Skip to content
Snippets Groups Projects
Commit a2e63d7e authored by Jeff Wallace's avatar Jeff Wallace
Browse files

"Fix line ending error"

parent 16511be9
No related branches found
No related tags found
No related merge requests found
/* /*
* Sleuth Kit Data Model * Sleuth Kit Data Model
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.datamodel; package org.sleuthkit.datamodel;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.GregorianCalendar; import java.util.GregorianCalendar;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map; import java.util.Map;
import java.util.TimeZone; import java.util.TimeZone;
import org.sleuthkit.datamodel.TskData.TSK_FS_ATTR_TYPE_ENUM; import org.sleuthkit.datamodel.TskData.TSK_FS_ATTR_TYPE_ENUM;
/** /**
* Interfaces with the Sleuthkit TSK c/c++ libraries Supports case management, * Interfaces with the Sleuthkit TSK c/c++ libraries Supports case management,
* add image process, reading data off content objects Setting up Hash database * add image process, reading data off content objects Setting up Hash database
* parameters and updating / reading values * parameters and updating / reading values
* *
* Caches image and filesystem handles and reuses them for the duration of the * Caches image and filesystem handles and reuses them for the duration of the
* application * application
*/ */
public class SleuthkitJNI { public class SleuthkitJNI {
private static final int MAX_DATABASES = 256; private static final int MAX_DATABASES = 256;
//Native methods //Native methods
private static native String getVersionNat(); private static native String getVersionNat();
private static native void startVerboseLoggingNat(String logPath); private static native void startVerboseLoggingNat(String logPath);
//database //database
private static native long newCaseDbNat(String dbPath) throws TskCoreException; private static native long newCaseDbNat(String dbPath) throws TskCoreException;
private static native long openCaseDbNat(String path) throws TskCoreException; private static native long openCaseDbNat(String path) throws TskCoreException;
private static native void closeCaseDbNat(long db) throws TskCoreException; private static native void closeCaseDbNat(long db) throws TskCoreException;
private static native int setDbNSRLNat(String hashDbPath) throws TskCoreException; private static native int setDbNSRLNat(String hashDbPath) throws TskCoreException;
private static native int addDbKnownBadNat(String hashDbPath) throws TskCoreException; private static native int addDbKnownBadNat(String hashDbPath) throws TskCoreException;
private static native String getDbName(String hashDbPath) throws TskCoreException; private static native String getDbName(String hashDbPath) throws TskCoreException;
private static native void closeDbLookupsNat() throws TskCoreException; private static native void closeDbLookupsNat() throws TskCoreException;
private static native int knownBadDbLookup(String hash, int dbHandle) throws TskCoreException; private static native int knownBadDbLookup(String hash, int dbHandle) throws TskCoreException;
private static native int nsrlDbLookup(String hash) throws TskCoreException; private static native int nsrlDbLookup(String hash) throws TskCoreException;
private static native int getIndexSizeNat(String hashDbPath) throws TskCoreException; private static native int getIndexSizeNat(String hashDbPath) throws TskCoreException;
//load image //load image
private static native long initAddImgNat(long db, String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) throws TskCoreException; private static native long initAddImgNat(long db, String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) throws TskCoreException;
private static native void runAddImgNat(long process, String[] imgPath, int splits, String timezone) throws TskCoreException, TskDataException; // if runAddImg finishes without being stopped, revertAddImg or commitAddImg MUST be called private static native void runAddImgNat(long process, String[] imgPath, int splits, String timezone) throws TskCoreException, TskDataException; // if runAddImg finishes without being stopped, revertAddImg or commitAddImg MUST be called
private static native void stopAddImgNat(long process) throws TskCoreException; private static native void stopAddImgNat(long process) throws TskCoreException;
private static native void revertAddImgNat(long process) throws TskCoreException; private static native void revertAddImgNat(long process) throws TskCoreException;
private static native long commitAddImgNat(long process) throws TskCoreException; private static native long commitAddImgNat(long process) throws TskCoreException;
//open functions //open functions
private static native long openImgNat(String[] imgPath, int splits) throws TskCoreException; private static native long openImgNat(String[] imgPath, int splits) throws TskCoreException;
private static native long openVsNat(long imgHandle, long vsOffset) throws TskCoreException; private static native long openVsNat(long imgHandle, long vsOffset) throws TskCoreException;
private static native long openVolNat(long vsHandle, long volId) throws TskCoreException; private static native long openVolNat(long vsHandle, long volId) throws TskCoreException;
private static native long openFsNat(long imgHandle, long fsId) throws TskCoreException; private static native long openFsNat(long imgHandle, long fsId) throws TskCoreException;
private static native long openFileNat(long fsHandle, long fileId, int attrType, int attrId) throws TskCoreException; private static native long openFileNat(long fsHandle, long fileId, int attrType, int attrId) throws TskCoreException;
//read functions //read functions
private static native int readImgNat(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException; private static native int readImgNat(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
