1 /*
2  *
3  *  The Sleuth Kit
4  *
5  *  Contact: Brian Carrier [carrier <at> sleuthkit [dot] org]
6  *  Copyright (c) 2010-2012 Basis Technology Corporation. All Rights
7  *  reserved.
8  *
9  *  This software is distributed under the Common Public License 1.0
10  */
11 
12 #ifndef _TSK_IMGDBSQLITE_H
13 #define _TSK_IMGDBSQLITE_H
14 
15 // System includes
16 #include <string> // to get std::wstring
17 #include <list>
18 #include <vector>
19 using namespace std;
20 
21 // Framework includes
22 #include "tsk/framework/framework_i.h"
23 #include "TskImgDB.h"
24 #include "tsk/framework/utilities/SectorRuns.h"
25 #include "tsk/framework/utilities/UnallocRun.h"
26 #include "TskBlackboardArtifact.h"
27 #include "TskBlackboardAttribute.h"
28 
29 #include "tsk/libtsk.h"
30 
31 #ifdef HAVE_LIBSQLITE3
32   #include <sqlite3.h>
33 #else
34   #include "tsk/auto/sqlite3.h"
35 #endif
36 
37 /**
38  * Implementation of TskImgDB that uses SQLite to store the data.
39  * Do not use this in a distributed environment if multiple processes
40  * will be accessing the database at the same time.
41  */
42 class TSK_FRAMEWORK_API TskImgDBSqlite : public TskImgDB
43 {
44 public:
45     TskImgDBSqlite(const char * a_outpath);
46     virtual ~ TskImgDBSqlite();
47 
48     virtual int initialize();
49     virtual int open();
50 
51     virtual int close();
52 
53     virtual int begin();
54     virtual int commit();
55 
56     virtual int addToolInfo(const char* name, const char* version);
57     virtual int addImageInfo(int type, int sectorSize);
58     virtual int addImageName(char const * imgName);
59     virtual int addVolumeInfo(const TSK_VS_PART_INFO * vs_part);
60     virtual int addFsInfo(int volId, int fsId, const TSK_FS_INFO * fs_info);
61     virtual int addFsFileInfo(int fsId, const TSK_FS_FILE *fs_file, const char *name, int type, int idx, uint64_t & fileId, const char * path);
62 
63     virtual int addCarvedFileInfo(int vol_id, const char * name, uint64_t size, uint64_t *runStarts, uint64_t *runLengths, int numRuns, uint64_t & fileId);
64     virtual int addDerivedFileInfo(const std::string& name, const uint64_t parentId,
65                                         const bool isDirectory, const uint64_t size, const std::string& details,
66                                         const int ctime, const int crtime, const int atime, const int mtime, uint64_t & fileId, std::string path);
67     virtual int addFsBlockInfo(int fsID, uint64_t a_mFileId, int count, uint64_t blk_addr, uint64_t len);
68     virtual int addAllocUnallocMapInfo(int a_volID, int unallocImgID, uint64_t unallocImgStart, uint64_t length, uint64_t origImgStart);
69     virtual int getSessionID() const;
70     virtual int getFileIds(char *a_fileName, uint64_t *a_outBuffer, int a_buffSize) const;
71     virtual int getMaxFileIdReadyForAnalysis(uint64_t a_lastFileId, uint64_t & maxFileId) const;
72     virtual int getMinFileIdReadyForAnalysis(uint64_t & minFileId) const;
73     virtual uint64_t getFileId(int fsId, uint64_t fs_file_id) const;
74     virtual int getFileRecord(const uint64_t fileId, TskFileRecord& fileRecord) const;
75     virtual SectorRuns * getFileSectors(uint64_t fileId) const;
76     virtual std::string getImageBaseName() const;
77     virtual std::vector<std::wstring> getImageNamesW() const;
78     virtual std::vector<std::string> getImageNames() const;
79     virtual int getFileUniqueIdentifiers(uint64_t a_fileId, uint64_t &a_fsOffset, uint64_t &a_fsFileId, int &a_attrType, int &a_attrId) const;
80     virtual int getNumVolumes() const;
81     virtual int getNumFiles() const;
82     virtual int getImageInfo(int & type, int & sectorSize) const;
83     virtual int getVolumeInfo(std::list<TskVolumeInfoRecord> & volumeInfoList) const;
84     virtual int getFsInfo(std::list<TskFsInfoRecord> & fsInfoList) const;
85     virtual int getFileInfoSummary(std::list<TskFileTypeRecord>& fileTypeInfoList) const;
86     virtual int getFileInfoSummary(FILE_TYPES fileType, std::list<TskFileTypeRecord> & fileTypeInfoList) const;
87     virtual TskImgDB::KNOWN_STATUS getKnownStatus(const uint64_t fileId) const;
88 
89     virtual UnallocRun * getUnallocRun(int file_id, int file_offset) const;
90     virtual SectorRuns * getFreeSectors() const;
91 
92     virtual int updateFileStatus(uint64_t a_file_id, FILE_STATUS a_status);
93     virtual int updateKnownStatus(uint64_t a_file_id, KNOWN_STATUS a_status);
94 	virtual bool dbExist() const;
95 
96     // Get set of file ids that match the given condition (i.e. SQL where clause)
97     virtual std::vector<uint64_t> getFileIds(const std::string& condition) const;
98     virtual const std::vector<TskFileRecord> getFileRecords(const std::string& condition) const;
99 
100     // Get the number of files that match the given condition
101     virtual int getFileCount(const std::string& condition) const;
