk/img/img_writer.h" #if HAVE_LIBEWF #include "tsk/img/ewf.h" +#include "tsk/img/tsk_img_i.h" #endif #include <string.h> @@ -209,6 +210,7 @@ TskAutoDb::addImageDetails(const char* deviceId) { string md5 = ""; string sha1 = ""; + string collectionDetails = ""; #if HAVE_LIBEWF if (m_img_info->itype == TSK_IMG_TYPE_EWF_EWF) { // @@@ This should really probably be inside of a tsk_img_ method 
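Review bot: Including the internal image header `tsk/img/tsk_img_i.h` from auto_db.cpp pulls the `BUFFER_SIZE` macro and a set of libewf `inline` helpers into the auto layer, widening the layering leak that the existing `// @@@ This should really probably be inside of a tsk_img_ method` comment in the next hunk already flags. A single accessor exported by the tsk_img layer (one call returning the formatted acquisition text) would keep libewf types behind `tsk/img/ewf.h` and make this include unnecessary. If the internal header has to stay, a generic name like `BUFFER_SIZE` is likely to collide with other headers; something namespaced such as `TSK_EWF_HEADER_VALUE_SIZE` is safer.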
@@ -219,6 +221,62 @@ TskAutoDb::addImageDetails(const char* deviceId) if (ewf_info->sha1hash_isset) { sha1 = ewf_info->sha1hash; } + + char *res = libewf_read_unique_description(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_case_number(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_evidence_number(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_examiner_name(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_notes(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_model(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_serial_number(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_device_label(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_version(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_platform(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_acquired_date(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_system_date(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_acquiry_operating_system(ewf_info->handle); + collectionDetails.append(res); + free(res); + + res = libewf_read_acquiry_software_version(ewf_info->handle); + collectionDetails.append(res); + free(res); } #endif @@ -229,7 +287,7 @@ TskAutoDb::addImageDetails(const char* deviceId) devId = ""; } if (m_db->addImageInfo(m_img_info->itype, m_img_info->sector_size, - m_curImgId, m_curImgTZone, m_img_info->size, md5, sha1, "", devId)) { + m_curImgId, m_curImgTZone, m_img_info->size, md5, sha1, "", devId, collectionDetails)) { registerError(); return 1; } 
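Review bot: Every `collectionDetails.append(res)` in this hunk dereferences `res` without a NULL check, yet `read_libewf_header_value` hands back the raw result of `malloc(1)` on its fallback paths, so an allocation failure turns into undefined behaviour inside `std::string::append` instead of a missing field. The fourteen identical read/append/free triplets also need only one guard, and read more clearly, as a loop over a table of reader functions. These values (examiner name, notes, serial number, description, …) come straight from the evidence file's header and are later spliced into SQL in the db_*.cpp hunks, so the resulting string has to be treated as untrusted wherever it is consumed. addImageDetails continues outside the hunk.
```cpp
        typedef char *(*ewf_header_reader)(libewf_handle_t *);
        static const ewf_header_reader readers[] = {
            libewf_read_unique_description, libewf_read_case_number,
            libewf_read_evidence_number, libewf_read_examiner_name,
            libewf_read_notes, libewf_read_model, libewf_read_serial_number,
            libewf_read_device_label, libewf_read_version, libewf_read_platform,
            libewf_read_acquired_date, libewf_read_system_date,
            libewf_read_acquiry_operating_system, libewf_read_acquiry_software_version,
        };
        for (size_t i = 0; i < sizeof(readers) / sizeof(readers[0]); ++i) {
            char *res = readers[i](ewf_info->handle);
            if (res != NULL) {
                collectionDetails.append(res);
                free(res);
            }
        }
```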
diff --git a/tsk/auto/db_postgresql.cpp b/tsk/auto/db_postgresql.cpp index 666836810b06f67e95a7033d1fbcb0fb49cdda81..d305a9618699cdbd3ae27e938395df5386132c75 100755 --- a/tsk/auto/db_postgresql.cpp +++ b/tsk/auto/db_postgresql.cpp @@ -797,7 +797,7 @@ int TskDbPostgreSQL::addImageInfo(int type, int size, int64_t & objId, const str */ int TskDbPostgreSQL::addImageInfo(int type, int ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256) { - return addImageInfo(type, size, objId, timezone, 0, md5, sha1, sha256, ""); + return addImageInfo(type, size, objId, timezone, 0, md5, sha1, sha256, "", ""); } /** @@ -815,13 +815,13 @@ int TskDbPostgreSQL::addImageInfo(int type, int ssize, int64_t & objId, const st * @returns 1 on error, 0 on success */ int TskDbPostgreSQL::addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, - const string& sha1, const string& sha256, const string& deviceId) + const string& sha1, const string& sha256, const string& deviceId, const string& collectionDetails) { // Add the data source to the tsk_objects table. // We don't use addObject because we're passing in NULL as the parent - char stmt[2048]; + char stmt[20480000]; int expectedNumFileds = 1; - snprintf(stmt, 2048, "INSERT INTO tsk_objects (par_obj_id, type) VALUES (NULL, %d) RETURNING obj_id;", TSK_DB_OBJECT_TYPE_IMG); + snprintf(stmt, 20480000, "INSERT INTO tsk_objects (par_obj_id, type) VALUES (NULL, %d) RETURNING obj_id;", TSK_DB_OBJECT_TYPE_IMG); PGresult *res = get_query_result_set(stmt, "TskDbPostgreSQL::addObj: Error adding object to row: %s (result code %d)\n"); if (verifyNonEmptyResultSetSize(stmt, res, expectedNumFileds, "TskDbPostgreSQL::addObj: Unexpected number of columns in result set: Expected %d, Received %d\n")) { return 1; 
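Review bot: The rewritten forwarding call still passes `size` where the ten-argument overload expects the sector size and hard-codes `0` for the image size, although this overload declares `int ssize` and `TSK_OFF_T size` and the sqlite counterpart in the db_sqlite.cpp hunk forwards `ssize, …, size`; unless this is intentional, PostgreSQL cases going through this path record the image length as the sector size and a zero-length image. The mismatch predates the commit, but since the line is being rewritten anyway it is the moment to align it: `return addImageInfo(type, ssize, objId, timezone, size, md5, sha1, sha256, "", "");`.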
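Review bot: `char stmt[20480000];` places a 20 MB array on the stack of addImageInfo, which exceeds the default thread stack on common platforms (1 MB on Windows, typically 8 MB on Linux) and will fault before the first statement is even formatted; the two statements in this hunk still fit comfortably in the original 2048 bytes. Only the data_source_info insert in a later hunk needs room for `collectionDetails`, and because that text is sized by whoever wrote the E01 header it should be assembled on the heap (a `std::string` built from the escaped pieces) rather than by growing a fixed buffer to a guessed maximum. I would restore `char stmt[2048];` and the two `snprintf(stmt, 2048, ...)` calls here and size the collection-details statement from its inputs where it is built. The rest of the function lies outside this hunk.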
@@ -852,7 +852,7 @@ int TskDbPostgreSQL::addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, co PQfreemem(sha256_sql); return 1; } - snprintf(stmt, 2048, "INSERT INTO tsk_image_info (obj_id, type, ssize, tzone, size, md5, sha1, sha256) VALUES (%" PRId64 ", %d, %" PRIuOFF ", %s, %" PRIuOFF ", %s, %s, %s);", + snprintf(stmt, 20480000, "INSERT INTO tsk_image_info (obj_id, type, ssize, tzone, size, md5, sha1, sha256) VALUES (%" PRId64 ", %d, %" PRIuOFF ", %s, %" PRIuOFF ", %s, %s, %s);", objId, type, ssize, timezone_sql, size, md5_sql, sha1_sql, sha256_sql); int ret = attempt_exec(stmt, "Error adding data to tsk_image_info table: %s\n"); PQfreemem(timezone_sql); @@ -889,8 +889,8 @@ int TskDbPostgreSQL::addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, co PQfreemem(timeZone_sql); return 1; } - snprintf(stmt, 2048, "INSERT INTO data_source_info (obj_id, device_id, time_zone) VALUES (%" PRId64 ", %s, %s);", - objId, deviceId_sql, timeZone_sql); + snprintf(stmt, 20480000, "INSERT INTO data_source_info (obj_id, device_id, time_zone, acquisition_details) VALUES (%" PRId64 ", %s, %s, %s);", + objId, deviceId_sql, timeZone_sql, collectionDetails.c_str()); ret = attempt_exec(stmt, "Error adding device id to data_source_info table: %s\n"); PQfreemem(deviceId_sql); PQfreemem(timeZone_sql); diff --git a/tsk/auto/db_sqlite.cpp b/tsk/auto/db_sqlite.cpp index 2e660729a57ae56d4f345a8e2abaa63e321fa8a0..e1b0b014cf1220f51a2c4441c058a16bdda875e7 100755 --- a/tsk/auto/db_sqlite.cpp +++ b/tsk/auto/db_sqlite.cpp @@ -560,7 +560,7 @@ int int TskDbSqlite::addImageInfo(int type, int ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256) { - return addImageInfo(type, ssize, objId, timezone, size, md5, sha1, sha256, ""); + return addImageInfo(type, ssize, objId, timezone, size, md5, sha1, sha256, "", ""); } /** 
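Review bot: `collectionDetails.c_str()` is spliced into the data_source_info INSERT through a bare `%s` with no quoting or escaping, unlike `deviceId_sql` and `timeZone_sql`, which the surrounding `PQfreemem` calls show are produced by a libpq escape function. Even a benign value breaks the statement because it is not quoted, and a crafted E01 header (examiner name, notes, description and the other fields concatenated into this string upstream) can inject arbitrary SQL into the case database. Escape it the same way as `deviceId` — presumably `PQescapeLiteral(conn, collectionDetails.c_str(), collectionDetails.size())` — release it with `PQfreemem` on every exit path, and pass the escaped value: `objId, deviceId_sql, timeZone_sql, collectionDetails_sql);`. The escaping of the other two columns and the start of this function sit outside the hunk.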
@@ -576,7 +576,7 @@ int * @returns 1 on error, 0 on success */ int TskDbSqlite::addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, - const string& sha1, const string& sha256, const string& deviceId) + const string& sha1, const string& sha256, const string& deviceId, const string& collectionDetails) { // Add the data source to the tsk_objects table. @@ -614,7 +614,7 @@ int TskDbSqlite::addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, const #else deviceIdStr << deviceId; #endif - sql = sqlite3_mprintf("INSERT INTO data_source_info (obj_id, device_id, time_zone) VALUES (%lld, '%s', '%s');", objId, deviceIdStr.str().c_str(), timezone.c_str()); + sql = sqlite3_mprintf("INSERT INTO data_source_info (obj_id, device_id, time_zone, acquisition_details) VALUES (%lld, '%s', '%s', '%s');", objId, deviceIdStr.str().c_str(), timezone.c_str(), collectionDetails.c_str()); ret = attempt_exec(sql, "Error adding data to tsk_image_info table: %s\n"); sqlite3_free(sql); return ret; @@ -639,7 +639,6 @@ int return ret; } - /** * @returns 1 on error, 0 on success */ diff --git a/tsk/auto/tsk_db.h b/tsk/auto/tsk_db.h index 621eec3bc29c794821f70dd2a61577a8b92d7b35..f9aaff4d9cdd568953c1b24d6b77689cb9af111f 100755 --- a/tsk/auto/tsk_db.h +++ b/tsk/auto/tsk_db.h 
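Review bot: `'%s'` with `collectionDetails.c_str()` hands evidence-file header text (examiner name, notes, serial number, …) to sqlite3_mprintf unescaped, so a single quote in any of those fields corrupts the statement and a crafted image can inject SQL into the case database. sqlite3_mprintf has `%q`/`%Q` for exactly this case: `sql = sqlite3_mprintf("INSERT INTO data_source_info (obj_id, device_id, time_zone, acquisition_details) VALUES (%lld, %Q, %Q, %Q);", objId, deviceIdStr.str().c_str(), timezone.c_str(), collectionDetails.c_str());`. The pre-existing `'%s'` for device_id and time_zone has the same weakness, and the error text on the following line still names `tsk_image_info` although this statement inserts into data_source_info.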
@@ -170,9 +170,9 @@ class TskDb { virtual TSK_RETVAL_ENUM setConnectionInfo(CaseDbConnectionInfo * info); virtual int addImageInfo(int type, int size, int64_t & objId, const string & timezone) = 0; virtual int addImageInfo(int type, int size, int64_t & objId, const string & timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256) = 0; - virtual int addImageInfo(int type, TSK_OFF_T size, int64_t & objId, const string & timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256, const string& deviceId) = 0; + virtual int addImageInfo(int type, TSK_OFF_T size, int64_t & objId, const string & timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256, const string& deviceId, const string& collectionDetails) = 0; virtual int addImageName(int64_t objId, char const *imgName, int sequence) = 0; - virtual int addVsInfo(const TSK_VS_INFO * vs_info, int64_t parObjId, int64_t & objId) = 0; + virtual int addVsInfo(const TSK_VS_INFO * vs_info, int64_t parObjId, int64_t & objId) = 0; virtual int addVolumeInfo(const TSK_VS_PART_INFO * vs_part, int64_t parObjId, int64_t & objId) = 0; virtual int addFsInfo(const TSK_FS_INFO * fs_info, int64_t parObjId, int64_t & objId) = 0; virtual int addFsFile(TSK_FS_FILE * fs_file, const TSK_FS_ATTR * fs_attr, diff --git a/tsk/auto/tsk_db_postgresql.h b/tsk/auto/tsk_db_postgresql.h index f221483d7cb4cf5faa9630cf44380f9a143ec8dd..987da11b8644251d757fd07ac9e85e00241aaaf3 100755 --- a/tsk/auto/tsk_db_postgresql.h +++ b/tsk/auto/tsk_db_postgresql.h 
@@ -50,9 +50,9 @@ class TskDbPostgreSQL : public TskDb { int addImageInfo(int type, int size, int64_t & objId, const string & timezone); int addImageInfo(int type, int size, int64_t & objId, const string & timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256); - int addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256, const string& deviceId); + int addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256, const string& deviceId, const string& collectionDetails); int addImageName(int64_t objId, char const *imgName, int sequence); - int addVsInfo(const TSK_VS_INFO * vs_info, int64_t parObjId, + int addVsInfo(const TSK_VS_INFO * vs_info, int64_t parObjId, int64_t & objId); int addVolumeInfo(const TSK_VS_PART_INFO * vs_part, int64_t parObjId, int64_t & objId); diff --git a/tsk/auto/tsk_db_sqlite.h b/tsk/auto/tsk_db_sqlite.h index 2da919a271efad954c00e498b4330fba80b8255f..e31e69bd08d4746928c40cd548475ebbf4ab5fad 100755 --- a/tsk/auto/tsk_db_sqlite.h +++ b/tsk/auto/tsk_db_sqlite.h 
@@ -45,9 +45,9 @@ class TskDbSqlite : public TskDb { int close(); int addImageInfo(int type, int size, int64_t & objId, const string & timezone); int addImageInfo(int type, int size, int64_t & objId, const string & timezone, TSK_OFF_T, const string &md5, const string &sha1, const string &sha256); - int addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256, const string& deviceId); + int addImageInfo(int type, TSK_OFF_T ssize, int64_t & objId, const string & timezone, TSK_OFF_T size, const string &md5, const string &sha1, const string &sha256, const string& deviceId, const string& collectionDetails); int addImageName(int64_t objId, char const *imgName, int sequence); - int addVsInfo(const TSK_VS_INFO * vs_info, int64_t parObjId, + int addVsInfo(const TSK_VS_INFO * vs_info, int64_t parObjId, int64_t & objId); int addVolumeInfo(const TSK_VS_PART_INFO * vs_part, int64_t parObjId, int64_t & objId); diff --git a/tsk/img/ewf.c b/tsk/img/ewf.c index fa3876bcd6650da4f222957ea9bccbb887efd212..f3962146d54862221315d29f2d254af8af19c4fc 100755 --- a/tsk/img/ewf.c +++ b/tsk/img/ewf.c @@ -406,7 +406,7 @@ ewf_open(int a_num_img, } ewf_info->md5hash_isset = result; - int sha1_result = libewf_handle_get_hash_value_sha1(ewf_info->handle, + int sha1_result = libewf_handle_get_utf8_hash_value_sha1(ewf_info->handle, (uint8_t *)ewf_info->sha1hash, 41, &ewf_error); if (sha1_result == -1) { diff --git a/tsk/img/tsk_img_i.h b/tsk/img/tsk_img_i.h old mode 100644 new mode 100755 index ee8586bd5030e9a8882923d3a2bc94962ae7b848..2af8e1d07a2a2e0436226368605402ca2a89908d --- a/tsk/img/tsk_img_i.h +++ b/tsk/img/tsk_img_i.h 
@@ -27,10 +27,110 @@ #include <fcntl.h> #include <errno.h> +#define BUFFER_SIZE 1024000 + #ifdef __cplusplus extern "C" { #endif +#if HAVE_LIBEWF +#include "libewf.h" + +inline int is_blank(const char* str) { + while (*str != '\0') { + if (!isspace((unsigned char)*str)) + return 0; + str++; + } + return 1; +} + +inline char* read_libewf_header_value(libewf_handle_t *handle, const uint8_t *identifier, size_t identifier_length, const char* key) { + libewf_error_t *ewf_error = NULL; + char* header_value = (char* )malloc(BUFFER_SIZE); + header_value[0] = '\0'; + + char* null_byte = (char*)malloc(1); + null_byte[0] = '\0'; + if (header_value == NULL) { + return null_byte; + } + + int result = libewf_handle_get_utf8_header_value(handle, identifier, identifier_length, (uint8_t *)header_value, BUFFER_SIZE, &ewf_error); + if (result == -1 || is_blank(header_value)) { + return null_byte; + } + + //+ 2 for new line char and null byte + char* result_str = (char*) malloc((strlen(key) + strlen(header_value) + 2) * sizeof(char)); + if (result_str == NULL) { + return null_byte; + } + + strcpy(result_str, key); + strcat(result_str, header_value); + strcat(result_str, "\n"); + + return result_str; +} + +inline char* libewf_read_unique_description(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "description", 11, "Description: "); +} + +inline char* libewf_read_case_number(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "case_number", 11, "Case Number: "); +} + +inline char* libewf_read_evidence_number(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "evidence_number", 15, "Evidence Number: "); +} + +inline char* libewf_read_examiner_name(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "examiner_name", 13, "Examiner Name: "); +} + +inline char* libewf_read_notes(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "notes", 5, 
"Notes: "); +} + +inline char* libewf_read_model(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "model", 5, "Model: "); +} + +inline char* libewf_read_serial_number(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "serial_number", 13, "Serial Number: "); +} + +inline char* libewf_read_device_label(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "device_label", 12, "Device Label:"); +} + +inline char* libewf_read_version(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "version", 7, "Version: "); +} + +inline char* libewf_read_platform(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "platform", 8, "Platform: "); +} + +inline char* libewf_read_acquired_date(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "acquiry_date", 12, "Acquired Date: "); +} + +inline char* libewf_read_system_date(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "system_date", 11, "System Date: "); +} + +inline char* libewf_read_acquiry_operating_system(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "acquiry_operating_system", 24, "Acquiry Operating System: "); +} + +inline char* libewf_read_acquiry_software_version(libewf_handle_t *handle) { + return read_libewf_header_value(handle, (uint8_t *) "acquiry_software_version", 24, "Acquiry Software Version: "); +} +#endif + // Cygwin needs this, but not everyone defines it #ifndef O_BINARY #define O_BINARY 0 @@ -44,4 +144,4 @@ extern TSK_TCHAR **tsk_img_findFiles(const TSK_TCHAR * a_startingName, } #endif -#endif +#endif \ No newline at end of file