private static native int readVsNat(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException; private static native int readVsNat(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
private static native int readVolNat(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException; private static native int readVolNat(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
private static native int readFsNat(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException; private static native int readFsNat(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
private static native int readFileNat(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException; private static native int readFileNat(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException;
//close functions //close functions
private static native void closeImgNat(long imgHandle); private static native void closeImgNat(long imgHandle);
private static native void closeVsNat(long vsHandle); private static native void closeVsNat(long vsHandle);
private static native void closeFsNat(long fsHandle); private static native void closeFsNat(long fsHandle);
private static native void closeFileNat(long fileHandle); private static native void closeFileNat(long fileHandle);
//hash-lookup database functions //hash-lookup database functions
private static native void createLookupIndexNat(String dbPath) throws TskCoreException; private static native void createLookupIndexNat(String dbPath) throws TskCoreException;
private static native boolean lookupIndexExistsNat(String dbPath) throws TskCoreException; private static native boolean lookupIndexExistsNat(String dbPath) throws TskCoreException;
//util functions //util functions
private static native long findDeviceSizeNat(String devicePath) throws TskCoreException; private static native long findDeviceSizeNat(String devicePath) throws TskCoreException;
private static native String getCurDirNat(long process); private static native String getCurDirNat(long process);
//Linked library loading //Linked library loading
static { static {
if (LibraryUtils.isWindows()) { if (LibraryUtils.isWindows()) {
try { try {
//on windows force loading ms crt dependencies first // on windows force loading ms crt dependencies first
//in case linker can't find them on some systems // in case linker can't find them on some systems
//Note: if shipping with a different CRT version, this will only print a warning // Note: if shipping with a different CRT version, this will only print a warning
//and try to use linker mechanism to find the correct versions of libs. // and try to use linker mechanism to find the correct versions of libs.
//We should update this if we officially switch to a new version of CRT/compiler // We should update this if we officially switch to a new version of CRT/compiler
for(LibraryUtils.Lib crt : LibraryUtils.getCRTLibs()) {
LibraryUtils.loadLibrary(crt); for(LibraryUtils.Lib crt : LibraryUtils.getCRTLibs()) {
} LibraryUtils.loadLibrary(crt);
System.out.println("Loaded CRT libraries"); }
} catch (UnsatisfiedLinkError e1) { System.out.println("Loaded CRT libraries");
System.out.println(e1.toString()); } catch (UnsatisfiedLinkError e1) {
try { System.out.println(e1.toString());
// Try to load from system path try {
System.out.println("Can't find CRT libraries, attempting to load from System.loadLibrary"); //Try to load from system path.
System.loadLibrary("msvcr100"); System.out.println("Can't find CRT libraries, attempting to load from System.loadLibrary");
System.loadLibrary("msvcp100"); System.loadLibrary("msvcr100");
} catch (UnsatisfiedLinkError e2) { System.loadLibrary("msvcp100");
System.out.println("SleuthkitJNI: error loading CRT libraries, " + e2.toString()); } catch (UnsatisfiedLinkError e2) {
} System.out.println("SleuthkitJNI: error loading CRT libraries, " + e2.toString());
} }
} }
}
for(LibraryUtils.Lib lib : LibraryUtils.getLibs()) {
try { for (LibraryUtils.Lib lib : LibraryUtils.getLibs()) {
LibraryUtils.loadLibrary(lib); try {
System.out.println("SleuthkitJNI: loaded " + lib); LibraryUtils.loadLibrary(lib);
} catch (UnsatisfiedLinkError e) { System.out.println("SleuthkitJNI: loaded " + lib);
System.out.println("SleuthkitJNI: error loading " + lib + " library, " + e.toString()); } catch (UnsatisfiedLinkError e) {
} System.out.println("SleuthkitJNI: error loading " + lib + "library, " + e.toString());
} }
} }
public SleuthkitJNI() { }
}
public SleuthkitJNI() {
/** }
* Handle to TSK Case database
*/ /**
public static class CaseDbHandle { * Handle to TSK Case database
*/
private long caseDbPointer; public static class CaseDbHandle {
//map concat. image paths to cached image handle
private static final Map<String, Long> imageHandleCache = new HashMap<String, Long>(); private long caseDbPointer;
//map image and offsets to cached fs handle //map concat. image paths to cached image handle
private static final Map<Long, Map<Long, Long>> fsHandleCache = new HashMap<Long, Map<Long, Long>>(); private static final Map<String, Long> imageHandleCache = new HashMap<String, Long>();
//map image and offsets to cached fs handle
private CaseDbHandle(long pointer) { private static final Map<Long, Map<Long, Long>> fsHandleCache = new HashMap<Long, Map<Long, Long>>();
this.caseDbPointer = pointer;
} private CaseDbHandle(long pointer) {
this.caseDbPointer = pointer;
/** }
* Close the case database
* /**
* @throws TskCoreException exception thrown if critical error occurs * Close the case database
* within TSK *
*/ * @throws TskCoreException exception thrown if critical error occurs
void free() throws TskCoreException { * within TSK
SleuthkitJNI.closeCaseDbNat(caseDbPointer); */
} void free() throws TskCoreException {