102 
103     virtual std::map<uint64_t, std::string> getUniqueCarvedFiles(HASH_TYPE hashType) const;
104     virtual std::vector<TskCarvedFileInfo> getUniqueCarvedFilesInfo(HASH_TYPE hashType) const;
105     virtual std::vector<uint64_t> getCarvedFileIds() const;
106 
107     virtual std::vector<uint64_t> getUniqueFileIds(HASH_TYPE hashType) const;
108     virtual std::vector<uint64_t> getFileIds() const;
109 
110     virtual int setHash(const uint64_t a_file_id, const TskImgDB::HASH_TYPE hashType, const std::string& hash) const;
111     virtual std::string getCfileName(const uint64_t a_file_id) const;
112 
113     virtual int addModule(const std::string& name, const std::string& description, int & moduleId);
114     virtual int setModuleStatus(uint64_t file_id, int module_id, int status);
115 	virtual int getModuleInfo(std::vector<TskModuleInfo> & moduleInfoList) const;
116     virtual int getModuleErrors(std::vector<TskModuleStatus> & moduleStatusList) const;
117     virtual std::string getFileName(uint64_t file_id) const;
118 
119     virtual int addUnallocImg(int & unallocImgId);
120     virtual int setUnallocImgStatus(int unallocImgId, TskImgDB::UNALLOC_IMG_STATUS status);
121     virtual TskImgDB::UNALLOC_IMG_STATUS getUnallocImgStatus(int unallocImgId) const;
122     virtual int getAllUnallocImgStatus(std::vector<TskUnallocImgStatusRecord> & unallocImgStatusList) const;
123 
124     virtual int addUnusedSectors(int unallocImgId, std::vector<TskUnusedSectorsRecord> & unusedSectorsList);
125     virtual int getUnusedSector(uint64_t fileId, TskUnusedSectorsRecord & unusedSectorsRecord) const;
126 
127 	virtual std::string quote(const std::string str) const;
128 
129 	friend class TskDBBlackboard;
130 
131 protected:
132     // Blackboard methods.
133     virtual TskBlackboardArtifact createBlackboardArtifact(uint64_t file_id, int artifactTypeID);
134     virtual void addBlackboardAttribute(TskBlackboardAttribute attr);
135 
136     virtual void addArtifactType(int typeID, string artifactTypeName, string displayName);
137     virtual void addAttributeType(int typeID, string attributeTypeName, string displayName);
138 
139     virtual string getArtifactTypeDisplayName(int artifactTypeID);
140     virtual int getArtifactTypeID(string artifactTypeString);
141     virtual string getArtifactTypeName(int artifactTypeID);
142     virtual vector<TskBlackboardArtifact> getMatchingArtifacts(string condition);
143 
144     virtual string getAttributeTypeDisplayName(int attributeTypeID);
145     virtual int getAttributeTypeID(string attributeTypeString);
146     virtual string getAttributeTypeName(int attributeTypeID);
147     virtual vector<TskBlackboardAttribute> getMatchingAttributes(string condition);
148     virtual vector<int> findAttributeTypes(int artifactTypeId);
149 private:
150     char m_outPath[256];
151     char m_dbFilePath[256];
152     sqlite3 * m_db;
153 
154     int dropTables();
155 
156     static int busyHandler(void *, int);
157     std::vector<uint64_t> getFileIdsWorker(std::string tableName, const std::string condition = "") const;
158     void constructStmt(std::string& stmt, std::string condition) const;
159     int addUnusedSector(uint64_t sectStart, uint64_t sectEnd, int volId, std::vector<TskUnusedSectorsRecord> & unusedSectorsList);
160     int getFileTypeRecords(const std::string& stmt, std::list<TskFileTypeRecord>& fileTypeInfoList) const;
161     virtual vector<TskBlackboardArtifact> getArtifactsHelper(uint64_t file_id, int artifactTypeID, string artifactTypeName);
162     void getCarvedFileInfo(const std::string& stmt, std::map<uint64_t, std::string>& results) const;
163 
164     /**
165      * A helper function for getUniqueCarvedFilesInfo() that executes a very specific SQL SELECT statement
166      * assembled by the caller.
167      *
168      * @param stmtToExecute The SQL statement.
169      * @param getHash A flag indicating whether the SELECT includes a hash value.
170      * @param carvedFileInfos[out] The data returned by the query as TskCarvedFileInfo objects.
171      * @return Throws TskException
172      */
173     void getCarvedFileInfo(const std::string &query,  bool getHash, std::vector<TskCarvedFileInfo> &carvedFileInfos) const;
174 
175     /**
176      * Executes an SQL statement.
177      *
178      * @param stmtToExecute The SQL statement.
179      * @param[out] statement The result set as a sqlite3_stmt object, caller should call sqlite3_finalize() on the pointer in case of normal execution.
180      * @param caller The caller in the form <class_name>::<member_function_name> for error messages.
181      * @return Throws TskException.
182      */
183     void executeStatement(const std::string &stmtToExecute, sqlite3_stmt *&statement, const std::string &caller) const;
184 };
185 
186 #endif
187