SleuthkitJNI.closeCaseDbNat(caseDbPointer);
/** }
* Clear currently set lookup databases within TSK
* /**
* @throws TskCoreException exception thrown if critical error occurs * Clear currently set lookup databases within TSK
* within TSK *
*/ * @throws TskCoreException exception thrown if critical error occurs
void clearLookupDatabases() throws TskCoreException { * within TSK
closeDbLookupsNat(); */
} void clearLookupDatabases() throws TskCoreException {
closeDbLookupsNat();
/** }
* Set the NSRL database
* /**
* @param path The path to the database * Set the NSRL database
* @return a handle for that database *
*/ * @param path The path to the database
int setNSRLDatabase(String path) throws TskCoreException { * @return a handle for that database
return setDbNSRLNat(path); */
} int setNSRLDatabase(String path) throws TskCoreException {
return setDbNSRLNat(path);
/** }
* Add the known bad database
* /**
* @param path The path to the database * Add the known bad database
* @return a handle for that database *
*/ * @param path The path to the database
int addKnownBadDatabase(String path) throws TskCoreException { * @return a handle for that database
return addDbKnownBadNat(path); */
} int addKnownBadDatabase(String path) throws TskCoreException {
return addDbKnownBadNat(path);
/** }
* Start the process of adding a disk image to the case
* /**
* @param timezone Timezone that image was from * Start the process of adding a disk image to the case
* @param processUnallocSpace true if to process unallocated space in *
* the image * @param timezone Timezone that image was from
* @param noFatFsOrphans true if to skip processing of orphans on FAT * @param processUnallocSpace true if to process unallocated space in
* filesystems * the image
* * @param noFatFsOrphans true if to skip processing of orphans on FAT
* @return Object that can be used to manage the process. * filesystems
*/ *
AddImageProcess initAddImageProcess(String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) { * @return Object that can be used to manage the process.
return new AddImageProcess(timezone, processUnallocSpace, noFatFsOrphans); */
} AddImageProcess initAddImageProcess(String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) {
return new AddImageProcess(timezone, processUnallocSpace, noFatFsOrphans);
/** }
* Encapsulates a multi-step process to add a disk image. Adding a disk
* image takes a while and this object has objects to manage that /**
* process. Methods within this class are intended to be threadsafe. * Encapsulates a multi-step process to add a disk image. Adding a disk
*/ * image takes a while and this object has objects to manage that
public class AddImageProcess { * process. Methods within this class are intended to be threadsafe.
*/
private String timezone; public class AddImageProcess {
private boolean processUnallocSpace;
private boolean noFatFsOrphans; private String timezone;
private volatile long autoDbPointer; private boolean processUnallocSpace;
private boolean noFatFsOrphans;
private AddImageProcess(String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) { private volatile long autoDbPointer;
this.timezone = timezone;
this.processUnallocSpace = processUnallocSpace; private AddImageProcess(String timezone, boolean processUnallocSpace, boolean noFatFsOrphans) {
this.noFatFsOrphans = noFatFsOrphans; this.timezone = timezone;
autoDbPointer = 0; this.processUnallocSpace = processUnallocSpace;
} this.noFatFsOrphans = noFatFsOrphans;
autoDbPointer = 0;
/** }
* Start the process of adding an image to the case database. MUST
* call either commit() or revert() after calling run(). /**
* * Start the process of adding an image to the case database. MUST
* @param imgPath Full path(s) to the image file(s). * call either commit() or revert() after calling run().
* @throws TskCoreException exception thrown if critical error *
* occurs within TSK * @param imgPath Full path(s) to the image file(s).
* @throws TskDataException exception thrown if non-critical error * @throws TskCoreException exception thrown if critical error
* occurs within TSK (should be OK to continue) * occurs within TSK
*/ * @throws TskDataException exception thrown if non-critical error
public void run(String[] imgPath) throws TskCoreException, TskDataException { * occurs within TSK (should be OK to continue)
if (autoDbPointer != 0) { */
throw new TskCoreException("AddImgProcess:run: AutoDB pointer is already set"); public void run(String[] imgPath) throws TskCoreException, TskDataException {
} if (autoDbPointer != 0) {
throw new TskCoreException("AddImgProcess:run: AutoDB pointer is already set");
synchronized (this) { }
autoDbPointer = initAddImgNat(caseDbPointer, timezoneLongToShort(timezone), processUnallocSpace, noFatFsOrphans);
} synchronized (this) {
if (autoDbPointer == 0) { autoDbPointer = initAddImgNat(caseDbPointer, timezoneLongToShort(timezone), processUnallocSpace, noFatFsOrphans);
//additional check in case initAddImgNat didn't throw exception }
throw new TskCoreException("AddImgProcess::run: AutoDB pointer is NULL after initAddImgNat"); if (autoDbPointer == 0) {
} //additional check in case initAddImgNat didn't throw exception
runAddImgNat(autoDbPointer, imgPath, imgPath.length, timezone); throw new TskCoreException("AddImgProcess::run: AutoDB pointer is NULL after initAddImgNat");
} }
runAddImgNat(autoDbPointer, imgPath, imgPath.length, timezone);
/** }
* Call while run() is executing in another thread to prematurely
* halt the process. Must call revert() in the other thread once the /**
* stopped run() returns. * Call while run() is executing in another thread to prematurely
* * halt the process. Must call revert() in the other thread once the
* @throws TskCoreException exception thrown if critical error * stopped run() returns.
* occurs within TSK *
*/ * @throws TskCoreException exception thrown if critical error
public void stop() throws TskCoreException { * occurs within TSK
if (autoDbPointer == 0) { */
throw new TskCoreException("AddImgProcess::stop: AutoDB pointer is NULL"); public void stop() throws TskCoreException {
} if (autoDbPointer == 0) {
throw new TskCoreException("AddImgProcess::stop: AutoDB pointer is NULL");
stopAddImgNat(autoDbPointer); }
}
stopAddImgNat(autoDbPointer);
/** }
* Rollback a process that has already been run(), reverting the
* database. This releases the C++ object and no additional /**
* operations can be performed. This method is threadsafe. * Rollback a process that has already been run(), reverting the
* * database. This releases the C++ object and no additional
* @throws TskCoreException exception thrown if critical error * operations can be performed. This method is threadsafe.
* occurs within TSK *
*/ * @throws TskCoreException exception thrown if critical error
public synchronized void revert() throws TskCoreException { * occurs within TSK
if (autoDbPointer == 0) { */
throw new TskCoreException("AddImgProcess::revert: AutoDB pointer is NULL"); public synchronized void revert() throws TskCoreException {
} if (autoDbPointer == 0) {
throw new TskCoreException("AddImgProcess::revert: AutoDB pointer is NULL");
revertAddImgNat(autoDbPointer); }
// the native code deleted the object
autoDbPointer = 0; revertAddImgNat(autoDbPointer);
} // the native code deleted the object
autoDbPointer = 0;
/** }
* Finish off a process that has already been run(), closing the
* transaction and committing the new image data to the database. /**
* * Finish off a process that has already been run(), closing the
* @return The id of the image that was added. This releases the C++ * transaction and committing the new image data to the database.
* object and no additional operations can be performed. This method *
* is threadsafe. * @return The id of the image that was added. This releases the C++
* * object and no additional operations can be performed. This method
* @throws TskCoreException exception thrown if critical error * is threadsafe.
* occurs within TSK *
*/ * @throws TskCoreException exception thrown if critical error
public synchronized long commit() throws TskCoreException { * occurs within TSK
if (autoDbPointer == 0) { */
throw new TskCoreException("AddImgProcess::commit: AutoDB pointer is NULL"); public synchronized long commit() throws TskCoreException {
} if (autoDbPointer == 0) {
throw new TskCoreException("AddImgProcess::commit: AutoDB pointer is NULL");
long id = commitAddImgNat(autoDbPointer); }
// the native code deleted the object
autoDbPointer = 0; long id = commitAddImgNat(autoDbPointer);
return id; // the native code deleted the object
} autoDbPointer = 0;
return id;
/** }
* Gets the directory currently being processed by TSK. This method
* is threadsafe. /**
* * Gets the directory currently being processed by TSK. This method
* @return the currently processing directory * is threadsafe.
*/ *
public synchronized String currentDirectory() { * @return the currently processing directory
return autoDbPointer == 0 ? "NO_INFO" : getCurDirNat(autoDbPointer); */
} public synchronized String currentDirectory() {
} return autoDbPointer == 0 ? "NO_INFO" : getCurDirNat(autoDbPointer);
} }
}
/** }
* Creates a new case database. Must call .free() on CaseDbHandle instance
* when done. /**
* * Creates a new case database. Must call .free() on CaseDbHandle instance
* @param path Location to create the database at. * when done.
* @return Handle for a new TskCaseDb instance. *
* @throws TskCoreException exception thrown if critical error occurs within * @param path Location to create the database at.
* TSK * @return Handle for a new TskCaseDb instance.
*/ * @throws TskCoreException exception thrown if critical error occurs within
static CaseDbHandle newCaseDb(String path) throws TskCoreException { * TSK
return new CaseDbHandle(newCaseDbNat(path)); */
} static CaseDbHandle newCaseDb(String path) throws TskCoreException {
return new CaseDbHandle(newCaseDbNat(path));
/** }
* Opens an existing case database. Must call .free() on CaseDbHandle
* instance when done. /**
* * Opens an existing case database. Must call .free() on CaseDbHandle
* @param path Location of the existing database. * instance when done.
* @return Handle for a new TskCaseDb instance. *
* @throws TskCoreException exception thrown if critical error occurs within * @param path Location of the existing database.
* TSK * @return Handle for a new TskCaseDb instance.
*/ * @throws TskCoreException exception thrown if critical error occurs within
static CaseDbHandle openCaseDb(String path) throws TskCoreException { * TSK
return new CaseDbHandle(openCaseDbNat(path)); */
} static CaseDbHandle openCaseDb(String path) throws TskCoreException {
return new CaseDbHandle(openCaseDbNat(path));
/** }
* get the Sleuth Kit version string
* /**
* @return the version string * get the Sleuth Kit version string
*/ *
public static String getVersion() { * @return the version string
return getVersionNat(); */
} public static String getVersion() {
return getVersionNat();
/** }
* Enable verbose logging and redirect stderr to the given log file.
*/ /**
public static void startVerboseLogging(String logPath) { * Enable verbose logging and redirect stderr to the given log file.
startVerboseLoggingNat(logPath); */
} public static void startVerboseLogging(String logPath) {
startVerboseLoggingNat(logPath);
/** }
* open the image and return the image info pointer
* /**
* @param imageFiles the paths to the images * open the image and return the image info pointer
* @return the image info pointer *
* @throws TskCoreException exception thrown if critical error occurs within * @param imageFiles the paths to the images
* TSK * @return the image info pointer
*/ * @throws TskCoreException exception thrown if critical error occurs within
public synchronized static long openImage(String[] imageFiles) throws TskCoreException { * TSK
long imageHandle = 0; */
public synchronized static long openImage(String[] imageFiles) throws TskCoreException {
StringBuilder keyBuilder = new StringBuilder(); long imageHandle = 0;
for (int i = 0; i < imageFiles.length; ++i) {
keyBuilder.append(imageFiles[i]); StringBuilder keyBuilder = new StringBuilder();
} for (int i = 0; i < imageFiles.length; ++i) {
final String imageKey = keyBuilder.toString(); keyBuilder.append(imageFiles[i]);
}
if (CaseDbHandle.imageHandleCache.containsKey(imageKey)) //get from cache final String imageKey = keyBuilder.toString();
{
imageHandle = CaseDbHandle.imageHandleCache.get(imageKey); if (CaseDbHandle.imageHandleCache.containsKey(imageKey)) //get from cache
} else { {
//open new handle and cache it imageHandle = CaseDbHandle.imageHandleCache.get(imageKey);
imageHandle = openImgNat(imageFiles, imageFiles.length); } else {
CaseDbHandle.fsHandleCache.put(imageHandle, new HashMap<Long, Long>()); //open new handle and cache it
CaseDbHandle.imageHandleCache.put(imageKey, imageHandle); imageHandle = openImgNat(imageFiles, imageFiles.length);
} CaseDbHandle.fsHandleCache.put(imageHandle, new HashMap<Long, Long>());
CaseDbHandle.imageHandleCache.put(imageKey, imageHandle);
return imageHandle; }
} return imageHandle;
/** }
* Get volume system Handle
* /**
* @param imgHandle a handle to previously opened image * Get volume system Handle
* @param vsOffset byte offset in the image to the volume system (usually 0) *
* @return pointer to a vsHandle structure in the sleuthkit * @param imgHandle a handle to previously opened image
* @throws TskCoreException exception thrown if critical error occurs within * @param vsOffset byte offset in the image to the volume system (usually 0)
* TSK * @return pointer to a vsHandle structure in the sleuthkit
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static long openVs(long imgHandle, long vsOffset) throws TskCoreException { * TSK
return openVsNat(imgHandle, vsOffset); */
} public static long openVs(long imgHandle, long vsOffset) throws TskCoreException {
return openVsNat(imgHandle, vsOffset);
//get pointers }
/**
* Get volume Handle //get pointers
* /**
* @param vsHandle pointer to the volume system structure in the sleuthkit * Get volume Handle
* @param volId id of the volume *
* @return pointer to a volHandle structure in the sleuthkit * @param vsHandle pointer to the volume system structure in the sleuthkit
* @throws TskCoreException exception thrown if critical error occurs within * @param volId id of the volume
* TSK * @return pointer to a volHandle structure in the sleuthkit
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static long openVsPart(long vsHandle, long volId) throws TskCoreException { * TSK
//returned long is ptr to vs Handle object in tsk */
return openVolNat(vsHandle, volId); public static long openVsPart(long vsHandle, long volId) throws TskCoreException {
} //returned long is ptr to vs Handle object in tsk
return openVolNat(vsHandle, volId);
/** }
* Get file system Handle Opened handle is cached (transparently) so it does
* not need be reopened next time for the duration of the application /**
* * Get file system Handle Opened handle is cached (transparently) so it does
* @param imgHandle pointer to imgHandle in sleuthkit * not need be reopened next time for the duration of the application
* @param fsOffset byte offset to the file system *
* @return pointer to a fsHandle structure in the sleuthkit * @param imgHandle pointer to imgHandle in sleuthkit
* @throws TskCoreException exception thrown if critical error occurs within * @param fsOffset byte offset to the file system
* TSK * @return pointer to a fsHandle structure in the sleuthkit
*/ * @throws TskCoreException exception thrown if critical error occurs within
public synchronized static long openFs(long imgHandle, long fsOffset) throws TskCoreException { * TSK
long fsHandle = 0; */
final Map<Long, Long> imgOffSetToFsHandle = CaseDbHandle.fsHandleCache.get(imgHandle); public synchronized static long openFs(long imgHandle, long fsOffset) throws TskCoreException {
if (imgOffSetToFsHandle.containsKey(fsOffset)) { long fsHandle = 0;
//return cached final Map<Long, Long> imgOffSetToFsHandle = CaseDbHandle.fsHandleCache.get(imgHandle);
fsHandle = imgOffSetToFsHandle.get(fsOffset); if (imgOffSetToFsHandle.containsKey(fsOffset)) {
} else { //return cached
fsHandle = openFsNat(imgHandle, fsOffset); fsHandle = imgOffSetToFsHandle.get(fsOffset);
//cache it } else {
imgOffSetToFsHandle.put(fsOffset, fsHandle); fsHandle = openFsNat(imgHandle, fsOffset);
} //cache it
return fsHandle; imgOffSetToFsHandle.put(fsOffset, fsHandle);
} }
return fsHandle;
/** }
* Get file Handle
* /**
* @param fsHandle fsHandle pointer in the sleuthkit * Get file Handle
* @param fileId id of the file *
* @param attrType file attribute type to open * @param fsHandle fsHandle pointer in the sleuthkit
* @param attrId file attribute id to open * @param fileId id of the file
* @return pointer to a file structure in the sleuthkit * @param attrType file attribute type to open
* @throws TskCoreException exception thrown if critical error occurs within * @param attrId file attribute id to open
* TSK * @return pointer to a file structure in the sleuthkit
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId) throws TskCoreException { * TSK
return openFileNat(fsHandle, fileId, attrType.getValue(), attrId); */
} public static long openFile(long fsHandle, long fileId, TSK_FS_ATTR_TYPE_ENUM attrType, int attrId) throws TskCoreException {
return openFileNat(fsHandle, fileId, attrType.getValue(), attrId);
//do reads }
/**
* reads data from an image //do reads
* /**
* @param imgHandle * reads data from an image
* @param readBuffer buffer to read to *
* @param offset byte offset in the image to start at * @param imgHandle
* @param len amount of data to read * @param readBuffer buffer to read to
* @return the number of characters read, or -1 if the end of the stream has * @param offset byte offset in the image to start at
* been reached * @param len amount of data to read
* @throws TskCoreException exception thrown if critical error occurs within * @return the number of characters read, or -1 if the end of the stream has
* TSK * been reached
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static int readImg(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException { * TSK
//returned byte[] is the data buffer */
return readImgNat(imgHandle, readBuffer, offset, len); public static int readImg(long imgHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
} //returned byte[] is the data buffer
return readImgNat(imgHandle, readBuffer, offset, len);
/** }
* reads data from an volume system
* /**
* @param vsHandle pointer to a volume system structure in the sleuthkit * reads data from an volume system
* @param readBuffer buffer to read to *
* @param offset sector offset in the image to start at * @param vsHandle pointer to a volume system structure in the sleuthkit
* @param len amount of data to read * @param readBuffer buffer to read to
* @return the number of characters read, or -1 if the end of the stream has * @param offset sector offset in the image to start at
* been reached * @param len amount of data to read
* @throws TskCoreException exception thrown if critical error occurs within * @return the number of characters read, or -1 if the end of the stream has
* TSK * been reached
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static int readVs(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException { * TSK
return readVsNat(vsHandle, readBuffer, offset, len); */
} public static int readVs(long vsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
return readVsNat(vsHandle, readBuffer, offset, len);
/** }
* reads data from an volume
* /**
* @param volHandle pointer to a volume structure in the sleuthkit * reads data from an volume
* @param readBuffer buffer to read to *
* @param offset byte offset in the image to start at * @param volHandle pointer to a volume structure in the sleuthkit
* @param len amount of data to read * @param readBuffer buffer to read to
* @return the number of characters read, or -1 if the end of the stream has * @param offset byte offset in the image to start at
* been reached * @param len amount of data to read
* @throws TskCoreException exception thrown if critical error occurs within * @return the number of characters read, or -1 if the end of the stream has
* TSK * been reached
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException { * TSK
//returned byte[] is the data buffer */
return readVolNat(volHandle, readBuffer, offset, len); public static int readVsPart(long volHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
} //returned byte[] is the data buffer
return readVolNat(volHandle, readBuffer, offset, len);
/** }
* reads data from an file system
* /**
* @param fsHandle pointer to a file system structure in the sleuthkit * reads data from an file system
* @param readBuffer buffer to read to *
* @param offset byte offset in the image to start at * @param fsHandle pointer to a file system structure in the sleuthkit
* @param len amount of data to read * @param readBuffer buffer to read to
* @return the number of characters read, or -1 if the end of the stream has * @param offset byte offset in the image to start at
* been reached * @param len amount of data to read
* @throws TskCoreException exception thrown if critical error occurs within * @return the number of characters read, or -1 if the end of the stream has
* TSK * been reached
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static int readFs(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException { * TSK
//returned byte[] is the data buffer */
return readFsNat(fsHandle, readBuffer, offset, len); public static int readFs(long fsHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
} //returned byte[] is the data buffer
return readFsNat(fsHandle, readBuffer, offset, len);
/** }
* reads data from an file
* /**
* @param fileHandle pointer to a file structure in the sleuthkit * reads data from an file
* @param readBuffer pre-allocated buffer to read to *
* @param offset byte offset in the image to start at * @param fileHandle pointer to a file structure in the sleuthkit
* @param len amount of data to read * @param readBuffer pre-allocated buffer to read to
* @return the number of characters read, or -1 if the end of the stream has * @param offset byte offset in the image to start at
* been reached * @param len amount of data to read
* @throws TskCoreException exception thrown if critical error occurs within * @return the number of characters read, or -1 if the end of the stream has
* TSK * been reached
*/ * @throws TskCoreException exception thrown if critical error occurs within
public static int readFile(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException { * TSK
return readFileNat(fileHandle, readBuffer, offset, len); */
} public static int readFile(long fileHandle, byte[] readBuffer, long offset, long len) throws TskCoreException {
return readFileNat(fileHandle, readBuffer, offset, len);
//free pointers }
/**
* frees the imgHandle pointer currently does not close the image, until the //free pointers
* application terminates (image handle is cached) /**
* * frees the imgHandle pointer currently does not close the image, until the
* @param imgHandle to close the image * application terminates (image handle is cached)
*/ *
public static void closeImg(long imgHandle) { * @param imgHandle to close the image
//@@@ TODO close the image handle when Case is closed instead */
//currently the image handle is not being freed, it's cached for duration of the application public static void closeImg(long imgHandle) {
//closeImgNat(imgHandle); //@@@ TODO close the image handle when Case is closed instead
} //currently the image handle is not being freed, it's cached for duration of the application
//closeImgNat(imgHandle);
/** }
* frees the vsHandle pointer
* /**
* @param vsHandle pointer to volume system structure in sleuthkit * frees the vsHandle pointer
*/ *
public static void closeVs(long vsHandle) { * @param vsHandle pointer to volume system structure in sleuthkit
closeVsNat(vsHandle); */
} public static void closeVs(long vsHandle) {
closeVsNat(vsHandle);
/** }
* frees the fsHandle pointer Currently does not do anything - preserves the
* cached object for the duration of the application /**
* * frees the fsHandle pointer Currently does not do anything - preserves the
* @param fsHandle pointer to file system structure in sleuthkit * cached object for the duration of the application
*/ *
public static void closeFs(long fsHandle) { * @param fsHandle pointer to file system structure in sleuthkit
//@@@ TODO close the fs handle when Case is closed instead */
//currently the fs handle is not being freed, it's cached for duration of the application public static void closeFs(long fsHandle) {
//closeFsNat(fsHandle); //@@@ TODO close the fs handle when Case is closed instead
} //currently the fs handle is not being freed, it's cached for duration of the application
//closeFsNat(fsHandle);
/** }
* frees the fileHandle pointer
* /**
* @param fileHandle pointer to file structure in sleuthkit * frees the fileHandle pointer
*/ *
public static void closeFile(long fileHandle) { * @param fileHandle pointer to file structure in sleuthkit
closeFileNat(fileHandle); */
} public static void closeFile(long fileHandle) {
closeFileNat(fileHandle);
/** }
* Create an index for the given database path.
* /**
* @param dbPath The path to the database * Create an index for the given database path.
* @throws TskCoreException if a critical error occurs within TSK core *
*/ * @param dbPath The path to the database
public static void createLookupIndex(String dbPath) throws TskCoreException { * @throws TskCoreException if a critical error occurs within TSK core
createLookupIndexNat(dbPath); */
} public static void createLookupIndex(String dbPath) throws TskCoreException {
createLookupIndexNat(dbPath);
/** }
* Check if an index exists for the given database path.
* /**
* @param dbPath * Check if an index exists for the given database path.
* @return true if index exists *
* @throws TskCoreException if a critical error occurs within TSK core * @param dbPath
*/ * @return true if index exists
public static boolean lookupIndexExists(String dbPath) throws TskCoreException { * @throws TskCoreException if a critical error occurs within TSK core
return lookupIndexExistsNat(dbPath); */
} public static boolean lookupIndexExists(String dbPath) throws TskCoreException {
return lookupIndexExistsNat(dbPath);
/** }
* Set the NSRL database
* /**
* @param path The path to the database * Set the NSRL database
* @return a handle for that database *
* @throws TskCoreException if a critical error occurs within TSK core * @param path The path to the database
*/ * @return a handle for that database
public static int setNSRLDatabase(String path) throws TskCoreException { * @throws TskCoreException if a critical error occurs within TSK core
return setDbNSRLNat(path); */
} public static int setNSRLDatabase(String path) throws TskCoreException {
return setDbNSRLNat(path);
/** }
* Add the known bad database
* /**
* @param path The path to the database * Add the known bad database
* @return a handle for that database *
* @throws TskCoreException if a critical error occurs within TSK core * @param path The path to the database
*/ * @return a handle for that database
public static int addKnownBadDatabase(String path) throws TskCoreException { * @throws TskCoreException if a critical error occurs within TSK core
return addDbKnownBadNat(path); */
} public static int addKnownBadDatabase(String path) throws TskCoreException {
return addDbKnownBadNat(path);
/** }
* Get the name of the database
* /**
* @param path The path to the database * Get the name of the database
* @throws TskCoreException if a critical error occurs within TSK core *
*/ * @param path The path to the database
public static String getDatabaseName(String path) throws TskCoreException { * @throws TskCoreException if a critical error occurs within TSK core
return getDbName(path); */
} public static String getDatabaseName(String path) throws TskCoreException {
return getDbName(path);
/** }
* Look up the given hash in the NSRL database
* /**
* @param hash * Look up the given hash in the NSRL database
* @return the status of the hash in the NSRL *
* @throws TskCoreException if a critical error occurs within TSK core * @param hash
*/ * @return the status of the hash in the NSRL
public static TskData.FileKnown nsrlHashLookup(String hash) throws TskCoreException { * @throws TskCoreException if a critical error occurs within TSK core
return TskData.FileKnown.valueOf((byte) nsrlDbLookup(hash)); */
} public static TskData.FileKnown nsrlHashLookup(String hash) throws TskCoreException {
return TskData.FileKnown.valueOf((byte) nsrlDbLookup(hash));
/** }
* Look up the given hash in the known bad database
* /**
* @param hash * Look up the given hash in the known bad database
* @param dbHandle previously opened hash db handle *
* @return the status of the hash in the known bad database * @param hash
* @throws TskCoreException if a critical error occurs within TSK core * @param dbHandle previously opened hash db handle
*/ * @return the status of the hash in the known bad database
public static TskData.FileKnown knownBadHashLookup(String hash, int dbHandle) throws TskCoreException { * @throws TskCoreException if a critical error occurs within TSK core
return TskData.FileKnown.valueOf((byte) knownBadDbLookup(hash, dbHandle)); */
} public static TskData.FileKnown knownBadHashLookup(String hash, int dbHandle) throws TskCoreException {
return TskData.FileKnown.valueOf((byte) knownBadDbLookup(hash, dbHandle));
/** }
* Get the size of the index of the given database
* /**
* @param path the path to the database * Get the size of the index of the given database
* @return the size of the index or -1 if it doesn't exist *
* @throws TskCoreException * @param path the path to the database
*/ * @return the size of the index or -1 if it doesn't exist
public static int getIndexSize(String path) throws TskCoreException { * @throws TskCoreException
return getIndexSizeNat(path); */
} public static int getIndexSize(String path) throws TskCoreException {
return getIndexSizeNat(path);
/** }
* Convert this timezone from long to short form
* Convert timezoneLongForm passed in from long to short form /**
* * Convert this timezone from long to short form
* @param timezoneLongForm the long form (e.g., America/New_York) * Convert timezoneLongForm passed in from long to short form
* @return the short form (e.g., EST5EDT) string representation, or an empty string if *
* empty long form was passed in * @param timezoneLongForm the long form (e.g., America/New_York)
*/ * @return the short form (e.g., EST5EDT) string representation, or an empty string if
private static String timezoneLongToShort(String timezoneLongForm) { * empty long form was passed in
if (timezoneLongForm == null || timezoneLongForm.isEmpty()) { */
return ""; private static String timezoneLongToShort(String timezoneLongForm) {
} if (timezoneLongForm == null || timezoneLongForm.isEmpty()) {
return "";
String timezoneShortForm = ""; }
TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
int offset = zone.getRawOffset() / 1000; String timezoneShortForm = "";
int hour = offset / 3600; TimeZone zone = TimeZone.getTimeZone(timezoneLongForm);
int min = (offset % 3600) / 60; int offset = zone.getRawOffset() / 1000;
DateFormat dfm = new SimpleDateFormat("z"); int hour = offset / 3600;
dfm.setTimeZone(zone); int min = (offset % 3600) / 60;
boolean hasDaylight = zone.useDaylightTime(); DateFormat dfm = new SimpleDateFormat("z");
String first = dfm.format(new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3); // make it only 3 letters code dfm.setTimeZone(zone);
String second = dfm.format(new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3); // make it only 3 letters code boolean hasDaylight = zone.useDaylightTime();
int mid = hour * -1; String first = dfm.format(new GregorianCalendar(2010, 1, 1).getTime()).substring(0, 3); // make it only 3 letters code
timezoneShortForm = first + Integer.toString(mid); String second = dfm.format(new GregorianCalendar(2011, 6, 6).getTime()).substring(0, 3); // make it only 3 letters code
if (min != 0) { int mid = hour * -1;
timezoneShortForm = timezoneShortForm + ":" + (min < 10 ? "0" : "") + Integer.toString(min); timezoneShortForm = first + Integer.toString(mid);
} if (min != 0) {
if (hasDaylight) { timezoneShortForm = timezoneShortForm + ":" + (min < 10 ? "0" : "") + Integer.toString(min);
timezoneShortForm = timezoneShortForm + second; }
} if (hasDaylight) {
return timezoneShortForm; timezoneShortForm = timezoneShortForm + second;
} }
return timezoneShortForm;
/** }
* Get size of a device (physical, logical device, image) pointed to by
* devPath /**
* * Get size of a device (physical, logical device, image) pointed to by
* @param devPath device path pointing to the device * devPath
* @return size of the device in bytes *
* @throws TskCoreException exception thrown if the device size could not be * @param devPath device path pointing to the device
* queried * @return size of the device in bytes
*/ * @throws TskCoreException exception thrown if the device size could not be
public static long findDeviceSize(String devPath) throws TskCoreException { * queried
return findDeviceSizeNat(devPath); */
} public static long findDeviceSize(String devPath) throws TskCoreException {
} return findDeviceSizeNat(devPath);
}
}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment